The US Transportation Security Administration needs to address significant weaknesses in its oil and gas pipeline security program, which has not been changed materially since it was established in 2011, the Government Accountability Office said in a Dec. 19 report.
Revised guidelines which the US Department of Homeland Security agency issued in March in response to changing threats do not include all of the current framework’s elements, and TSA does not have a documented process for reviewing and revising its guidelines regularly, it indicated.
“Without such a documented process, TSA cannot ensure that its guidelines reflect the latest known standards and best practices for physical security and cybersecurity or address the dynamic security threat environment that pipelines face,” the report said.
“Further, GAO found that the guidelines lack clear definitions to ensure that pipeline operators identify their critical facilities.”
The congressional watchdog service said its analysis showed that operators of at least 34 of the nation’s top 100 critical pipeline systems (determined by transported product volumes) deemed highest risk had identified no critical facilities. This may be due, in part, to the guidelines not clearly defining the criteria to determine whether facilities are critical, it suggested.
GAO’s report recommended that TSA Administrator David Pekoske:
- Implement a documented process for reviewing and, if necessary, revising TSA’s pipeline security guidelines at defined intervals.
- Clarify the guidelines by defining key criteria for determining critical facilities.
- Develop a strategy workforce plan for TSA’s Security Policy and Industry Engagement‘s Surface Division.
- Update TSA’s pipeline risk assessment methodology to include current data to assure it reflects industry conditions and threats.
- Fully document the data sources, underlying assumptions, and judgments that form the basis of TSA’s pipeline risk assessment methodology.
- Take steps to coordinate an independent, external peer review of TSA’s pipeline risk assessment methodology.
- Ensure the SPIE’s Surface Division has a suite of performance measures which exhibit key attributes of successful performance measures.
- And enter information on Corporate Security Review recommendations and monitor and record their status.
The Natural Gas Council, which is comprised of five trade associations representing nearly all aspects of the production, transportation, sales, and deliveries of the fuel in the US, said that GAO’s study raised several important questions which the groups are reviewing. It also questioned the report’s conclusion that the TSA program has significant weaknesses.
“The current cybersecurity guidelines are performance-based, which allows the industry to stay ahead of emerging threats and gives companies the flexibility necessary to respond to a constantly changing landscape,” it said in a Dec. 19 statement. “The GAO report is a snapshot in time of TSA’s cybersecurity efforts.”
NGC said that since GAO conducted its research, TSA has made great strides to facilitate a fuller partnership among government, industry, and regulators, including the recent Pipeline Cybersecurity Assessment Initiative that is a collaboration among TSA, DHS, the Cybersecurity Information Security Agency (CISA), and the US Department of Energy.
“Additionally, the Oil and Natural Gas Sector Coordinating Council has announced a cross-sector working group to engage interdependent sectors that need to understand better how the industry prepares for and responds to security events,” the group continued. “Our industry has long supported adequate resourcing for TSA and looks forward to working together in the future to see how these recommendations are implemented.”
The Natural Gas Supply Association, Interstate Natural Gas Association of America, Independent Petroleum Association of America, American Petroleum Institute, and American Gas Association are the NGC’s members.