The US Government Accountability Office (GAO) issued a report on December 18, 2018, identifying significant weaknesses in the Department of Homeland Security’s (DHS) Transportation Security Administration’s (TSA) Pipeline Security Program management and recommending improvements to address those weaknesses. The report was driven by a recognition that “pipelines increasingly rely on sophisticated networked computerized systems and electronic data, which are vulnerable to cyber attack or intrusion,” and that “new threats to the nation’s pipeline systems have evolved to include sabotage by environmental activists and cyber attack or intrusion by nations.”
Operators of pipelines for the interstate transportation of oil, natural gas, and other hazardous liquids follow TSA guidelines to address physical and cybersecurity risks. Unlike electric utilities, pipelines are not subject to mandatory standards such as those developed and enforced by the North American Electric Reliability Organization (NERC) and overseen by the Federal Energy Regulatory Commission (FERC). Although FERC issues certificates for new interstate pipelines and sets their rates, pipeline security is the responsibility of TSA.
Pipeline operators follow guidelines including TSA’s Pipeline Security Guidelines. The initial guidelines were issued in 2011 and updated in March 2018 to respond to new threats to pipelines and to incorporate most of the principles and practices from the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. However, unlike NERC reliability standards, these guidelines are not mandatory or enforceable.
The recent GAO report highlighted weaknesses in TSA’s revised guidelines, particularly that TSA does not have a documented process for reviewing and revising its guidelines on a regular basis. GAO noted that the lack of a documented process may cause the TSA guidelines to not address the latest known standards and best practices for physical security and cybersecurity.
Other weaknesses included not incorporating the entirety of NIST’s current framework and not defining terms clearly enough for pipeline operators to identify their critical facilities. GAO noted that at least 34 of the nation’s top 100 critical pipeline systems deemed highest risk had not identified any critical facilities, which the report suggested may be the result of the weaknesses in the TSA guidelines.
The report’s recommendations address the identified weaknesses and include developing written documentation of TSA Pipeline Security Program procedures for reviewing and revising guidelines, and defining key terms within its criteria for determining critical facilities. Other recommendations relate to the Pipeline Security Program’s data, including incorporating corporate security reviews, revising data entry formats, and documenting data verification procedures. Further recommendations relate to the TSA Pipeline Security Program’s Pipeline Relative Risk Ranking Tool, with a focus on expanding and documenting the underlying risks and assumptions used in the tool and establishing an independent, external peer review of the tool.
Ranking members of the Senate Energy and Natural Resources Committee and the House Energy and Commerce Committee recently issued a letter to DHS Secretary Kirstjen Nielsen recommending immediate actions to better protect pipelines from cyberattacks. The letter expresses concern that “TSA is not fully prepared to face the challenges of tomorrow” in regard to maintaining pipeline reliability and security. The letter requests that DHS perform an assessment of current physical security and cybersecurity protections for pipelines, and develop a plan of action as to how DHS will address GAO’s concerns raised in the report.
While the letter was issued in response to the GAO report, Congress, the Department of Energy, DHS, FERC, and NERC have each discussed pipeline security in the past. These discussions have included whether new action, such as increased interagency cooperation and establishing mandatory standards for pipelines, is necessary to ensure that pipelines are protected from physical and cyber threats.