TSA's pipeline security team has five employees

The Transportation Security Administration division responsible for securing the nation's 2.7 million miles of pipeline currently has just five dedicated full-time employees, none with cybersecurity expertise, according to a TSA official.

Sonya Proctor, director of the Surface Division for the Office of Security Policy and Industry Engagement at TSA, told lawmakers at a Feb. 26 House Homeland Security Committee hearing that her pipeline security workforce is largely reliant on other federal entities within TSA and the Department of Homeland Security for cybersecurity resources.

"We have [no employees] that have specific cybersecurity expertise," Proctor said. "They do have pipeline expertise, but not cybersecurity expertise."

Proctor said that TSA coordinates with the Cybersecurity and Infrastructure Security Agency (CISA) for cybersecurity assessments and technical guidance. A planned merger with the Security Operations Office will allow the Pipeline Security Program to draw support from a 200-strong pool of transportation security field inspectors. However, those inspectors will be responsible for working on all surface transportation security. Proctor could not provide any figures around how many would be assigned to work on pipeline security full-time or part-time.

"We think the pipeline section is going to require specialized training, so we are going to put those people in there, provide the training and make sure that they are qualified to go out and do those assessments," said Proctor. "We've not arrived at a final number yet, we're still working on the some of the staffing issues for the shifting of personnel."

A 2018 Government Accountability Office report found that staffing levels at the Pipeline Security Program have fluctuated between as high as 14 and as low as one since 2010. It also found the TSA did not have a strategic workforce plan to identify skills and competencies -- such as cybersecurity expertise -- needed to carry out its mission.

Neil Chatterjee, chairman of the Federal Energy Regulatory Committee, has publicly called for an agency with stronger rule-making authority than TSA to take over the pipeline security function, although he recently told a Senate panel that he's since adopted a wait-and-see attitude.

In December 2018, TSA rolled out a cybersecurity road map to guide the organization's strategy over the next five years that calls for the organization's IT personnel to conduct more targeted risk assessment and mitigation for internal systems, embrace information sharing and develop detailed response and recovery plans based on past experience.

The road map also indicates the organization views CISA as a major partner in any information security efforts, something Proctor reiterated to reporters after the hearing.

"The cyber piece is going to reside primarily with CISA. They are the experts for DHS," said Proctor, adding that a hiring blitz for cyber-focused workers at TSA was not "in the immediate plans."

During the hearing, Rep. Jim Langevin (D-R.I.) called the lack of employees with cybersecurity background in the Pipeline Security Program "troubling." In a statement to FCW after the hearing, Langevin said that support from CISA was "appropriate," but as a transportation-specific agency, TSA "needs to have some level of in-house cybersecurity expertise."

"It is incumbent on TSA to come to the table with an understanding of the unique cybersecurity challenges faced in the sector," Langevin said. "I hope TSA will take the opportunity provided by the Cybersecurity Road Map and the forthcoming implementation plan to reassess what resources, including personnel, it needs to adequately coordinate protection of our pipelines, rail networks, and other surface transportation infrastructure."

Bob Kolasky, director of the National Risk Management Center at CISA, said the center's work defining national critical functions throughout the United States is expected to be finalized in April, and it has already flagged pipeline security as one area requiring higher prioritization from the federal government. He said his organization works with TSA to plan and implement validated architecture design reviews for pipeline networks and systems and that both groups rely on each other for specialized knowledge.

We're "having [both groups] work together to plan the assessment and then go out and do that collectively, so the teams that are doing the assessments are our experts on the assessments and control systems and business processes related to cyber and they're the experts on pipelines," Kolasky said.

Some lawmakers would rather shift responsibility for pipeline security out of TSA. Sens. John Cornyn (R-Texas) and Martin Heinrich (D-N.M.) are co-sponsoring a bill that would give the Department of Energy ultimate responsibility for pipelines.