On December 19, 2018, the Government Accountability Office (GAO) issued a report recommending action to address significant weaknesses in the design and implementation of the US Transportation Security Administration's (TSA) pipeline security program. The GAO's recommendations for remedying the identified weaknesses may foreshadow increased attention to both physical security and cybersecurity at critical pipeline facilities.
The GAO found that TSA's voluntary Pipeline Security Guidelines, which were revised in March 2018, were deficient in a number of ways. The GAO determined that TSA could not ensure that the guidelines reflected the latest known standards and best practices because TSA had no process for revising and reviewing the guidelines. Further, the GAO found that, due at least in part to ambiguous definitions in TSA guidelines, 34 of the nation's top 100 critical pipeline systems (determined by volume) avoided TSA scrutiny by identifying no critical facilities.
Regarding implementation, the GAO determined that TSA's risk assessment methodology was likely out of date, as the methodology was last peer reviewed in 2007 and had not been updated since 2014, and that the TSA risk ranking tool did not use current data or align with Department of Homeland Security (DHS) priorities. Moreover, the number of pipeline security reviews varied considerably year over year due to staffing challenges and the lack of a strategic workforce plan. The GAO found that TSA did not track the implementation of past security recommendations and that there were substantial data reliability issues in the information TSA collected, including missing data, inconsistent entry formats, and data entry errors.
Among a number of recommendations, the GAO suggested that TSA establish clearer performance measures with measurable targets to monitor pipeline security. Although it is unclear whether and how TSA will implement the recommendations, a serious effort to address the concerns raised by the GAO may change the security outlook in the pipeline industry, including new security risk assessments by industry members and more regular security reviews by TSA that are aligned to new metrics and that may require new security measures.
DHS estimated that the recommendations from the report would be implemented by November 30, 2019. We will continue to monitor TSA's follow-up for further developments.