Cantwell, Pallone Demand Immediate Action On Pipeline Cybersecurity From DHS

The Call Comes on the Heels of a GAO Report Spotlighting Vulnerabilities in our System

Washington, D.C. – Today, Ranking Member of the Senate Energy and Natural Resources Committee Maria Cantwell (D-WA) and House Energy and Commerce Ranking Member Frank Pallone, Jr. (D-NJ) released a letter to DHS Secretary Kirstjen Nielsen calling for her to take urgent action to protect America’s pipelines from cyber attack. The letter comes as the Government Accountability Office (GAO) released a report today, requested by Cantwell and Pallone, detailing issues American pipelines face defending against potentially catastrophic cyber attacks.

“We write today to request the Department of Homeland Security (DHS) perform an assessment of current cyber and physical security protections for U.S. natural gas, oil, and other hazardous liquid pipelines and associated infrastructure,” Cantwell and Pallone wrote. “We also request a specific plan of action as to how DHS will address GAO’s concerns.”

“Our nation’s energy assets are critical to our safety, security and economic well-being. Protecting our pipelines, and the people who live and work near them, must be a top priority for our government and I hope this report will prompt the Trump administration to start treating this challenge with the urgency it deserves,” said Sen. Cantwell.

“It’s clear from GAO’s work that while pipelines are reliable today, the Transportation Security Administration (TSA) is not fully prepared to face the challenges of tomorrow. I’m concerned that TSA lacks both the resources and expertise in energy delivery systems to keep up with its obligations under the law.  Secretary Nielsen must address the concerns Senator Cantwell and I raise in our letter to ensure the security of our nation’s pipelines.” said Rep. Pallone.

Key findings of the GAO report include: 
1. TSA does not have a process to update its Pipeline Security Guidelines to ensure consistency with the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity or updates in the cybersecurity space.  For much of the guidelines’ existence they have not kept pace with the NIST Cybersecurity Framework. 

2. TSA relies on the industry’s self-evaluation using ill-defined criteria provided by TSA to determine whether a specific pipeline operator has a critical facility within its pipeline system.  As a result, approximately one third of the top 100 systems based on volume indicated to TSA that they do not have any critical facilities and TSA did not conduct an onsite review of these facilities.

3. TSA has not tracked the status of corporate security review recommendations to pipeline operators for the past five years.  As a result, TSA may be unable to determine whether a pipeline operator has corrected any omission or vulnerability identified in a previous site visit.  In GAO’s words, “[w]ithout current, complete, and accurate information, it is difficult for TSA to evaluate the performance of the pipeline security program.”  

In March 2018, Secretary Perry acknowledged the serious problem our pipelines face with cybersecurity, saying “Senator Cantwell, thank you for recognizing the challenge that we have, it is very real, it is ever changing.”

Additionally, two members of the Federal Energy Regulatory Commission (FERC), one Democrat and one Republican, co-authored an op-ed about the looming challenge.

Read about Senator Cantwell’s previous actions and statements on cybersecurity here.

The full letter can be found here.