Are Pipelines Cyber Secure? Not to 2019 Standards, Says GAO

More than 2.7 million miles of pipeline transport the natural gas, oil, and other hazardous liquids the nation needs. The Departments of Homeland Security and Transportation share responsibility for safeguarding these pipelines along with pipeline operators.

In 2010, DHS’s Transportation Security Administration (TSA) issued a plan to coordinate pipeline security incident responses among government agencies and with the private sector. However, a June 5 Government Accountability Office (GAO) report finds TSA has not updated this plan since its issuance, and it does not fully reflect developments in key areas, such as cybersecurity.

The memorandum of understanding (MOU) Annex signed by the TSA and Pipeline and Hazardous Materials Safety Administration (PHMSA) in 2006 delineates their mutually agreed-upon roles and responsibilities for pipeline security, but has not been reviewed to consider pipeline security developments since its inception. As a result, the Annex may not fully reflect the agencies’ pipeline security and safety-related activities. Efforts to update the Annex have been delayed by other priorities. As of June 2019, there are still no timeframes for completion.

TSA’s Pipeline Security and Incident Recovery Protocol Plan, issued in March 2010, defines the roles and responsibilities of federal agencies and the private sector, among others, related to pipeline security incidents. For example, in response to a pipeline incident, TSA coordinates information sharing between federal and pipeline stakeholders, and PHMSA coordinates federal activities with an affected pipeline operator to restore service. However, TSA has not revised the plan to reflect changes in at least three key areas: pipeline security threats, such as those related to cybersecurity; incident management policies; and DHS’s terrorism alert system. By periodically reviewing and, as appropriate, updating its plan, TSA could better ensure it addresses changes in pipeline security threats and in federal law and policy related to cybersecurity, incident management and DHS’s terrorism alert system, among other things. GAO says TSA could also provide greater assurance that pipeline stakeholders understand federal roles and responsibilities related to pipeline incidents, including cyber incidents, and that response efforts to such incidents are well-coordinated.

GAO recommends that the TSA Administrator and the PHMSA Administrator work together to develop and implement a timeline with milestone dates for reviewing and, as appropriate, updating the 2006 MOU Annex. DHS expects to complete this action by the end of August 2019. GAO also wants the two parties to consult on revising the Annex to include a provision requiring periodic reviews of the Annex and, as appropriate, corresponding updates. DHS expects this to be completed by March 31, 2020.

Further, GAO calls for the TSA Administrator to periodically review and, as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation’s pipeline systems. DHS concurred and estimated that TSA will complete its first review by December 31, 2019, and will establish a timeline for updating the plan should the review determine that an update is necessary.

Read the full report at GAO

Kylie Bielby has 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. She is an editor and contributor for Jane's by IHS Markit, a columnist for security and counter-terror publications, and a former managing editor for Homeland Security Today.
