By Michael Brooks
WASHINGTON — Transportation Security Administration officials last week defended their efforts to protect the country’s natural gas pipelines, telling FERC they are adding more staff to the effort.
The importance of securing gas infrastructure was a recurring theme at a technical conference organized by FERC and the Department of Energy on security investments for energy infrastructure — an acknowledgement of the fuel’s growing importance to the country’s electric generation mix (AD19-12).
TSA — established under the newly created Department of Homeland Security after the Sept. 11, 2001, terrorist attacks — has come under increasing scrutiny in the last year over its role in securing pipelines.
Last June, the Houston Chronicle published an op-ed by FERC Chairman Neil Chatterjee and Commissioner Richard Glick that called on Congress to move responsibility for pipeline security from TSA to “an agency that fully comprehends the nation’s energy sector and has sufficient resources to address the growing cybersecurity threat to gas pipelines.”
The Government Accountability Office issued a critical report in December that noted TSA’s Pipeline Security Branch had only six full-time equivalent employees watching over more than 2.7 million miles of natural gas, oil and hazardous liquid pipelines.
In January, the U.S. Intelligence Community’s Worldwide Threat Assessment warned that Russia and China can launch cyberattacks that cause “localized, temporary disruptive effects on critical infrastructure,” such as pipelines. (See GAO Critical of TSA Pipeline Security Efforts.)
At a Senate Energy and Natural Resources Committee hearing on energy cybersecurity in February, some senators questioned whether Congress should give the pipeline job to a different, energy-focused agency. (See Senators Call for Urgency on Energy Cybersecurity.)
The GAO report suggested TSA’s pipeline role has been neglected by the agency in favor of airport security, a conclusion TSA Administrator David Pekoske did not dispute at Thursday’s hearing.
One of the GAO report’s criticisms was that “the agency has a detailed allocation plan for strategically aligning resources to screen passengers at TSA-regulated airports, but not for the entire agency.” Pekoske said that currently, all the agency’s inspectors, including those designated for surface transportation, are on the staffs of the 440 airports under TSA jurisdiction. “But we’re going to make a change to that,” he said.
Pipeline is one of the six modes of transportation under TSA’s jurisdiction, along with Aviation, Freight Rail, Highway & Motor Carrier, Postal & Shipping, and Mass Transit, according to the agency’s Cybersecurity Roadmap.
Pekoske also said he was consolidating the agency’s multiple “policy shops” into one. “I think there is a lot to be learned from security in other sectors that apply across the board, so all of our policy is going into one place.” He said he is also establishing regional offices co-located with the Federal Emergency Management Agency in New York City, Atlanta, Chicago, Dallas and Seattle.
“We already have a [regional presence] in place right now; it’s primarily purposed to support our aviation security mission,” he said. “I’m repurposing that … to advance the surface transportation security mission and also advance our contingency and planning response capability.”
Another of the GAO report’s criticisms was that TSA lacked a strategic workforce plan to identify the skills required of its employees, such as cybersecurity expertise. Pekoske said the agency was “working very hard on” investing in staff with cybersecurity expertise. It currently relies on DHS’ Cybersecurity and Infrastructure Security Agency, “but it’s my desire to have specific, industry-related cybersecurity expertise within TSA,” he said.
“We believe TSA has both the tools and the authority to address any threats within the pipeline industry,” said Sonya Proctor, the agency’s assistant administrator of surface operations. “As a result of the realignment of resources that the administrator has undertaken, we’re going to be able to increase the number of personnel focused on pipeline security, which means we will have a presence in the pipeline community on a very regular basis.”
Though TSA has the authority to issue mandatory standards, its voluntary Pipeline Security Guidelines “provide us the flexibility to address threats outside of the time-consuming regulatory process, which could conceivably take months or even years to go through,” Proctor said. She also noted that as administrator, Pekoske has the authority to issue mandatory directives to pipeline companies in the event of an emergency or serious threat.
Neither Pekoske nor Proctor mentioned current staffing levels, or how many people would be added.
Questions of Standards
TSA published the documents Pekoske mentioned shortly before the Chatterjee-Glick op-ed. Chatterjee has backed off somewhat on the recommendation that pipeline security be reassigned, telling senators and the National Association of Regulatory Utility Commissioners that he had been impressed by Pekoske’s and the industry’s efforts since the article’s publication.
“TSA and industry should have an opportunity to better address cybersecurity concerns on a voluntary basis before anyone imposes mandatory cybersecurity standards for gas pipelines,” he said Thursday.
Glick pressed Proctor about how the agency prioritizes its pipeline oversight. According to the GAO report, TSA takes the top 100 critical pipeline systems, ranked by the volume of fuel transported a year, and re-ranks them through a risk assessment that calculates threat, vulnerability and consequences to determine their priority in getting reviewed.
“Putting aside the 100, what do you do with regard to the rest of the pipeline system around the country, including the distribution pipelines?” Glick asked.
Proctor said that the agency isn’t limited to the top 100 when it conducts its reviews, “but clearly we’re looking at risk, and we’re looking at the resources we have to apply to that risk so that is where our focus is first.” She said the agency will have the capability to review more than the top 100 with Pekoske’s resource realignment.
The GAO report said that operators of at least 34 of the top 100 had identified no critical facilities, speculating that this was because TSA’s guidelines lack a clear definition of the criteria to determine facilities’ criticality. Glick asked Proctor if the agency only did reviews of pipelines that had identified critical facilities.
“That is the language in the Pipeline Security Guidelines, and that’s something we continue to discuss with the pipeline systems, so that’s an area we continue to work with,” Proctor responded.
Glick also asked Don Santa, CEO of the Interstate Natural Gas Association of America (INGAA), why the industry doesn’t support mandatory standards.
“INGAA thinks the current collaborative model with the Transportation Security Administration works well, and in fact it is improving,” Santa replied. “We think that, as Assistant Administrator Proctor described, it enables us to be more agile and reacting quickly to things than if we were in a mandatory situation. …
“Let’s focus on improving [TSA’s work], making it better [and] getting it to be what it can be, rather than on changing the model,” he concluded.
NERC CEO Jim Robb was noncommittal on whether there should be mandatory pipeline standards.
“The gas system and the electric system are so intertwined right now from a reliability perspective that the gas system has to have at least equivalent secure reliability to serve its needs as the electric system that’s built on top of it,” he said in response to a question from Glick. “So, whether it’s through a mandatory standards regime or some other regime than what TSA is doing today or just through the work that TSA is doing, I don’t really care so much about that. What I do care about is making sure that the gas is there when we need it.”