A proposed $1M civil penalty against Colonial Pipeline for its procedural failures during a ransomware attack could indicate what’s in store for critical infrastructure operators who fail to keep employees up to date on how to react and respond when managing cyberattacks.

Colonial suffered a five-day ransomware attack by the Russian cybercrime group “DarkSide” that began on April 29, 2021. Colonial ultimately paid the hackers $4.4M to restore pipeline operations. On May 5, 2022, the U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) cited Colonial for “failures to adequately plan and prepare for a manual restart and shutdown operation [that] contributed to the national impacts when the pipeline remained out of service after the May 2021 cyberattack.” PHMSA believes that Colonial did not “test and verify its internal communication plan to provide adequate means for manual operations of the pipeline.” PHMSA contends these failures led to the pipeline being shut down longer than was necessary, leading to shortages, higher than necessary fuel prices and gasoline hoarding in many parts of the country.

Colonial can contest the penalty, but the fine is yet another indication that the United States government is serious about ensuring that critical infrastructure operators do all they can to be able to respond to a crippling cyberattack. Moreover, the PHMSA decision follows closely in the wake of a recent Cyber and Infrastructure Security Agency (CISA) announcement that they are about to begin a public comment period on the recently-enacted cyberattack reporting rules legislation. During this comment period, CISA is seeking input from critical infrastructure operators on how to balance national security concerns with operators’ ability to prepare/respond/recover from a cyberattack.