Pipelines: Securing the Veins of the American Economy

Statement of Paul W. Parfomak Specialist in Energy and Infrastructure Policy Before Committee on Homeland Security Subcommittee on Transportation Security U.S. House of Representatives Hearing on “Pipelines: Securing the Veins of the American Economy” April 19, 2016 Congressional Research Service https://crsreports.congress.gov TE10009 Congressional Research Service 1 Good morning Chairman Katko, Ranking Member Rice, and members of the subcommittee. My name is Paul Parfomak, Specialist in Energy and Infrastructure Policy at the Congressional Research Service (CRS). CRS appreciates the opportunity to testify here today about the evolution of and current federal role in pipeline security. Please note that, in accordance with our enabling statutes, CRS does not advocate policy or take a position on any related legislation. Introduction Nearly three million miles of pipeline transporting natural gas, oil, and other hazardous liquids crisscross the United States. While an efficient and comparatively safe means of transport, these pipelines carry materials with the potential to cause public injury, destruction of property, and environmental damage. The nation’s pipeline network is also widespread, running alternately through remote and densely populated regions. Pipelines are operated by increasingly sophisticated computer systems which manage their product flows and provide continuous information on their status. Due to their scale, physical exposure, and reliance on computer controls, pipelines are vulnerable to accidents, operating errors, and malicious attacks. Congress has had long-standing concern about the security of the nation’s pipeline network. Beginning with the Aviation and Transportation Security Act of 2001 (P.L. 107-71), which established the Transportation Security Administration, and continuing through the PIPES Act of 2006 (P.L. 109-468) and the Implementing Recommendations of the 9/11 Commission Act of 2007 (P.L. 110-53), Congress has enacted specific statutory provisions to help secure pipelines. Likewise, successive presidential administrations have promulgated executive orders establishing a federal framework for the security of pipelines, among other critical infrastructure. The 114th Congress is overseeing the implementation of the federal pipeline security program and considering new legislation related to the nation’s pipeline systems. In particular, the SAFE PIPES Act (S. 2776), which reauthorizes the federal pipeline safety program, would also mandate a report to Congress on the staffing, resource allocation, oversight strategy, and management of the federal pipeline security program (§20). Physical Threats to Pipeline Security Pipelines are vulnerable to intentional attacks using firearms, explosives, or other physical means. Oil and gas pipelines, globally, have been a favored target of terrorists, militant groups, and organized crime. For example, in 1996, London police foiled a plot by the Irish Republican Army to bomb gas pipelines and other utilities across the city.1 In Colombia, rebels have bombed the Caño Limón oil pipeline and other pipelines hundreds of times since 1993, most recently last March.2 Likewise, militants in Nigeria have repeatedly attacked oil pipelines, including coordinated bombings of three pipelines in 2007 and the sophisticated bombing of an underwater pipeline in 2016.3 A rebel group detonated bombs along Mexican oil and natural gas pipelines in July and September 2007.4 Natural gas pipelines in British Columbia, Canada, were bombed six times between October 2008 and July 2009 by unknown perpetrators in acts President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures, Washington, DC, October 1997. 2 Luis Jaime Acosta, “Colombia's Caño Limón Pipeline Suspended After Rebel Attacks,” Reuters, March 14, 2016; Government Accountability Office (GAO), Security Assistance: Efforts to Secure Colombia’s Caño Limón-Coveñas Oil Pipeline Have Reduced Attacks, but Challenges Remain, GAO-05-971, September 2005. 3 Maggie Fick and Anjil Raval, “Bombed Pipeline to Hit Nigeria Oil Output,” Financial Times, March 8, 2016; Katherine Houreld, “Militants Say 3 Nigeria Pipelines Bombed,” Associated Press, May 8, 2007. 4 Reed Johnson, “Six Pipelines Blown Up in Mexico,” Los Angeles Times, September 11, 2007. p. A-3. 1 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 2 classified by authorities as environmentally motivated “domestic terrorism.”5 In 2009, the Washington Post reported that over $1 billion of crude oil had been stolen directly from Mexican pipelines by organized criminals and drug cartels.6 Pipelines in the United States have also been targeted by terrorists and other malicious individuals. In 1999, Vancouver police arrested a man planning to bomb the Trans Alaska Pipeline System (TAPS) for personal profit in oil futures.7 In 2005 a U.S. citizen sought to conspire with Al Qaeda to attack TAPS and a major natural gas pipeline in the eastern United States.8 In 2006 federal authorities acknowledged the discovery of a detailed posting on a website purportedly linked to Al Qaeda that reportedly encouraged attacks on U.S. pipelines, especially TAPS, using weapons or hidden explosives.9 In 2007, the U.S. Department of Justice arrested members of a terrorist group planning to attack jet fuel pipelines and storage tanks at the John F. Kennedy International Airport.10 In 2011, a man planted a bomb, which did not detonate, along a natural gas pipeline in Oklahoma.11 In 2012, a man who reportedly had been corresponding with “Unabomber” Ted Kaczynski unsuccessfully bombed a natural gas pipeline in Plano, Texas.12 To date, there have been no successful bombings of U.S. pipelines, but the threat of physical attacks remains credible. Cyber Threats to Pipelines Although physical attacks on pipelines have been a focus in North America and elsewhere, the sophisticated computer systems used to operate pipeline systems are also vulnerable to cyber attacks. Cyber infiltration of supervisory control and data acquisition (SCADA) systems could allow “hackers” to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations via the Internet or other communication pathways. Such an approach reportedly was used to cause the 2008 explosion of the Baku-Tbilisi-Ceyhan oil pipeline in Turkey.13 In March 2012, the Industrial Control Systems Cyber Emergency Response Team housed within the Department of Homeland Security identified an ongoing series of cyber intrusions among U.S. natural gas pipeline operators dating back to December 2011. According to the agency, various pipeline companies described targeted spear-phishing14 attempts and intrusions into multiple natural gas pipeline sector Ben Gelinas, “New Letter Threatens Resumption of ‘Action’ against B.C. Pipelines,” Calgary Herald, April 15, 2010. Steve Fainaru and William Booth, “Mexico’s Drug Cartels Siphon Liquid Gold,” Washington Post, December 13, 2009. 