Pipeline Security
TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes
GAO ID: GAO-10-867 August 4, 2010
The United States depends on a vast network of pipelines to transport energy. GAO was asked to review the Transportation Security Administration's (TSA) efforts to help ensure pipeline security. This report addresses the extent to which TSA's Pipeline Security Division (PSD) has (1) assessed risk and prioritized efforts to help strengthen pipeline security, (2) implemented agency guidance and requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) regarding pipeline security, and (3) measured its performance in strengthening pipeline security. GAO reviewed PSD's risk assessment process and performance measures and observed 14 PSD reviews and inspections scheduled during the period of GAO's review. Although these observations are not generalizable, they provided GAO an understanding of how PSD conducts reviews and inspections.
PSD identified the 100 most critical pipeline systems and developed a pipeline risk assessment model based on threat, vulnerability, and consequence, but could improve the model's consequence component and better prioritize its efforts. The consequence component takes into account the economic impact of a possible pipeline attack, but not other possible impacts such as public health and safety, as called for in the Department of Homeland Security's (DHS) risk management guidance. PSD plans to improve its model by adding more vulnerability and consequence data, but has no time frames for doing so. Establishing a plan with time frames, as called for by standard management practices, could help PSD enhance the data in, and use of, its risk assessment model. Also, PSD procedures call for scheduling Corporate Security Reviews (CSR)--assessments of pipeline operators' security planning--based primarily on a pipeline system's risk, but GAO's analysis of CSR data suggests a system's risk was not the primary consideration. Documenting a methodology for scheduling CSRs that includes how to balance risk with other factors could help PSD ensure it prioritizes its oversight of systems at the highest risk.
PSD has taken actions to implement agency guidance that outlines voluntary actions for pipeline operators and 9/11 Commission Act requirements for pipeline security, but lacks a system for following up on its security recommendations to pipeline operators. PSD established CSR and Critical Facility Inspection (CFI) Programs in 2003 and 2008, respectively, and has completed CSRs of the 100 most at-risk systems, started conducting second CSRs, and completed 224 of 373 one-time CFIs. Both programs result in recommendations, but PSD does not generally send CSR recommendations to operators in writing or follow up to ensure that CSR and CFI recommendations were implemented. Standard project management practices call for plans that define approaches and start dates and Standards for Internal Control in the Federal Government calls for monitoring to ensure review findings are resolved. Developing a plan for how and when PSD will begin transmitting CSR recommendations to operators, and following up on CSR and CFI recommendations could better inform PSD of the state of pipeline security and whether operators have addressed vulnerabilities.
PSD has taken steps to gauge its progress in strengthening pipeline security, but its ability to measure improvements is limited. In its pipeline security strategy, PSD does not include performance measures or link them to objectives, which GAO previously identified as desirable in security strategies. In addition, PSD developed performance measures, including one outcome measure to gauge its efforts to help operators reduce vulnerabilities identified in CSRs. However, the outcome measure does not link to all three of PSD's objectives and provides limited information on improvements in areas such as physical security. According to DHS risk management guidance, outcome measures should link to objectives. Including measures linked to objectives in its strategy and developing more outcome measures directly linked to all of its objectives could help PSD improve accountability and assess improvements.
GAO recommends that TSA, among other things, establish time frames for improving risk model data, document its method for scheduling reviews, develop a plan for transmitting recommendations to operators, follow up on its recommendations, include performance measures linked to objectives in its pipeline strategy, and develop more outcome measures. DHS concurred with the recommendations and discussed planned actions, but not all will fully address the recommendations, as discussed in the report.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Stephen M. Lord
Team:
Government Accountability Office: Homeland Security and Justice
Phone:
(202) 512-4379
GAO-10-867, Pipeline Security: TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes
This is the accessible text file for GAO report number GAO-10-867
entitled 'Pipeline Security: TSA Has Taken Actions to Help Strengthen
Security, but Could Improve Priority-Setting and Assessment Processes'
which was released on September 1, 2010.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
August 2010:
Pipeline Security:
TSA Has Taken Actions to Help Strengthen Security, but Could Improve
Priority-Setting and Assessment Processes:
GAO-10-867:
GAO Highlights:
Highlights of GAO-10-867, a report to congressional committees.
Why GAO Did This Study:
The United States depends on a vast network of pipelines to transport
energy. GAO was asked to review the Transportation Security
Administration's (TSA) efforts to help ensure pipeline security. This
report addresses the extent to which TSA's Pipeline Security Division
(PSD) has (1) assessed risk and prioritized efforts to help strengthen
pipeline security, (2) implemented agency guidance and requirements of
the Implementing Recommendations of the 9/11 Commission Act of 2007
(9/11 Commission Act) regarding pipeline security, and (3) measured
its performance in strengthening pipeline security. GAO reviewed PSD's
risk assessment process and performance measures and observed 14 PSD
reviews and inspections scheduled during the period of GAO's review.
Although these observations are not generalizable, they provided GAO
an understanding of how PSD conducts reviews and inspections.
