May 2022
by Michael Herrera, CEO, MHA Consulting
[originally published on mha-it.com; written by Colin Garrison based on an interview with Michael Herrera]
The Department of Transportation recently announced a proposed $1 million fine of Colonial Pipeline for shortcomings in its recovery planning that increased the societal damage in the wake of the cyberattack on the company last year. Though unfortunate for the company, the proposed fine is a net plus for our industry because it could incentivize organizations to get serious about resiliency.
A Stiff Proposed Fine for Poor Planning
Chances are you remember the Colonial Pipeline ransomware attack, which took place a year ago this week and resulted in the five-day shutdown of the pipeline system that supplies 45 percent of fuel to the East Coast. You might even have been personally impacted by it.
The attack, you may recall, was launched by a Russian hacker group called DarkSide. It concluded with the company’s paying a Bitcoin ransom worth $4.4 million, receiving a decryption key that was too slow to be of use, and the FBI’s successfully getting back much of the ransom money.
This week a postscript to the story arrived in the form of the announcement by the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) that it plans to fine the company $986,400. (The company has 30 days to respond.)
Of the proposed fine amount, $846,300 is tied to deficiencies the DOT found in Colonial’s communications plans.
The inspection that uncovered the violations took place before the hack. However, the large size of the proposed fine was obviously driven by Colonial’s response to the attack and its consequences for society at large.
The DOT explained the reasoning behind the proposed fine in a Notice of Probable Violation sent to Colonial on May 5.
The notice said that Colonial wasn’t prepared to manually restart and operate the pipeline because it “had not tested and verified an internal communication plan when the cyber-attack occurred, as was required by the regulation.”
This shortcoming “created the potential for increased risks to the pipeline’s integrity as well as additional delays in restart, exacerbating the supply issues and societal impacts,” according to the notice.
In other words, the DOT is saying that because of noncompliant gaps in Colonial’s recovery plans, the company was slower than necessary to resume operation after the cyberattack, causing impacts to the nation at large—and that for this reason, it is being fined a significant sum.
Good News for Industry and Society
Obviously, if you’re Colonial Pipeline, the DOT’s proposed fine is not exactly good news.
But for industry and the society overall, I think it is good news.
It shows that we’re finally going to start holding companies accountable when they hurt other people and organizations as a result of not getting serious about resilience.
I’ve been saying for years this was going to happen, and I think this is a big step in that direction—which I think is the right direction.
I think we’re nearing the end of the days when a company can get away with saying, “We had an act of God or event beyond our control. Sorry we hurt you, but it wasn’t our fault.”
It would be great if from now on I can answer by saying, “If it’s proven you were negligent in preparing for such an event, it will be your fault and could lead to fines of millions of dollars.”
Moving forward, companies need to recognize that they can be fined or sued for not having a comprehensive, well-documented, executable, and validated plan covering all areas of the business.
This is especially true for companies that operate critical areas of the national infrastructure: oil, gas, utilities, logistics, hospitals, etc.
Change is necessary, and I think the DOT’s notice to Colonial shows it is on the way.
Raising the Bar for Resilience Planning
If you are old enough, you will remember how in the Seventies almost no one wore a seatbelt when riding in a car. In the Eighties almost everyone did, partly as a result of new seatbelt laws coming into effect.
Our ideas about seatbelt use have changed so much that now, if you drive without one, it doesn’t feel right.
I hope and expect that over time organizations of all types will come to feel that way about having a sound, tested, and validated BC program.
I think eventually companies’ BC programs will be evaluated and given a score by independent agencies the same way today credit bureaus give people scores summarizing their credit worthiness.
If the DOT’s action against Colonial turns out to raise the bar for resilience planning, then the ransomware attack by DarkSide could turn out to have a significant bright side.
Sharing the Colonial Pipeline Story with Management
I might be preaching to the choir in this post since most of our readers are front-line BC professionals who need no persuading about the value of a sound BCM program.
For them, I think the takeaway from the DOT’s proposed fine of Colonial is this: use it. Call the attention of your senior management to this story when you’re trying to get funding for your BC initiatives.
Where other arguments fail, the possibility of being hit with a significant fine for having a subpar recovery program might just get your executives’ attention and win their support.
Boosting Interest in Resilience Planning
The DOT’s proposed fine of Colonial Pipeline shows that the government is prepared to levy steep penalties against companies whose poor recovery planning leads to serious impacts on society at large. This might turn out to be a significant step forward in the necessary shift toward higher expectations for all organizations when it comes to resilience planning.
Given senior management’s focus on the bottom line, business continuity professionals could do worse than alert their executives to the Colonial Pipeline story. The possibility that noncompliance with recovery requirements can bring significant fines might boost management’s famously low interest in ensuring that their organization can quickly restore their critical operations in the event of a disaster.