Critical Infrastructure Protection:

Actions Needed to Address Significant Weaknesses in TSA's Pipeline Security Program Management

GAO-19-48: Published: Dec 18, 2018. Publicly Released: Dec 19, 2018.

Contact:

Chris Currie
(404) 679-1875
curriec@gao.gov

 

Nick Marinos
(202) 512-9342
marinosn@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The nation depends on the interstate pipeline system to deliver oil, natural gas, and more. This increasingly computerized system is an attractive target for hackers and terrorists. (Protection of cyber critical infrastructure is on our High Risk List.)

We found weaknesses in how TSA manages its pipeline security efforts. For example, it has no process for determining when to update its guidelines for pipeline operators. Also, its method for assessing risks needs updating.

We made 10 recommendations, including establishing better processes for updating guidelines and assessing risks.

Map of Hazardous Liquid and Natural Gas Pipelines in the United States, September 2018

This map of the United States shows the massive network of pipelines.

What GAO Found

Pipeline operators reported using a range of guidelines and standards to address physical and cybersecurity risks, including the Department of Homeland Security's (DHS) Transportation Security Administration's (TSA) Pipeline Security Guidelines, initially issued in 2011. TSA issued revised guidelines in March 2018 to reflect changes in the threat environment and incorporate most of the principles and practices from the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. However, TSA's revisions do not include all elements of the current framework and TSA does not have a documented process for reviewing and revising its guidelines on a regular basis. Without such a documented process, TSA cannot ensure that its guidelines reflect the latest known standards and best practices for physical security and cybersecurity, or address the dynamic security threat environment that pipelines face. Further, GAO found that the guidelines lack clear definitions to ensure that pipeline operators identify their critical facilities. GAO's analysis showed that operators of at least 34 of the nation's top 100 critical pipeline systems (determined by volume of product transported) deemed highest risk had identified no critical facilities. This may be due, in part, to the guidelines not clearly defining the criteria to determine facilities' criticality.

U.S. Pipeline Systems' Basic Components and Vulnerabilities

To assess pipeline security risks, TSA conducts pipeline security reviews—Corporate Security Reviews and Critical Facility Security Reviews—to assess pipeline systems' vulnerabilities. However, GAO found that the number of TSA security reviews has varied considerably over the last several years, as shown in the table on the following page.

Pipeline Security Reviews Conducted, Fiscal Year 2010 through July 2018

a. Fiscal year 2018 data are through July 31, 2018.

b. Fiscal years 2010 and 2011 represent Critical Facility Inspections—the predecessor of the Critical Facility Security Review.

TSA officials stated that staffing limitations have prevented TSA from conducting more reviews. Staffing levels for TSA's Pipeline Security Branch have varied significantly since fiscal year 2010 with the number of staff ranging from 14 full-time equivalents in fiscal years 2012 and 2013 to 1 in 2014. Further, TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies—such as the required level of cybersecurity expertise—necessary to carry out its pipeline security responsibilities. By establishing a strategic workforce plan, TSA can help ensure that it has identified the necessary skills, competencies, and staffing.

GAO also identified factors that likely limit the usefulness of TSA's risk assessment methodology for prioritizing pipeline system reviews. Specifically, TSA has not updated its risk assessment methodology since 2014 to reflect current threats to the pipeline industry. Further, its sources of data and underlying assumptions and judgments regarding certain threat and vulnerability inputs are not fully documented. In addition, the risk assessment has not been peer reviewed since its inception in 2007. Taking steps to strengthen its risk assessment, and initiating an independent, external peer review would provide greater assurance that TSA ranks relative risk among pipeline systems using comprehensive and accurate data and methods.

TSA has established performance measures to monitor pipeline security review recommendations, analyze their results, and assess effectiveness in reducing risks. However, these measures do not possess key attributes—such as clarity, and having measurable targets—that GAO has found are key to successful performance measures. By taking steps to ensure that its pipeline security program performance measures exhibit these key attributes, TSA could better assess its effectiveness at reducing pipeline systems' security risks. Pipeline Security Branch officials also reported conducting security reviews as the primary means for assessing the effectiveness of TSA's efforts to reduce pipeline security risks. However, TSA has not tracked the status of Corporate Security Review recommendations for the past 5 years. Until TSA monitors and records the status of these reviews' recommendations, it will be hindered in its efforts to determine whether its recommendations are leading to significant reduction in risk.