What GAO Found:
PSD identified the 100 most critical pipeline systems and developed a
pipeline risk assessment model based on threat, vulnerability, and
consequence, but could improve the model's consequence component and
better prioritize its efforts. The consequence component takes into
account the economic impact of a possible pipeline attack, but not
other possible impacts such as public health and safety, as called for
in the Department of Homeland Security's (DHS) risk management
guidance. PSD plans to improve its model by adding more vulnerability
and consequence data, but has no time frames for doing so.
Establishing a plan with time frames, as called for by standard
management practices, could help PSD enhance the data in, and use of,
its risk assessment model. Also, PSD procedures call for scheduling
Corporate Security Reviews (CSR)--assessments of pipeline operators'
security planning--based primarily on a pipeline system's risk, but GAO's
analysis of CSR data suggests a system's risk was not the primary
consideration. Documenting a methodology for scheduling CSRs that
includes how to balance risk with other factors could help PSD ensure
it prioritizes its oversight of systems at the highest risk.
PSD has taken actions to implement agency guidance that outlines
voluntary actions for pipeline operators and 9/11 Commission Act
requirements for pipeline security, but lacks a system for following
up on its security recommendations to pipeline operators. PSD
established CSR and Critical Facility Inspection (CFI) Programs in
2003 and 2008, respectively, and has completed CSRs of the 100 most at-
risk systems, started conducting second CSRs, and completed 224 of 373
one-time CFIs. Both programs result in recommendations, but PSD does
not generally send CSR recommendations to operators in writing or
follow up to ensure that CSR and CFI recommendations were implemented.
Standard project management practices call for plans that define
approaches and start dates and Standards for Internal Control in the
Federal Government calls for monitoring to ensure review findings are
resolved. Developing a plan for how and when PSD will begin
transmitting CSR recommendations to operators, and following up on CSR
and CFI recommendations could better inform PSD of the state of
pipeline security and whether operators have addressed vulnerabilities.
PSD has taken steps to gauge its progress in strengthening pipeline
security, but its ability to measure improvements is limited. In its
pipeline security strategy, PSD does not include performance measures
or link them to objectives, which GAO previously identified as
desirable in security strategies. In addition, PSD developed
performance measures, including one outcome measure to gauge its
efforts to help operators reduce vulnerabilities identified in CSRs.
However, the outcome measure does not link to all three of PSD's
objectives and provides limited information on improvements in areas
such as physical security. According to DHS risk management guidance,
outcome measures should link to objectives. Including measures linked
to objectives in its strategy and developing more outcome measures
directly linked to all of its objectives could help PSD improve
accountability and assess improvements.
What GAO Recommends:
GAO recommends that TSA, among other things, establish time frames for
improving risk model data, document its method for scheduling reviews,
develop a plan for transmitting recommendations to operators, follow
up on its recommendations, include performance measures linked to
objectives in its pipeline strategy, and develop more outcome
measures. DHS concurred with the recommendations and discussed planned
actions, but not all will fully address the recommendations, as
discussed in the report.
View [hyperlink, http://www.gao.gov/products/GAO-10-867] or key
components. For more information, contact Steve Lord at (202) 512-4379
or lords@gao.gov.
[End of section]
Contents:
Letter:
Background:
PSD Has Developed a Pipeline Risk Assessment Model, but Could
Strengthen the Data in the Model and Better Prioritize Security
Reviews and Inspections:
PSD Has Taken Actions to Implement Agency Guidance and 9/11 Commission
Act Requirements, but Lacks a System for Following Up on Its
Recommendations to Operators:
PSD Could Strengthen Its Documented Security Strategy and More
Reliably Report Security Improvements:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contact and Staff Acknowledgments:
Table:
Table 1: TSA Pipeline Security Assessment Activities Since 2003:
Figures:
Figure 1: Map of Hazardous Liquid and Natural Gas Transmission
Pipelines in the United States, September 28, 2009:
Figure 2: Physical Security Measures a Pipeline Operator Might Employ
at a Critical Facility:
Figure 3: NIPP Risk Management Framework:
Figure 4: Correlation Between a Pipeline System's Risk Ranking and the
Time Elapsed from the First to the Second CSR, as of May 2010:
Figure 5: Antiterrorism Crash Barrier Gate Installed inside Fenced
Perimeter of a Critical Facility:
Figure 6: Boulders Installed inside Perimeter Fencing at a Critical
Facility Serve as a Vehicle Barrier:
Figure 7: One of Many Closed-Circuit Television Cameras Installed at a
Critical Facility:
Figure 8: CFI Team Explains That Leaving the Entry Gate of a Critical
Facility Open during Business Hours Constitutes a Serious Lapse in
Security:
Figure 9: Excessive Vegetation Surrounding a Critical Facility Impedes
the Operator's Ability to Inspect Fencing and See Possible Intruders:
Figure 10: Transportation Sector Goals and Pipeline Security
Objectives:
