Pipeline Security:

TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes

GAO-10-867: Published: Aug 4, 2010. Publicly Released: Sep 1, 2010.

Additional Materials:

Contact:

Stephen M. Lord
(202) 512-4379
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The United States depends on avast network of pipelines to transport energy. GAO was asked to review the Transportation Security Administration's (TSA) efforts to help ensure pipeline security. This report addresses the extent to which TSA's Pipeline Security Division (PSD) has (1) assessed risk and prioritized efforts to help strengthen pipeline security, (2) implemented agency guidance and requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) regarding pipeline security, and (3) measured its performance in strengthening pipeline security. GAO reviewed PSD's risk assessment process and performance measures and observed 14 PSD reviews and inspections scheduled during the period of GAO's review. Although these observations are not generalizable, they provided GAO an understanding of how PSD conducts reviews and inspections.

PSD identified the 100 most critical pipeline systems and developed a pipeline risk assessment model based on threat, vulnerability, and consequence, but could improve the model's consequence component and better prioritize its efforts. The consequence component takes into account the economic impact of a possible pipeline attack, but not other possible impacts such as public health and safety, as called for in the Department of Homeland Security's (DHS) risk management guidance. PSD plans to improve its model by adding more vulnerability and consequence data, but has no time frames for doing so. Establishing a plan with time frames, as called for by standard management practices, could help PSD enhance the data in, and use of, its risk assessment model. Also, PSD procedures call for scheduling Corporate Security Reviews (CSR)--assessments of pipeline operators' security planning--based primarilyon a pipeline system's risk, but GAO's analysis of CSR data suggests a system's risk was not the primary consideration. Documenting a methodology for scheduling CSRs that includes how to balance risk with other factors could help PSD ensure it prioritizes its oversight of systems at the highest risk. PSD has taken actions to implement agency guidance that outlines voluntary actions for pipeline operators and 9/11 Commission Act requirements for pipeline security, but lacks a system for following up on its security recommendations to pipeline operators. PSD established CSR and Critical Facility Inspection (CFI) Programs in 2003 and 2008, respectively, and has completed CSRs of the 100 most at-risk systems, started conducting second CSRs, and completed 224 of 373 one-time CFIs. Both programs result in recommendations, but PSD does not generally send CSR recommendations to operators in writing or follow up to ensure that CSR and CFI recommendations were implemented. Standard project management practices call for plans that define approaches and start dates and Standards for Internal Control in the Federal Government calls for monitoring to ensure review findings are resolved. Developing a plan for how and when PSD will begin transmitting CSR recommendations to operators, and following up on CSR and CFI recommendations could better inform PSD of the state of pipeline security and whether operators have addressed vulnerabilities. PSD has taken steps to gauge its progress in strengthening pipeline security, but its ability to measure improvements is limited. In its pipeline security strategy, PSD does not include performance measures or link them to objectives, which GAO previously identified as desirable in security strategies. In addition, PSD developed performance measures, including one outcome measure to gauge its efforts to help operators reduce vulnerabilities identified in CSRs. However, the outcome measure does not link to all three of PSD's objectives and provides limited information on improvements in areas such as physical security. According to DHS risk management guidance, outcome measures should link to objectives. Including measures linked to objectives in its strategy and developing more outcome measures directly linked to all of its objectives could help PSD improve accountability and assess improvements. GAO recommends that TSA, among other things, establish time frames for improving risk model data, document its method for scheduling reviews, develop a plan for transmitting recommendations to operators, follow up on its recommendations, include performance measures linked to objectives in its pipeline strategy, and develop more outcome measures. DHS concurred with the recommendations and discussed planned actions, but not all will fully address the recommendations, as discussed in the report.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In August 2010, we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division's (PSD) ability to measure improvements in pipeline security was limited because it had not developed outcome measures that enabled it to fully assess improvements related to pipeline security as a whole or evaluate one of its pipeline security objectives--to increase the level of resiliency and robustness of pipeline systems. As such, we recommended that PSD develop additional outcome measures. In August 2012, PSD issued an addendum to the 2010 Pipeline Modal Annex, which included additional outcome measures that were linked to Pipeline Modal objectives. For example, PSD tracks the percentage of critical facilities of the top 100 pipeline systems that have had vulnerability assessments and links this to its goal of reducing the level of risk through implementation of security programs. PSD has begun to track progress towards its objectives on a quarterly basis. These actions are consistent with our recommendation.