7 David S. Cloud, “A Former Green Beret’s Plot to Make Millions Through Terrorism,” Ottawa Citizen, December 24, 1999, p. E15. 8 U.S. Attorney’s Office, Middle District of Pennsylvania, “Man Convicted of Attempting to Provide Material Support to AlQaeda Sentenced to 30 Years’ Imprisonment,” Press release, November 6, 2007; A. Lubrano and J. Shiffman, “Pa. Man Accused of Terrorist Plot,” Philadelphia Inquirer, February 12, 2006, p. A1. 9 Wesley Loy, “Web Post Urges Jihadists to Attack Alaska Pipeline,” Anchorage Daily News, January 19, 2006. 10 U.S. Department of Justice, “Four Individuals Charged in Plot to Bomb John F. Kennedy International Airport,” press release, June 2, 2007. 11 U.S. Attorney’s Office, “Konawa Man Sentenced for Attempting to Destroy or Damage Property Using an Explosive,” press release, December 5, 2012. 12 Valerie Wigglesworth, “Plano Blast Suspect Corresponded with Unabomber,” Dallas Morning News, June 29, 2014; U.S. Attorney’s Office, “Plano Man Guilty in Pipeline Bombing Incident,” press release, June 3, 2013. 13 Jordan Robertson and Michael Riley, “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar,” Bloomberg, December 10, 2014 14 “Spear-phishing” involves sending official-looking e-mails to specific individuals to insert harmful software programs (malware) into protected computer systems; to gain unauthorized access to proprietary business information; or to access confidential data such as passwords, social security numbers, and private account numbers. 5 6 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 3 organizations “positively identified … as related to a single campaign.”15 In 2011, computer security company McAfee reported similar “coordinated covert and targeted” cyber attacks originating primarily in China against global energy companies. The attacks began in 2009 and involved spear-phishing, exploitation of Microsoft software vulnerabilities, and the use of remote administration tools to collect sensitive competitive information about oil and gas fields.16 In 2010, the Stuxnet computer worm was first identified as a threat to industrial control systems. Although the Stuxnet software initially spreads indiscriminately, the software includes a highly specialized industrial process component targeting specific industrial SCADA systems built by the Siemens company.17 The increased vulnerability of pipeline SCADA systems due to their modernization, taken together with the emergence of SCADAspecific malicious software and the recent cyber attacks, suggests that cybersecurity threats to pipelines have been increasing. Potential Consequences of Pipeline Releases Although there have been no intentional releases from U.S. pipelines due to bombing or cyber attacks, accidental releases may illustrate the potential consequences of a successful attack. Pipeline accidents in the United States, on the whole, cause few fatalities compared to other product transportation modes, but such accidents have been catastrophic in several cases. For example, a 1999 gasoline pipeline accident in Bellingham, WA, killed three people and caused $45 million in damage to a city water plant and other property.18 In 2000, a natural gas pipeline accident near Carlsbad, NM, killed 12 campers.19 A 2010 natural gas pipeline explosion in San Bruno, CA, killed 8 people, injured 60 others, and destroyed 37 homes.20 A 2010 pipeline spill released 819,000 gallons of crude oil into a tributary of the Kalamazoo River near Marshall, MI.21 A 2014 natural gas distribution pipeline explosion in New York City killed eight people, injured 50 others, destroyed two five-story buildings, and caused the temporary closure of a transit line due to debris.22 Such accidents demonstrate the potential risk to human life, property, and the environment. Disruption of service from these pipelines also caused economic and operational impacts among the pipelines’ customers. Such accidents have generated substantial scrutiny of pipeline regulation and increased state and community activity related to pipeline safety and security.23 Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), “Gas Pipeline Cyber Intrusion Campaign,” ICSCERT Monthly Monitor, April 2012, p.1, http://www.us-cert.gov/control_systems/pdf/ICSCERT_Monthly_Monitor_Apr2012.pdf. 16 McAfee Foundstone Professional Services and McAfee Labs, Global Energy Cyberattacks:“Night Dragon,” white paper, February 10, 2011, p. 3, http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf. 17 Tobias Walk, “Cyber-attack Protection for Pipeline SCADA Systems,” Pipelines International Digest, January 2012, p. 7. 18 National Transportation Safety Board, Pipeline Rupture and Subsequent Fire in Bellingham, Washington June 10, 1999, NTSB/PAR-02/02, October 8, 2002. 19 National Transportation Safety Board, Natural Gas Pipeline Rupture and Fire Near Carlsbad, New Mexico August 19, 2000, NTSB/PAR-03-01, February 11, 2003. 20 National Transportation Safety Board, Pacific Gas and Electric Company Natural Gas Transmission Pipeline Rupture and Fire, San Bruno, California, September 9, 2010, NTSB/PAR-11/01, August 30, 2011. 21 National Transportation Safety Board, Enbridge, Inc. Hazardous Liquid Pipeline Rupture, Board meeting summary, July 25, 2010, http://www.ntsb.gov/news/events/2012/marshall_mi/index.html. 22 National Transportation Safety Board, Natural Gas-Fueled Building Explosion and Resulting Fire New York City, New York March 12, 2014, NTSB/PAR-15/01, June 9, 2015. 23 See, for example: Jim Lynch and Jonathan Oosting, “Opposition Grows to Straits of Mackinac Oil Lines,” Detroit News, April 13, 2016; Bellingham Herald Editorial Board, “Citizens Need Panel To Monitor Pipeline Safety,” Bellingham Herald (WA), Januray 24, 2010; Janet Zink, “Fueling the Resistance,” St. Petersburg Times, December 16, 2007; J. Nesmith and R. K. M. Haurwitz, “Pipelines: The Invisible Danger,” Austin American-Statesman, July 22, 2001. 