December 5, 2021

News

News Network

Critical Infrastructure Protection: TSA Is Taking Steps to Address Some Pipeline Security Program Weaknesses

19 min read
<div>What GAO Found Protecting the nation's pipeline systems from security threats is a responsibility shared by both the Transportation Security Administration (TSA) and private industry stakeholders. Prior to issuing a cybersecurity directive in May 2021, TSA's efforts included issuing voluntary security guidelines and security reviews of privately owned and operated pipelines. GAO reports in 2018 and 2019 identified some weaknesses in the agency's oversight and guidance, and made 15 recommendations to address these weaknesses. TSA concurred with GAO's recommendations and has addressed most of them, such as clarifying portions of its Pipeline Security Guidelines improving its monitoring of security review performance, and assessing staffing needs. As of June 2021, TSA had not fully addressed two pipeline cybersecurity-related weaknesses that GAO previously identified. These weaknesses correspond to three of the 15 recommendations from GAO's 2018 and 2019 reports. Incomplete information for pipeline risk assessments. GAO identified factors that likely limit the usefulness of TSA's risk assessment methodology for prioritizing pipeline security reviews. For example, TSA's risk assessment did not include information consistent with critical infrastructure risk mitigation, such as information on natural hazards and cybersecurity risks. GAO recommended that TSA develop data sources relevant to pipeline threats, vulnerabilities, and consequences of disruptions. As of June 2021, TSA had not fully addressed this recommendation. Aged protocols for responding to pipeline security incidents. GAO reported in June 2019 that TSA had not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity. GAO recommended that TSA periodically review, and update its 2010 plan. TSA has begun taking action in response to this recommendation, but has not fully addressed it, as of June 2021. TSA's May 2021 cybersecurity directive requires that certain pipeline owner/operators assess whether their current operations are consistent with TSA's Guidelines on cybersecurity, identify any gaps and remediation measures, and report the results to TSA and others. TSA's July 2021 cybersecurity directive mandates that certain pipeline owner/operators implement cybersecurity mitigation measures; develop a Cybersecurity Contingency Response Plan in the event of an incident; and undergo an annual cybersecurity architecture design review, among other things. These recent security directives are important requirements for pipeline owner/operators because TSA's Guidelines do not include key mitigation strategies for owner/operators to reference when reviewing their cyber assets. TSA officials told GAO that a timely update to address current cyber threats is appropriate and that they anticipate updating the Guidelines over the next year. Why GAO Did This Study The nation's pipelines are vulnerable to cyber-based attacks due to increased reliance on computerized systems. In May 2021 malicious cyber actors deployed ransomware against Colonial Pipeline's business systems. The company subsequently disconnected certain systems that monitor and control physical pipeline functions so that they would not be compromised. This statement discusses TSA's actions to address previous GAO findings related to weaknesses in its pipeline security program and TSA's guidance to pipeline owner/operators. It is based on prior GAO products issued in December 2018, June 2019, and March 2021, along with updates on actions TSA has taken to address GAO's recommendations as of June 2021. To conduct the prior work, GAO analyzed TSA documents; interviewed TSA officials, industry association representatives, and a sample of pipeline operators selected based on type of commodity transported and other factors; and observed TSA security reviews. GAO also reviewed TSA's May and July 2021 Pipeline Security Directives, TSA's Pipeline Security Guidelines, and three federal security alerts issued in July 2020, May 2021, and June 2021.</div>

What GAO Found

Protecting the nation’s pipeline systems from security threats is a responsibility shared by both the Transportation Security Administration (TSA) and private industry stakeholders. Prior to issuing a cybersecurity directive in May 2021, TSA’s efforts included issuing voluntary security guidelines and security reviews of privately owned and operated pipelines. GAO reports in 2018 and 2019 identified some weaknesses in the agency’s oversight and guidance, and made 15 recommendations to address these weaknesses. TSA concurred with GAO’s recommendations and has addressed most of them, such as clarifying portions of its Pipeline Security Guidelines improving its monitoring of security review performance, and assessing staffing needs.

As of June 2021, TSA had not fully addressed two pipeline cybersecurity-related weaknesses that GAO previously identified. These weaknesses correspond to three of the 15 recommendations from GAO’s 2018 and 2019 reports.