Abbreviations:
AGA: American Gas Association:
AOPL: Association of Oil Pipe Lines:
APGA: American Public Gas Association:
API: American Petroleum Institute:
CFI: Critical Facility Inspection:
CSR: Corporate Security Review:
DOE: Department of Energy:
DHS: Department of Homeland Security:
DOT: Department of Transportation:
FBI: Federal Bureau of Investigation:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
HSPD-7: Homeland Security Presidential Directive-7:
INGAA: Interstate Natural Gas Association of America:
MOU: memorandum of understanding:
NIPP: National Infrastructure Protection Plan:
PHMSA: Pipeline and Hazardous Materials Safety Administration:
PSD: Pipeline Security Division:
TSA: Transportation Security Administration:
TSNM: Office of Transportation Sector Network Management:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
August 4, 2010:
The Honorable John Rockefeller:
Chairman:
The Honorable Kay Bailey Hutchison:
Ranking Member:
Committee on Commerce, Science, and Transportation:
United States Senate:
The Honorable Frank R. Lautenberg:
Chairman:
The Honorable John Thune:
Ranking Member:
Subcommittee on Surface Transportation and Merchant Marine
Infrastructure, Safety, and Security:
Committee on Commerce, Science, and Transportation:
United States Senate:
U.S. citizens and businesses depend on the continued operation of vast
networks of pipelines that traverse hundreds of thousands of miles to
transport energy for operating air and surface vehicles, running
industrial equipment, heating homes, and generating electricity. The
United States has the largest network of energy pipelines of any
nation in the world. These pipelines transport nearly all the natural
gas and about two-thirds of the hazardous liquids, including crude and
refined petroleum products, consumed in the United States, making them
a potential target to those wanting to disrupt commerce and other
activities. Although attacks on U.S. pipelines have been rare--carried
out, for example, by individuals with unclear motives--attacks on
pipelines outside the United States by groups such as militant rebels
highlight potential vulnerabilities of pipelines. For example, in
Colombia, rebels attacked a major pipeline using explosives more than
600 times from 1996 through 2005, and in Nigeria, militant rebels have
repeatedly attacked pipelines and oil facilities. Within the United
States, a terrorist plot to attack jet fuel pipelines and storage
tanks at JFK International Airport was uncovered and foiled in 2007.
The same year, a U.S. citizen was convicted of attempting to provide
material support to terrorists, among other things, after he tried to
conspire with Al-Qaeda to blow up sections of the Trans Alaska
Pipeline System and sections of the Transcontinental Pipeline System,
which carries natural gas from the Gulf Coast to New York City. Such
events raise concerns that attacks could occur in the United States.
Securing the nation's pipeline system is a responsibility shared by
the federal government and the private sector. Prior to the terrorist
attacks of September 11, 2001, the federal government's involvement in
pipelines largely focused on safety, and security efforts were
minimal. In November 2001, the Aviation and Transportation Security
Act established the Transportation Security Administration (TSA)
within the Department of Transportation (DOT) and gave TSA the lead
responsibility for security in all modes of transportation, including
pipeline.[Footnote 1] In November 2002, the Homeland Security Act was
enacted, and upon the creation of the Department of Homeland Security,
TSA was transferred from DOT to DHS, where it currently resides.
[Footnote 2] In August 2007, the federal government enacted the
Implementing Recommendations of the 9/11 Commission Act of 2007, which
required the Secretary of Homeland Security, in consultation with the
Secretary of Transportation, to take specific pipeline security
actions.[Footnote 3] Within DHS, TSA's Pipeline Security Division
(PSD) leads pipeline security activities. TSA has not issued pipeline
security regulations, but works with the pipeline industry to
implement suggested security measures to make pipeline systems more
secure. Private companies who own and operate pipeline systems are
responsible for assessing their own specific security needs and incur
the costs associated with implementing security measures.
Since it is not feasible to protect all assets and systems against
every possible threat, DHS has called for using a risk management
approach to prioritize its investments, develop plans, and allocate
resources in a risk-informed way that balances security and commerce.
DHS detailed this approach in its National Infrastructure Protection
Plan (NIPP), which it issued in June 2006 and updated in 2009.
[Footnote 4]
You requested that we review TSA's efforts to help ensure pipeline
security. Specifically, this report addresses the following objectives:
* To what extent has TSA's Pipeline Security Division (PSD) identified
critical pipeline systems, assessed risk, and prioritized efforts,
consistent with the NIPP, to help strengthen the security of hazardous
liquid and natural gas pipeline systems?
* To what extent has PSD taken actions to implement agency guidance
and requirements of the Implementing Recommendations of the 9/11
Commission Act of 2007 regarding the security of hazardous liquid and
natural gas pipeline systems?
* To what extent has PSD measured its performance to help strengthen
the security of hazardous liquid and natural gas pipeline systems and
improvements in pipeline security?