15 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 4 The Federal Role in Pipeline Security Federal pipeline security efforts originated in the pipeline safety program. The Natural Gas Pipeline Safety Act of 1968 (P.L. 90-481) and the Hazardous Liquid Pipeline Act of 1979 (P.L. 96-129) are two of the principal early acts establishing the federal role in pipeline safety. Under both statutes, the Transportation Secretary is given primary authority to regulate key aspects of interstate pipeline safety: design, construction, operation and maintenance, and spill response planning. At the end of FY2015, the Department of Transportation (DOT) employed 234 pipeline safety staff in its Pipeline and Hazardous Materials Safety Administration (PHMSA).24 In addition to its own staff, PHMSA’s enabling legislation allows the agency to delegate authority to intrastate pipeline safety offices, and allows state offices to act as “agents” administering interstate pipeline safety programs (excluding enforcement) for those sections of interstate pipelines within their boundaries.25 There were approximately 330 full-time equivalent state pipeline safety inspectors in 2015.26 Presidential Decision Directive 63, issued by the Clinton administration in 1998, assigned to the DOT lead responsibility for pipeline security as well as safety.27 Under this authority, after the terrorist attacks of September 11, 2001, the DOT conducted a vulnerability assessment to identify critical pipeline facilities and worked with industry groups and state pipeline safety organizations to assess the industry’s readiness to prepare for, withstand, and respond to a terrorist attack.28 Together with the Department of Energy and state pipeline agencies, the DOT promoted the development of consensus standards for security measures29 tiered to correspond with the five levels of threat warnings issued by the Office of Homeland Security.30 The DOT also developed protocols for inspections of critical facilities to ensure that operators implemented appropriate security practices. To convey emergency information and warnings, the DOT established a variety of communication links to key staff at the most critical pipeline facilities throughout the country. The DOT also began identifying near-term technology to enhance deterrence, detection, response, and recovery, and began seeking to advance public and private sector planning for response and recovery.31 In September 2002, the DOT circulated formal guidance developed in cooperation with the pipeline industry associations defining the agency’s security program recommendations and implementation expectations. This guidance recommended that operators identify critical facilities, develop security plans consistent with prior trade association security guidance, implement these plans, and review them annually.32 While the guidance was voluntary, the DOT expected compliance and informed operators of 24 Artealia Gilliard, PHMSA, personal communication, September 18, 2015. Employees as of September 18, 2015. 49 U.S.C. 60107. 26 Artealia Gilliard, September 9, 2015. 27 Presidential Decision Directive 63, Protecting the Nation’s Critical Infrastructures, May 22, 1998. 28 Research and Special Programs Administration (RSPA), RSPA Pipeline Security Preparedness, December 2001. 29 See: American Petroleum Institute and National Petrochemical and Refiners Association, Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, March 2002; Interstate Natural Gas Association of America (INGAA) and American Gas Association (AGA), Security Guidelines for the Natural Gas Industry, September 2002. 30 Ellen Engleman, Administrator, Research and Special Programs Administration (RSPA), statement before the Subcommittee on Energy and Air Quality, House Energy and Commerce Committee, March 19, 2002. 31 Ellen Engleman, Administrator, Research and Special Programs Administration (RSPA), statement before the Subcommittee on Highways and Transit, House Transportation and Infrastructure Committee, February 13, 2002. 32 James K. O’Steen, Research and Special Programs Administration (RSPA), Implementation of RSPA Security Guidance, presentation to the National Association of Regulatory Utility Commissioners, February 25, 2003. 25 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 5 its intent to begin reviewing security programs within 12 months, potentially as part of more comprehensive safety inspections.33 Transferring Pipeline Security to TSA In November 2001, President Bush signed the Aviation and Transportation Security Act (P.L. 107-71) establishing the Transportation Security Administration (TSA) within the DOT. According to TSA, the act placed the DOT’s pipeline security authority (under PDD-63) within TSA. The act specified for TSA a range of duties and powers related to general transportation security, such as intelligence management, threat assessment, mitigation, and security measure oversight and enforcement, among others. On November 25, 2002, President Bush signed the Homeland Security Act of 2002 (P.L. 107-296) creating the Department of Homeland Security (DHS). Among other provisions, the act transferred to DHS the Transportation Security Administration from the DOT (§403). On December 17, 2003, President Bush issued Homeland Security Presidential Directive 7 (HSPD-7), clarifying executive agency responsibilities for identifying, prioritizing, and protecting critical infrastructure.34 HSPD-7 maintains DHS as the lead agency for pipeline security (par. 15), and instructs the DOT to “collaborate in regulating the transportation of hazardous materials by all modes (including pipelines)” (par. 22h). The order requires that DHS and other federal agencies collaborate with “appropriate private sector entities” in sharing information and protecting critical infrastructure (par. 25). TSA joined both the Energy Government Coordinating Council and the Transportation Government Coordinating Council under provisions in HSPD-7. The missions of the councils are to work with their industry counterparts to coordinate critical infrastructure protection programs in the energy and transportation sectors, respectively, and to facilitate the sharing of security information. HSPD-7 also required DHS to develop a national plan for critical infrastructure and key resources protection (par. 27), which the agency issued in 2006 as the National Infrastructure Protection Plan (NIPP). The NIPP, in turn, required each critical infrastructure sector to develop a Sector Specific Plan (SSP) that describes strategies to protect its critical infrastructure, outlines a coordinated approach to strengthen its security efforts, and determines appropriate funding for these activities. Executive Order 13416 further required the transportation sector SSP to prepare annexes for each mode of surface transportation.35 In accordance with the above requirements the TSA issued its