Pipeline Security: TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes
Highlights
The United States depends on a vast network of pipelines to transport energy. GAO was asked to review the Transportation Security Administration's (TSA) efforts to help ensure pipeline security. This report addresses the extent to which TSA's Pipeline Security Division (PSD) has (1) assessed risk and prioritized efforts to help strengthen pipeline security, (2) implemented agency guidance and requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) regarding pipeline security, and (3) measured its performance in strengthening pipeline security. GAO reviewed PSD's risk assessment process and performance measures and observed 14 PSD reviews and inspections scheduled during the period of GAO's review. Although these observations are not generalizable, they provided GAO an understanding of how PSD conducts reviews and inspections.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Transportation Security Administration | To improve aspects of the Pipeline Security Division's (PSD) efforts to help ensure pipeline security and to ensure that PSD is managing risk effectively, the Assistant Secretary for the Transportation Security Administration should develop a plan with time frames and milestones for improving the data in the pipeline risk assessment model by, for example, adding more data to the consequence component. | In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) developed a pipeline risk assessment model that assessed risk as a function of threat, vulnerability, and consequence. However, the consequence component of PSD's model is incomplete since it accounts for economic impact but not the impact on public health and safety. As a result, we recommended that PSD develop a plan for improving the risk model by, for example, adding more data to the consequence component. In response, DHS reported in October 2010 that PSD had added risk factors for High Consequence Areas and Highly Populated Areas to the consequence component and added a critical facility count to the vulnerability component of its model. As of May 2011, PSD had added such information to its pipeline risk assessment tool. These actions are consistent with our recommendation. |
Transportation Security Administration | To improve aspects of the PSD's efforts to help ensure pipeline security and to ensure that PSD is managing risk effectively, the Assistant Secretary for the Transportation Security Administration should document a methodology for scheduling Corporate Security Reviews (CSR) and Critical Facility Inspections (CFI) that considers a pipeline system's risk ranking as the primary scheduling criteria and balances it with other practical considerations. | In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) did not use a pipeline system's risk ranking as the primary consideration when scheduling Corporate Security Reviews (CSR) and Critical Facility Inspections (CFI). We recommended that PSD document a methodology for scheduling CSRs and CFIs that considers a pipeline system's risk ranking as the primary scheduling criteria and to balance that with other practical considerations. As a result, PSD revised its CSR Standard Operating Procedures, as documented in a copy dated May 20, 2011, to state that the primary criteria for scheduling CSR visits is the pipeline system's relative risk (i.e. risk ranking), although other factors and considerations, such as operator availability and geographic location will also play a role. In addition, PSD revised its Management Plan for the Inspection of Critical Facilities of the Top 100 U.S. Pipeline Systems to state that CFIs will be scheduled based primarily on a pipeline system's relative risk ranking and that other practical considerations will also be taken into account. These actions are consistent with our recommendation. |
Transportation Security Administration | To improve aspects of the PSD's efforts to help ensure pipeline security and to help PSD maximize its CSR and CFI efforts and keep its knowledge of the security posture of the pipeline industry current, the Assistant Secretary for the Transportation Security Administration should develop a plan that includes a defined approach and time frame for how and when PSD intends to begin transmitting CSR recommendations in writing to pipeline operators. | In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that after each Corporate Security Review (CSR) that TSA's Pipeline Security Division (PSD) conducts, officials document review findings and the recommendations they make in an internal report and provide oral recommendations aimed at enhancing that operator's security planning and preparedness to the pipeline operator's security personnel and sometimes management. However, PSD does not communicate these recommendations to the operator in writing as a matter of practice. Therefore, we recommended that PSD develop a plan for how and when it intends to begin transmitting CSR recommendations in writing to pipeline operators. As a result of our recommendation, DHS reported in October 2010 that PSD had started sharing the CSR reports, including recommendations, with operators for those CSRs conducted in and after March 2010, and its May 2011 revision of its CSR Standard Operating Procedure (SOP) reflects the process for sharing written reports and recommendations with pipeline operators. These actions are consistent with our recommendation. |
Transportation Security Administration | To improve aspects of the PSD's efforts to help ensure pipeline security and to help PSD maximize its CSR and CFI efforts and keep its knowledge of the security posture of the pipeline industry current, the Assistant Secretary for the Transportation Security Administration should establish a database of CSR recommendations and develop a process for following up on the implementation of those recommendations. | In August 2010, we reviewed and reported on TSA's efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) did not have a database of the recommendations it makes to pipeline operators as a result of its Corporate Security Reviews (CSR) nor a process for following up on those recommendations. Therefore, we recommended that it establish such a database and follow up with the pipeline operators so it knows if its recommendations are being implemented and whether the state of pipeline security is improving. PSD developed a process for following up on its recommendations. Its May 2011 revision to its CSR Standard Operating Procedure states that CSR recommendations are to be entered into a CSR database for recording, tracking, and follow up with operators and further states that operators will be contacted about 12 months after the CSR to follow up with a written query regarding the status of actions taken to address the recommendations. In June 2011, PSD had begun developing and testing a CSR database. PSD completed putting CSR data into the database in March 2012. These actions are consistent with our recommendation. |