To determine the extent to which PSD used a risk management process to
help strengthen the security of pipelines, we reviewed PSD's efforts
to identify critical pipeline systems, assess risk, and prioritize its
pipeline review efforts.[Footnote 5] We reviewed relevant documents,
including PSD's list of the 100 most critical pipeline systems, and
interviewed PSD officials about the methods they used to identify
these systems.[Footnote 6] We reviewed TSA assessments of threat,
vulnerability, and consequence from 2003 through May 2010--such as
TSA's annual pipeline threat assessment, Corporate Security Reviews
(CSR) that PSD uses as a vulnerability assessment, and consequence
assessments on natural gas disruptions sponsored by the Department of
Energy (DOE) and PSD--and discussed these with relevant agency
officials.[Footnote 7] TSA characterized these as threat,
vulnerability, and consequence assessments, but we did not assess the
extent to which these assessment activities met the NIPP criteria for
such assessments, as this was outside the scope of our work. We
analyzed PSD's risk assessment model, which integrates the various
assessments to develop a risk estimate and relative risk ranking for
each pipeline system, and the data PSD inputs into the model. We also
compared the time elapsed between PSD's first and subsequent CSRs for
each pipeline system with the system's ranking based on risk to
measure the strength of their relationship. Additionally, we compared
the order in which PSD conducted the first Critical Facility
Inspection (CFI) for each system with each system's risk ranking, and
measured the strength of that relationship.[Footnote 8] To assess the
reliability of April 2003 through May 2010 risk assessment model data,
we (1) performed testing of required data elements, (2) compared the
data with other sources of information, and (3) interviewed
knowledgeable agency officials. We determined that the data were
sufficiently reliable for the purposes of this report. We analyzed
agency guidance on risk management, including the NIPP and the
Transportation Systems Sector-Specific Plan, to determine criteria for
effectively implementing a risk management framework and associated
best practices for conducting risk assessments, and compared these
with PSD's risk management strategy.[Footnote 9] We also compared
PSD's approach for advancing its risk management program to standard
practices in program management planning.[Footnote 10]
To determine the extent to which PSD has taken actions to implement
agency guidance and Implementing Recommendations of the 9/11
Commission Act of 2007 (9/11 Commission Act) requirements regarding
pipeline security, we reviewed the Pipeline Security Information
Circular (2002 circular)[Footnote 11] and the 9/11 Commission Act and
actions described in agency documents.[Footnote 12] To learn more
about PSD's actions, we interviewed officials from PSD and DOT as well
as representatives of the major associations with ties to the pipeline
industry (American Petroleum Institute, Association of Oil Pipe Lines,
American Gas Association, Interstate Natural Gas Association of
America, and American Public Gas Association); attended the 2008
International Pipeline Security Forum organized by PSD and Natural
Resources Canada; and met with security personnel from 10 pipeline
operators with headquarters or significant operations in Houston.
[Footnote 13] We chose Houston because it has the highest
concentration of operators with systems on PSD's list of the 100 most
critical pipeline systems, and those with whom we met operate about
one-third of those systems. While the results of these interviews
cannot be generalized to all pipeline operators and industry
associations, they provided perspectives on how operators view PSD's
security efforts. Further, we accompanied PSD officials on 4 reviews
of pipeline systems operated by 4 different operators and 10
inspections of critical facilities operated by 3 different operators.
We observed these reviews and inspections because PSD had scheduled
them while we were conducting our work. These involved hazardous
liquid and natural gas pipelines as well as different size operators
with pipeline systems that varied in the amount of energy they carry,
their relative risk ranking, and their location (we observed CSRs in
four states and CFIs in three states). While the results of these
observations cannot be generalized to all CSRs and CFIs or all
pipeline systems and critical facilities, they provided us with an
understanding of how PSD conducts these reviews and inspections, and
some perspective on the security posture at different critical
facilities. We also interviewed representatives of Secure Solutions
International--a security and risk management consulting firm that
assisted PSD in developing and carrying out CFIs--about critical
facilities and the inspection process. In addition, we independently
observed the exterior of 10 other critical facilities. We selected
these facilities, which were located in four states and operated by 6
different operators, because of their proximity to our offices.
Although the results of these observations cannot be generalized to
all critical facilities, they provided us insight on security measures
at additional critical facilities. We compared PSD's processes for
transmitting and following up on CSR and CFI recommendations with
criteria in GAO Standards for Internal Control in the Federal
Government regarding recording and communicating deficiencies found
during evaluations.[Footnote 14] We also compared PSD's approach for
advancing its process for communicating CSR recommendations to
standard practices in project management.[Footnote 15]
To determine the extent to which PSD measured its performance in
strengthening the security of pipelines and improvements in pipeline
security, we reviewed PSD's performance measures and interviewed
Office of Transportation Sector Network Management and PSD officials
regarding those measures, and discussed PSD's related data collection
methodologies with PSD officials.[Footnote 16] We analyzed TSA's
national security strategy for pipeline systems--the Pipeline Modal
Annex--to determine the extent to which it conformed to provisions
related to goal setting and performance measurement found in Executive
Order 13416: Strengthening Surface Transportation Security,[Footnote
17] the NIPP, the Transportation Systems Sector-Specific
Plan,[Footnote 18] and guidance on desirable characteristics for a
national strategy that we developed in a previous report.[Footnote 19]
We also reviewed the NIPP and the 2007 Transportation Systems Sector-
Specific Plan to determine the risk management framework's recommended
approach to performance measurement and compared TSA's actions with
that guidance. In addition, we analyzed data PSD used as an outcome
measure to determine the extent of improvements in pipeline security
and evaluated both the reliability of the data and its sufficiency as
a measure of pipeline security outcomes. As part of this analysis, we
compared two successive data collection instruments--the original
instrument PSD developed in 2003 and used in conducting early CSRs
with the one TSA developed in 2004, which PSD subsequently used. Later
in this report we discuss concerns about the reliability of some of
these data. Appendix I contains a more detailed discussion of our
objectives, scope and methodology.