Transportation Systems Sector Specific Plan and Pipeline Modal Annex in 2007 with an update on 2010. TSA’s Pipeline Security Activities Although the TSA has regulatory authority for pipeline security under P.L. 107-71 and P.L. 110-53, its activities to date have relied upon voluntary industry compliance with the agency’s security guidance and best practice recommendations.36 TSA has administered a multifaceted program to facilitate these efforts. In 2003, TSA initiated its ongoing Corporate Security Review (CSR) program, wherein the agency visits the largest pipeline and natural gas distribution operators to review their security plans and inspect their facilities. During the reviews, TSA evaluates whether each company is following the intent of the DOT’s voluntary security guidance, as updated by TSA, and seeks to maintain the list of assets each company has identified meeting the criteria established for critical facilities. In 2008, the TSA initiated its Critical James K. O’Steen, Office of Pipeline Safety (OPS), personal communication, June 10, 2003. HSPD-7 supersedes PDD-63 (par. 37). 35 Executive Order 13416, “Strengthening Surface Transportation Security,” December 5, 2006. 36 Transportation Security Administration, Pipeline Security Guidelines, April 2011, and Pipeline Security Smart Practice Observations, September 19, 2011. 33 34 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 6 Facility Inspection Program (CFI), under which the agency conducted in-depth inspections of all the critical facilities of the 125 largest pipeline systems in the United States. The agency estimated that these 125 pipeline systems collectively included approximately 600 distinct critical facilities.37 TSA concluded the initial round of CFI inspections in 2011, having completed a total of 347 site visits throughout the United States.38 Over the last decade, TSA has engaged in a number of additional pipeline security initiatives, including:          Developing a statistical tool used for relative risk ranking and prioritization, Completing a security incident and recovery protocol plan mandated under P.L. 110-53, Initiating a program to address risks from pipeline transportation of hazardous materials other than oil and natural gas, Assessing U.S. and Canadian security and planning for critical cross-border pipelines, Convening international pipeline security forums for U.S. and Canadian governments and pipeline industry officials, Facilitating pipeline security drills and exercises including those under the Intermodal Security Training Exercise Program (I-STEP), Developing pipeline security awareness training materials, Convening periodic information-sharing conference calls between key pipeline security stakeholders, and Participating in Sector Coordinating Councils and Joint Sector Committees.39 In addition to these activities, TSA has also conducted regional supply studies for key natural gas markets, has conducted training on cyber security awareness, has participated in pipeline blast mitigation studies, and has joined in “G-8” multinational security assessment and planning.40 Pipeline Cyber Security Initiatives Pipeline cyber security is an element of several federal initiatives within DHS.41 For example, TSA has included a number of general cybersecurity provisions in its industry security guidance42 and has encouraged industry compliance with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.43 TSA has also employed the Department of Homeland Security, “Extension of Agency Information Collection Activity Under OMB Review: Critical Facility Information of the Top 100 Most Critical Pipelines,” 76 Federal Register 62818, October 11, 2011. 38 Jack Fox, General Manager, Pipeline Security Division, Transportation Security Administration, personal communication, February 24, 2012. 39 Jack Fox, Pipeline Industry Engagement Manager, TSA, Pipeline Security: An Overview of TSA Programs, slide presentation, May 5, 2014; Transportation Security Administration, Transportation Systems Sector-Specific Plan, 2010, p. 326. 40 Transportation Security Administration, Pipeline Modal Annex, June 2007, pp. 10-11. G8 = Group of Eight (the United States, the United Kingdom, Canada, France, Germany, Italy, Japan, and Russia). 41 The Interstate Natural Gas Association of America (INGAA), a trade association for gas pipeline companies, maintains its own extensive cyber security guidelines for natural gas pipeline control systems: INGAA, Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry, Washington, DC, January 31, 2011. Likewise, the American Petroleum Institute (API), a trade association within the oil industry, maintains a standard for oil pipeline control system security: API, Pipeline SCADA Security, Second Edition, API Std. 1164, Washington, DC, June 2009. 42 For example, TSA’s guidance advises operators to “conduct a risk assessment to weigh the benefits of implementing wireless networking against the potential risks for exploitation.” TSA, April 2011, p. 18. 43 Jack Fox, Pipeline Industry Engagement Manager, TSA, personal communication, October 29, 2015. See: National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014, 37 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 7 Cybersecurity Assessment and Risk Management Approach (CARMA) in collaborating with key stakeholders to identify pipeline industry value chains, critical functions, and supporting cyber infrastructure.44 The agency has also coordinated with DHS and the Department of Energy to harmonize existing cybersecurity risk management programs. Pipelines are also included in DHS’s multi-modal cybersecurity initiatives, such as its Industrial Control Systems Cyber Emergency Response Team (ICSCERT).45 The TSA also has established a public/private partnership-based cybersecurity program supporting the National Infrastructure Protection Plan. Pipeline operators have participated in DHSsponsored control systems cybersecurity training and also participate in the DHS Industrial Control Systems Joint Working Group.46 Outside DHS, the Department of Energy operates the National SCADA Test Bed Program, a partnership with Idaho National Laboratory, Sandia National Laboratories, and other national laboratories which addresses control system security challenges in the energy sector. Among its key functions, the program performs control systems testing, research and development; control systems requirements development; and industry outreach.47 Sandia Laboratories also performs authorized defensive cybersecurity assessments for government, military, and commercial customers through