The U.S. Government Accountability Office (GAO) released a report on Tuesday stating that the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) unit had not fully addressed two pipeline cybersecurity-related weaknesses that GAO previously identified. The identified weaknesses correspond to three of the 15 recommendations from GAO’s 2018 and 2019 reports.
In its report, the GAO identified factors that likely limit the usefulness of TSA’s risk assessment methodology for prioritizing pipeline cybersecurity reviews, leading to incomplete information for pipeline risk assessments. The GAO is a legislative branch government agency that provides auditing, evaluation, and investigative services for the US Congress, and acts as an audit institution on how the federal government spends taxpayer dollars.
For instance, TSA’s risk assessment did not include information consistent with critical infrastructure risk mitigation, such as information on natural hazards and cybersecurity risks. GAO recommended that TSA develop data sources relevant to pipeline threats, vulnerabilities, and consequences of disruptions. As of last month, TSA had not fully addressed this recommendation.
The GAO reported in June 2019 that TSA had not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline cybersecurity threats, including those related to cybersecurity, reflecting aged protocols for responding to pipeline cybersecurity incidents. Again, the congressional watchdog recommended that TSA periodically review, and update its 2010 plan. TSA has begun taking action in response to this recommendation but has not fully addressed it, as of June 2021.
The 2010 plan sought to set up a comprehensive interagency approach that would counter risks, coordinate federal agencies’ actions, and minimize the consequences of incidents involving pipeline infrastructure as well as recovery time from them. The plan also defines the roles and responsibilities of federal agencies; tribal, state, and local governments; and the private sector during a pipeline incident and the measures they may take related to pipeline infrastructure security incidents.
According to the plan, TSA, Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA), the Department of Energy, and the Federal Bureau of Investigation (FBI) have principal roles in pipeline incident response, while other agencies such as the U.S. Coast Guard and the Federal Emergency Management Agency have supporting roles. The PHMSA regulates the safety of pipelines operating within the United States.
As part of the developments, in early 2020, the TSA and the PHMSA entered into a memorandum of understanding to, among other things, coordinate ‘in the development of standards, regulations, guidelines, or directives having an effect on pipeline transportation security ….’ However, no mandatory cybersecurity rules for oil and gas pipeline systems have been issued yet.
The Cybersecurity Infrastructure and Security Agency (CISA) manages a Pipeline Cybersecurity Initiative (PCI) to enhance the cyber-resilience of the nation’s pipeline system. However, participation in the PCI is voluntary, pointed out law associates from Davis Wright Tremaine LLP in a Lexology blog post.
U.S. pipelines are vulnerable to cyber-based attacks due to increased reliance on computerized systems. In May 2021, malicious cyber attackers deployed DarkSide ransomware that led to the compromise of the Colonial Pipeline networks, which forced the company to take certain systems offline to contain the threat.
Colonial had a temporary halt of all pipeline operations that transport about 45 percent of all fuel consumed on the U.S. East Coast, with some of its IT systems affected. This incident showcases the shortcomings of the TSA on maintaining cybersecurity of critical pipeline systems, which the GAO was trying to address with its recommendations.
Prior to issuing a cybersecurity directive in May 2021, TSA’s efforts included issuing voluntary security guidelines and security reviews of privately owned and operated pipelines. GAO reports in 2018 and 2019 identified some weaknesses in the agency’s oversight and guidance and made 15 recommendations to address these weaknesses. The TSA has taken actions to address several weaknesses in the management of pipeline cybersecurity and has fully addressed 12 suggestions of the GAO’s recommendations. The transport agency has reported plans to address the pending GAO recommendations.
GAO also reviewed TSA’s May and July 2021 Pipeline Security Directives, TSA’s Pipeline Security Guidelines, and three federal security alerts issued in July 2020, May 2021, and June 2021. The TSA’s May 2021 cybersecurity directive requires that certain pipeline owners/operators assess whether their current operations are consistent with TSA’s Guidelines on cybersecurity, identify any gaps and remediation measures, and report the results to TSA and others.
TSA’s July 2021 cybersecurity directive mandates that certain pipeline owners/operators implement cybersecurity mitigation measures, develop a Cybersecurity Contingency Response Plan in the event of an incident, and undergo an annual cybersecurity architecture design review, among other things. These recent security directives are important requirements for pipeline owner/operators because TSA’s guidelines do not include key mitigation strategies for owner/operators to reference when reviewing their cyber assets.
The recent directives fail to say anything specific about the new requirements that TSA was imposing under the second directive, to prevent hackers from getting insights into their playbooks. Information is limited because of security considerations. This omission was not an accident or oversight; it was intentional.
TSA officials told GAO that a timely update to address current cyber threats is appropriate and that they anticipate updating the guidelines over the next year, the GAO said in its report.
Based on earlier GAO products issued in December 2018, June 2019, and March 2021, along with updates on actions TSA has taken to address GAO’s recommendations as of June 2021. To conduct the prior work, GAO analyzed TSA documents, interviewed TSA officials, industry association representatives, and a sample of pipeline operators selected based on type of commodity transported and other factors; and observed TSA security reviews.
For a second time in as many weeks, two U.S. government agencies are picking on one another for failing to carry out recommended cybersecurity measures. An audit report of the U.S. Department of Defense (DoD) found that the defense agency along with the Department of Homeland Security (DHS) failed to plan and execute activities to implement the memorandums between the two agencies, regarding cybersecurity and cyberspace operations and critical infrastructure environments.