The repercussions of last year's hack of the Colonial Pipeline have not ended for the company in charge of the US's largest refined-oil pipeline system, which now faces a $986,400 civil penalty from the US Department of Transportation.
The Pipeline and Hazardous Materials Safety Administration, which operates under the US DOT, conducted an inspection of Colonial Pipeline's risk mitigation efforts and procedures and found, according to a press release on its website, a "probable failure to adequately plan and prepare for manual shutdown and restart of its pipeline system."
According to documents released by US DOT, Colonial uses a very complex system of hardware and software (known as a SCADA system) for their Control Room Management, which captures data and automates processes. By law, Colonial was supposed to continually test their backup servers "at least once each calendar year, but at intervals not to exceed 15 months."
Unfortunately, "Colonial failed to test the SCADA backup servers" at multiple control room locations.
In addition to the servers, US DOT also cited Colonial's "Failure to test and verify the operation of alarm and anomaly detectors."
This confirms just how important adhering to cybersecurity standards is, especially if you do contracted work with government entities.