Is Pipeline Security Adequate?
America’s got a lot in the pipeline. More specifically, the United States hosts 2.7 million miles of pipelines that transport oil, natural gas, and other fossil fuels to create energy. These fuels are hazardous and potentially explosive, and in a March report the U.S. Congressional Research Service (CRS) argued that they are making pipeline security a national security issue.
“Ongoing threats against the nation’s natural gas, oil, and refined product pipelines have heightened concerns about the security risks,” wrote CRS in its report, Pipeline Security: Homeland Security Issues in the 116th Congress.
According to the CRS, the U.S. government expects pipeline companies to report an average of approximately 32 pipeline security incidents (both physical and cyber) annually.
In 2018, the U.S. Transportation Security Administration’s (TSA) Surface Security Plan identified improvised explosive devices as key risks to energy pipelines, which “are vulnerable to terrorist attacks largely due to their stationary nature, the volatility of transported products, and [their] dispersed nature.”
The expanding risks facing pipelines include the possibility of multiple, coordinated attacks by using explosives on the natural gas pipeline system. This could create unprecedented challenges for restoring gas flows, the CRS report found.
Another growing concern is pipeline cybersecurity because the computer systems used to operate much of the pipeline system are vulnerable to outside manipulation. A cybercriminal could exploit a pipeline control system to disrupt or damage pipelines.
For example, in April 2018, new cyberattacks reportedly caused the shutdown of the customer communications systems at four of the United States’ largest natural gas pipeline companies. Nine months later, then U.S. Director of National Intelligence Dan Coats, while testifying at a congressional hearing, singled out gas pipelines as critical infrastructure vulnerable to cyberattacks which could cause disruption “for days to weeks.” Overall, 796 critical infrastructure cyber incidents were reported to the U.S. Department of Homeland Security from 2013 to 2015; the energy sector accounted for 35 percent of them, according to the U.S. Government Accountability Office (GAO).
Another reason cybersecurity concerns are increasing is because of the rising interdependency between the pipeline and electric power sectors. A 2017 U.S. Department of Energy (DOE) report highlighted the electric power sector’s growing reliance upon natural gas-fired energy generation and the resulting security vulnerabilities associated with pipeline gas supplies. Commissioners on the Federal Energy Regulatory Commission (FERC) have said that because natural gas has become a major part of the fuel mix, cybersecurity threats to that supply take on a new urgency.
Several high-profile security incidents are driving increased pipeline concerns globally. In Nigeria, 21 percent of oil spills are due to operations malfunctions and 28 percent are due to sabotage, according to Nigerian researcher Freedom Onuoha. At least 30 people were killed in October 2018 in southeast Nigeria when a pipeline caught fire after a raid by suspected oil thieves.
In May 2019, a major oil pipeline in Saudi Arabia was struck by armed drones and temporarily shut down. Saudi officials called the incident an act of terrorism and sabotage. And there have been more than two dozen attacks on pipelines so far in 2019 in Colombia, where rebels from the leftist National Liberation Army (ELN) often attack oil infrastructure.
Currently in the United States, several federal agencies play a role in pipeline security, and TSA is primarily responsible for the oversight of pipeline physical security and cybersecurity. Back in 2006, TSA entered into a Memorandum of Understanding (MOU) Annex with the Pipeline and Hazardous Materials Safety Administration (PHMSA), which assigned respective protection responsibilities.
In 2010, TSA issued a Pipeline Security and Incident Recovery Protocol Plan, which defines roles of U.S. federal agencies in cases of security incidents. For example, during an incident, TSA is charged with coordinating information between the government and industry, while PHMSA coordinates U.S. federal activities to restore service with affected pipeline operators.
Then in 2011, TSA issued Pipeline Security Guidelines, which described a series of guidelines and standards for operators.
However, in recent reports, the GAO has found that these security plans may be outdated. According to the GAO report Critical Infrastructure Protection: Key Pipeline Security Documents Need to Reflect Current Operating Environment issued in June 2019, TSA has not updated its 2010 Pipeline Security and Incident Recovery plan in at least three key areas: pipeline security threats, especially those related to cybersecurity; incident management policies; and DHS’s terrorism alert system.
“By periodically reviewing and, as appropriate, updating its plan, TSA could better ensure it addresses changes in pipeline security threats,” the GAO found. “…TSA could also provide greater assurance that pipeline stakeholders understand federal roles and responsibilities related to pipeline incidents.”
Similarly, the GAO found that the 2006 MOU Annex has not been reviewed since its inception to consider new developments in pipeline security.
“Efforts to update the annex were delayed by other priorities,” the GAO found. “As of June 2019, there are no timeframes for completion.”
To address this, the GAO recommended that TSA and PHMSA implement a timeline for reviewing and updating the 2006 MOU Annex. GAO also recommended that TSA periodically review and update its 2010 pipeline incident recovery plan. DHS concurred with the recommendations.
The recommendations come on the heels of another series of pipeline security recommendations that the GAO made in December 2018 in Actions Needed to Address Significant Weaknesses in TSA’s Pipeline Security Program Management.
In that report, GAO recognized that TSA revised its 2011 Pipeline Security Guidelines in 2018 to reflect changes in the threat environment and to incorporate the U.S. government’s new principles for improving critical infrastructure cybersecurity. However, GAO also found that TSA did not have an established process for revising the guidelines regularly.
“Without such a documented process, TSA cannot ensure that its guidelines reflect the latest known standards and best practices for physical security and cybersecurity, or address the dynamic security threat environment that pipelines face,” the GAO found.
Further, GAO found that the revised guidelines lack clear definitions, hindering efforts by pipeline operators to identify their critical facilities. The GAO’s analysis showed that operators of at least 34 of the nation’s top 100 critical pipeline systems deemed highest risk had identified no critical facilities.
“This may be due, in part, to the guidelines not clearly defining the criteria to determine facilities’ criticality,” according to the GAO, which recommended that TSA revise its Pipeline Security Guidelines so that key terms for determining critical facilities are better defined.
Don Santa, president and CEO of the Interstate Natural Gas Association of America (INGAA), said in a statement that the GAO’s report raised a number of important questions which deserved industry review.
“In this environment of rapidly evolving cyber threats, it is important that we take an approach that enables flexibility and allows us to quickly adapt and update protocols,” Santa said.
However, Santa also cautioned the U.S. government against issuing new mandatory standards that can become quickly outdated.
“We need the flexibility and ability to build on our baseline practices to look forward towards addressing the threats of the future,” Santa said.