The Transportation Security Administration's (TSA) natural gas and oil pipeline security guidelines aren't keeping pace with cybersecurity standards, according to a study by the U.S. Government Accountability Office (GAO).
Revisions to TSA's pipeline security guidelines issued earlier this year did not include all elements of the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, and TSA does not have a documented process for reviewing and revising its guidelines on a regular basis, according to the GAO report.
"Without such a documented process, TSA cannot ensure that its guidelines reflect the latest known standards and best practices for physical security and cybersecurity, or address the dynamic security threat environment that pipelines face," GAO said.
In addition, GAO found that TSA relies on the industry's self-evaluation "using ill-defined criteria" to determine whether pipeline operators have critical facilities within their pipeline systems. "As a result, approximately one third of the top 100 systems based on volume indicated to TSA that they do not have any critical facilities and TSA did not conduct an onsite review of these facilities," GAO said.
GAO made 10 recommendations to TSA to improve its pipeline security program management, including establishing better processes for updating guidelines and assessing risks.
TSA is an agency of the U.S. Department of Homeland Security (DHS).
Sen. Maria Cantwell (D-WA) and Rep. Frank Pallone (D-NJ) on Wednesday released a letter calling on DHS Secretary Kirstjen Nielsen "to perform an assessment of current cyber and physical security protections for U.S. natural gas, oil, and other hazardous liquid pipelines and associated infrastructure," and to "request a specific plan of action as to how DHS will address GAO's concerns."
Earlier this year, FERC Commissioners Neil Chatterjee and Richard Glick suggested shifting natural gas pipeline cybersecurity oversight from TSA to the Department of Energy (DOE). Electricity grid operators are required to comply with Federal Energy Regulatory Commission security standards, but there are no comparable standards for the nation's network of natural gas pipelines, they said.