    Recommendation: To improve aspects of the PSD's efforts to help ensure pipeline security, and to better evaluate PSD's performance in helping strengthen the security of hazardous liquid and natural gas pipelines and improvements in pipeline security, the Assistant Secretary for the Transportation Security Administration should develop additional outcome measures that are directly linked to sector goals and modal objectives and track progress towards its stated pipeline security objectives.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

  2. Status: Closed - Implemented

    Comments: In August 2010, we reviewed and reported on TSA's efforts to help strengthen pipeline security. We found that the 2007 Pipeline Modal Annex to the Transportation Sector-Specific Plan--TSA's national strategy for pipeline systems--contained goals and objectives, but it did not incorporate the performance measures that TSA's Pipeline Security Division (PSD) used to evaluate the effectiveness of its security programs and activities. Therefore, we recommended that PSD revise future updates to the annex to incorporate performance measures for assessing PSD and pipeline industry progress and link those measures to pipeline security objectives. The 2010 Pipeline Modal Annex had already been drafted and submitted to the Department of Homeland Security in August 2010--the time when our report was issued--therefore PSD could not provide an update that included incorporating performance measures linked to pipeline security objectives. However, in August 2012, PSD issued an addendum to the 2010 Pipeline Modal Annex, which incorporated performance measures, and stated it would include the same performance measures in the 2014 Pipeline Modal Annex. These actions are consistent with our recommendation.

    Recommendation: To improve aspects of the PSD's efforts to help ensure pipeline security, and to better achieve the security strategy laid out in the Pipeline Modal Annex--the national security strategy for pipeline systems--to the extent feasible, the Assistant Secretary for the Transportation Security Administration should revise future updates of the annex to incorporate performance measures for assessing PSD and pipeline industry progress and link those measures to pipeline security objectives.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

  3. Status: Closed - Implemented

    Comments: In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) did not have a database of the recommendations it makes to operators as a result of its Critical Facility Inspections (CFI) nor a process for following up on those recommendations. Therefore, we recommended that it establish such a database and develop a process for following up with operators on the implementation of those recommendations. As a result of our recommendation, DHS reported in October 2010 that a database had been developed to contain all the recommendations made on CFI visits as well as a process for following up on those recommendations. In addition, PSD's May 2011 revision of its Management Plan for Inspection of the Critical Facilities of the Top 100 U.S. Pipeline Systems itemized the CFI process to include populating the database with the recommendations made at each facility and established a follow up process. PSD has begun to populate the database with its recommendations. Its management plan also calls for PSD to send a letter to the operator requesting the status of action(s) taken on CFI recommendations approximately 12 months after an inspection, and notes that a follow-up visit to the facility in lieu of or in addition to the letter may also be conducted. These actions are consistent with our recommendation.

    Recommendation: To improve aspects of the PSD's efforts to help ensure pipeline security and to help PSD maximize its CSR and CFI efforts and keep its knowledge of the security posture of the pipeline industry current, the Assistant Secretary for the Transportation Security Administration should establish a database of CFI recommendations and develop a process for following up on the implementation of those recommendations.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

  4. Status: Closed - Implemented

    Comments: In August 2010, we reviewed and reported on TSA's efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) did not have a database of the recommendations it makes to pipeline operators as a result of its Corporate Security Reviews (CSR) nor a process for following up on those recommendations. Therefore, we recommended that it establish such a database and follow up with the pipeline operators so it knows if its recommendations are being implemented and whether the state of pipeline security is improving. PSD developed a process for following up on its recommendations. Its May 2011 revision to its CSR Standard Operating Procedure states that CSR recommendations are to be entered into a CSR database for recording, tracking, and follow up with operators and further states that operators will be contacted about 12 months after the CSR to follow up with a written query regarding the status of actions taken to address the recommendations. In June 2011, PSD had begun developing and testing a CSR database. PSD completed putting CSR data into the database in March 2012. These actions are consistent with our recommendation.

    Recommendation: To improve aspects of the PSD's efforts to help ensure pipeline security and to help PSD maximize its CSR and CFI efforts and keep its knowledge of the security posture of the pipeline industry current, the Assistant Secretary for the Transportation Security Administration should establish a database of CSR recommendations and develop a process for following up on the implementation of those recommendations.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

  5. Status: Closed - Implemented

    Comments: In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that after each Corporate Security Review (CSR) that TSA's Pipeline Security Division (PSD) conducts, officials document review findings and the recommendations they make in an internal report and provide oral recommendations aimed at enhancing that operator's security planning and preparedness to the pipeline operator's security personnel and sometimes management. However, PSD does not communicate these recommendations to the operator in writing as a matter of practice. Therefore, we recommended that PSD develop a plan for how and when it intends to begin transmitting CSR recommendations in writing to pipeline operators. As a result of our recommendation, DHS reported in October 2010 that PSD had started sharing the CSR reports, including recommendations, with operators for those CSRs conducted in and after March 2010, and its May 2011 revision of its CSR Standard Operating Procedure (SOP) reflects the process for sharing written reports and recommendations with pipeline operators. These actions are consistent with our recommendation.

