Watchdog: Current pipeline security plans weak on cybersecurity, coordination

The Transportation Security Administration's plans for pipeline security aren't keeping up with rising threats in cyberspace, according to the Government Accountability Office.

An audit released June 5 found that the agency, which has primary responsibility for monitoring and securing the nation's 2.7 million miles of gas and oil pipelines, hasn't updated two plans that formally outline how agencies and other stakeholders should respond to security incidents in years.

TSA last issued its Pipeline Security and Incident Recovery Protocol Plan, which outlines roles and responsibilities for federal agencies and the private sector in the wake of a pipeline security incident, in 2010. Auditors said the plan hasn't been revised since then to account for the rising importance of cybersecurity threats to critical infrastructure. A similar agreement between TSA and the Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) outlining specific roles and responsibilities for pipeline security hasn't been updated since 2006.

The recovery protocol plan "does not identify the cybersecurity roles and responsibilities of federal agencies that are identified in the plan, such as [Department of Energy], Federal Energy Regulatory Commission (FERC), or the FBI, or discuss the measures these agencies should take to prevent, respond to, or support pipeline operators following a cyber incident involving pipelines," the report stated.

The plans also haven't been updated to reflect the establishment of the Cybersecurity and Infrastructure Security Agency in 2018. Since CISA has become one of the primary defensive cybersecurity agencies for the private sector, critical infrastructure entities and civilian federal agencies, PHMSA officials and representatives from energy industry associations expressed concern to auditors that the older plans may no longer reflect the current threat or interagency environment.

TSA, on the other hand, told GAO that it does not believe the establishment of CISA meaningfully impacts how it approaches pipeline security or identifying pipeline critical infrastructure. Officials also said they had not updated the recovery protocol plan to include cybersecurity response protocols "because an overarching cybersecurity response protocol for all critical infrastructure sectors -- not just pipelines -- should first be developed."

While representatives from industry pointed to these documents as valuable tools to easily and quickly clarify roles and responsibilities between stakeholders in the aftermath of an incident, they also said that TSA, PHMSA and other agencies still use security guidelines, regulations, advisory bulletins and general outreach efforts to communicate and coordinate. Still they reported that their understanding was less clear for how agency coordination would work in practice for cybersecurity-specific incidents.

There are already concerns that TSA may be struggling to handle its new responsibilities in an environment where hackers and adversarial nations routinely target and probe the nation's critical infrastructure for software and hardware security flaws. Sonya Proctor, director of the Surface Division for the Office of Security Policy and Industry Engagement at TSA, told lawmakers in February that her pipeline security team consisted of just five employees, none of whom have cybersecurity backgrounds.

The chairman of the Federal Energy Regulatory Committee has expressed skepticism about whether TSA is the best agency to handle pipeline security, while Sens. John Cornyn (R-Texas) and Martin Heinrich (D-N.M.) have introduced legislation that would transfer authority for the nation's pipelines to the Department of Energy.

Auditors made five recommendations, all of which deal with implementing formal protocols and timelines for updating their internal documents and agreements to account for "relevant changes in pipeline security threats, technology, federal law and policy and any other factors relevant to the security of the nation's pipeline systems."

In a written response, Jim Crumpacker of DHS liaison to GAO, wrote that TSA and PHMSA began working in 2018 to update their memorandum of agreement annex, but that effort was put on hold while the agencies waited for GAO's report. Keith Washington, deputy assistant for administration at DOT, said the two agencies worked on removing or revising "outdated references to certain Presidential Policy Directives and legal citations, as well as sections requiring revision to more accurately reflect current programs."