Skip to main content

Critical Infrastructure Protection: Key Pipeline Security Documents Need to Reflect Current Operating Environment

GAO-19-426 Published: Jun 05, 2019. Publicly Released: Jun 05, 2019.
Jump To:

Fast Facts

More than 2.7 million miles of pipeline transport the natural gas, oil, and other hazardous liquids the nation needs. The Departments of Homeland Security and Transportation share responsibility for safeguarding these pipelines along with pipeline operators.

In 2010, DHS's Transportation Security Administration issued a plan to coordinate pipeline security incident responses among government agencies and with the private sector.

However, TSA has not updated this plan since its issuance, so it doesn't fully reflect developments in key areas, such as cybersecurity.

We recommended that TSA periodically review and update this plan.

Hazardous Liquid and Natural Gas Transmission Pipelines in the United States, September 2018

Map showing the pipelines

Map showing the pipelines

Skip to Highlights

Highlights

What GAO Found

The memorandum of understanding (MOU) Annex signed by the Transportation Security Administration (TSA) and Pipeline and Hazardous Materials Safety Administration (PHMSA) in 2006 delineates their mutually agreed-upon roles and responsibilities for pipeline security, but has not been reviewed to consider pipeline security developments since its inception. As a result, the annex may not fully reflect the agencies' pipeline security and safety-related activities. Efforts to update the annex were delayed by other priorities. As of June 2019, there are no timeframes for completion. By developing and implementing timeframes for reviewing the MOU Annex and updating it, as appropriate, TSA and PHMSA could better ensure any future changes to their respective roles and responsibilities are clearly delineated and updated on a regular basis.

TSA's Pipeline Security and Incident Recovery Protocol Plan, issued in March 2010, defines the roles and responsibilities of federal agencies and the private sector, among others, related to pipeline security incidents. For example, in response to a pipeline incident, TSA coordinates information sharing between federal and pipeline stakeholders and PHMSA coordinates federal activities with an affected pipeline operator to restore service. However, TSA has not revised the plan to reflect changes in at least three key areas: pipeline security threats, such as those related to cybersecurity, incident management policies, and DHS's terrorism alert system. By periodically reviewing and, as appropriate, updating its plan, TSA could better ensure it addresses changes in pipeline security threats and federal law and policy related to cybersecurity, incident management and DHS's terrorism alert system, among other things. TSA could also provide greater assurance that pipeline stakeholders understand federal roles and responsibilities related to pipeline incidents, including cyber incidents, and that response efforts to such incidents are well-coordinated.

Map of Hazardous Liquid and Natural Gas Transmission Pipelines in the United States, September 2018

U:\Work in Process\Teams\FY19 Reports\HSJ\103229\Graphics\HL_5 - 103229.tif

Why GAO Did This Study

More than 2.7 million miles of pipeline transport natural gas, oil, and other hazardous liquids needed to operate vehicles and heat homes, among other things, in the United States.

Responsibility for safeguarding these pipelines is shared by TSA, within the Department of Homeland Security (DHS); PHMSA, within the Department of Transportation (DOT); and pipeline operators. TSA oversees the security of all transportation modes, including pipelines. PHMSA oversees pipeline safety. DHS and DOT signed a MOU on their roles across all transportation modes in 2004. In 2006, TSA and PHMSA signed an annex to the MOU (MOU Annex) to further delineate their pipeline security-related responsibilities.

The TSA Modernization Act includes a provision for GAO to review DHS and DOT roles and responsibilities for pipeline security. This report addresses, among other things: (1) the extent the MOU Annex delineates TSA's and PHMSA's pipeline security roles and responsibilities; and (2) the extent TSA has communicated federal incident response procedures for pipeline breaches to stakeholders. GAO reviewed the MOU annex and related documents and TSA's Pipeline Security and Incident Recovery Protocol Plan, and interviewed officials from PHMSA, TSA, and four pipeline associations.

Recommendations

GAO is making five recommendations, including that: (1) TSA and PHMSA develop and implement a timeline for reviewing and, as appropriate, updating the 2006 MOU Annex; and (2) TSA periodically review, and as appropriate, update its 2010 pipeline incident recovery plan. DHS and DOT concurred with these recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Transportation Security Administration The TSA Administrator should work with the PHMSA Administrator to develop and implement a timeline with milestone dates for reviewing and, as appropriate, updating the 2006 MOU Annex. (Recommendation 1)
Closed – Implemented
In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.
Pipeline and Hazardous Materials Safety Administration The PHMSA Administrator should work with the TSA Administrator to develop and implement a timeline with milestone dates for reviewing and, as appropriate, updating, the 2006 MOU Annex. (Recommendation 2)
Closed – Implemented
In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.
Transportation Security Administration The TSA Administrator, in consultation with the PHMSA Administrator should revise the 2006 MOU Annex to include a provision requiring periodic reviews of, and as appropriate, corresponding updates to the Annex.(Recommendation 3)
Closed – Implemented
In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.
Pipeline and Hazardous Materials Safety Administration The PHMSA Administrator, in consultation with the TSA Administrator should revise the 2006 MOU Annex to include a provision requiring periodic reviews of, and as appropriate, corresponding updates to the Annex.(Recommendation 4)
Closed – Implemented
In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.
Transportation Security Administration The TSA Administrator should periodically review, and as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation's pipeline systems. (Recommendation 5)
Open – Partially Addressed
As of September 2024, TSA officials reported that they completed a review of the Pipeline Security Incident Recovery Protocol Plan and determined that updates are needed. According to the officials, the Protocol Plan is being revised to bring it into conformity with several national level policy documents, such as the National Response Framework, the National Cybersecurity Incident Response Plan, and the National Terrorism Advisory System. The officials stated that they anticipate completion of the updated Protocol Plan by end of July 2025. Once the updated Protocol Plan is completed, we will review it and determine whether it includes relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to pipeline security, as called for in our recommendation.

Full Report

GAO Contacts

Topics

Critical infrastructureCritical infrastructure protectionCybersecurityHazardous materialsNatural gasPipeline operationsPipeline operatorPipeline safetyPipeline systemsSafetyTransportation securityNatural gas pipelines