American Pipeline Security Only Begins With the TSA
The U.S. Government Accountability Office (GAO), after an assessment of the Transportation Security Administration’s (TSA) pipeline security program management, has called the agency to task for failing to adequately monitor the vulnerability of the 2.7 million-mile network of pipelines that transport and distribute natural gas all across the U.S.
In particular, the GAO criticized the agency for its lack of process for determining when to update its physical and cybersecurity guidelines for pipeline operators. The GAO also faulted the TSA for lacking a process to identify and assess new risks.
Before getting too alarmed, it’s important to remember that GAO hits weaknesses in the TSA’s security evaluation program and personnel management, not in the state of U.S. pipeline security itself.
Thankfully, there is substantial evidence that our nation’s natural gas industry remains committed to implementing the highest level of protections against physical and cyberattacks. Worldwide, pipeline operators spent $6.1 billion in 2017 on security systems and services. Annual investment in pipeline security systems is expected to reach $10.07 billion by 2023, according to market research firm Mordor Intelligence.
Yet security is a job that’s never finished. Protocols and policies must stay ahead of ever-changing threats. “Without such a documented process, TSA cannot ensure that its guidelines reflect the latest known standards and best practices for physical security and cybersecurity, or address the dynamic security threat environment that pipelines face,” the GAO report states.
But while the GAO concludes that the TSA and its regulators could do more to accurately catalog pipeline threats and communicate real vulnerabilities, the industry is already working diligently to bolster collaborative efforts and channels of communication with federal agencies.
For example, the industry works through the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) to communicate regularly with the layers of government agencies involved with security – including TSA – and provide insight into the comprehensive cybersecurity programs of the natural gas and oil industry.
All the GAO’s recommendations require TSA officials to work more closely with the agency’s Office of Security Policy and Industry Engagement—the TSA arm that connects with private sector stakeholders in aviation, rail and pipeline security. While most Americans’ experience with the TSA is limited to airport inspections, the agency’s scope is quite wide. When it comes to pipeline security, the GAO would like to see a methodology and metrics for risk assessment, uniform definitions of terms, a structure for peer review and a sound determination of the personnel required to meet these and related goals.
Yet if there’s a subtext to be found in these recommendations, it’s how large a leadership role in security we can realistically expect from the government. That might be the primary takeaway, especially since this latest report follows a previous set of general cybersecurity recommendations the watchdog office issued in September. That report slammed Washington in general for its failure to establish a comprehensive cybersecurity strategy and perform effective oversight of national cybersecurity, as called for by law.
While there are regular bipartisan calls for more government direction in various areas of critical infrastructure’s physical and cybersecurity, private sector initiatives have consistently outpaced the government’s own capabilities and resources. The report makes it clear that the government must manage its in-house security concerns, but it does not conclude agencies like the TSA need to take a larger role in directing overall industry standards and practices. In fact, voluntary mechanisms and the extensive system of public-private partnerships already established, rather than prescriptive regulations, is the best way to bolster the cybersecurity of our nation’s energy infrastructure.
In short, the TSA’s pipeline security initiative, whatever form it ultimately takes, should be the beginning of the process, not the end—a baseline to build on, not a mandated template to follow.
Steven Titch is an independent policy analyst and former editor of industry websites SecuritySquared.com and Network-Centric Security.