its Information Design Assurance Red Team (IDART) program.48 The Relationship Between DOT and TSA Since TSA was established, Congress has had a continuing interest in the appropriate division of pipeline security authority between the DOT and TSA.49 Both the DOT and TSA have played important roles in the federal pipeline security program, with TSA the designated lead agency since 2002. In 2004, the DOT and DHS entered into a memorandum of understanding (MOU) concerning their respective security roles in all modes of transportation. The MOU notes that DHS has the primary responsibility for transportation security with support from the DOT, and establishes a general framework for cooperation and coordination. On August 9, 2006, the departments signed an annex “to delineate clear lines of authority and responsibility and promote communications, efficiency, and nonduplication of effort through cooperation and collaboration between the parties in the area of transportation security.”50 In January 2007, DOT officials testified before Congress that the agency had established a joint working group with TSA “to improve interagency coordination on transportation security and safety matters, and to develop and advance plans for improving transportation security,” presumably including pipeline security.51 According to TSA, the working group developed a multi-year action plan specifically http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf. 44 Jack Fox, May 5, 2014. 45 Department of Homeland Security, “Industrial Control Systems Cyber Emergency Response Team (ICS-CERT),” web page, April 13, 2106, https://ics-cert.us-cert.gov/. 46 Department of Homeland Security, “Industrial Control Systems Joint Working Group (ICSJWG),” web page, April 13, 2016, https://ics-cert.us-cert.gov/Industrial-Control-Systems-Joint-Working-Group-ICSJWG. 47 U.S. Department of Energy, “National SCADA Test Bed,” web page, August 13, 2016, http://energy.gov/oe/technologydevelopment/energy-delivery-systems-cybersecurity/national-scada-test-bed. 48 Sandia National Laboratories, “The Information Design Assurance Red Team (IDART),” web page, August 13, 2016, http://www.idart.sandia.gov/. 49 For example, see Hon. William J. Pascrell, Jr., statement at the House Committee on Transportation and Infrastructure, Subcommittee on Highways, Transit and Pipelines, hearing on Pipeline Safety, March 16, 2006. 50 Transportation Security Administration and Pipelines and Hazardous Materials Safety Administration, “Transportation Security Administration and Pipelines and Hazardous Materials Safety Administration Cooperation on Pipelines and Hazardous Materials Transportation Security,” August 9, 2006. 51 Barrett, T.J., Administrator, Pipeline and Hazardous Materials Safety Administration (PHMSA), Testimony before the Senate CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 8 delineating roles, responsibilities, resources and actions to execute 11 program elements: identification of critical infrastructure/key resources and risk assessments; strategic planning; developing regulations and guidelines; conducting inspections and enforcement; providing technical support; sharing information during emergencies; communications; stakeholder relations; research and development; legislative matters; and budgeting.52 Nonetheless, a DOT Inspector General (IG) assessment published May 2008 was not satisfied with this plan. The IG report stated that, although the agencies have taken initial steps toward formulating an action plan to implement the provisions of the pipeline security annex ... further actions need to be taken with a sense of urgency because the current situation is far from an “end state” for enhancing the security of the Nation’s pipelines.53 The assessment recommended that the DOT and TSA finalize and execute their security annex action plan, clarify their respective roles, and jointly develop a pipeline security strategy that maximizes the effectiveness of their respective capabilities and efforts.54 According to TSA, working with the DOT “improved drastically” after the release of the IG report; the two agencies began maintaining daily contact, sharing information in a timely manner, and collaborating on security guidelines and incident response planning.55 Key Policy Issues While the federal government has been engaged in various efforts to protect the nation’s oil and natural gas pipelines from deliberate attacks since September 11, 2001, questions remain regarding the structure and effectiveness of these efforts. Three specific issues, in particular, may warrant further congressional consideration: (1) TSA’s pipeline security resources, (2) voluntary versus mandatory security standards, and (3) uncertainty about security risks to the nation’s pipeline network. TSA Pipeline Security Resources Some Members of Congress have been critical in the past of TSA’s level of funding of non-aviation security activities, including pipeline activities. For example, as one Member remarked in 2005, “aviation security has received 90% of TSA’s funds and virtually all of its attention. There is simply not enough being done to address ... pipeline security.”56 At a congressional hearing in 2010, another Member expressed concern that TSA’s pipeline division did not have sufficient staff to carry out a federal pipeline security program on a national scale.57 With respect to pipeline security funding, little may have changed since 2005. The President’s FY2017 budget request for DHS does not include a separate line item for TSA’s pipeline security activities. The budget does request $110.8 million for “Surface Transportation Security,” which encompasses security activities in non-aviation transportation modes, including Committee on Commerce, Science, and Transportation hearing on Federal Efforts for Rail and Surface Transportation Security, January 18, 2007. 52 Transportation Security Administration, Pipeline Security Division, personal communication, July 6, 2007. 53 U.S. Dept. of Transportation, Office of Inspector General, Actions Needed to Enhance Pipeline Security, Pipeline and Hazardous Materials Safety Administration, Report No. AV-2008-053, May 21, 2008, p. 3. 54 Ibid. pp. 5-6. 55 Jack Fox, TSA, Pipeline Security Division, personal communication, February 2, 2010. 56 Sen. Daniel K. Inouye, opening statement before the Senate Committee on Commerce, Science and Transportation, hearing on the President’s FY2006 Budget Request for the Transportation Security Administration (TSA), February 15, 2005. 