Why GAO Did This Study

More than 2.7 million miles of pipeline transport and distribute oil, natural gas, and other hazardous products throughout the United States. Interstate pipelines run through remote areas and highly populated urban areas, and are vulnerable to accidents, operating errors, and malicious physical and cyber-based attack or intrusion. The energy sector accounted for 35 percent of the 796 critical infrastructure cyber incidents reported to DHS from 2013 to 2015. Several federal and private entities have roles in pipeline security. TSA is primarily responsible for the oversight of pipeline physical security and cybersecurity.

GAO was asked to review TSA's efforts to assess and enhance pipeline security and cybersecurity. This report examines, among other objectives: (1) the guidance pipeline operators reported using to address security risks and the extent that TSA ensures its guidelines reflect the current threat environment; (2) the extent that TSA has assessed pipeline systems' security risks; and (3) the extent TSA has assessed its effectiveness in reducing pipeline security risks.

GAO analyzed TSA documents, such as its Pipeline Security Guidelines; evaluated TSA pipeline risk assessment efforts; and interviewed TSA officials, 10 U.S. pipeline operators—selected based on volume, geography, and material transported—and representatives from five industry associations.

What GAO Recommends

GAO makes 10 recommendations to TSA to improve its pipeline security program management (many are listed on the next page), and DHS concurred.

GAO recommends, among other things, that the TSA Administrator take the following actions:

implement a documented process for reviewing, and if deemed necessary, for revising TSA's Pipeline Security Guidelines at defined intervals;

clarify TSA's Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities;

develop a strategic workforce plan for TSA's Security Policy and Industry Engagement's Surface Division;

update TSA's pipeline risk assessment methodology to include current data to ensure it reflects industry conditions and threats;

fully document the data sources, underlying assumptions and judgments that form the basis of TSA's pipeline risk assessment methodology;

take steps to coordinate an independent, external peer review of TSA's pipeline risk assessment methodology;

ensure the Security Policy and Industry Engagement's Surface Division has a suite of performance measures which exhibit key attributes of successful performance measures; and

enter information on Corporate Security Review recommendations and monitor and record their status.

For more information, contact Chris Currie at (404) 679-1875 or curriec@gao.gov or Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We found that TSA's Pipeline Security Branch had revised its security guidelines in March 2018 to, among other things, reflect the dynamic threat environment and incorporate NIST's Cybersecurity Framework principles and practices. However, TSA had not instituted a documented process to consider the need to update the Pipeline Security Guidelines on a regular basis. As a result, we found that without a documented process defining how frequently TSA is to review and revise its guidelines, TSA could not ensure that its guidelines reflect the latest known standards and best practices for physical and cybersecurity. Therefore, we recommended that TSA implement a documented process for reviewing, and if deemed necessary, revising TSA's Pipeline Security Guidelines at regular defined intervals. In response, in March 2019 TSA officials established an internal operating procedure that documents the review and revision process for all of TSA's surface transportation security guidance, which includes its Pipeline Security Guidelines. Per the procedure, TSA's Surface Division is to review, and if deemed appropriate revise, its surface transportation security guidance to ensure they remain current and appropriate using risk-based principles on an annual basis. Further, TSA's Surface Division is to update its security guidance, at a minimum, every five years but may update them earlier if TSA determines that new or revised are in the public interest. These actions are consistent with our recommendation.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to implement a documented process for reviewing, and if deemed necessary, for revising TSA's Pipeline Security Guidelines at regular defined intervals. (Recommendation 1)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  2. Status: Open

    Comments: As of June 2019, TSA reported that it completed a review of the Pipeline Security Guideline criteria for determining critical facilities. TSA met with pipeline industry representatives in April 2019 to review the criteria and other stakeholders are currently reviewing the criteria, according to TSA officials. TSA expects to submit a draft of the criteria to GAO for review by September 30, 2019. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to clarify TSA's Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities. (Recommendation 2)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  3. Status: Open

    Comments: DHS concurred with this recommendation and stated that TSA will develop a strategic workforce plan for the division, which includes determining the number of personnel necessary to meet the goals set for the Pipeline Security Branch, as well as the knowledge, skills, and abilities, including cybersecurity, that are needed to effectively conduct CSRs and CFSRs. As of June 2019, DHS reported that TSA had not initiated action on this recommendation due to work addressing other GAO recommendations related to pipeline security. We will continue to monitor the status of any efforts to develop a strategic workforce plan in response to this recommendation.

