Critical Infrastructure Protection:
Actions Needed to Address Weaknesses in TSA's Pipeline Security Program Management
GAO-19-542T: Published: May 1, 2019. Publicly Released: May 1, 2019.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-8777
russellw@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The U.S. depends on interstate pipeline systems to deliver products like oil and gas. These computerized systems are attractive targets for hackers and terrorists. (Cybersecurity, including the protection of cyber critical infrastructure, is on our High Risk List.)
We testified about weaknesses in how TSA manages its pipeline security efforts. For example, it had no process for determining when to update its security guidelines for pipeline operators. We previously made 10 recommendations, including that TSA establish better processes for updating its guidelines. In April 2019, TSA reported new procedures for doing so, which we are reviewing.
Hazardous Liquid and Natural Gas Pipelines in the United States, September 2018
Map showing network
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-8777
russellw@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has developed and provided pipeline operators with voluntary security guidelines, and also evaluates the vulnerability of pipeline systems through security assessments. However, GAO's prior work, reported in December 2018, identified some weaknesses and made recommendations to strengthen TSA's management of key aspects of its pipeline security program.
Pipeline security guidelines. GAO reported that TSA revised its voluntary pipeline security guidelines in March 2018 to reflect changes in the threat environment and incorporate most of the principles and practices from the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. However, TSA's revisions do not include all elements of the current NIST framework and TSA does not have a documented process for reviewing and revising its guidelines on a regular basis. GAO recommended that TSA implement a documented process for reviewing and revising TSA's Pipeline Security Guidelines at defined intervals. TSA has since outlined procedures for reviewing its guidelines, which GAO is reviewing to determine if they sufficiently address the recommendation.
Workforce planning. GAO reported that the number of TSA security reviews of pipeline systems has varied considerably over time. TSA officials stated that staffing limitations within its Pipeline Security Branch have prevented TSA from conducting more reviews. Staffing levels for the branch have varied significantly, ranging from 1 full-time equivalent in 2014 to 6 from fiscal years 2015 through 2018. Further, TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies—such as the required level of cybersecurity expertise—necessary to carry out its pipeline security responsibilities. GAO recommended that TSA develop a strategic workforce plan, which TSA plans to complete by July 2019.
Pipeline risk assessments. GAO identified factors that likely limit the usefulness of TSA's risk assessment methodology for prioritizing pipeline security reviews. For example, TSA has not updated its risk assessment methodology since 2014 to reflect current threats to the pipeline industry. Further, its sources of data and underlying assumptions and judgments regarding certain threat and vulnerability inputs are not fully documented. GAO recommended that TSA update its risk ranking tool to include up-to-date data to ensure it reflects industry conditions and fully document the data sources, assumptions and judgments that form the basis of the tool. As of April 2019, TSA reported taking steps to address these recommendations. GAO is reviewing documentation of these steps to determine if they sufficiently address the recommendations.
Monitoring performance. GAO reported that conducting security reviews was the primary means for TSA to assess the effectiveness of its efforts to reduce pipeline security risks. However, TSA has not tracked the status of key security review recommendations for the past 5 years. GAO recommended that TSA take steps to update information on security review recommendations and monitor and record their status, which TSA plans to address by November 2019
Why GAO Did This Study
More than 2.7 million miles of pipeline transport and distribute natural gas, oil, and other hazardous products throughout the United States. Interstate pipelines run through remote areas and highly populated urban areas, and are vulnerable to accidents, operating errors, and malicious physical and cyber-based attack or intrusion. Pipeline system disruptions could result in commodity price increases or widespread energy shortages. Several federal and private entities have roles in pipeline security. TSA is primarily responsible for the federal oversight of pipeline physical security and cybersecurity.
This statement summarizes previous GAO findings related to TSA's management of its pipeline security program. It is based on a prior GAO product issued in December 2018, along with updates as of April 2019 on actions TSA has taken to address GAO's recommendations from the report. To conduct the prior work, GAO analyzed TSA documents, such as its Pipeline Security Guidelines ; evaluated TSA pipeline risk assessment efforts; and interviewed TSA officials, 10 U.S. pipeline operators—a non-generalizable sample selected based on volume, geography, and material transported—and representatives from five pipeline industry associations. GAO also reviewed information on TSA's actions to implement its prior recommendations.
What GAO Recommends
GAO made 10 recommendations in its December 2018 report to strengthen TSA's management of its pipeline security program. DHS agreed and has described planned actions or timeframes for addressing these recommendations.
For more information, contact William Russell at (202) 512-8777 or russellw@gao.gov.
Dec 10, 2020
-
Uranium Management:
Actions to Mitigate Risks to Domestic Supply Chain Could Be Better Planned and CoordinatedGAO-21-28: Published: Dec 10, 2020. Publicly Released: Dec 10, 2020.
Dec 8, 2020
-
Offshore Wind Energy:
Planned Projects May Lead to Construction of New Vessels in the U.S., but Industry Has Made Few Decisions amid UncertaintiesGAO-21-153: Published: Dec 8, 2020. Publicly Released: Dec 8, 2020.
Nov 19, 2020
-
Nuclear Waste Disposal:
Better Planning Needed to Avoid Potential Disruptions at Waste Isolation Pilot PlantGAO-21-48: Published: Nov 19, 2020. Publicly Released: Nov 19, 2020.
Oct 29, 2020
-
Nuclear Safety:
DOE and the Safety Board Should Collaborate to Develop a Written Agreement to Enhance OversightGAO-21-141: Published: Oct 29, 2020. Publicly Released: Oct 29, 2020.
Oct 15, 2020
-
Nuclear Weapons:
NNSA Plans to Modernize Critical Depleted Uranium Capabilities and Improve Program ManagementGAO-21-16: Published: Oct 15, 2020. Publicly Released: Oct 15, 2020.
Jul 24, 2020
-
Nuclear Weapons:
Action Needed to Address the W80-4 Warhead Program's Schedule ConstraintsGAO-20-409: Published: Jul 24, 2020. Publicly Released: Jul 24, 2020.
Jun 24, 2020
-
National Nuclear Security Administration:
Analyzing Cost Savings Program Could Result in Wider Use and Additional Contractor EfficienciesGAO-20-451: Published: Jun 24, 2020. Publicly Released: Jun 24, 2020.
Jun 9, 2020
-
Nuclear Weapons:
NNSA Needs to Incorporate Additional Management Controls Over Its Microelectronics ActivitiesGAO-20-357: Published: Jun 9, 2020. Publicly Released: Jun 9, 2020.
May 13, 2020
-
Environmental Liabilities:
DOE Needs to Better Plan for Post-Cleanup Challenges Facing SitesGAO-20-373: Published: May 13, 2020. Publicly Released: May 13, 2020.
May 12, 2020
-
Hanford Waste Treatment Plant:
DOE Is Pursuing Pretreatment Alternatives, but Its Strategy Is Unclear While Costs Continue to RiseGAO-20-363: Published: May 12, 2020. Publicly Released: May 12, 2020.
Looking for more? Browse all our products here