57 Congressman Gus M. Billirakis, Remarks before the House Committee on Homeland Security, Subcommittee on Management, Investigations, and Oversight hearing on “Unclogging Pipeline Security: Are the Lines of Responsibility Clear?,” Plant City, FL, April 19, 2010. CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 9 pipelines. The budget would fund 761 full-time equivalent (FTE) employees.58 TSA’s pipeline branch has traditionally received from the agency’s general operational budget an allocation for routine operations, travel, and outreach. The budget historically has funded on the order of 10 to 15 FTE staff to carry out the agency’s pipeline security program.59 At its current staffing level, TSA’s pipelines branch has limited field presence for pipeline site visits, and has constrained capabilities for updating standards, interacting in the various stakeholder groups with which it collaborates, analyzing security information, and fulfilling other administrative responsibilities. In conducting a pipeline corporate security review, for example, TSA typically sends one to three staff to hold a three to four hour interview with the operator’s security representatives followed by a visit to only one or two of the operator’s pipeline assets.60 There is concern by some that the agency’s CSRs (as currently structured) may not allow for rigorous security plan verification nor a credible threat of enforcement, so operator compliance with security guidance is uncertain. The limited number of CSR’s the agency can complete in a year has also been a concern to some, even within TSA. According to a 2009 Government Accountability Office report, “TSA’s pipeline division stated that they would like more staff in order to conduct its corporate security reviews more frequently,” in part because other staff responsibilities such as “analyzing secondary or indirect consequences of a terrorist attack and developing strategic risk objectives required much time and effort.”61 TSA’s handful of field inspection staff stands in contrast to the hundreds of pipeline safety inspection staff available to the DOT at the federal and state levels. Furthermore, in the face of an expanding U.S. pipeline network and evolving safety requirements, DOT’s budget authority for pipeline safety has more than doubled over the last 10 years.62 Given this disparity, it may be logical to consider whether DOT’s field staff, who are charged with inspecting the same pipeline systems as TSA, could somehow be deployed to help fulfill the nation’s pipeline security objectives. The question also arises whether having separate inspections of the same pipeline systems for safety and security may be inherently inefficient, or may miss an opportunity for more frequent or thorough examination of pipeline security. Presumably many of the jurisdictional, operational, or administrative issues that were considered in the drafting of the 2004 MOU between DOT and TSA remain unchanged, but new factors—such as the evolving threat environment or greater experience with pipeline company security efforts—could warrant a reconsideration of the relationship between the agencies. Voluntary vs. Mandatory Pipeline Security Standards Federal pipeline security activities to date have relied upon voluntary industry compliance with DOT’s original security guidance, which later became TSA’s security best practices. By initiating this voluntary approach in 2002, DOT sought to speed adoption of security measures by industry and avoid the publication of sensitive security information (e.g., critical asset lists) that would normally be required in public rulemaking.63 However, a key subject of debate is the adequacy of the TSA’s voluntary approach 58 U.S. Office of Management and Budget, Budget of the United States Government, Fiscal Year 2017: Appendix, February 2016, p. 537. 59 Jack Fox, October 29, 2015. 60 Department of Homeland Security, “Intent to Request Approval from OMB of One New Public Collection of Information: Pipeline Corporate Security Review,” 74 Federal Register 42086, August 20, 2009. 61 U.S. Government Accountability Office, Transportation Security: Comprehensive Risk Assessments and Stronger Internal Controls Needed to Help Inform TSA Resource Allocation, GAO-09-492, March 2009, p. 30, http://www.gao.gov/new.items/d09492.pdf. 62 U.S. Office of Management and Budget, Budget of the United States Government, Appendix, Fiscal Years 2006 through 2017, “Pipeline Safety,” Line 1900 “Budget authority (total).” 63 GAO, Pipeline Security and Safety: Improved Workforce Planning and Communication Needed, GAO-02-785, August 2002, CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 10 to pipeline security, generally, and cybersecurity, in particular. For example, provisions in the Pipeline Inspection, Protection, Enforcement, and Safety Act of 2006 (P.L. 109-468) required the DOT Inspector General (IG) to “address the adequacy of security standards for gas and oil pipelines” (§23(b)(4)). The 2008 IG’s report stated that TSA’s current security guidance is not mandatory and remains unenforceable unless a regulation is issued to require industry compliance.... [DOT] and TSA will need to conduct covert tests of pipeline systems’ vulnerabilities to assess the current guidance as well as the operators’ compliance.64 Although the IG report did not elaborate on this recommendation, covert testing of vulnerabilities would likely include testing of both physical security measures and cybersecurity measures. The latter would be in place to protect pipeline SCADA systems and sensitive operating information such as digital pipeline maps, system design data, and emergency response plans. Consistent with the IG’s recommendation, an April 2011 White House proposal65 and the Cybersecurity Act of 2012 (S. 2105) both would have mandated the promulgation of cybersecurity regulations for pipelines, among other provisions, although these proposals would not necessarily have conferred upon TSA any authority it does not already have to regulate pipeline security. In contrast to the IG’s conclusions and the legislative proposals above, the pipeline industry has consistently expressed concern that security regulations could be “redundant” and “may not be necessary to increase pipeline security.”66 Echoing this sentiment, a DOT official testified in 2007 that enhancing security “does not necessarily mean that we must impose regulatory requirements.”67 TSA officials have similarly questioned the need for new pipeline security regulations, particularly the IG’s call for covert testing of pipeline operator security measures. The TSA has argued in the past that the agency is complying with the letter of P.L. 110-53 and that its pipeline operator security reviews are more than paper reviews.68 TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place at many pipeline companies based on their company-specific security assessments. Because the TSA believes the most critical U.S. pipeline systems generally meet or exceed industry security guidance, the agency asserts that it achieves better security with voluntary guidelines, and maintains a more cooperative and collaborative relationship with its industry partners as well.69 p. 22. 