TSA's role in pipeline cybersecurity could be up for grabs

Congress is looking into which agency should oversee cybersecurity for natural gas and oil pipelines.

Shutterstock ID  1060101578 By Sundry Photography pipeline san jose
 

A gas pipeline near San Jose, Calif. (Photo credit: Sundry Photography/Shutterstock.com)

The Transportation Security Agency has the authority to regulate cybersecurity of natural gas and oil pipelines, but many lawmakers and stakeholder are starting to wonder whether that is the best arrangement, considering the vulnerability of infrastructure to remote attacks directed via industrial control systems.

In particular, some lawmakers have objected to TSA's oversight because its cybersecurity standards are voluntary for industry, despite possessing the authority to lay down mandatory rules. This differs from the electrical sector, which is subject to mandatory standards imposed by the Federal Energy Regulatory Commission.

Pipeline policy experts told FCW that TSA's standards are out of date, predating the National Institute of Standards and Technology's cybersecurity framework. They also said recent TSA updates to its standards this past summer came just before NIST updated its cyber framework.

In a call for stricter regulation, two FERC commissioners noted that there were just six full-time employees tasked with oversight of this nationwide pipeline system.

Lawmakers are concerned the infrastructure of privately owned electrical systems and natural gas pipelines are increasingly interdependent, which could present a cross-cutting vulnerability cyber attackers could exploit.

In July 2017, the ranking member of the Senate Energy and Natural Resources Committee, Sen. Maria Cantwell (D-Wash.), and the ranking member of the House Energy and Commerce Committee, Rep. Frank Pallone (D-N.J.), asked the Government Accountability Office to look into TSA's ability to oversee its pipeline security duties.

Cantwell and Pallone's letter asked specific questions about TSA personnel, onsite inspections, audits, cyber security criteria, as well as whether the agency was the most appropriate choice for the oversight.

A spokesman for Cantwell's office told FCW that GAO said it expected to report back by the end of October or early November. When that report comes, it could recommend moving pipeline cybersecurity responsibilities to another agency. Such a move would require Congress to change the 2001 law.

A TSA representative said the agency wouldn't be able to supply answers on deadline.

Pipeline industry officials said they are frustrated with what they say is an inaccurate picture of the cybersecurity risks to gas pipelines. At a Sept. 26 industry event, oil and gas pipeline industry representatives said recent incursions into pipeline IT systems involved ransomware infiltration of business systems, not industrial control systems.

"One of the basic principles of cyber hygiene and basic defense is to separate those systems because you cannot have your business system connected to your industrial control system," Dave McCurdy, president and CEO of the American Gas Association, said.

"People conflate all these issues and pull them together" and the resulting operational threat picture that can be overstated, he added.

Don Santa, president and CEO of the Interstate Natural Gas Association of America at the same event said that even if a hacker successfully penetrated an operations system, they couldn't immediately do much damage.

"What could they do? You hear lots of people spitting out 'oh my gosh, they could weaponize the pipeline and they will blow it up,'" he said. But according to Santa, there are mechanical security features designed to prevent damage being inflicted via a SCADA incursion. He added that gas can be delivered using manual controls if a SCADA system is disabled.

The pipeline industry shares information with government through the public-private Oil and Natural Gas Information Sharing and Analysis Center and the Downstream Natural Gas ISAC.

"The government is in a unique position in what it can see," Santa said. "It can share that with industry so they can respond and defend themselves. That is very important. We're in an area where the nature of the threat and technology change so quickly that it's not an area that lends itself to command and control regulation."

Pipeline policy experts who have talked with pipeline executives told FCW on background they have noticed a subtle shift in the last few months in how pipeline companies see cybersecurity. The experts said the industry may have reached the conclusion that they, like all other critical infrastructure, can do more to bolster cybersecurity to protect their companies and the public.

"We're waiting on the GAO report this fall," Santa told FCW at the industry event, adding his association's membership would work with whatever agency may take the lead on pipeline cybersecurity.