The Transportation Security Administration (TSA), the US agency in charge of the US oil & gas pipeline system, has a serious staffing issue on physical and cyber-security positions.
According to a report published today by the Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress, the TSA employs only six full-time staffers for its pipeline security branch.
These six staffers are supposed to handle both physical and cybersecurity risk assessments and reviews for over 2.7 million miles of pipeline that carry natural gas, oil, and other hazardous products across all of the United States. Although US oil & gas pipelines are privately-owned and thousands of private sector employees and contractors are providing additional security services, the TSA staff is the one who sets rules and enforces compliance, and the low number of employees tasked with pipeline security impacts the system's overall security posture.
The GAO report's findings were the main topic at a House Energy Subcommittee hearing today on "The State of Pipeline Safety and Security in America."
"We know [...] that TSA staffing issues are a major limitation," US Representative Fred Upton (R-Michigan) said today at the hearing.
"TSA has some 50,000 employees, but only a handful, that's actually a handful plus one, six, are assigned to pipeline security," Rep. Upton said. "That's not very good."
Furthermore, the GAO report also found that TSA's pipeline safety staffers are also under-prepared for the issues they're facing.
"The TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies-such as the required level of cybersecurity expertise-necessary to carry out its pipeline security responsibilities," GAO investigators wrote in the report.
GAO officials said that interviews with pipeline operators and industry representatives highlighted the low level of training of the TSA's existing staff, which is in charge of enforcing security audits and compliance checks among private sector pipeline owners.
"Specifically, 6 of the 10 pipeline operators and 3 of the 5 industry representatives we interviewed reported that the level of cybersecurity expertise among TSA staff and contractors may challenge the Pipeline Security Branch's ability to fully assess the cybersecurity portions of its security reviews," GAO said.
Growing cyber-security threat
The report argues that the TSA's insufficient and poorly-prepared pipeline safety staff opens the door for physical and cyber attacks, from the likes of terrorist groups, hackers, foreign nations, criminal groups, and activists alike.
While threats of physical, on-premise sabotage have always been a problem, GAO officials also highlighted the rising threat of cyber-attacks against oil & gas pipeline infrastructure, a risk that has been growing with the increased computerization of oil & gas infrastructure.
"Pipelines increasingly rely on sophisticated networked computerized systems and electronic data, which are vulnerable to cyber-attack or intrusion," GAO said.
"New threats to the nation's pipeline systems have evolved to include sabotage by environmental activists and cyber-attack or intrusion by nations.
"For example [...] in March 2018, the Federal Bureau of Investigation and the National Cybersecurity and Communications Integration Center (NCCIC) reported that a nation-state had targeted organizations within multiple U.S. critical infrastructure sectors, including the energy sector, and collected information pertaining to Industrial Control Systems."
GAO officials recommended an increase of pipeline security staff and updates to the TSA's risk assessment methodology, so staffers and procedures will be up for the task of securing America's oil & gas pipeline against today's rising cyber-security threat landscape.
Related government coverage:
- DHS gives agencies 15-day deadline to patch security flaws
- French government releases in-house IM app to replace WhatsApp and Telegram use
- EU: No evidence of Kaspersky spying despite 'confirmed malicious' classification
- EU votes to create gigantic biometrics database
- Congress sends letter to Google for details on Sensorvault location tracking database
- UK could build an automatic national defence system, says GCHQ chief
- How Estonia became an e-government powerhouse TechRepublic
- Sri Lanka blocks social media after deadly Easter explosions CNET