The recent Colonial Pipeline hack created shortages and panic-buying of gasoline, and also raised questions about federal oversight of critical energy infrastructure.
It may come as a surprise to learn that the Transportation Security Administration, whose officers screen luggage and carry-ons at airport check-in gates, also has responsibility for the cybersecurity of energy pipelines.
“This dates back to the 9/11 era when Congress created TSA,” said Robert Knake, a senior fellow at the Council on Foreign Relations. “They also gave TSA responsibility for pipelines and for surface transportation.”
But the TSA’s pipeline cybersecurity responsibilities were overlooked even within the agency. A 2018 report by the Government Accountability Office found what it labeled “significant weaknesses” in TSA’s management of pipeline security. It noted that there were only six positions focused on the nation’s 2.7 million miles of pipelines.
Knake pointed out that the TSA relies on voluntary compliance from the private pipeline owners. The TSA, he said, doesn’t have the capacity, the staff or the budget for the job. “And so the first thing that needs to happen is the department and the Biden administration need to make the decision that, yes, we’re going to regulate and yes, we’re going to use these existing authorities,” Knake said.
Neil Chatterjee, a commissioner with and former chairman of the Federal Energy Regulatory Commission, has suggested transferring TSA’s pipeline oversight to another agency, such as the Department of Energy.
“My colleagues and I have been warning about the need to really beef up the security of these critical infrastructure assets. And I think this ransomware attack on the Colonial Pipeline is the first sort of real-world illustrative impact of this security concern,” Chatterjee said.
The TSA said it has hired more staff for pipeline oversight. The agency said there are now 34 positions and a $3 million budget. Chatterjee applauds that action but said it’s not enough. “They did beef up their pipeline security operations, but clearly, as evidenced by this incident, there’s more work to be done.”
For instance, Knake said there could be ongoing cyber incidents with other pipelines right now that the public and the government doesn’t know about.
“The most important thing that TSA needs to do is set requirements for pipelines to notify the agency of any new incidents that are occurring,” he said, “and then to have the authority to investigate those incidents.”
Rep. Jim Langevin, D-R.I., is co-sponsor of one of several measures before Congress aimed at strengthening the TSA’s hand in oversight of pipeline security. He worries that an attack on natural gas pipelines or the electric grid in the middle of winter could lead to widespread economic damages and even loss of life.
“This whole incident with Colonial should be a wake-up call to everyone, including regulators and the government and American people, that our critical infrastructure is incredibly vulnerable,” he said.
Chatterjee, the FERC commissioner, agrees. The nation’s adversaries, he said, “now recognize that by going after this critical energy infrastructure, they can really disrupt American life. And that’s something that we have to be cognizant of.”