We conducted this performance audit from November 2008 to August 2010
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
Background:
Overview of U.S. Pipeline Systems:
More than 2.4 million miles of hazardous liquid and natural gas
pipeline--primarily buried underground in the continental United
States--run under remote and open terrain as well as densely populated
areas. These pipelines are comprised of three main types:
* Hazardous liquid: About 170,000 miles of hazardous liquid pipeline
transport crude oil, diesel fuel, gasoline, jet fuel, anhydrous
ammonia, and carbon dioxide.
* Natural gas transmission and storage: Over 320,000 miles of pipeline--
mostly interstate--transport natural gas from sources to communities.
* Natural gas distribution: About 1.9 million miles of pipeline--
mostly intrastate--transport natural gas from transmission pipelines
to residential, commercial, and industrial customers.
The network of hazardous liquid and natural gas transmission pipelines
in the United States can be seen in figure 1.
Figure 1: Map of Hazardous Liquid and Natural Gas Transmission
Pipelines in the United States, September 28, 2009:
[Refer to PDF for image: illustrated map of the United States]
Depicted on the map are:
Hazardous liquid pipelines;
Natural gas pipelines.
Source: Department of Transportation, Pipeline and Hazardous Materials
Safety Administration.
[End of figure]
More than 3,000 pipeline companies operate the nation's pipeline
systems. Pipeline systems are comprised of the pipelines themselves,
which can traverse multiple states and U.S. borders with Canada and
Mexico, as well as a variety of facilities, such as storage tanks,
compressor stations, and control centers. Some of these facilities are
considered critical and merit particular attention to security if, for
example, they are important to the nation's energy infrastructure;
serve installations critical to national defense; or, if attacked,
have the potential for mass casualties or significant impact on public
drinking water affecting a major population center. A significant
disruption of pipeline service has the potential to inflict economic
havoc on a region or the nation at large.
Notwithstanding the potential damage or harm that could result from an
attack, the inherent design and operation of U.S. pipeline systems
might reduce some of the potential impacts regarding loss of service.
For one thing, the pipeline sector is generally considered to be
resilient. Historically, pipeline operators have been able to quickly
respond to the adverse consequences of an incident--whether it is
damage from a major hurricane or a backhoe--and quickly restore
pipeline service. In addition, pipeline infrastructure is versatile
and includes such redundancies as parallel pipelines or looping
capabilities that enable operators to mitigate potential disruptions
by rerouting energy through the network.
Key Pipeline Security Stakeholder Roles and Responsibilities:
Protecting the nation's pipeline systems is a responsibility shared
primarily by the federal government and private industry. Since the
terrorist attacks of September 11, 2001, the role of federal agencies
in securing the nation's transportation systems has continued to
evolve. In response to those attacks, the federal government enacted
the Aviation and Transportation Security Act of 2001, which created
and conferred upon TSA broad responsibility for securing all modes of
transportation, including pipeline.[Footnote 20] In November 2002, the
federal government enacted the Homeland Security Act, which
established DHS, transferred TSA from DOT to DHS, and assigned DHS
responsibility for protecting the nation from terrorism, including
securing the nation's transportation systems.[Footnote 21]
Within TSA, the Office of Transportation Sector Network Management
(TSNM) manages all surface transportation security issues with
divisions dedicated to each surface mode of transportation, including
pipeline. Within TSNM, the Pipeline Security Division (PSD)--the
smallest of TSNM's surface transportation divisions--has lead
responsibility for the security of the nation's pipeline systems.
[Footnote 22] For fiscal year 2010, PSD has an authorized staffing
level of 13 and a budget of about $4 million. TSA's Office of
Intelligence is responsible for collecting and analyzing threat
information related to the transportation network; it shares with PSD
any information related to pipeline threats or suspicious incidents.
While TSA, within DHS, was given primary responsibility for pipeline
security, DOT's Pipeline and Hazardous Materials Safety Administration
(PHMSA) retained responsibility and authority for regulating the
transportation of hazardous materials via pipeline and pipeline
safety. In 2004, DHS and DOT entered into a memorandum of
understanding (MOU) delineating the agencies' roles and
responsibilities with respect to transportation security and
recognizing DHS as having primary responsibility for security in all
modes of transportation, including pipeline. In 2006, TSA and PHMSA
completed an annex to the MOU further clarifying both agencies' roles.
The annex identifies TSA as the lead federal entity for transportation
security, including hazardous materials and pipeline security, and
PHMSA as responsible for administering a national program of safety in
natural gas and hazardous liquid pipeline transportation, including
identifying pipeline safety concerns and developing uniform safety
standards. However, pipeline security and safety are intertwined, and
PSD and PHMSA coordinate on matters relating to pipeline security and
protection. TSA and DOE also work together on matters where pipeline
safety and security overlap, and PSD and DOE worked closely on pipeline
security issues, programs, and activities, such as efforts to enhance
reliability and resiliency.