    Recommendation: To improve aspects of the PSD's efforts to help ensure pipeline security and to help PSD maximize its CSR and CFI efforts and keep its knowledge of the security posture of the pipeline industry current, the Assistant Secretary for the Transportation Security Administration should develop a plan that includes a defined approach and time frame for how and when PSD intends to begin transmitting CSR recommendations in writing to pipeline operators.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

  6. Status: Closed - Implemented

    Comments: In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) did not use a pipeline system's risk ranking as the primary consideration when scheduling Corporate Security Reviews (CSR) and Critical Facility Inspections (CFI). We recommended that PSD document a methodology for scheduling CSRs and CFIs that considers a pipeline system's risk ranking as the primary scheduling criteria and to balance that with other practical considerations. As a result, PSD revised its CSR Standard Operating Procedures, as documented in a copy dated May 20, 2011, to state that the primary criteria for scheduling CSR visits is the pipeline system's relative risk (i.e. risk ranking), although other factors and considerations, such as operator availability and geographic location will also play a role. In addition, PSD revised its Management Plan for the Inspection of Critical Facilities of the Top 100 U.S. Pipeline Systems to state that CFIs will be scheduled based primarily on a pipeline system's relative risk ranking and that other practical considerations will also be taken into account. These actions are consistent with our recommendation.

    Recommendation: To improve aspects of the PSD's efforts to help ensure pipeline security and to ensure that PSD is managing risk effectively, the Assistant Secretary for the Transportation Security Administration should document a methodology for scheduling Corporate Security Reviews (CSR) and Critical Facility Inspections (CFI) that considers a pipeline system's risk ranking as the primary scheduling criteria and balances it with other practical considerations.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

  7. Status: Closed - Implemented

    Comments: In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) developed a pipeline risk assessment model that assessed risk as a function of threat, vulnerability, and consequence. However, the consequence component of PSD's model is incomplete since it accounts for economic impact but not the impact on public health and safety. As a result, we recommended that PSD develop a plan for improving the risk model by, for example, adding more data to the consequence component. In response, DHS reported in October 2010 that PSD had added risk factors for High Consequence Areas and Highly Populated Areas to the consequence component and added a critical facility count to the vulnerability component of its model. As of May 2011, PSD had added such information to its pipeline risk assessment tool. These actions are consistent with our recommendation.

    Recommendation: To improve aspects of the Pipeline Security Division's (PSD) efforts to help ensure pipeline security and to ensure that PSD is managing risk effectively, the Assistant Secretary for the Transportation Security Administration should develop a plan with time frames and milestones for improving the data in the pipeline risk assessment model by, for example, adding more data to the consequence component.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

  8. Status: Closed - Implemented

    Comments: In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that baseline data TSA's Pipeline Security Division (PSD) used to measure improvements in reducing pipeline security vulnerabilities--the vulnerability gap--that relied on early (prior to mid-July 2004) Corporate Security Review (CSR) scores were reconstructed and might not be reliable. As such, we recommended that PSD establish reliable baseline data and refrain from using unreliable data in reporting on progress in closing the vulnerability gap. As a result of our recommendation, DHS reported in October 2010 that PSD had discontinued the use of reconstructed baseline data for all metric reporting. Further, PSD reported that as of May 24, 2011, all reconstructed Corporate Security Review data (the reliability of which we questioned in our report) will have been completely superseded with new CSR data, and this change was reflected in the Pipeline Relative Risk Ranking Tool. PSD provided a May 2011 risk ranking tool, which showed it was no longer using reconstructed baseline data. PSD's actions are consistent with our recommendation.

    Recommendation: To improve aspects of the PSD's efforts to help ensure pipeline security, and to help ensure reliable reporting of security improvements in the pipeline industry, the Assistant Secretary for the Transportation Security Administration should establish reliable baseline data and, until that time, refrain from using reconstructed baseline data to report progress in closing the vulnerability gap.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

 

Explore the full database of GAO's Open Recommendations »

Sep 15, 2014

Sep 10, 2014

Sep 9, 2014

Sep 8, 2014

Jul 31, 2014

Jul 29, 2014

Jul 24, 2014

Jul 16, 2014

Jun 27, 2014

Looking for more? Browse all our products here