In May, Colonial Pipeline Company announced that it was the victim of a ransomware attack that led to temporary disruption in the delivery of gasoline and other petroleum products across much of the southeast U.S. This cyberattack exemplifies the cybersecurity threats to critical infrastructure that we at GAO have reported on and testified about for many years.
Yesterday, GAO’s Leslie Gordon—an acting director in our Homeland Security and Justice Team—testified before the Senate about steps the federal government has taken to address pipeline security, including since the May attack, and what weaknesses remain.
View video clips from her testimony and read on to learn more:
Weaknesses in TSA’s efforts
The Transportation Security Administration (TSA) has primary oversight responsibility for the physical security and cybersecurity of pipeline systems. Prior to the cyberattack in May, TSA’s efforts included issuing voluntary security guidelines and performing security reviews of privately owned and operated pipelines.
In 2018 and 2019, we identified some weaknesses in TSA’s oversight and guidance, and made recommendations, most of which TSA addressed. TSA clarified its pipeline security guidelines, improved performance monitoring, assessed staffing needs, and updated guidance on federal roles and responsibilities. However, as of June, TSA had not fully addressed 2 key weaknesses:
- Incomplete information for pipeline risk assessments. TSA’s risk assessment of pipeline security does not include a broad range of information about cybersecurity risks. We recommended that TSA identify and develop additional data sources relevant to pipeline threats, vulnerabilities, and consequences of disruptions. As of June, TSA had not fully addressed this recommendation.
- Aged protocols for responding to pipeline security incidents. TSA has not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity. We recommended that TSA periodically review, and update its 2010 plan. TSA has begun taking action in response to this recommendation. For example, TSA completed a review of the plan and determined updates are needed. But it has not fully address our recommendation.
Weaknesses in government-wide efforts
The attack on Colonial Pipeline highlights the urgent need to address long-standing cybersecurity challenges facing the nation. Most systems and networks used today, including those that are part of our nation’s critical infrastructure, are interconnected with other systems and the internet, and because of this they are vulnerable to cyberattacks.
The federal government must take immediate steps to prevent, more quickly detect, and mitigate the damage of future cyberattacks. In particular, our testimony yesterday highlighted the need for the government to develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. Since 2010, we have made nearly 3700 recommendations to agencies aimed at remedying cybersecurity shortcomings. As of July 2021, more than 950 of those recommendations are not yet implemented. We will continue to assess and report on critical infrastructure cybersecurity protection.
- Comments on GAO’s WatchBlog? Contact email@example.com.