Although PSD has primary federal responsibility for pipeline security,
implementation of asset-specific protective security measures remains
the responsibility of pipeline operators in the private sector.
Particularly since the September 11, 2001, terrorist attacks,
operators' attention to security has increased and they have sought to
incorporate security practices and programs into their overall
business operations. Pipeline operators' interests and concerns are
represented by five major trade associations with ties to the pipeline
industry--the Interstate Natural Gas Association of America (INGAA),
American Gas Association (AGA), American Public Gas Association
(APGA), American Petroleum Institute (API), and Association of Oil
Pipe Lines (AOPL). These associations have worked closely with the
federal government on a variety of pipeline security-related issues.
In March 2002, API developed Security Guidelines for the Petroleum
Industry and in September 2002, INGAA and AGA developed Security
Guidelines for the Natural Gas Industry, which were adopted by APGA.
[Footnote 23] Both sets of guidelines emphasize security planning and
strategies that, to varying degrees, include identifying, analyzing,
and reducing vulnerabilities. Both reference some of the physical
security measures that operators can take to protect their critical
facilities, but provide caveats explaining the general nature of the
described security practices and the importance of each operator
determining the security measures that are appropriate for each
facility. Figure 2 illustrates some of the physical security measures
that operators may choose to employ at a critical facility.
Figure 2: Physical Security Measures a Pipeline Operator Might Employ
at a Critical Facility:
[Refer to PDF for image: illustration]
Closed-circuit TV camera;
Light;
Vehicle barrier;
Barbed wire-topped fence;
Key card access;
Security personnel;
Locked access gate;
Gate entry access control;
Lights;
No trespassing sign.
Sources: GAO analysis of Security Guidelines for the Petroleum
Industry and Security Practices Guidelines for the Natural Gas
Industry and Art Explosion (clip art).
[End of figure]
Laws and Agency Guidance Concerning Pipeline Security:
In September 2002, prior to the establishment of DHS, DOT issued
voluntary guidance for pipeline operators in the form of the Pipeline
Security Information Circular (the 2002 circular), which TSA later
adopted. The 2002 circular, developed in collaboration with pipeline
industry associations, recommended pipeline operators identify their
critical facilities, develop security plans consistent with prior
industry association guidance, and begin implementing appropriate
security measures at critical facilities. It also outlined steps the
federal government planned to take, including conducting onsite
reviews of pipeline operators' security plans to determine whether the
plans are consistent with security guidance published by their
industry. In collaboration with industry associations, PSD developed
new, draft pipeline security guidance to replace the 2002 circular. As
of May 2010, PSD had not yet issued the new guidance, but it
anticipates doing so sometime during 2010.
Pipeline Security Contingency Planning Guidance, also developed by DOT
in 2002 and considered part of the 2002 circular, provides criteria
for pipeline operators to use to identify critical facilities and
establishes guidelines for protective measures for critical facilities
under each threat condition corresponding to the Homeland Security
Advisory System. For example, during periods of elevated threat
conditions (yellow), operators should ensure, among many other things,
that employees are educated on security standards and procedures;
fencing, locks, camera surveillance, intruder alarms, and lighting are
in place and functioning; gates and barriers are closed and locked
except those needed for immediate entry and exit at critical
facilities; and visitation is limited and it is confirmed that every
visitor is expected and has a need to be at a critical facility.
However, similar to industry guidelines, the Pipeline Security
Contingency Planning Guidance also states that pipeline operators are
expected to use good judgment in incorporating measures into their
security plans as not all security measures are appropriate for all
types of facilities.[Footnote 24]
In August 2007, Congress passed the 9/11 Commission Act, which
identifies the following pipeline security requirements that the
Secretary of Homeland Security must implement. Some of these
requirements are shared responsibilities with the Secretary of
Transportation; others are to be carried out in consultation with the
Secretary of Transportation.[Footnote 25] Within DHS, PSD has
responsibility for carrying out the following pipeline security
requirements of the 9/11 Commission Act:
* Establish a program for reviewing pipeline operators' adoption of
the 2002 circular, including the review of pipeline security plans and
critical facility inspections.
* Develop and implement a plan for reviewing the pipeline security
plans of the 100 most critical pipeline operators covered by the 2002
circular.
* Develop and implement a plan for inspecting the critical facilities
of the 100 most critical pipeline operators covered by the 2002
circular.
* In conducting these reviews and inspections, use risk assessment
methodologies to prioritize risks and target inspections.
* Develop security recommendations for natural gas and hazardous
liquid pipelines and pipeline facilities and transmit to pipeline
operators.
* If the Secretary of Homeland Security determines that regulations
are appropriate, promulgate regulations and carry out necessary
inspection and enforcement actions.
* Develop a pipeline security and incident recovery protocols plan and
submit a report to the appropriate congressional committees. The
report is to include the plan and an estimate of the private and
public sector costs to implement any recommendations.
A Risk-Based Approach to Guide Pipeline Security:
In recent years, we, along with Congress, the executive branch, and
the 9/11 Commission, have recommended that federal agencies with
homeland security responsibilities utilize a risk management approach
to help ensure that finite national resources are dedicated to assets
or activities considered to have the highest security priority.
