TSA preps new guidelines on pipeline cyber

The Transportation Security Administration has developed a plan to more regularly update its cybersecurity guidelines for oil, natural gas and hazardous materials pipeline operators.

The Transportation Security Administration has submitted a plan to keep pipeline cybersecurity guidelines up to date, the Government Accountability Office's acting director told a May 1 House Energy and Commerce Energy Subcommittee hearing on pipeline security.

TSA has federal oversight responsibility for the physical security and cybersecurity of oil, natural gas and hazardous materials pipelines in the U.S. That pipeline infrastructure is mostly privately held.

In his testimony at the hearing, GAO Acting Director William Russell referenced his agency's December 2018 report on TSA's pipeline oversight. In that report, the GAO had recommended TSA formally document its review and revision processes for its Pipeline Security Guidelines for private pipeline infrastructure providers.

The GAO also found weaknesses in TSA's cybersecurity workforce, as well as a shortage of workers. The watchdog agency said staffing levels for the agency's pipeline branch have fluctuated "significantly," from a single worker in 2014 to six between 2015 and 2018. Those workers, it said, lacked cybersecurity expertise.

GAO's 2018 report said that although TSA updated its guidelines with the National Institute of Standards and Technology's cybersecurity framework in March, it missed some important updates to the NIST framework, particularly the Supply Chain Risk Management category that NIST added the following month. TSA missed that update because, according to the report, its plan didn't have a formal update process. GAO recommended TSA adopt a formalized process that allowed for more thorough and frequent updates at regular, defined intervals.

"Without a documented process defining how frequently TSA is to review and, if deemed necessary, revise its guidelines, TSA cannot ensure that the guidelines reflect the latest known standards and best practices of physical security and cybersecurity," it said.

Russell's written testimony for the May 1 hearing said TSA had agreed to develop that plan and complete it by April 30, 2019. Russell said his agency is now reviewing the plan. To address the cyber workforce issues, GAO recommended TSA develop a strategic workforce plan and complete it by this coming July.