Nearly 3 million miles of pipelines that crisscross the United States carrying oil, natural gas and other hazardous liquids may be vulnerable to cyberattacks as the federal agency responsible for overseeing their security is overburdened with other responsibilities, lawmakers, government auditors and regulators say.

The Transportation Security Administration, or TSA, better known for pat-downs of passengers heading to their flights, is also in charge of securing about 2.7 million miles of pipelines. Most are buried underground in remote and open terrain, but others run through densely populated areas, the Government Accountability Office said in a recent report.

At times in the past few years, the TSA managed that responsibility with just one person, according to the GAO.

The TSA was short on cybersecurity expertise, made only recommendations for voluntary compliance that pipeline operators could ignore and hadn’t reviewed the security practices of pipeline operators for more than five years to assess if they followed the agency’s recommendations, the GAO found in a little noticed report published a week before Christmas.

Terrorists have threatened pipelines before. The GAO report highlighted instances when terror groups targeted pipelines for physical destruction in Colombia, Nigeria and Canada. The report noted that U.S. law enforcement had identified in 2006 what appeared to be an al-Qaida plan to blow up the Trans-Alaska Pipeline and arrested individuals for planning to blow up natural gas pipelines in Oklahoma and Texas.

Since the report came out, lawmakers in both chambers of Congress have held hearings to address pipeline security.

The GAO found that operators of at least 34 of the nation’s top 100 pipeline systems deemed highest risk had not identified their most vulnerable and important facilities. The agency said the disparity may be because TSA’s guidelines didn’t spell out exactly what constituted a critical facility.

Staffing at TSA’s Pipeline Security Branch has seesawed over the years, going from 14 full-time staff in fiscal year 2012 to just one individual in fiscal 2014, the GAO said, noting that the agency had no long-term plan to identify the kind of cybersecurity experts it would need to get the job done.

‘Weird calmness’

The dire assessment of cybersecurity efforts in the pipeline sector stands in contrast to warnings by the FBI and the Department of Homeland Security that the U.S. energy grid at large is a prime target of hackers tied to foreign governments.

In March 2018, the FBI and DHS said Russian-government-backed hackers had targeted energy companies “where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”

Once the hackers gained access, they conducted reconnaissance, moved into other adjacent networks and collected information on computers that control industrial systems, the warning said.

At a recent Senate Energy and Natural Resources Committee hearing, several lawmakers were alarmed at what appeared to be a lackadaisical approach to cybersecurity in the energy sector and the agency responsible for pipeline security.

“There’s a weird calmness about this hearing,” Sen. Angus King of Maine said. “This is not calm. The Russians are already in the grid, are they not?” he said raising his voice.

Sen. Martin Heinrich, a New Mexico Democrat who’s also a member of the Senate Intelligence Committee, wondered why TSA was in charge of pipelines.

“Is TSA the right place … and I appreciate they’re putting more focus on this, and they seem to have a pretty big job at the airports I have noticed, so is it the right place for that to live?” Heinrich asked.

Across Capitol Hill, in the House Homeland Security Committee, Rep. Lou Correa, chairman of the committee’s panel on transportation and maritime security, raised a similar question last week.

“Some have questioned whether DHS has paid enough attention to pipeline security and have raised the idea of moving responsibility of securing pipelines to another department,” the California Democrat said.

Neil Chatterjee, chairman of the Federal Energy Regulatory Commission, told Heinrich that he too wondered if TSA was the best agency to oversee pipelines. FERC regulates the interstate transmission of electricity, natural gas and oil.

Natural gas

“Is the entity responsible for aviation, for railroad, for highways, also responsible for this, particularly when reports indicated that they had four or six people?” Chatterjee told the Senate panel, referring to the staffing problems at the TSA that the GAO had highlighted.

Chatterjee said FERC was helping by sending its experts to work with TSA. He also urged lawmakers to tell TSA to use its authority to impose mandatory security requirements on pipeline operators, as opposed to issuing voluntary guidelines.

Sonya Proctor, director of the division at TSA that oversees pipeline security, told House Homeland Security lawmakers last week that voluntary guidelines are better because cyberthreats are constantly changing and therefore fixed regulations may become obsolete.

Of the 2.7 million miles of pipelines, 2.2 million miles of pipes carry natural gas from transmission sites to consumers, the GAO said. About 319,000 miles of pipes carry natural gas from sources to communities. And about 216,000 miles of pipes carry hazardous liquid, including crude oil, diesel, gasoline, jet fuel, anhydrous ammonia and carbon dioxide.

Operators of natural gas pipelines see cybersecurity as a “top operational risk and take the management of this risk very seriously,” Rebecca Gagliostro, director of security, reliability and resilience at the Interstate Natural Gas Association of America, told the House panel last week.

The 28 companies that are members of the trade group operate about 200,000 miles of interstate gas pipelines and follow the National Institute of Standards and Technology standards on cybersecurity as well as guidelines provided by the TSA, Gagliostro told the committee.

The companies conduct table-top exercises to test security programs, share information with other companies, and plan for how to work with other sectors in case of an attack, she said.

But the pipeline industry needs a “cooperative relationship with our government partners to facilitate rapid information sharing,” she said.

TSA steps

TSA is taking steps to address gaps identified by the GAO, Proctor told Roll Call.

The agency committed to the GAO that it would conduct 10 cybersecurity reviews in fiscal 2019 and already has completed one and is in the process of scheduling three more, according to Proctor.

The reviews are conducted along with the newly formed Cybersecurity and Infrastructure Security Agency, or CISA, within the Homeland Security Department because the agency has the cybersecurity expertise that TSA lacks, she said.

The reviews compare “what was agreed upon and published and what they’re actually doing in the companies,” Proctor said, referring to the agency’s cybersecurity guidelines and pipeline companies’ practices.

At a minimum, pipeline operators abide by the cybersecurity standards published by the National Institute of Standards and Technology. But TSA’s assessment of companies’ cybersecurity measures goes well beyond the basics and is “much more comprehensive and much more in-depth,” Proctor said.

Once TSA completes the 10 cybersecurity assessments, TSA and CISA will work with pipeline operators to come up with ways to lower cybersecurity risks, Bob Kolasky, head of the National Risk Management Center at CISA, told the House Homeland Security panel last week.

How TSA ended up overseeing pipeline security is an artifact of the bureaucratic shuffle following the 9/11 attacks, said Chris Currie, one of the authors of the GAO report.

When the Department of Homeland Security was created in 2002, it was made responsible for security of the country’s critical infrastructure, and pipelines were considered both critical and a form of transportation, landing them in TSA’s basket of responsibilities, Currie said.