Homeland Security Presidential Directive 7 (HSPD-7) directed the
Secretary of Homeland Security to establish uniform policies,
approaches, guidelines, and methodologies for integrating federal
infrastructure protection and risk management activities.[Footnote 26]
It also called for the Secretary to produce a comprehensive,
integrated national plan for critical infrastructure and key resources
protection to outline national goals, objectives, milestones, and key
initiatives.
In response to HSPD-7, DHS released the NIPP in June 2006, and updated
it in 2009. The NIPP created a risk-based framework for the
development of sector-specific agency strategic plans. In keeping with
the NIPP and as required by Executive Order 13416, TSA developed the
Transportation Systems Sector-Specific Plan in 2007 to document the
process to be used in carrying out the national strategic priorities
outlined in the NIPP. The plan contains supporting modal
implementation plans for each transportation mode, including pipeline.
The Pipeline Modal Annex provides information on efforts to secure
pipelines, as well as TSA's overall goals and objectives related to
pipeline security. The cornerstone of the NIPP is the risk management
framework that entails a continual process of managing risk through
six interrelated activities, as illustrated in figure 3.
Figure 3: NIPP Risk Management Framework:
[Refer to PDF for image: illustration]
Physical:
Cyber:
Human:
Set goals and objectives;
Identify assets, systems, and networks;
Assess risks (consequences, vulnerabilities, and threats);
Prioritize;
Implement programs;
Measure effectiveness;
Continuous improvement to enhance protection of critical
infrastructure and key resources for each activity listed.
Source: GAO, DHS.
[End of figure]
* Set goals and objectives: Define specific outcomes, conditions, and
end points for an effective risk management posture.
* Identify assets, systems, and networks: Develop an inventory of the
assets, systems, and networks deemed to be critical, and collect
information pertinent to risk management.
* Assess risks: Evaluate risk as a function of threat, vulnerability,
and consequence. Once the three components of risk have been assessed
for one or more given assets, systems, or networks, integrate them
into a defensible model to produce risk estimates.
* Prioritize: Compare risk assessment results and establish priorities
based on risk. Accord the highest priority in risk management
activities to those assets, systems, or networks with the highest
expected losses.
* Implement programs: Select appropriate actions or programs to reduce
or manage the risk identified.
* Measure effectiveness: Use metrics and other evaluation tools to
measure progress and assess the effectiveness of protection programs
that have been implemented.
PSD Has Developed a Pipeline Risk Assessment Model, but Could
Strengthen Data in the Model and Better Prioritize Security Reviews
and Inspections:
PSD Identified the Most Critical Pipeline Systems and Developed a Risk
Model, but Some Model Components Could be Strengthened:
PSD identified the 100 most critical pipeline systems in the United
States,[Footnote 27] consistent with the NIPP, and developed a
pipeline risk assessment model to generate a risk score for those
systems; however, some components of PSD's model are incomplete.
[Footnote 28] The NIPP calls for agencies to identify the most
critical assets, systems, or networks within each sector, including
the transportation sector, in order to collect information pertinent
to risk management. PSD relied on each pipeline system's energy
throughput to identify the most critical systems from more than 3,000
systems in the United States. It has since been focusing its risk
management efforts on these 100 most critical systems, which,
according to PSD officials, move 85 percent of all energy within the
United States.
Once critical systems have been identified, the NIPP calls for
agencies to assess risk as a function of threat, vulnerability, and
consequence, and to integrate these individual assessments into a
model to produce a risk estimate. It further requires that the
consequence component of a risk assessment take into account the
impact that an event or incident would have on the economy and public
health and safety, among other things. PSD was the first of TSA's
surface transportation modes to develop a risk assessment model that
combines all three components of risk--threat, vulnerability, and
consequence--to generate a risk score. PSD's pipeline risk assessment
model generates a risk score for each of the 100 most critical systems
and ranks them according to risk.[Footnote 29] PSD holds the threat
score constant for all pipeline systems and uses the results of its
Corporate Security Reviews (CSR) in its vulnerability component.
However, its consequence component is incomplete in that it accounts
for economic impact, but not the impact on public health and safety.
The following provides more information on the assessments or
information for the threat, vulnerability, and consequence data that
PSD uses in its risk assessment model.
* Threat: In the case of terrorist attacks, the NIPP calls for the
threat component of the assessment to be calculated based on the
likelihood of the intent and capability of a terrorist attack on a
particular asset, system, or network. However, if threat likelihoods
cannot be estimated, an agency can use conditional risk values based
on vulnerability and consequence. TSA's Office of Intelligence
develops Pipeline Threat Assessments and, according to officials from
that office, the approach they use to assess threat is consistent
across transportation modes. They further explained that because they
have no actionable intelligence for specific pipeline systems, they
cannot develop likelihood estimates.[Footnote 30] As such, PSD holds
threat constant in its model and bases each pipeline system's risk
score on vulnerability and consequence. Office of Intelligence
officials explained that if they were to receive intelligence
regarding a credible threat to a specific pipeline system, they would
work with PSD officials to adjust the threat level for that system in
PSD's risk assessment model.
