Cybersecurity

TSA's pipeline security team has five employees

Shutterstock ID  1060101578 By Sundry Photography pipeline san jose 

The Transportation Security Administration division responsible for securing the nation's 2.7 million miles of pipeline currently has just five dedicated full-time employees, none with cybersecurity expertise, according to a TSA official.

Sonya Proctor, director of the Surface Division for the Office of Security Policy and Industry Engagement at TSA, told lawmakers at a Feb. 26 House Homeland Security Committee hearing that her pipeline security workforce is largely reliant on other federal entities within TSA and the Department of Homeland Security for cybersecurity resources.

"We have [no employees] that have specific cybersecurity expertise," Proctor said. "They do have pipeline expertise, but not cybersecurity expertise."

Proctor said that TSA coordinates with the Cybersecurity and Infrastructure Security Agency (CISA) for cybersecurity assessments and technical guidance. A planned merger with the Security Operations Office will allow the Pipeline Security Program to draw support from a 200-strong pool of transportation security field inspectors. However, those inspectors will be responsible for working on all surface transportation security. Proctor could not provide any figures around how many would be assigned to work on pipeline security full-time or part-time.

"We think the pipeline section is going to require specialized training, so we are going to put those people in there, provide the training and make sure that they are qualified to go out and do those assessments," said Proctor. "We've not arrived at a final number yet, we're still working on the some of the staffing issues for the shifting of personnel."

A 2018 Government Accountability Office report found that staffing levels at the Pipeline Security Program have fluctuated between as high as 14 and as low as one since 2010. It also found the TSA did not have a strategic workforce plan to identify skills and competencies -- such as cybersecurity expertise -- needed to carry out its mission.

Neil Chatterjee, chairman of the Federal Energy Regulatory Committee, has publicly called for an agency with stronger rule-making authority than TSA to take over the pipeline security function, although he recently told a Senate panel that he's since adopted a wait-and-see attitude.

In December 2018, TSA rolled out a cybersecurity road map to guide the organization's strategy over the next five years that calls for the organization's IT personnel to conduct more targeted risk assessment and mitigation for internal systems, embrace information sharing and develop detailed response and recovery plans based on past experience.

The road map also indicates the organization views CISA as a major partner in any information security efforts, something Proctor reiterated to reporters after the hearing.

"The cyber piece is going to reside primarily with CISA. They are the experts for DHS," said Proctor, adding that a hiring blitz for cyber-focused workers at TSA was not "in the immediate plans."

During the hearing, Rep. Jim Langevin (D-R.I.) called the lack of employees with cybersecurity background in the Pipeline Security Program "troubling." In a statement to FCW after the hearing, Langevin said that support from CISA was "appropriate," but as a transportation-specific agency, TSA "needs to have some level of in-house cybersecurity expertise."

"It is incumbent on TSA to come to the table with an understanding of the unique cybersecurity challenges faced in the sector," Langevin said. "I hope TSA will take the opportunity provided by the Cybersecurity Road Map and the forthcoming implementation plan to reassess what resources, including personnel, it needs to adequately coordinate protection of our pipelines, rail networks, and other surface transportation infrastructure."

Bob Kolasky, director of the National Risk Management Center at CISA, said the center's work defining national critical functions throughout the United States is expected to be finalized in April, and it has already flagged pipeline security as one area requiring higher prioritization from the federal government. He said his organization works with TSA to plan and implement validated architecture design reviews for pipeline networks and systems and that both groups rely on each other for specialized knowledge.

We're "having [both groups] work together to plan the assessment and then go out and do that collectively, so the teams that are doing the assessments are our experts on the assessments and control systems and business processes related to cyber and they're the experts on pipelines," Kolasky said.

Some lawmakers would rather shift responsibility for pipeline security out of TSA. Sens. John Cornyn (R-Texas) and Martin Heinrich (D-N.M.) are co-sponsoring a bill that would give the Department of Energy ultimate responsibility for pipelines.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


Featured

  • Defense
    The U.S. Army Corps of Engineers and the National Geospatial-Intelligence Agency (NGA) reveal concept renderings for the Next NGA West (N2W) campus from the design-build team McCarthy HITT winning proposal. The entirety of the campus is anticipated to be operational in 2025.

    How NGA is tackling interoperability challenges

    Mark Munsell, the National Geospatial-Intelligence Agency’s CTO, talks about talent shortages and how the agency is working to get more unclassified data.

  • Veterans Affairs
    Veterans Affairs CIO Jim Gfrerer speaks at an Oct. 10 FCW event (Photo credit: Troy K. Schneider)

    VA's pivot to agile

    With 10 months on the job, Veterans Affairs CIO Jim Gfrerer is pushing his organization toward a culture of constant delivery.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.