ATLP Association Highlights: HazMat Blog

On May 7, 2021, the Colonial Pipeline Company learned it was the victim of a ransomware attack allegedly carried out by the criminal group known as “DarkSide.” DarkSide is a “ransomware-as-a-service” business believed to be headquartered in Russia, which loans out its malware to criminal affiliates who conduct cyberattacks on its behalf. DarkSide’s ransomware uses an encryption program to hold files and IT systems hostage in exchange for payment. The attack required Colonial Pipeline to take certain IT systems offline and temporarily halt all pipeline operations to ensure that the threat was contained. The Colonial Pipeline is the largest pipeline system for refined oil products in the United States; it runs between Houston, Texas, and Linden, New Jersey, and carries up to 100 million gallons per day of diesel, gasoline, home heating oil, and jet fuel.

In the days following the news of the Colonial Pipeline cyberattack, panic buying caused shortages of supplies at gas stations throughout the East Coast. Various agencies within the U.S. Department of Transportation (DOT) rapidly implemented actions to augment fuel supply. The Federal Motor Carrier Safety Administration issued a temporary Hours-of-Service waiver to allow increased transportation of refined petroleum products by truck in the affected states. Additionally, the DOT’s Federal Railroad Administration canvassed rail operators to assess their capacity to temporarily carry more refined petroleum products by rail. DOT’s Maritime Administration initiated a survey to determine whether there was sufficient capacity to carry refined petroleum products to affected locations on Jones Act-qualified vessels, or whether a waiver from the Jones Act requirements would be appropriate. Finally, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) granted an Emergency Stay of Enforcement to Colonial Pipeline, effective for 14 days, allowing certain Colonial Pipeline employees to perform emergency response and recovery efforts even if they do not fully meet federal pipeline operator qualification and drug testing requirements.

While PHMSA is the regulatory authority tasked with ensuring the physical safety of the U.S. pipeline infrastructure, the Transportation Security Administration (TSA) oversees pipeline security, as well as cybersecurity. TSA issues non-binding guidelines and pipelines are not required to comply. With that said, Colonial Pipeline’s website states that the company complies with all guidelines established by the TSA and submits an annual risk-based security plan to the TSA for review.  

In June 2018, the Federal Energy Regulatory Commission’s then-Chairman Neil Chatterjee and its current Chairman Richard Glick issued a joint letter advocating for transfer of TSA’s cybersecurity oversight for natural gas pipelines to the U.S. Department of Energy (DOE). In the wake of the Colonial Pipeline cyberattack, TSA has faced renewed scrutiny from legislators calling into question whether the TSA is still the appropriate agency for overseeing pipeline cybersecurity. On May 11, 2021, a bipartisan group of lawmakers introduced the “Pipeline and LNG Facility Cybersecurity Preparedness Act,” which would designate DOE as the lead federal agency for coordinating and developing policies, procedures, and responses to physical and cyber incidents impacting the energy sector. Although the bill would not expand federal authority over oil pipelines, the sponsors of the proposed bill stated that the Colonial Pipeline cyberattack was the impetus for the proposed legislation.

Colonial Pipeline reported that it began restarting its system on May 12, 2021, and was fully operational the following day. The company cautioned that it could take several days for the product delivery supply chain to return to normal. It was subsequently reported that Colonial Pipeline paid a ransom in the form of 75 Bitcoins, or approximately $4.4 million. President Biden announced that the United States would seek to disrupt the operations of those responsible for the cyberattack.
