Lawmakers probe TSA's pipeline cyber role

Responsibility for oversight of 2.7 million miles of U.S. pipeline infrastructure falls to the Transportation Security Administration, but an oversight report from December 2018 found that TSA needs to get a better handle on this role.

According to Government Accountability Office, the agency hasn't maintained needed staffing levels in its pipeline security operations or kept its risk assessment methodology up to date.

China has the ability to launch disruptive cyberattacks on U.S. critical infrastructure including gas pipelines, according to a recent public intelligence assessment. That possibility has lawmakers concerned.

At a Feb. 14 Senate hearing, Sen. Martin Heinrich (D-N.M.) asked Neil Chatterjee, chairman of the Federal Energy Regulatory Committee, if TSA was the right agency to oversee gas pipeline security.

Chatterjee co-authored an Axios column in June 2018 calling for an agency with more stringent rulemaking authority, possibly the Department of Energy, to take over to take over pipeline security. Since then the energy regulator has changed his tune a bit.

"I've been impressed with industry's and TSA's response" to working on protections, Chatterjee said, adding he wanted to "give industry and TSA the opportunity to work in good faith" to improve pipeline security.

"It's clear TSA has a greater focus" on protecting pipelines, which have become crucial in supporting the electrical grid, said Chatterjee.

Chatterjee reminded the committee that moving TSA's authority to another agency would take an act of Congress.

Heinrich and Sen. John Cornyn (R-Texas) are looking to accomplish that. The two introduced a bill in late January to shift oversight of physical and cybersecurity of oil and gas pipelines to the energy secretary.

Sen. Angus King (I-Maine) took issue with voluntary security standards for the pipeline industry.

"Natural gas pipelines should have mandated standards" similar to those that apply to the electrical grid, he said. "We are in a dangerous place. This should be an urgent situation."

Chatterjee wouldn't respond directly when asked by King if mandatory cyber and physical security standards should be applied to pipelines. "Mandatory standards are one way," he said, adding that he was working with industry and TSA to strengthen protections and oversight.

Days before the GAO report was released, TSA Administrator David Pekoske announced an agency cybersecurity roadmap that called for transportation- and pipeline-sector stakeholders to go beyond sharing threat indicators and look at lessons learned, potential consequences and vulnerability-related details, as well as response and recovery plans after a cyber incident.