The Department of Homeland Security’s (DHS) Transportation Security Administration’s (TSA) Pipeline Security Guidelines is a set of voluntary guidelines for pipeline operators that address natural gas pipelines and hazardous liquid pipeline physical security and cybersecurity.
Today, critical infrastructure sectors, including the oil and gas industry and the electric utility industry, face increasing cyberattacks from nation-states, criminals and terrorists.
Currently, several federal agencies in the United States are responsible for different aspects of pipeline security. The TSA is responsible for the oversight of physical security and cybersecurity for more than 2.6 million miles of natural gas and hazardous liquid pipelines.
In 2006, the TSA entered into a Memorandum of Understanding (MOU) Annex with the Pipeline and Hazardous Materials Safety Administration (PHMSA), assigning respective protection responsibilities.
In 2010, TSA issued a Pipeline Security and Incident Recovery Protocol Plan defining the roles of U.S. federal agencies in the event of security incidents. For example, the TSA is responsible for coordinating information between the government and the business sector, while the PHMSA coordinates the federal government’s activities to restore service with the affected pipeline operators.
Then in 2011, TSA issued its Pipeline Security Guidelines, describing a series of guidelines and standards for pipeline operators. In March 2018, the TSA revised its voluntary pipeline security guidelines to address changes in the threat environment. The TSA also included most of the principles and practices from the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity
Since 9/11, no new rules or regulations have been put into effect to address the physical security of pipelines or liquid natural gas facilities or cybersecurity specific to the oil and gas industry. And the DHS and the Federal Bureau of Investigation have only informally reached out to pipeline operators and liquid natural gas industry as issues occurred.
In 2017, the U.S. Department of Energy issued a report highlighting the fact that the electric power sector was increasingly relying on natural gas-fired energy generation. The report also detailed the security vulnerabilities associated with pipeline gas supplies.
In December 2018, the Government Accountability Office (GAO) uncovered some weaknesses in the TSA’s Pipeline Security Guidelines and recommended ways for the TSA to improve how it managed key aspects of its pipeline security program.
In June 2019, the GAO also revealed that the TSA’s 2006 MOU Annex had never been reviewed to take new developments in pipeline security into consideration.
According to the GAO, the TSA’s revised guidelines aren’t clearly defined, making it difficult for pipeline operators to identify their critical facilities. In fact, the GAO’s analysis indicated that the pipeline operators of at least 34 of the top 100 critical pipeline systems that the TSA considered highest risk indicated that they had no critical facilities.
The GAO has also recommended that the TSA establish a process for regularly revising its Pipeline Security Guidelines. In addition, the GAO recommended that TSA and PHMSA develop a timeline for reviewing and updating the 2006 MOU Annex