64 U.S. Dept. of Transportation, Office of Inspector General, May 21, 2008, p. 6. 65 The White House, “Legislative Language, Cybersecurity Regulatory Framework for Covered Critical Infrastructure,” April 2011, p. 33, http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/law-enforcement-provisions-related-tocomputer-security-full-bill.pdf. 66 American Gas Association (AGA), American Petroleum Institute (API), Association of Oil Pipe Lines (AOPL), and American Public Gas Association (APGA), joint letter to members of the Senate Commerce Committee providing views on S. 1052, August 22, 2005. 67 T.J. Barrett, Administrator, Pipeline and Hazardous Materials Safety Administration, Department of Transportation, Testimony before the Senate Committee on Commerce, Science, and Transportation hearing on Federal Efforts for Rail and Surface Transportation Security, January 18, 2007. 68 John Sammon, Transportation Security Administration, Testimony before the House Transportation and Infrastructure Committee, Railroad, Pipelines, and Hazardous Materials Subcommittee hearing on Implementation of the Pipeline Inspection, Protection, Enforcement, and Safety Act of 2006, June 24, 2008. 69 John Pistole, Administrator, TSA, testimony before the Senate Committee on Commerce, Science, and Transportation hearing on Transportation Security Administration Oversight: Confronting America's Transportation Security Challenges, April 30, 2014; Jack Fox, General Manager, Pipeline Security Division, TSA, Remarks before the Louisiana Gas Association Pipeline Safety Conference, New Orleans, LA, July 25, 2012. CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 11 The Energy Sector Control Systems Working Group makes related assertions in its Roadmap to Achieve Energy Delivery Systems Cybersecurity about the effectiveness of cybersecurity standards alone: Although standards may elevate cybersecurity across the energy sector, they do so by requiring the implementation of minimum security measures that set a baseline for cybersecurity across an industry. These minimum security levels may not be sufficient to secure the sector against new and quickly evolving risks. Asset owners compliant with standards may still be vulnerable to cyber intrusion.70 Thus, in addition to cybersecurity requirements, pipeline companies may also need appropriate management practices, performance metrics, access to intelligence, and other support measures to maximize the effectiveness of their cybersecurity programs. Although the TSA believes a voluntary approach to pipeline security is most effective, Canadian pipeline regulators have come to a different conclusion. In 2010 the National Energy Board (NEB) of Canada mandated security regulations for jurisdictional Canadian petroleum and natural gas pipelines, some of which are cross-border pipelines entering the United States. Many companies operate pipelines in both countries. In announcing these new regulations, the board stated that it had considered adopting the existing cybersecurity standards “as guidance” rather than an enforceable standard, but “taking into consideration the critical importance of energy infrastructure protection,” the board decided to adopt the standard into the regulations.71 Establishing pipeline security regulations in Canada is not completely analogous to doing so in the United States as the Canadian pipeline system is much smaller and operated by far fewer companies than the U.S. system. Nonetheless, Canada’s choice to regulate pipeline security may raise questions as to why the United States has not. The Federal Energy Regulatory Commission (FERC), which regulates the U.S. bulk electric power system, has also taken a more directive approach to infrastructure security. The Energy Policy Act of 2005 (P.L. 109-58) gave the commission authority to oversee the reliability of the bulk power system, including authority to approve mandatory security standards. FERC approved mandatory Critical Infrastructure Protection cyber security reliability standards in 2008.72 The commission approved mandatory physical security standards in 201473 after a successful physical attack on a high-voltage transformer facility in California. While it differs in important ways from the pipeline system, the bulk power system faces the same threat environment and has many similar security vulnerabilities related to asset exposure and reliance on SCADA systems for network operations. In addition to examining the regulatory motivations of the NEB and FERC, consideration of mandatory pipeline security standards within TSA would have to account for the requirements to implement such standards. Unlike maintaining voluntary standards, developing pipeline security regulations—with provisions for pipeline operations, inspection, reporting, and enforcement—would involve a complex and potentially contentious rulemaking process involving multiple stakeholders. Should Congress choose to mandate the promulgation of such regulations, it is not clear that TSA’s pipeline security division as currently configured would be up to the task. Developing specific cybersecurity regulations may pose a 70 Energy Sector Control Systems Working Group, Roadmap to Achieve Energy Delivery Systems Cybersecurity, September 2011, p. 15. 71 National Energy Board of Canada, Proposed Regulatory Change (PRC) 2010-01, Adoption of CSA Z246.1-09 Security Management for Petroleum and Natural Gas Industry Systems, File Ad-GA-SEC-SecGen 0901, May 3, 2010, p. 1, https://www.neb-one.gc.ca/ll-eng/livelink.exe/fetch/2000/90463/409054/614444/A1S7H7__Proposed_Regulatory_Change_(PRC)_2010-01.pdf?nodeid=614556&vernum=0. 72 Federal Energy Regulatory Commission, Mandatory Reliability Standards for Critical Infrastructure Protection, Docket No. RM06-22-000, Order No. 706, January 18, 2008. 