  • Incomplete information for pipeline risk assessments. GAO identified factors that likely limit the usefulness of TSA’s risk assessment methodology for prioritizing pipeline security reviews. For example, TSA’s risk assessment did not include information consistent with critical infrastructure risk mitigation, such as information on natural hazards and cybersecurity risks. GAO recommended that TSA develop data sources relevant to pipeline threats, vulnerabilities, and consequences of disruptions. As of June 2021, TSA had not fully addressed this recommendation.
  • Aged protocols for responding to pipeline security incidents. GAO reported in June 2019 that TSA had not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity. GAO recommended that TSA periodically review, and update its 2010 plan. TSA has begun taking action in response to this recommendation, but has not fully addressed it, as of June 2021.

TSA’s May 2021 cybersecurity directive requires that certain pipeline owner/operators assess whether their current operations are consistent with TSA’s Guidelines on cybersecurity, identify any gaps and remediation measures, and report the results to TSA and others. TSA’s July 2021 cybersecurity directive mandates that certain pipeline owner/operators implement cybersecurity mitigation measures; develop a Cybersecurity Contingency Response Plan in the event of an incident; and undergo an annual cybersecurity architecture design review, among other things. These recent security directives are important requirements for pipeline owner/operators because TSA’s Guidelines do not include key mitigation strategies for owner/operators to reference when reviewing their cyber assets. TSA officials told GAO that a timely update to address current cyber threats is appropriate and that they anticipate updating the Guidelines over the next year.

Why GAO Did This Study

The nation’s pipelines are vulnerable to cyber-based attacks due to increased reliance on computerized systems. In May 2021 malicious cyber actors deployed ransomware against Colonial Pipeline’s business systems. The company subsequently disconnected certain systems that monitor and control physical pipeline functions so that they would not be compromised.

This statement discusses TSA’s actions to address previous GAO findings related to weaknesses in its pipeline security program and TSA’s guidance to pipeline owner/operators. It is based on prior GAO products issued in December 2018, June 2019, and March 2021, along with updates on actions TSA has taken to address GAO’s recommendations as of June 2021. To conduct the prior work, GAO analyzed TSA documents; interviewed TSA officials, industry association representatives, and a sample of pipeline operators selected based on type of commodity transported and other factors; and observed TSA security reviews. GAO also reviewed TSA’s May and July 2021 Pipeline Security Directives, TSA’s Pipeline Security Guidelines, and three federal security alerts issued in July 2020, May 2021, and June 2021.

More from:

News Network

  • Travel of Special Envoy for Sudan and South Sudan
    In Crime Control and Security News
    Office of the [Read More…]
  • Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
    In Crime News
    Fourteen members of the transnational criminal organization, QQAAZZ, were charged by a federal grand jury in the Western District of Pennsylvania in an indictment unsealed today.  A related indictment unsealed in October 2019 charged five members of QQAAZZ.  One additional conspirator, a Russian national, was arrested by criminal complaint in late March 2020 while visiting the United States, bringing the total number of charged defendants to 20.  Acting Assistant Attorney General Brian C. Rabbitt of the U.S. Department of Justice’s Criminal Division and U.S. Attorney Scott W. Brady for the Western District of Pennsylvania, made the announcement today.
    [Read More…]
  • Opioid Use Disorder: Treatment with Injectable and Implantable Buprenorphine
    In U.S GAO News
    Of the medications used to treat opioid use disorder (OUD), only buprenorphine is both a controlled substance and available as an injection or implant. Buprenorphine is used to treat patients with OUD because it reduces or eliminates opioid withdrawal symptoms and blunts the euphoria or dangerous side effects of other opioids, such as heroin. When used to treat OUD, buprenorphine, in any form, is subject to additional laws and regulations that are overseen by the Drug Enforcement Administration (DEA), within the Department of Justice (DOJ) and the Substance Abuse and Mental Health Services Administration (SAMHSA), within the Department of Health and Human Services (HHS). To ensure patient safety when injectable and implantable buprenorphine is used, the Food and Drug Administration (FDA), within HHS has also required drug companies to establish risk evaluation and mitigation strategies to help ensure the benefits of these medications outweigh their risks. Providers and pharmacies must follow a number of specific steps based on federal requirements when providing treatment with injectable and implantable buprenorphine. Providers are responsible for prescribing, storing, and administering injectable and implantable buprenorphine, while pharmacies are responsible for dispensing these medications (see figure). Representatives GAO interviewed from provider groups and pharmacies said they did not find the steps involved in treating patients to be difficult overall. However, they stated that careful and timely coordination with each other and patients is needed at key steps of the process to ensure that the patient receives treatment. Representatives from provider groups and pharmacies reported that the risk of diversion of injectable and implantable buprenorphine is low. For example, all of the provider groups GAO spoke with said that diversion of injectable or implantable buprenorphine is unlikely, and representatives from three of the six provider groups said that the design of these formulations reduces opportunities for diversion due to how they are administered. Process for Treating Opioid Use Disorder with Injectable and Implantable Buprenorphine The use of injectable and implantable buprenorphine to treat OUD is relatively low compared to oral forms of buprenorphine. HHS has reported that about 7,250 prescriptions were issued for injectable and implantable buprenorphine in fiscal year 2019, compared to over 700,000 patients who received buprenorphine prescriptions for oral formulations to treat OUD or pain in that year. In 2018, SAMHSA estimated that about one-quarter of the estimated 2 million people with OUD had received some form of substance use treatment in the prior year. One form of treatment—medication-assisted treatment (MAT)— combines behavioral therapy with the use of certain medications. HHS has identified expanding access to treatment for OUD as an important strategy for reducing opioid morbidity and mortality, which includes increasing the number of injectable and implantable buprenorphine prescriptions. Congress included a provision in the SUPPORT Act for GAO to review access to and the potential for the diversion of controlled substances administered by injection or implantation. This report focuses on injectable and implantable controlled substances that can be used to treat OUD and specifically, describes the process for treating OUD with injectable and implantable buprenorphine and what is known about their use. GAO reviewed laws, regulations, and documentation from DEA, FDA, and SAMHSA governing the process of providing treatment with buprenorphine and interviewed officials from those agencies. GAO also interviewed representatives from stakeholder groups representing MAT providers; drug companies that manufacture injectable or implantable buprenorphine; and pharmacies that dispense these medications. HHS and DOJ reviewed a draft of this report, and GAO incorporated their technical comments, as appropriate. For more information, contact James Cosgrove at (202) 512-7114 or cosgrovej@gao.gov.
    [Read More…]
  • Final Defendants Sentenced in Federal Dog Fighting Case
    In Crime News
    The last four of 12 defendants convicted on federal dog fighting charges were sentenced today in Albany, Georgia, by the U.S. District Court for the Middle District of Georgia. Collectively, the court sentenced the defendants to a total of 272 months in prison.
    [Read More…]
  • Secretary Antony J. Blinken at OECD Opening and Keynote Address
    In Crime Control and Security News
    Antony J. Blinken, [Read More…]
  • Embassy Construction: State Department Has Implemented Management Reforms, but Challenges Remain
    In U.S GAO News
