The Government Accountability Office reported yesterday it has found "significant weaknesses" in the oversight of cyber and physical defenses of the nation’s natural gas, oil and other hazardous liquids pipelines by the Transportation Security Administration (TSA).
TSA, the Department of Homeland Security division in charge of airport security, has been unable to make a comprehensive review of pipeline cybersecurity defenses because of a gaping shortage of qualified inspectors, the GAO report confirms. TSA’s Pipeline Security Branch had six full-time staff positions in fiscal 2018, an improvement over 2014, when there was one, the GAO report said. TSA’s oversight handicaps were documented in an E&E News special report in 2017 (Energywire, May 23, 2017).
Without a more defined process for security reviews, TSA cannot ensure that its voluntary cyber and physical defense guidelines "address the persistent and dynamic security threat environment currently facing the nation’s pipeline system," GAO said.
Jim Crumpacker, director of DHS’s liaison office with GAO, wrote to the agency last month that DHS concurs with 10 recommended actions GAO advanced, but added that the "significant weaknesses" conclusion "is an unfortunate mischaracterization" that doesn’t convey the effectiveness of TSA’s overall program and its achievements.
The GAO critique, requested by Sen. Maria Cantwell (D-Wash.) and Rep. Frank Pallone (D-N.J.) as ranking members on their chamber’s energy committees, is likely to escalate a policy debate about how the gas pipeline industry in particular should be regulated at a time when electric power generators are increasingly reliant on gas, according to insiders involved in the issue.
More than 3,000 companies operate the U.S. pipeline systems, spanning 2.7 million miles of pipes, the majority of which deliver long-distance transportation and local distribution of natural gas. Gas is a critical source of fuel for heating and electricity generation, and it’s the major feedstock for petrochemical production. Gas pipelines were among the energy facilities targeted by Russian state-backed hackers in 2017 who sought to implant hidden surveillance malware, the FBI and DHS reported in March. DHS has not identified any pipelines that were compromised.
Cantwell and Pallone released a letter sent yesterday to DHS Secretary Kirstjen Nielsen asking DHS to determine the cyber and physical security of the pipeline networks and to respond to GAO’s issues.
"TSA relies on the industry’s self-evaluation using ill-defined criteria provided by TSA to determine whether a specific pipeline has a critical facility within its pipeline system," the two legislators said. Operators of one-third of the nation’s 100 largest pipeline systems have told TSA that they have no "critical" pipeline segments, based on assessments of threats and vulnerabilities, and thus were not subject to TSA review.
Calls for reform
Congress gave responsibility for pipeline cyber and physical security oversight to TSA following the Sept. 11, 2001, terrorist attacks. TSA has authority to institute mandatory regulation of the sector but elected for a voluntary, collaborative approach, in contrast to the enforced cyber regulations that high-voltage power grid operators must meet.
Pipeline companies and their trade groups say they are heavily engaged in sharing cyberthreat information, best defensive practices and skills training, but have not done comprehensive industry reviews. Neither the Energy Department nor the Federal Energy Regulatory Commission has explicit authority to inspect pipeline cybersecurity.
Criticism of TSA’s performance has led senior DOE officials and several FERC commissioners to question whether pipeline oversight should be strengthened. DHS officials and pipeline industry lobbyists are dug in to oppose a change in TSA’s review role that would shift the responsibility to DOE.
In January, Pallone is in line to lead the House Energy and Commerce Committee, giving him the gavel on pipeline security scrutiny. His office declined comment yesterday on how Pallone will take up the issue next year when Democrats gain the majority in the House.
FERC Chairman Neil Chatterjee in a Twitter post yesterday said the GAO report "underscores concerns" that he and Commissioner Richard Glick raised earlier this year about TSA’s pipeline role, though he added he was pleased by recent efforts by DHS and the industry to improve security. Chatterjee added later he was "proud to join" Glick in calling for heightened natural gas cybersecurity measures.
The newest FERC commissioner, Bernard McNamee, played an important role at DOE in preparing a DOE policy proposal in 2017 that would channel subsidies to coal and nuclear power plants to prevent their premature retirement as a power grid security measure. McNamee was then deputy DOE general counsel for policy. DOE policy officials have argued that natural gas generators are at greater risk than coal and nuclear plants because of their long-distance gas supply lines. McNamee said consideration of a change from voluntary to mandatory security standards for pipelines was an issue best suited for Congress and TSA rather than FERC, in comments to the Senate Energy and Natural Resources Committee.
The GAO reviewers balanced their criticism by noting that the pipeline sector "is generally considered to be resilient and versatile." They added that pipeline operators historically have been able to quickly respond to outages, the agency’s report said.
But pipeline operators are increasingly deploying computer-based control systems to manage pipeline operations, expanding vulnerabilities to cyberattack from inside and outside the networks, GAO said. The agency made no assessment of whether or how much pipeline systems are at risk but found that TSA oversight doesn’t answer the question.
Pipeline industry organizations defended their cybersecurity readiness in statements yesterday.
Industry prefers voluntary standards
The American Petroleum Institute said: "Cyber threats are not new or unique to pipelines; they are present across the energy system, including at coal and nuclear plants. Pipeline companies have layers of security in place to protect against cascading failure, which also include mechanical controls that are not capable of being overridden through any cyber compromise."
Reliance on voluntary cooperation is a better defense "than prescriptive standards or regulations," API said.
Don Santa, president and CEO of the Interstate Natural Gas Association of America, representing long-distance pipelines, said in a statement, "In the time since this study was commissioned, a number of initiatives have been undertaken by the industry and our federal agency partners."
He cited a new joint partnership with TSA, DHS and DOE to conduct cybersecurity assessments of pipelines. "We believe this interagency approach will bring to bear the particular expertise of each agency, along with those of the industry itself." Making a case for continuation of voluntary oversight and adaptive responses, he said, "Experience shows that mandatory standards are all too often outdated almost as soon as they are introduced."
Dave McCurdy, chief executive of the American Gas Association, speaking for gas utilities, gave TSA a vote of confidence. "They understand the industry and have a strong working relationship with natural gas utilities." AGA is "advocating to increase the federal government’s capability to assess our members’ cybersecurity programs by expanding budgets and staff at TSA so that they can come into our member companies and make the assessments themselves."
In a statement yesterday, a DHS official said, "TSA is extremely proud of the effective work done in fostering collaboration with the pipeline industry to significantly improve physical security and cybersecurity. This has included the publication of security guidelines, extensive information sharing, and the conduct and analysis of pipeline security reviews.
"TSA looks forward to working with Federal partners and the pipeline industry in continuously improving physical and cyber security in this critical mode of transportation."
Reporters Blake Sobczak and Rod Kuckro contributed.