73 Federal Energy Regulatory Commission, Physical Security Reliability Standard, Docket No. RM14-15-000, Order No. 802, Issued November 20, 2014. CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 12 particular challenge as the TSA’s pipeline branch has limited existing capability to do so, although such capabilities may reside elsewhere in DHS. If mandatory standards were to be imposed, there may also be questions as to whether the agency as currently structured would have sufficient resources to implement the new security regulations, conduct rigorous security plan verification, and pose a credible threat of enforcement. Uncertainty About Security Risks A January 2011 federal threat assessment concluded “with high confidence that the terrorist threat to the U.S. pipeline industry is low.”74 However, subsequent events may have increased concerns about pipeline system threats, especially cyber threats. In a 2016 Federal Register notice, TSA stated that it expects pipeline companies will report approximately 30 “security incidents” annually—both physical and cyber.75 The agency has not publicly released a more current pipeline threat assessment. The pipeline industry’s security risk assessments rely upon information about security threats provided by the federal government and by pipeline operators themselves. The quantity, quality and timeliness of this threat information is a key determinant of what pipeline companies need to be protecting against, and what security measures to take. Incomplete or ambiguous threat information—especially from the federal government—may lead to inconsistency in physical and cyber security among pipeline owners, inefficient spending of limited security resources at facilities (e.g., that may not really be under threat), or deployment of security measures against the wrong threat. Concerns about the quality and specificity of federal threat information have long been an issue across all critical infrastructure sectors.76 Threat information continues to be an uncertainty in the case of pipeline network security. There may be agreement among government and industry stakeholders that oil and natural gas pipelines in the United States are vulnerable to attack, and that such attacks potentially could have catastrophic consequences. But the most serious, damaging attacks could require operational information and a certain level of sophistication, especially in the cyber regime, on the part of potential attackers. Consequently, despite the technical arguments, without more specific information about potential targets and attacker capabilities, the true risk of a serious attack on the pipeline system remains an open question. Conclusion The nation’s pipeline network is attractive to malicious actors and vulnerable to both physical and cyberattacks. Based on recent history, a strong federal pipeline security program is clearly necessary; there has been a series of unrelated terrorist plots and attempted attacks on U.S. pipelines since at least the 1990s. Real bombs have been planted, computers systems have been infiltrated, and perpetrators have been imprisoned. Such threats to the pipeline system are likely to continue. Both government and industry have taken numerous steps to improve pipeline security since 2001. On their face, these measures have been expansive and seem to address the full range of activities and priorities Congress intended when it embarked upon a national strategy for protecting critical infrastructure. However, while TSA and industry may be engaged in appropriate pipeline security activities, questions remain as to their level of commitment to those activities and how effective they have been in protecting the pipeline system. TSA’s pipeline staff would account for less than 2% of the agency’s surface transportation security staff under the proposed FY2017 budget, and just over 2% of the 74 Transportation Security Administration, Office of Intelligence, Pipeline Threat Assessment, January 18, 2011, p. 3. 81 Fed. Reg. 37, February 25, 2016, p. 9495. 76 See, for example, Philip Shenon, “Threats and Responses: Domestic Security,” New York Times, June 5, 2003, p. A15. 75 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 13 staff available to DOT under its pipeline safety program. Pipeline company expenditures on security are not generally reported, so their level of financial commitment is unknown. Furthermore, while there have been no publicly reported successful attacks on the U.S. pipeline system since 2001, existing physical security measures did not prevent two attackers from planting the live explosive devices along two different U.S. pipelines in 2011 and 2012 discussed earlier. Their failure to detonate was fortunate. The TSA maintains that its pipeline security program, administered as it is and relying upon voluntary standards, has been effective in protecting U.S. pipelines from physical and cyberattacks. Based on the agency’s corporate security reviews, TSA believes security among major U.S. pipeline systems is good, and pipeline operators agree. However, without formal security plans and reporting requirements, it is difficult for Congress and the general public to know for certain. To a great extent, the public must therefore rely on the pipeline industry’s self-interest to protect itself from malicious threats. Whether this self-interest is sufficient to generate the level of security appropriate for a critical infrastructure sector, and whether imposing mandatory standards would be a better approach, is open to debate. Faced with this uncertainty, legislators must rely upon their own best judgment to reach conclusions about the federal pipeline security program. If Congress concludes that current voluntary measures are insufficient to protect the pipeline system, it may decide to provide specific direction to the TSA to develop regulations and provide additional resources to support them, as such an effort may be beyond the TSA pipeline branch’s existing capabilities. Congress also may assess how the various elements of U.S. pipeline safety and security activity fit together in the nation’s overall strategy to protect critical infrastructure. For example, diverting pipeline resources away from safety to enhance security might further reduce terror risk, but not overall pipeline risk, if safety programs become less effective as a result. Pipeline safety and security necessarily involve many groups: federal and state agencies, oil and gas pipeline associations, large and small pipeline operators, and local communities. Reviewing how these groups work together to achieve common goals could be an oversight challenge for Congress. Disclaimer This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material. CRS TESTIMONY Prepared for Congress ————————————————————————————————— TE10009