Tech

TSA pipeline cybersecurity under review

The agency revised how it updates voluntary security guidelines for pipeline operators in April to address increased threats of hacking and environmental terrorism.

By Dave Nyczepir

May 6, 2019

an image of the trans-alaskan oil pipeline that carries oil from the northern part of Alaska all the way to valdez. this shot is right near the arctic national wildlife refuge

The Government Accountability Office is currently reviewing the process for updating pipeline security guidelines to better protect the cybersecurity of the critical infrastructure, according to a recent report.

The Transportation Security Administration oversees the physical security and cybersecurity of more than 2.7 million miles of computerized, interstate pipeline systems used to transport oil, natural gas and other hazardous products. These systems “are attractive targets for hackers and terrorists,” according to the GAO report.

In December, GAO found TSA lacked a process to determine when to update voluntary security guidelines for pipeline operators — among nine other weaknesses — prompting the latter to submit new procedures in April.

“A minor pipeline system disruption could result in commodity price increases, while prolonged pipeline disruptions could lead to widespread energy shortages,” said William Russell, acting director of GAO, in his written testimony to the House Energy Subcommittee. “A disruption of any magnitude may affect other domestic critical infrastructure and industries that are dependent on pipeline system commodities.”

The FBI reported a nation-state targeted organizations across multiple critical infrastructure sectors, including the energy sector, in March 2018 seeking information on industrial control systems.

TSA security reviews of pipeline systems have “varied considerably over time,” according to the report, which the agency attributes to a workforce shortage. A strategic workforce plan specifying the required level of cybersecurity expertise members of TSA’s pipeline security branch are expected to have is anticipated in July.

GAO also found TSA hasn’t updated its risk assessment methodology since 2014, and the data sources tied to its risk ranking tool aren’t fully documented or up to date. TSA in April reported taking steps to address those problems.

Corporate security reviews and critical facility security reviews of the 100 most critical pipeline systems remain at the owner’s discretion. By November, TSA plans to begin tracking security review recommendations from the past five years.