Skip to main content

Our Testimony to Congress on Efforts to Secure Oil and Gas Pipelines Against Cyberattacks (video)

Posted on July 28, 2021

In May, Colonial Pipeline Company announced that it was the victim of a ransomware attack that led to temporary disruption in the delivery of gasoline and other petroleum products across much of the southeast U.S. This cyberattack exemplifies the cybersecurity threats to critical infrastructure that we at GAO have reported on and testified about for many years. 

Yesterday, GAO’s Leslie Gordon—an acting director in our Homeland Security and Justice Team—testified before the Senate about steps the federal government has taken to address pipeline security, including since the May attack, and what weaknesses remain. 

View video clips from her testimony and read on to learn more:

Weaknesses in TSA’s efforts

The Transportation Security Administration (TSA) has primary oversight responsibility for the physical security and cybersecurity of pipeline systems. Prior to the cyberattack in May, TSA’s efforts included issuing voluntary security guidelines and performing security reviews of privately owned and operated pipelines.

In 2018 and 2019, we identified some weaknesses in TSA’s oversight and guidance, and made recommendations, most of which TSA addressed. TSA clarified its pipeline security guidelines, improved performance monitoring, assessed staffing needs, and updated guidance on federal roles and responsibilities. However, as of June, TSA had not fully addressed 2 key weaknesses:

  • Incomplete information for pipeline risk assessments. TSA’s risk assessment of pipeline security does not include a broad range of information about cybersecurity risks. We recommended that TSA identify and develop additional data sources relevant to pipeline threats, vulnerabilities, and consequences of disruptions. As of June, TSA had not fully addressed this recommendation.
  • Aged protocols for responding to pipeline security incidents. TSA has not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity. We recommended that TSA periodically review, and update its 2010 plan. TSA has begun taking action in response to this recommendation. For example, TSA completed a review of the plan and determined updates are needed. But it has not fully address our recommendation.

Weaknesses in government-wide efforts

The attack on Colonial Pipeline highlights the urgent need to address long-standing cybersecurity challenges facing the nation. Most systems and networks used today, including those that are part of our  nation’s critical infrastructure, are interconnected with other systems and the internet, and because of this they are vulnerable to cyberattacks.

The federal government must take immediate steps to prevent, more quickly detect, and mitigate the damage of future cyberattacks. In particular, our testimony yesterday highlighted the need for the government to develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. Since 2010, we have made nearly 3700 recommendations to agencies aimed at remedying cybersecurity shortcomings. As of July 2021, more than 950 of those recommendations are not yet implemented. We will continue to assess and report on critical infrastructure cybersecurity protection.


GAO Contacts

Related Products

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.