Pipelines are becoming increasingly important to the United States for transporting fuels of all forms across the nation.
As pipeline networks become more digital, the benefits are strong, but digitization also creates a larger attack surface.
That is why the General Accountability Office (GAO) conducted an audit and found weaknesses in how the Transportation Security Agency (TSA) manages its pipeline security efforts. In one case, it has no process for determining when to update its guidelines for pipeline operators. Also, its method for assessing risks needs updating.
After news about the GAO audit came out, Democrats on the House and Senate energy committees urged the Department of Homeland Security (DHS) to assess cyber and physical protections for natural gas and oil pipelines.
That request comes after the GAO audit criticizing DHS’ approach to the issue.
“The results of this assessment will help policymakers evaluate the security of our nation’s energy assets,” Sen. Maria Cantwell, D-Wash., and Rep. Frank Pallone, Jr., D-N.J., wrote to Homeland Security Secretary Kirstjen Nielsen.
Risk on Rise
Operators of the nation’s 2.7 million miles of pipelines for oil, natural gas, and other hazardous liquids have grappled with cybersecurity risk as their infrastructure becomes more digitized.
The GAO report also said TSA guidance “lack clear definitions to ensure that pipeline operators identify their critical facilities.”
TSA has not tracked the status of recommendations made by the agency’s “corporate security reviews” of pipeline systems over the past five years, GAO said. “Without current, complete, and accurate information, it is difficult for TSA to evaluate the performance of the pipeline security program,” GAO said.
Cantwell and Pallone, Jr., asked DHS to produce a “specific plan of action” for addressing GAO’s findings.
U.S. officials dealing with critical infrastructure have placed an increasing emphasis on pipeline security in recent months.
But in a statement Wednesday, Pallone, Jr., said he was “concerned that TSA lacks both the resources and expertise in energy delivery systems to keep up with its obligations under the law.”
Cantwell and Pallone, Jr., asked DHS other questions, including which federal agency would be charged with enforcing mandatory pipeline security standards, should Congress enact them. The lawmakers also want to know the percentage of pipelines that are fully compliant with the voluntary guidelines, which TSA updated in March to account for emerging cyberthreats.
GAO made 10 recommendations to TSA to improve its pipeline security program management:
1. Direct the Security Policy and Industry Engagement’s Surface Division to implement a documented process for reviewing, and if deemed necessary, for revising TSA’s Pipeline Security Guidelines at regular defined intervals.
2. Direct the Security Policy and Industry Engagement’s Surface Division to clarify TSA’s Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities.
3. Develop a strategic workforce plan for its Security Policy and Industry Engagement’s Surface Division, which could include determining the number of personnel necessary to meet the goals set for its Pipeline Security Branch, as well as the knowledge, skills, and abilities, including cybersecurity, that are needed to effectively conduct Corporate Security Reviews (CSR) and Critical Facility Security Reviews (CFSR).
4. Direct the Security Policy and Industry Engagement’s Surface Division to update the Pipeline Relative Risk Ranking Tool to include up-to-date data to ensure it reflects industry conditions, including throughput and threat data.
5. Direct the Security Policy and Industry Engagement’s Surface Division to fully document the data sources, underlying assumptions and judgments that form the basis of the Pipeline Relative Risk Ranking Tool, including sources of uncertainty and any implications for interpreting the results from the assessment.
6. Direct the Security Policy and Industry Engagement’s Surface Division to identify or develop other data sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities and incorporate that data into the Pipeline Relative Risk Ranking Tool to assess relative risk of critical pipeline systems, which could include data on prior attacks, natural hazards, feedback data on pipeline system performance, physical pipeline condition, and cross-sector interdependencies.
7. Direct the Security Policy and Industry Engagement’s Surface Division to take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool, after the Pipeline Security Branch completes enhancements to its risk assessment approach.
8. Direct the Security Policy and Industry Engagement’s Surface Division to ensure it has a suite of performance measures which exhibit key attributes of successful performance measures, including measurable targets, clarity, and baseline and trend data.
9. Direct the Security Policy and Industry Engagement’s Surface Division to take steps to enter information on CSR recommendations and monitor and record their status.
10. Direct the Security Policy and Industry Engagement’s Surface Division to improve the quality of its pipeline security program data by developing written documentation of its data entry and verification procedures, implementing standardized data entry formats, and correcting existing data entry errors.