TSA Should Relinquish Oversight of Pipeline Security

While the U.S. government does not have the authorities or capabilities to prevent cyberattacks in private industry, it does have a critical role in coordinating among stakeholders and setting basic security standards—particularly in industries that are vital to U.S. national and economic security interests. However, coordination and standard setting are hampered when these responsibilities fall to disparate entities and agencies across the federal government. These functions must be centralized for meaningful impact to occur, and the agency best situated to take on that role already exists within the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

The recent cyberattack on Colonial Pipeline demonstrated why a coordinated approach to cybersecurity is so crucial, as Americans living along the East Coast queued for hours at the pump in scenes reminiscent of the 1970s. Despite reassurances that the U.S. gasoline supply was not in imminent danger of drying up, many Americans nevertheless rushed to fill up their gas tanks. The sudden surge in demand due to panic buying caused many local gas stations to temporarily close due to lack of supply, which only furthered panic.

The pipeline industry has long resisted security regulation by the federal government, insisting that the safety regulations imposed by the Department of Transportation (DOT) serve the dual purpose of ensuring the security as well as the safety of pipeline infrastructure. This argument is credible when it comes to the physical security of pipelines, but the recent Colonial Pipeline cyberattack demonstrated that the threat landscape has shifted.

While a majority of Americans associate the Transportation Security Administration (TSA) with airport screening and long wait lines, TSA is presently the chief security regulator for all modes of transportation—air, surface, and pipeline. This is a legacy of TSA’s split from DOT when DHS was established in 2003. However, TSA is no longer best positioned to oversee pipeline security.

In the wake of 9/11, TSA’s primary mission focus was preventing another mass casualty terrorist attack in the aviation sector. Following the 2004 Madrid train bombing and subsequent 2005 London Tube bombing, TSA bolstered its efforts to reinforce security operations on other forms of mass transit. The vast majority of TSA’s resources—both financial and personnel—are dedicated to aviation security. The Biden administration’s recently released FY 2022 budget request for surface transportation security, which encompasses mass transit, freight rail, maritime modes, and pipelines, is 75 percent less than what is requested for aviation security. Tasking an agency with a core mission of physical security to also take on an expanded cybersecurity portfolio will not only require a significant infusion of new resources, but also chip away at the focus of the TSA mission. Fortunately, an agency with the competencies, expertise, and resources required to meet the main security challenge faced by the pipeline industry already exists. CISA is better equipped to serve as the chief security regulator of the pipeline industry.

CISA currently oversees similarly situated industries as part of its portfolio of “sixteen critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These sectors include the energy sector, the chemical sector, the information technology sector, and the transportation systems sector.

TSA issued its first-ever regulation of the pipeline industry following the Colonial Pipeline hack, requiring pipeline companies to report incidents of cyberattacks to CISA no later than 12 hours following an incident. However, this regulation is too little too late and evinces both a lack of political will to take decisive action to counter emerging threats and a deficit in understanding of the core threats facing the pipeline industry. Recent regulation aside, the extent to which the pipeline industry has engaged with TSA has been on a completely voluntary basis. Pipeline companies can choose whether or not to engage with TSA for federal security reviews and cybersecurity audits. Following these audits, companies are provided a list of recommendations for improvements, but they are not required to report to TSA as to whether they have implemented them. TSA’s current pipeline security guidelines are just 33 pages long, with six pages dedicated to cybersecurity, and were last updated in March of 2018. They have since been amended to include the new cybersecurity directive.

The competitive nature of private industry means that companies are not inclined to disclose or discuss vulnerabilities—security or otherwise—lest they give competitors an advantage or reduce shareholder confidence. However, the ransomware attack on Colonial Pipeline demonstrated the detrimental impact a well-executed cyberattack can have on the nation. While intelligence suggests those behind the attack were cybercriminals interested in financial gain, the attack showcased a critical vulnerability for more sophisticated adversaries if the United States’ defenses are not shored up.

It is a tribute to the small but dedicated team of civil servants that comprise the pipeline security division at TSA that this is the first major pipeline security incident that has had widespread impact. The voluntary nature of the guidelines issued for the industry to date has required TSA officials to forge relationships with companies in order to persuade officials to submit to voluntary security audits. Many of the civil servants that staff the pipeline unit within TSA have in fact come from within industry and have deep relationships and a unique understanding of the industry. Any reshuffle of responsibilities within DHS should ensure that this talent and knowledge is retained if there is a move to CISA.

Cybercriminals do not limit their attacks to discrete industry portfolios. Transferring responsibilities for pipeline security to CISA will ensure that threats are monitored and addressed in a uniform manner across all 16 critical infrastructure sectors. Unity of effort is one key to better security.

Elizabeth Hoffman is the director of congressional and government affairs and fellow at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2021 by the Center for Strategic and International Studies. All rights reserved.