    Recommendation: The TSA Administrator should develop a strategic workforce plan for its Security Policy and Industry Engagement's Surface Division, which could include determining the number of personnel necessary to meet the goals set for its Pipeline Security Branch, as well as the knowledge, skills, and abilities, including cybersecurity, that are needed to effectively conduct Corporate Security Reviews (CSR) and Critical Facility Security Reviews (CFSR). (Recommendation 3)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  4. Status: Open

    Comments: DHS concurred with this recommendation and stated that TSA will update the Pipeline Relative Risk Ranking Tool to include up-to-date data in order to ensure it reflects industry conditions, including throughput and threat data. DHS provided information in June 2019 indicating actions taken to address this recommendation, such as updated throughput information. As of August 2019, we requested additional documentation to determine whether this recommendation was fully addressed.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to update the Pipeline Relative Risk Ranking Tool to include up-to-date data to ensure it reflects industry conditions, including throughput and threat data. (Recommendation 4)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  5. Status: Open

    Comments: DHS concurred with this recommendation and stated that TSA will fully document the data sources, underlying assumptions, and judgments that form the basis of the Pipeline Relative Risk Ranking Tool. According to DHS, this will include sources of uncertainty and any implications for interpreting the results from the assessment. In June 2019 DHS provided information indicating actions taken to address this recommendation, such as documented descriptions of data sources. However, as of August 2019, we requested additional documentation to determine whether this recommendation was fully addressed.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to fully document the data sources, underlying assumptions and judgments that form the basis of the Pipeline Relative Risk Ranking Tool, including sources of uncertainty and any implications for interpreting the results from the assessment. (Recommendation 5)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  6. Status: Open

    Comments: As of June 2019, TSA officials reported meeting with representatives from the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) in February and March 2019 for their input on the identification of sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities. TSA officials stated that efforts to incorporate DHS and FEMA input are ongoing. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to identify or develop other data sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities and incorporate that data into the Pipeline Relative Risk Ranking Tool to assess relative risk of critical pipeline systems, which could include data on prior attacks, natural hazards, feedback data on pipeline system performance, physical pipeline condition, and cross-sector interdependencies. (Recommendation 6)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  7. Status: Open

    Comments: DHS concurred with this recommendation and stated that, after completing enhancements to its risk assessment approach, TSA will take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool. DHS estimated that this effort would be completed by December 31, 2019.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool, after the Pipeline Security Branch completes enhancements to its risk assessment approach. (Recommendation 7)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  8. Status: Open

    Comments: As of June 2019, TSA reported completing a review and initial update of data collection and analysis associated with TSA's assessment of pipeline operator compliance with the TSA Pipeline Security Guidelines. The review and update included a revision of assessment tools currently in place and the development of new data analysis "workbooks," according to TSA officials. DHS estimated that this effort would be completed by December 31, 2019.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to ensure that it has a suite of performance measures which exhibit key attributes of successful performance measures, including measurable targets, clarity, and baseline and trend data. (Recommendation 8)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  9. Status: Open

    Comments: As of June 2019, TSA reported developing a tool for pipeline operators to indicate the status of CSR recommendations. TSA expects to begin monitoring implementation of CSR recommendations in October 2019. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to take steps to enter information on CSR recommendations and monitor and record their status. (Recommendation 9)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  10. Status: Open

    Comments: DHS concurred with this recommendation and stated that TSA will develop written documentation of its data entry and verification procedures, implementing standardized data entry formats, and correcting existing data entry errors. However, TSA officials reported in June 2019 that implementing this recommendation is dependent on completion of TSA's assessment tools and follow up processes (recommendations 8 and 9). We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

    Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to improve the quality of its pipeline security program data by developing written documentation of its data entry and verification procedures, implementing standardized data entry formats, and correcting existing data entry errors. (Recommendation 10)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

 