Transportation Security Administration | To improve aspects of the PSD's efforts to help ensure pipeline security and to help PSD maximize its CSR and CFI efforts and keep its knowledge of the security posture of the pipeline industry current, the Assistant Secretary for the Transportation Security Administration should establish a database of CFI recommendations and develop a process for following up on the implementation of those recommendations. | In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division (PSD) did not have a database of the recommendations it makes to operators as a result of its Critical Facility Inspections (CFI) nor a process for following up on those recommendations. Therefore, we recommended that it establish such a database and develop a process for following up with operators on the implementation of those recommendations. As a result of our recommendation, DHS reported in October 2010 that a database had been developed to contain all the recommendations made on CFI visits as well as a process for following up on those recommendations. In addition, PSD's May 2011 revision of its Management Plan for Inspection of the Critical Facilities of the Top 100 U.S. Pipeline Systems itemized the CFI process to include populating the database with the recommendations made at each facility and established a follow up process. PSD has begun to populate the database with its recommendations. Its management plan also calls for PSD to send a letter to the operator requesting the status of action(s) taken on CFI recommendations approximately 12 months after an inspection, and notes that a follow-up visit to the facility in lieu of or in addition to the letter may also be conducted. These actions are consistent with our recommendation. |
Transportation Security Administration | To improve aspects of the PSD's efforts to help ensure pipeline security, and to better achieve the security strategy laid out in the Pipeline Modal Annex--the national security strategy for pipeline systems--to the extent feasible, the Assistant Secretary for the Transportation Security Administration should revise future updates of the annex to incorporate performance measures for assessing PSD and pipeline industry progress and link those measures to pipeline security objectives. | In August 2010, we reviewed and reported on TSA's efforts to help strengthen pipeline security. We found that the 2007 Pipeline Modal Annex to the Transportation Sector-Specific Plan--TSA's national strategy for pipeline systems--contained goals and objectives, but it did not incorporate the performance measures that TSA's Pipeline Security Division (PSD) used to evaluate the effectiveness of its security programs and activities. Therefore, we recommended that PSD revise future updates to the annex to incorporate performance measures for assessing PSD and pipeline industry progress and link those measures to pipeline security objectives. The 2010 Pipeline Modal Annex had already been drafted and submitted to the Department of Homeland Security in August 2010--the time when our report was issued--therefore PSD could not provide an update that included incorporating performance measures linked to pipeline security objectives. However, in August 2012, PSD issued an addendum to the 2010 Pipeline Modal Annex, which incorporated performance measures, and stated it would include the same performance measures in the 2014 Pipeline Modal Annex. These actions are consistent with our recommendation. |
Transportation Security Administration | To improve aspects of the PSD's efforts to help ensure pipeline security, and to better evaluate PSD's performance in helping strengthen the security of hazardous liquid and natural gas pipelines and improvements in pipeline security, the Assistant Secretary for the Transportation Security Administration should develop additional outcome measures that are directly linked to sector goals and modal objectives and track progress towards its stated pipeline security objectives. | In August 2010, we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that TSA's Pipeline Security Division's (PSD) ability to measure improvements in pipeline security was limited because it had not developed outcome measures that enabled it to fully assess improvements related to pipeline security as a whole or evaluate one of its pipeline security objectives--to increase the level of resiliency and robustness of pipeline systems. As such, we recommended that PSD develop additional outcome measures. In August 2012, PSD issued an addendum to the 2010 Pipeline Modal Annex, which included additional outcome measures that were linked to Pipeline Modal objectives. For example, PSD tracks the percentage of critical facilities of the top 100 pipeline systems that have had vulnerability assessments and links this to its goal of reducing the level of risk through implementation of security programs. PSD has begun to track progress towards its objectives on a quarterly basis. These actions are consistent with our recommendation. |
Transportation Security Administration | To improve aspects of the PSD's efforts to help ensure pipeline security, and to help ensure reliable reporting of security improvements in the pipeline industry, the Assistant Secretary for the Transportation Security Administration should establish reliable baseline data and, until that time, refrain from using reconstructed baseline data to report progress in closing the vulnerability gap. | In August 2010 we reported on the Transportation Security Administration's (TSA) efforts to help strengthen pipeline security. We found that baseline data TSA's Pipeline Security Division (PSD) used to measure improvements in reducing pipeline security vulnerabilities--the vulnerability gap--that relied on early (prior to mid-July 2004) Corporate Security Review (CSR) scores were reconstructed and might not be reliable. As such, we recommended that PSD establish reliable baseline data and refrain from using unreliable data in reporting on progress in closing the vulnerability gap. As a result of our recommendation, DHS reported in October 2010 that PSD had discontinued the use of reconstructed baseline data for all metric reporting. Further, PSD reported that as of May 24, 2011, all reconstructed Corporate Security Review data (the reliability of which we questioned in our report) will have been completely superseded with new CSR data, and this change was reflected in the Pipeline Relative Risk Ranking Tool. PSD provided a May 2011 risk ranking tool, which showed it was no longer using reconstructed baseline data. PSD's actions are consistent with our recommendation. |