GAO inspectors urge improving pipeline security guidance procedures
The Transportation Security Administration (TSA) has some work to do as its newly revamped infrastructure cybersecurity agency tackles the protection of oil and natural gas pipelines from malevolent and hostile hackers.
The U.S. Government Accountability Office (GAO) issued a report on Dec. 19 that concluded the TSA and its parent organization, the Department of Homeland Security (DHS), needed to take several administrative steps to increase the efficiency and effectiveness of its guidance and oversight.
“TSA has established performance measures to monitor pipeline security, review recommendations, analyze their results, and assess effectiveness in reducing risks,” the GAO said in its 94-page report. “However, these measures do not possess key attributes – such as clarity and having measurable targets – that GAO has found are key to successful performance measures.”
The report was issued a month after President Trump signed the Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018. This measure reorganized the National Protection and Programs Directorate into the CISA with responsibility for helping pipeline operators protect the nearly 2.7 million miles of pipes and support facilities crisscrossing the United States.
The GAO determined that the dozens of companies in the pipeline sector had largely been left on their own in formulating cybersecurity protocols for their own networks. The investigators concluded that a key current shortcoming was the lack of a definitive TSA procedure for reviewing individual cybersecurity plans.
The report’s 10 recommendations focused on taking steps, including increased TSA staffing, to improve the review procedure so that it would be timely and clear to stakeholders, and keep the TSA’s Pipeline Security Guidelines updated on a regular basis.
Key members of Congress were quick to urge the DHS to heed the report’s recommendations, including a formal “assessment” of current pipeline protections.
“We write today to request that the Department of Homeland Security perform an assessment of current cyber and physical security protections for U.S. natural gas, oil, and other hazardous liquid pipelines and associated infrastructure. We also request a specific plan of action as to how DHS will address GAO’s concerns,” said a letter written to DHS Secretary Kirstjen Nielsen by U.S. Sen. Maria Cantwell (D-WA), and Rep. Frank Pallone (D-NJ). Pallone is the ranking Democrat on the House Energy and Commerce Committee. Cantwell is the senior Democrat on the Senate Energy and Natural Resources Committee.
“It’s clear from GAO’s work that while pipelines are reliable today, the TSA is not fully prepared to face the challenges of tomorrow,” Pallone said in a statement. “I’m concerned that TSA lacks both the resources and expertise in energy delivery systems to keep up with its obligations under the law.”
The energy industry also appeared willing to endorse the GAO findings.
The American Petroleum Institute (API) issued a statement applauding the TSA for its current efforts in collaborating with the energy industry in strengthening cybersecurity defenses. “Our industry believes that strong investments in the TSA keeps our energy system strong and secure and will continue to support improvements to how they manage their cybersecurity guidelines,” the industry association said. “We look forward to our continued partnership as the agency considers these recommendations.”
But the industry also cautioned against having the TSA taking too much of the initiative and eroding the ability of companies to create security measures that meet their individual needs.
“In this environment of rapidly evolving cyber threats, it is important that we take an approach that enables flexibility and allows us to quickly adapt and update protocols,” said Don Santa, president and CEO of the Interstate Natural Gas Association of America. “Experience shows that mandatory standards are often outdated almost as soon as they are introduced. We need the flexibility and ability to build on our baseline practices.”
