Sen. Maria Cantwell, D-Wash., and Rep. Frank Pallone, Jr., D-N.J., today wrote Department of Homeland Security (DHS) Secretary Kirstjen Nielsen and called for her to “take urgent action to protect America’s pipelines from cyber attack.” The letter follows a report released today from the Government Accountability Office (GAO) which detailed issues American pipelines face defending against cyber attacks.
“We write today to request the Department of Homeland Security (DHS) perform an assessment of current cyber and physical security protections for U.S. natural gas, oil, and other hazardous liquid pipelines and associated infrastructure,” wrote Cantwell, who is ranking Democrat on the Senate Energy and Natural Resources Committee, and Pallone, who is ranking member on the House Energy and Commerce Committee. “We also request a specific plan of action as to how DHS will address GAO’s concerns.”
In the letter, Cantwell and Pallone highlighted three findings from the GAO report:
- “TSA [Transportation Security Administration] does not have a process to update its Pipeline Security Guidelines to ensure consistency with the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity or updates in the cybersecurity space. For much of the guidelines’ existence they have not kept pace with the NIST Cybersecurity Framework.
- TSA relies on the industry’s self-evaluation using ill-defined criteria provided by TSA to determine whether a specific pipeline operator has a critical facility within its pipeline system. As a result, approximately one third of the top 100 systems based on volume indicated to TSA that they do not have any critical facilities and TSA did not conduct an onsite review of these facilities.
- TSA has not tracked the status of corporate security review recommendations to pipeline operators for the past five years. As a result, TSA may be unable to determine whether a pipeline operator has corrected any omission or vulnerability identified in a previous site visit. In GAO’s words, ‘[w]ithout current, complete, and accurate information, it is difficult for TSA to evaluate the performance of the pipeline security program.’”
“It’s clear from GAO’s work that while pipelines are reliable today, the Transportation Security Administration (TSA) is not fully prepared to face the challenges of tomorrow,” said Pallone. “I’m concerned that TSA lacks both the resources and expertise in energy delivery systems to keep up with its obligations under the law. Secretary Nielsen must address the concerns Senator Cantwell and I raise in our letter to ensure the security of our nation’s pipelines.”
In their letter, the legislators posed a number of questions to DHS regarding TSA’s actions and processes and how it plans to improve its cybersecurity posture. In addition to answering their questions, Cantwell and Pallone asked DHS to develop a specific plan of action as to how DHS will address GAO’s concerns. The legislators asked for answers to their questions and the plan by Jan. 31, 2019.