    Since the 1998 bombings of two U.S. embassies in Africa, the State Department has done much to improve physical security at overseas posts. However, most overseas diplomatic office facilities still do not meet the security standards State developed to protect these sites from terrorist attacks and other dangers. To correct this problem, State in 1999 embarked on an estimated $21 billion embassy construction program. The program's key objective is to provide secure, safe, and functional compounds for employees overseas--in most cases by building replacement facilities. In 2001, State's Bureau of Overseas Buildings Operations (OBO)--which manages the program--began instituting reforms in its structure and operations to meet the challenges of the embassy construction program. This report discusses (1) OBO's mechanisms for more effectively managing the embassy construction program and (2) the status of and challenges facing the program. We received comments from State, which said that the report is a fair and accurate representation overall of the Department's overseas construction process.OBO in 2001 began instituting organizational and management reforms designed to cut costs, put in place standard designs and review processes, and reduce the construction period for new embassies and consulates. OBO now has mechanisms to more effectively manage the embassy construction program, including (1) an annual Long-Range Overseas Buildings Plan to guide the planning and execution of the program over a 6-year period; (2) monthly project reviews at headquarters; (3) an Industry Advisory Panel for input on current best practices in the construction industry; (4) expanded outreach to contractors in an effort to increase the number of bidders; (5) ongoing work to standardize and streamline the planning, design, and construction processes, including initiation of design-build contract delivery and a standard embassy design for most projects; (6) additional training for OBO headquarters and field staff; and (7) advance identification and acquisition of sites. State's program to replace about 185 vulnerable embassies and consulates is in its early stages, but the pace of initiating and completing new construction projects has increased significantly over the past two fiscal years. As of September 30, 2003, State had started construction of 22 projects to replace facilities at risk of terrorist or other attacks. Overall, 16 projects have encountered challenges that have led or, if not overcome, could ultimately lead to extensions in the completion date or cost increases in the construction contract. According to OBO, project delays have occurred because of such factors as changes in project design and security requirements; difficulties hiring appropriate American and local labor with the necessary clearances and skills; differing site conditions; and unforeseen events such as civil unrest. In addition, the U.S. government has had problems coordinating funding for projects that include buildings for the U.S. Agency for International Development. None of the projects started since OBO instituted its reforms has been completed; thus GAO believes it is too early to assess the effectiveness of the reforms in ensuring that new embassy and consulate compounds are built within the approved project budget and on time.
    [Read More…]
  • Secretary Blinken’s Meeting with French Ambassador Etienne
    In Crime Control and Security News
    Office of the [Read More…]
  • United States to Host Global Fund’s Seventh Replenishment Conference
    In Crime Control and Security News
    Antony J. Blinken, [Read More…]
  • Texas Man Pleads Guilty to Federal Charges for Fraudulently Obtaining Over $1.6 Million in Paycheck Protection Program Loans
    In Crime News
    A Texas man pleaded guilty today in the Southern District of Texas to fraudulently obtaining more than $1.6 million in Paycheck Protection Program (PPP) loans guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief and Economic Security (CARES) Act.
    [Read More…]
  • Sri Lanka National Day
    In Crime Control and Security News
    Antony J. Blinken, [Read More…]
  • Missing or Murdered Indigenous Women: New Efforts Are Underway but Opportunities Exist to Improve the Federal Response
    In U.S GAO News
    What GAO Found The total number of missing or murdered Indigenous women—referred to as American Indian and Alaska Native (AI/AN) women in this report— is unknown because, for several reasons, federal databases do not contain comprehensive national data on all AI/AN women reported missing. For example, federal law requires federal, state, and local law enforcement agencies—but not tribal law enforcement agencies—to report missing children under the age of 21, but not those over 21. In addition, instances of missing AI/AN women may be underreported due to mistrust of law enforcement and other reasons. Implementation of data-related requirements in two laws, enacted in October 2020, present opportunities to increase and improve data on the number of missing or murdered Indians, including AI/AN women. For example, Savanna's Act requires tribal consultations on how to improve tribal data relevance and access to databases. The Department of Justice (DOJ) has taken some steps to analyze data in federal databases related to cases of missing or murdered AI/AN women, including publishing more detailed single-year statistics in 2020 on missing persons by race, gender, and age. However, data analyses efforts are in the early stages, and DOJ does not have a plan to continue these efforts past November 2021. Developing such a plan could provide DOJ and other stakeholders with information to better understand the nature of the missing or murdered AI/AN crisis and identify emerging trends. Artist Installation of Red Dresses to Depict the Disappearances and Deaths of Indigenous Women, the National Museum of the American Indian, 2019 Relevant DOJ and Department of the