Colonial fights charges of ‘ad hoc’ response to pipeline hack

By Mike Soraghan | 12/01/2022 07:22 AM EST

Federal regulators say the company was unprepared for the manual restart of its pipeline after a 2021 cyberattack that led to East Coast fuel shortages.

A customer is pictured pumping fuel as others wait in line in May 2021 in Charlotte, N.C., following a cyberattack on Colonial Pipeline Co. AP Photo/Chris Carlson

KANSAS CITY, Mo. — Colonial Pipeline Co. on Wednesday defended its response to a May 2021 cyberattack that led to a shutdown of its system and fuel shortages at gas stations along the East Coast.

The company’s representatives spoke at an enforcement hearing held here at the regional office of the Department of Transportation. Federal regulators have alleged that Colonial took an “ad hoc” approach to restarting its pipeline in the wake of the 2021 attack, in which hackers stole the company’s computer files and demanded $5 million.

But the suggestion that Colonial was unprepared “is inappropriate and incorrect,” Colonial attorney Catherine Little said at Wednesday’s hearing.


DOT’s Pipeline and Hazardous Materials Safety Administration is seeking to fine Colonial nearly $1 million for control room failures. The agency accuses the company of being unprepared for the manual operation and restart of the pipeline, worsening a supply crunch that led to panic buying and a sharp rise in gasoline prices.

PHMSA attorney Joseph Hainline called Colonial’s preparations for communicating when its system shuts down a “bare-bones plan.”

“You have to have something more than what they had,” he said.

Colonial’s 5,500-mile network delivers nearly half of the fuel — including gasoline, jet fuel and other products — used each day along the East Coast. The system runs from Houston to New York, but shortages were most acute in Georgia, the Carolinas and southern Virginia.

The 2021 shortages occurred after Colonial shut down its system because a criminal hacking group called DarkSide managed to steal its computer files and hold them hostage (Energywire, May 12, 2021).

It was the most disruptive ransomware attack in U.S. history and thrust a little-known, high-volume company into an unexpected spotlight. The company is based in Alpharetta, Ga., and reported revenues last year of about $1.3 billion. It is owned by subsidiaries of Koch Industries Inc., Shell PLC and other investors.

The yellow “out of service” bags on closed gasoline pumps created a sudden political headache for President Joe Biden, whose political opponents seek to tie gasoline prices and other energy problems to his policies on climate and the environment.

It also drove home to the public that cybersecurity is not an abstraction and led quickly to public pressure for mandatory cybersecurity regulations for the pipeline sector. The incident also spurred a broader conversation around regulations for critical infrastructure beyond oil and natural gas.

The circumstances of the 2021 shutdown were not discussed at length in the Wednesday hearing, which was held in Kansas City because it is the location of PHMSA’s control room inspection program. Colonial brought a team of 11 officials — including attorneys and executives — who carted boxes of documents into the room. They were joined by five PHMSA officials, including Larry White, a presiding official at DOT’s Pipeline Safety Law Division. A PHMSA inspector also joined by phone from the Chicago office.

Debate during the four-hour hearing turned largely on whether federal minimum regulations require pipeline companies to have — for each control room — an internal communication plan for manual operation of their systems.

“Notwithstanding the number of people here and the number of binders spread across the table, this case is very simple,” Hainline said. “Does it need to be tested in each control room?”

But Little, Colonial’s lead attorney, said PHMSA had misinterpreted the rules and misunderstood Colonial’s operations. She also stressed that the agency’s regulations give companies latitude on how to comply.

“PHMSA cannot require more than the law allows,” Little said. “It simply does not say what PHMSA wants it to say.”

Colonial also noted that the fine PHMSA is seeking is 37 times the size of the only other penalty sought for a violation of the control room rule. Hainline conceded that PHMSA miscalculated prior violations in determining the penalty. He did not say how much that might reduce the penalty.

Hainline stressed that the agency is not accusing Colonial of being responsible for the cyberattack but did make a connection.

“We do believe that it is relevant because this is what the regulations were intended to address,” he said.

Drew Lohoff, Colonial’s director of government affairs, stressed that Colonial was not required to shut down its system and only did so “out of an abundance of caution.”

In filings, Colonial has also argued that PHMSA’s fine is an attempt to enforce cybersecurity rules in the wake of the high-profile shutdown. The company says PHMSA and DOT don’t have authority over cybersecurity, which falls under the purview of the Department of Homeland Security and the Transportation Security Administration.

PHMSA considers its enforcement hearings to be “informal.” E&E asked to attend Wednesday’s hearing, and a reporter was granted access.

During the four-hour hearing, there was a closed session lasting roughly 30 minutes. Colonial requested it to discuss control room communications, and White, the hearing officer, granted it over the protest of E&E News.

But White warned Colonial that a private session could “disadvantage” the company in the enforcement process.

“I urge you to present the fullest response that’s public,” White said.

White will make a recommendation sometime next year on Colonial’s protest of the enforcement actions and fine.

PHMSA held such enforcement hearings behind closed doors until about four years ago. In March 2018, E&E News, with help from the Reporters Committee for Freedom of the Press, challenged the convening of a private hearing about leaks at Cheniere Energy Inc.’s Sabine Pass liquefied natural gas export terminal (Greenwire, March 21, 2018).

PHMSA officials agreed to allow an E&E News reporter to attend the 2018 session in Houston. The agency subsequently agreed to post online notices about when enforcement hearings get scheduled.