{ "id": "IN11060", "type": "CRS Insight", "typeId": "INSIGHTS", "number": "IN11060", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 597279, "date": "2019-03-01", "retrieved": "2019-05-03T14:24:07.641391", "title": "Pipeline Security: Homeland Security Issues in the 116th Congress", "summary": "Ongoing threats against the nation\u2019s natural gas, oil, and refined product pipelines have heightened concerns about the security risks to these pipelines, their linkage to the electric power sector, and federal programs to protect them. In a December 2018 study, the Government Accountability Office (GAO) stated that, since the terrorist attacks of September 11, 2001, \u201cnew threats to the nation\u2019s pipeline systems have evolved to include sabotage by environmental activists and cyber attack or intrusion by nations.\u201d In a 2018 Federal Register notice, the Transportation Security Administration stated that it expects pipeline companies will report approximately 32 \u201csecurity incidents\u201d annually\u2014both physical and cyber. The Pipeline and LNG Facility Cybersecurity Preparedness Act (H.R. 370, S. 300) would require the Secretary of Energy to enhance coordination among government agencies and the energy sector in pipeline security; coordinate incident response and recovery; support the development of pipeline cybersecurity applications, technologies, demonstration projects, and training curricula; and provide technical tools for pipeline security.\nPipeline Physical Security\nCongress and federal agencies have raised concerns since at least 2010 about the physical security of energy pipelines, especially cross-border oil pipelines. These security concerns were heightened in 2016 after environmentalists in the United States disrupted five pipelines transporting oil from Canada. 
In 2018, the Transportation Security Administration\u2019s Surface Security Plan identified improvised explosive devices as key risks to energy pipelines, which \u201care vulnerable to terrorist attacks largely due to their stationary nature, the volatility of transported products, and [their] dispersed nature.\u201d Among these risks, according to some analysts, is the possibility of multiple, coordinated attacks with explosives on the natural gas pipeline system, which potentially could \u201ccreate unprecedented challenges for restoring gas flows.\u201d\nPipeline Cybersecurity\nAs with any internet-enabled technology, the computer systems used to operate much of the pipeline system are vulnerable to outside manipulation. An attacker can exploit a pipeline control system in a number of ways to disrupt or damage pipelines. Such cybersecurity risks came to the fore in 2012 after reports of a series of cyber intrusions among U.S. natural gas pipeline operators. In April 2018, new cyberattacks reportedly caused the shutdown of the customer communications systems (separate from operation systems) at four of the nation\u2019s largest natural gas pipeline companies. Most recently, in January 2019, congressional testimony by the Director of National Intelligence singled out gas pipelines as critical infrastructure vulnerable to cyberattacks which could cause disruption \u201cfor days to weeks.\u201d\nPipeline and Electric Power Interdependency\nPipeline cybersecurity concerns are exacerbated by growing interdependency between the pipeline and electric power sectors. A 2017 Department of Energy (DOE) staff report highlighted the electric power sector\u2019s growing reliance upon natural gas-fired generation and, as a result, security vulnerabilities associated with pipeline gas supplies. These concerns were echoed in a June 2018 op-ed by two commissioners on the Federal Energy Regulatory Commission (FERC) who wrote, \u201cas ... 
natural gas has become a major part of the fuel mix, the cybersecurity threats to that supply have taken on new urgency.\u201d A November 2018 report by the PJM regional transmission organization concluded that \u201cwhile there is no imminent threat,\u201d the security of generation fuel supplies, especially natural gas and fuel oil, \u201chas become an increasing area of focus.\u201d In a February 2019 congressional hearing on electric grid security, the head of the North American Electric Reliability Corporation (NERC) testified that pipeline and electric grid interdependency \u201cis fundamental\u201d to security.\nThe Federal Pipeline Security Program\nThe Transportation Security Administration (TSA) within the Department of Homeland Security (DHS) administers the federal program for pipeline security. The Aviation and Transportation Security Act of 2001 (P.L. 107-71), which established TSA, authorized the agency \u201cto issue, rescind, and revise such regulations as are necessary\u201d to carry out its functions (\u00a7101). The Implementing Recommendations of the 9/11 Commission Act of 2007 (P.L. 110-53) directs TSA to promulgate pipeline security regulations and carry out necessary inspection and enforcement if the agency determines that regulations are appropriate (\u00a71557(d)). However, to date, TSA has not issued such regulations, relying instead upon industry compliance with voluntary guidelines for pipeline physical and cybersecurity. The pipeline industry maintains that regulations are unnecessary because pipeline operators have voluntarily implemented effective physical and cybersecurity programs. 
The 2018 GAO study identified a number of weaknesses in the TSA program, including inadequate staffing, outdated risk assessments, and uncertainty about the content and effectiveness of its security standards.\nIn fulfilling its responsibilities, TSA cooperates with the Department of Transportation\u2019s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA)\u2014the federal regulator of pipeline safety\u2014under the terms of a 2004 memorandum of understanding (MOU) and a 2006 annex to facilitate transportation security collaboration. TSA also cooperates with DOE\u2019s recently established Office of Cybersecurity, Energy Security, and Emergency Response (CESER), whose mission includes \u201cemergency preparedness and coordinated response to disruptions to the energy sector, including physical and cyber-attacks.\u201d TSA also collaborates with the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission\u2014the agency which regulates the reliability and security of the bulk power electric grid. \nIssues for Congress\nOver the last few years, most debate about the federal pipeline security program has revolved around four principal issues. Some in Congress have suggested that TSA\u2019s current pipeline security authority and voluntary standards approach may be appropriate, but that the agency may require greater resources to more effectively carry out its mission. Other stakeholders have debated whether security standards in the pipeline sector should be mandatory\u2014as they are in the electric power sector\u2014especially given their growing interdependency. Still others have questioned whether any of TSA\u2019s regulatory authority over pipeline security should move to another agency, such as the DOE, DOT, or FERC, which they believe could be better positioned to execute it. 
Concern about the quality, specificity, and sharing of information about pipeline threats also has been an issue.", "type": "CRS Insight", "typeId": "INSIGHTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "https://www.crs.gov/Reports/IN11060", "sha1": "f7786fe0fcd134499b5d9d6ce671ff9d2fb572bd", "filename": "files/20190301_IN11060_f7786fe0fcd134499b5d9d6ce671ff9d2fb572bd.html", "images": { "/products/Getimages/?directory=IN/ASPX/IN11060_files&id=/0.png": "files/20190301_IN11060_images_4c90792b4ac35865273673c3e0c671ab3bf94038.png" } }, { "format": "PDF", "encoding": null, "url": "https://www.crs.gov/Reports/pdf/IN11060", "sha1": "513c61044a1d91e84dfb9c3b4408ba5a9a26cfc7", "filename": "files/20190301_IN11060_513c61044a1d91e84dfb9c3b4408ba5a9a26cfc7.pdf", "images": {} } ], "topics": [] } ], "topics": [ "CRS Insights" ] }