The Government Accountability Office (GAO) recommended that the Transportation Security Administration (TSA) revise its pipeline security, cybersecurity guidelines, and risk assessment methodology, and build a more robust cybersecurity workforce to enhance its pipeline security program.
TSA has primary oversight and responsibility for the U.S. interstate pipeline system, which GAO said is vulnerable to not just spills and accidents, but also cyberattacks, so having a resilient and sound pipeline cybersecurity framework is critical.
“Given that many pipelines transport volatile, flammable, or toxic oil and liquids, and given the potential consequences of a successful physical or cyber-attack, pipeline systems are attractive targets for terrorists, hackers, foreign nations, criminal groups, and others with malicious intent,” GAO said.
Although GAO found TSA had previously incorporated the National Institute of Standards and Technology (NIST) Cybersecurity Framework in its Pipeline Security Guidelines, NIST updated its framework in April 2018, and when TSA released its revised guidelines in March 2018 it did not incorporate elements of the latest NIST framework.
GAO recommended that TSA adopt the new NIST framework components, and on April 30 TSA submitted its procedures for following the recommendation to GAO for review.
GAO also found that TSA's level of cybersecurity expertise is insufficient. Six of the 10 pipeline operators and three of the five industry representatives GAO interviewed said the level of cyber expertise among TSA staff and contractors challenges TSA's ability to fully assess the cybersecurity parts of its security reviews. TSA also had not established a workforce plan to help mitigate the workforce and expertise barriers to bolstering cybersecurity.
“We found that TSA had not established a workforce plan for its Security Policy and Industry Engagement or its Pipeline Security Branch that identified staffing needs and skill sets as the required level of cybersecurity expertise among TSA staff and contractors,” GAO said.
GAO said that TSA should develop a strategic workforce plan to meet the goals set for its Pipeline Security Branch, as well as the knowledge, skills, and abilities – particularly in cybersecurity – that it needs to properly enforce security rules.