Interior (DOI) law enforcement agencies that investigate cases of missing or murdered Indian women in Indian country have engaged in other efforts to address the crisis, but they have not implemented certain requirements to increase intergovernmental coordination and data collection in the two 2020 laws, which remain unfulfilled past their statutory deadlines. For example, the Not Invisible Act of 2019 requires the Secretary of the Interior, in coordination with the Attorney General, to appoint members to a Joint Commission on Reducing Violence Against Indians by February 7, 2021, but as of October 15, 2021, no members have been appointed, and a draft plan to meet this requirement does not include milestones for all interim steps. Developing plans to meet this and other unfulfilled statutory requirements would provide more assurance that DOJ and DOI will meet their legal responsibilities, and support tribal partners in reducing violent crime. Why GAO Did This Study According to researchers, AI/AN women in the U.S. experience higher rates of violence than most other women, and tribal and federal officials have stated that this incidence of violence constitutes a crisis. Various federal officials and tribal stakeholders have raised concerns about challenges with cross-jurisdictional cooperation and a lack of comprehensive national data on cases. GAO was asked to review the federal response to the missing or murdered AI/AN women crisis. This report examines the extent to which (1) the number of missing or murdered AI/AN women in the U.S. is known and (2) DOJ and DOI have taken steps to address the crisis. GAO reviewed available data on missing persons and violent deaths, relevant reports, and agency documentation, including agency policies and procedures. Using agency data—which were determined to be reliable for location selection—and qualitative factors, GAO selected seven locations to interview federal, state, local, and tribal law enforcement officials; tribal officials; and nongovernmental victim service providers on the federal response to the crisis.
    [Read More…]
  • Syndemics and the Commitment to Quitting Equitably
    In Human Health, Resources and Services
    May 27, 2021 By: Leith [Read More…]
  • U.S.-Greenland Technical Engagement on Mining Sector Education and Training
    In Crime Control and Security News
    Office of the [Read More…]
  • Priority Open Recommendations: U.S. Agency for International Development
    In U.S GAO News
    What GAO Found In April 2020, GAO identified three priority recommendations for the U.S. Agency for International Development (USAID). Since then, USAID has implemented all three of those recommendations by taking actions to improve management and oversight of international food assistance projects, project performance data collection, and reform efforts. In May 2021, GAO identified three additional priority recommendations for USAID, bringing the total number to three. These recommendations involve the following areas: Complying with Equal Employment Opportunity requirements Improving financial information USAID's continued attention to these issues could lead to significant improvements in government operations. Why GAO Did This Study Priority open recommendations are the GAO recommendations that warrant priority attention from heads of key departments or agencies because their implementation could save large amounts of money; improve congressional and/or executive branch decision-making on major issues; eliminate mismanagement, fraud, and abuse; or ensure that programs comply with laws and funds are legally spent, among other benefits. Since 2015 GAO has sent letters to selected agencies to highlight the importance of implementing such recommendations. For more information, contact Thomas Melito at (202) 512-9601 or melitot@gao.gov.
    [Read More…]
  • Two Georgia Correctional Officers Indicted for Civil Rights and Related Offenses for Assaulting Inmates
    In Crime News
    A federal grand jury in Macon, Georgia, returned a 4-count indictment against former supervisory correctional officer Sergeant Patrick Sharpe, 29, and former correctional officer Jamal Scott, 33, of the Valdosta State Prison (VSP) for their roles in using excessive force against inmates incarcerated at the facility.
    [Read More…]
  • Six Individuals in Hawaii Charged with Conspiring to Defraud the IRS and Other Fraud Offenses
    In Crime News
    Three individuals were arrested this week in the District of Hawaii on conspiracy to defraud the IRS and other fraud charges.
    [Read More…]
  • 2020 Wiretap Report: Intercepts and Convictions Decrease
    In U.S Courts
    Federal and state courts reported a combined 26 percent decrease in authorized wiretaps in 2020, compared with 2019, according to the Judiciary’s 2020 Wiretap Report. Convictions in cases involving electronic surveillance also decreased.
    [Read More…]
  • Visit of Special Envoy for the Horn of Africa Jeffrey Feltman to Sudan
    In Crime Control and Security News
    Office of the [Read More…]
  • North Carolina Man Sentenced to 36 Months in Federal Prison for Preparing False Tax Returns
    In Crime News
    Gene Hersholt Williamson II, was sentenced yesterday to 36 months in prison for aiding and assisting in the preparation of a false tax return and ordered to pay $637,000 in restitution, announced Principal Deputy Assistant Attorney General Richard E. Zuckerman of the Justice Department’s Tax Division.
    [Read More…]
  • Former Army Green Beret Pleads Guilty to Russian Espionage Conspiracy
    In Crime News
     A former Army Green Beret pleaded guilty today to conspiring with Russian intelligence operatives to provide them with United States national defense information.
    [Read More…]

Crime

Network News © 2005 Area.Control.Network™ All rights reserved.