The Transportation Security Administration, tasked with overseeing U.S. oil and gas pipeline cybersecurity, has not kept up with the latest threats to the industry and has not been clear enough in its expectations to ensure that pipeline operators are appropriately evaluating their risks, according to a report from the U.S. Government Accountability Office.
"To help ensure the safety of our pipelines throughout the nation, it is important for TSA to address weaknesses in the management of its pipeline security program," said the government watchdog's report, released Dec. 19. "A successful pipeline attack could have dire consequences on public health and safety, as well as the U.S. economy."
The industry and the TSA do not have a common understanding of the sector's risks, the GAO said. Of the nation's 100 most critical pipeline systems, based on volume, at least 34 had not identified any of their facilities as critical, the report found. The GAO recommended that the TSA more clearly define what constitutes "critical facilities." The agency did revise and reissue its guidelines in 2018, but the revision still did not include clearly defined terms for pipeline operators to figure out how critical their facilities are, the GAO said.
The GAO recommended that the TSA have a documented process for regularly reviewing and revising the pipeline security guidelines.
The administration also needs to know whether its risk assessments are effective, the GAO said. As part of that, the GAO recommended that the TSA update its methodology with more modern data to make sure the risk assessments reflect the industry's current conditions and threats. The TSA's risk assessment methods for figuring out which pipeline system reviews to prioritize also have not been updated since 2014 and have not been peer reviewed since they were originally put in place in 2007, the GAO noted, recommending that the agency revisit these criteria more often.
Also among the issues in recent years has been staffing, the GAO said. The TSA's pipeline security branch has had widely varying staffing levels since the 2010 fiscal year, ranging from only one person to as many as 14, the GAO noted. As a result of staffing fluctuations, the number of pipeline security reviews the agency has done in recent years has varied a great deal, ranging from more than 170 in 2010 to fewer than 60 in some years, the GAO found.
The U.S. Department of Homeland Security, which houses the TSA, challenged the GAO's conclusions. While acknowledging that all federal programs "have room for improvement," the department said in a letter that the GAO's "use of 'significant weaknesses' in the report title is an unfortunate mischaracterization that does not accurately convey the overall program effectiveness or account for the substantial work TSA has accomplished."
Still, Homeland Security agreed with the GAO's recommendations to the agency and highlighted its plans to address cyber threats.
"DHS and TSA recognize the challenging and evolving nature of the threat, particularly with regard to cybersecurity," the department told the GAO, noting that the TSA would be doing 10 in-depth cybersecurity reviews with pipeline companies during the 2019 fiscal year.
The Interstate Natural Gas Association of America, which represents pipeline companies, said the GAO study "raises a number of important questions," adding that the association appreciates that the TSA has increasingly been working with the U.S. Department of Energy on its cybersecurity assessments for pipelines.
The TSA is the primary agency responsible for overseeing pipelines' cybersecurity and physical security. Of the 796 critical infrastructure cyber incidents reported in 2013 through 2015, 35% were related to the energy sector, the GAO noted.