Should hazardous liquids pipelines be prepared to operate “manually” in the event of a future cyberattack? An almost-million-dollar fine proposed by the Pipeline and Hazardous Materials Safety Administration (“PHMSA”) on Colonial Pipeline Company (“Colonial”) for, among other things, not having a communications plan in place for “manual operation” of the pipeline at all stations between Louisiana and New Jersey would suggest the answer is “yes…maybe.” PHMSA justifies this interpretation of its pipeline safety rules because, according to PHMSA, Colonial’s failure to have this communication plan in place exacerbated the supply issues and societal impact of the 2021 ransomware attack on the company. But this remarkable penalty action does not make clear whether PHMSA really thinks that forcing an operator to undertake manual operations meets the safety objectives of Part 195 when the operator’s preference is to evaluate a particular situation before determining which, if any, operations it might undertake manually. The penalty action might simply be seen as a distortion of PHMSA’s mandate to regulate the safe operation of pipelines to achieve political outcomes unrelated to safety.
On May 5, 2022, PHMSA issued a Notice of Probable Violation (“NOPV”) to Colonial Pipeline Company that included a probable violation arising from the May 2021 ransomware attack on Colonial’s operations. In response to the intrusion into its technology system, Colonial shut down operations for several days to prevent hackers from accessing sensitive data. Although the pipeline shutdown caused significant disruptions in the gas market, the attack did not result in any unauthorized releases of gasoline or other environmental incidents. Yet PHMSA, the agency most concerned with preventing environmental disasters from pipeline releases, has proposed an $846,300 fine on Colonial for not having a plan for manual operation of its pipeline system.
This NOPV does not mention any cybersecurity requirements for pipeline operations, and it does not discuss Critical Infrastructure Protection requirements such as those administered by the North American Electric Reliability Corporation for companies connected to the public grid. This omission is likely due to the fact that, at the time of the ransomware attack on Colonial, only “guidelines” for cybersecurity preparedness were in effect; there were no federal requirements that pipeline companies have certain protective measures in place against cyberattacks. Even now, PHMSA has still not articulated a federal preparedness standard for manual operation of a liquids pipeline in the event of a cyberattack. Nevertheless, PHMSA’s NOPV is premised on the notion that Colonial should have been prepared for manual operation of its pipeline between Baton Rouge, Louisiana and Linden, New Jersey when the ransomware attack occurred to prevent “exacerbating the supply issues and societal impacts.”
The probable violation cited by PHMSA alleges that Colonial failed to comply with 49 C.F.R. § 195.446(c)(3) by failing to ensure that it had adopted, tested and verified an “internal communication plan to provide adequate means for manual operation of the pipeline.” PHMSA alleges that Colonial had failed to prepare and test that plan at six different locations starting in Baton Rouge, Louisiana and ending at Linden, New Jersey and concluded that:
Since Respondent had not tested and verified an internal communication plan when the cyber-attack occurred…Respondent was not prepared for manual restart and operation…
PHMSA’s NOPV then states that this “ad-hoc approach towards consideration of a manual restart created the potential for increased risks to the pipeline’s integrity as well as additional days in restart.”
Notably, the rule cited by PHMSA requires only a communication plan to support manual operation. It does not require an operator to manually operate a complex pipeline without a SCADA system. PHMSA’s enforcement action is also unusual in that it would punish Colonial for not being prepared to undertake an activity (manual operation of a pipeline) that is not clearly feasible or practicable. Notably, Part 195 of the PHMSA regulations only refers to “manual operation” once (see Section 195.446) and, arguably, does not require preparedness for the entirety of a pipeline to be capable of immediate manual operation.
Likewise, the NOPV does not address the key question of whether Colonial should have continued operation of the pipeline to avoid disruptions in the gasoline market even if it would have allowed third parties to seize control over all pipeline operations or expose the company’s sensitive data. Although likely not PHMSA’s intention, this penalty creates a curious disincentive for pipeline companies experiencing a ransomware attack and complicates the operator’s decision related to shutting down operations to prevent unauthorized control by a third party. PHMSA concludes that the failure of preparedness for a “manual restart” created the “potential for increased risks to the pipeline’s integrity as well as additional delays in restart, exacerbating the supply issues and societal impacts,” but the agency seems to overlook the safety benefits of not operating a pipeline when a third party may be able to get control of the SCADA system.
For now, the Transportation Security Administration’s directives from 2021 are still the motivation for pipeline companies to adequately prepare for and respond to cyberattacks. (We discussed the first and second directives in previous articles.) Whether this enforcement action signals a meaningful attempt by PHMSA to require alternative preparedness by pipeline companies or is just an effort to look for some way to impose federal sanctions on Colonial for the ransomware incident remains to be seen.