Printed from

TSA hasn’t fully addressed pipeline cybersecurity issues: GAO

Posted On: Jul. 28, 2021 2:07 PM CST


The Transportation Security Administration has failed to fully address two key pipeline cybersecurity-related weaknesses, a U.S. Government Accountability Office official said in testimony before a Senate committee Tuesday.

These are incomplete information for pipeline security risk assessments and aged protocols for responding to pipeline security incidents, Leslie V. Gordon, acting director of Homeland Security and Justice, said in a statement before the Senate Committee on Commerce, Science and Transportation.

When asked to respond, the TSA, which is part of the Department of Homeland Security, referred to written testimony submitted to the same Senate committee by TSA Administrator David P. Pekoske, who discussed the administration’s efforts in this area.

The GAO’s statement said TSA’s risk assessment did not include information consistent with critical infrastructure risk mitigation, such as information on natural hazards and cybersecurity risks.

The GAO has recommended TSA develop data sources relevant to pipeline threats, vulnerabilities and consequences of disruptions, but as of June, it had not fully addressed this recommendation, the statement said.

With respect to pipeline security incidents, the statement said TSA has not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity.

The GAO has recommended the TSA periodically review and update the 2010 plan, and while TSA has begun taking action on the issue, it had not fully addressed it as of June 2021, the statement said.

Mr. Pekoske described the TSA’s pipeline security efforts during his testimony.  He said that following the Colonial Pipeline incident the TSA issued a directive that requires pipeline owners and operators to designate a cybersecurity coordinator.

The TSA also issued a directive that requires critical pipeline owners and operators to implement specific mitigation measures to protect against ransomware attacks, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.