* Vulnerability: According to the NIPP, agencies are responsible for
ensuring that vulnerability assessments are performed within their
sector in order to identify areas of weakness within a system under
review. PSD uses the results of the CSRs it conducts on each of the
most critical pipeline systems as the basis for the vulnerability
component in its risk assessment model. PSD uses a CSR protocol (i.e.,
a questionnaire that guides the CSR interview) to collect information
on an operator's security planning and management practices for a
given pipeline system, and calculates a CSR score by tallying points
associated with responses to each of 73 standard questions in the
protocol.[Footnote 31] Using the CSR score, PSD determines a pipeline
system's vulnerability by calculating the difference or "gap" between
a total possible score of 100 and an operator's CSR score. PSD uses
this gap, known as the "vulnerability gap," as the basis for the
vulnerability component in its risk assessment model. Using CSRs as
vulnerability assessments is consistent with the approach taken by
other surface transportation modes, such as freight rail and highway
infrastructure, on which we have previously reported.[Footnote 32]
* Consequence: According to the NIPP, consequence assessments should
measure key effects on the well being of the nation. This includes the
negative consequences on the economy, public health and safety, and
the environment, as well as the functioning of government that can be
expected if an asset, system, or network is damaged, destroyed, or
disrupted by a terrorist attack. Within its risk assessment model, PSD
uses the annual energy throughput of a pipeline system to help measure
the possible adverse economic impact of a terrorist attack or other
event on a pipeline system, but does not take into account other
possible adverse impacts, such as on public health and safety.
According to PSD officials, because the major consequence of an attack
on a pipeline would be the loss of energy, annual energy throughput
provides a good measure of this expected loss. However, the
consequences of some potential attacks might not be limited to the
economy. For example, under some circumstances, an attack on a
critical pipeline facility located near a waterway has the potential
to significantly contaminate drinking water or, if located in a highly
populated area, could result in significant casualties.
PSD officials explained that the pipeline risk assessment model is in
the early stages of development and they intend to improve it over
time by incorporating additional data. PSD has sponsored or conducted
assessments and collected information on pipeline systems, some of
which could be used to enhance individual components of its model. For
example, through its Critical Facility Inspection (CFI) Program, PSD
has collected information on critical facilities, such as the number
of facilities per system, and officials say they plan to eventually
use these data in their risk estimates. PSD officials explained that
the number of critical facilities can be an indicator of a system's
vulnerability--that is, the more critical facilities a system has, the
more vulnerable the system. Thus, incorporating this information into
the vulnerability component of PSD's risk assessment model and
including it in the risk estimate could enhance the model. In
addition, including information that might be available from other
sources, such as the number of miles of pipeline that run through a
high-consequence, or highly populated, area could also enhance the
consequence component of the model. PSD officials noted that such data
could be a good measure of the effects on public health and safety.
However, the officials explained that with a small staff, they have
not had time to make any specific enhancements to the model.
PSD officials also agreed that adding other information that could be
available in the future might further improve its model. For example,
PSD and DOE sponsored regional gas pipeline studies that include
information that could be used to improve the consequence component of
the model. These studies use computer-based modeling to evaluate the
impact of a major natural gas pipeline disruption. PSD officials told
us they would like to incorporate such information into the
consequence component of its risk model, but adding such information
for natural gas pipelines without adding comparable information for
hazardous liquid pipelines would skew its risk ranking of the most
critical pipeline systems. PSD officials told us in May 2010 that they
had secured funds to contract for a similar assessment of the
hazardous liquid pipeline market and expect the work to begin later in
fiscal year 2010. They also said they plan to use the results of their
CFIs to enhance the vulnerability components of the risk model;
however, they will need to wait until they complete inspections of all
critical facilities associated with the 100 most critical pipeline
systems. The officials told us they expect to complete these
inspections by the end of 2011.
Although PSD officials said they would like to add more information to
their pipeline risk assessment model and have included placeholders in
the model for incorporating other vulnerability and consequence
factors when additional information is known, they have not
established time frames or milestones (i.e., a schedule of actions
needed to achieve goals) for doing this. Standard practices for
program management call for establishing time frames and milestones as
part of a plan to ensure that results are achieved.[Footnote 33]
Developing a plan that includes time frames and milestones could help
PSD accomplish its goal of improving the data in its risk assessment
model. By including additional information in its risk model--some
that exists and some that should be available in the future--PSD could
improve its risk assessment of the most critical pipeline systems and
better assure it has the information it needs to guide decisions,
including allocating resources to the highest risk pipeline systems.
Table 1 summarizes all of TSA's assessment activities related to the
three individual components of risk for the pipeline industry, and
identifies which ones PSD includes in the data it inputs into its risk
assessment model.[Footnote 34]
Table 1: TSA Pipeline Security Assessment Activities Since 2003:
Entity: TSA Office of Intelligence;
Time frame: Annually;
Description: Annual Threat Assessments: TSA's Office of Intelligence
provides an overview of threats--including key actors and possible
attack tactics and targets--to pipeline systems. The assessments
include incidents of interest and suspicious activities targeting
pipeline systems in the United States and overseas;
Risk component addressed: Threat: [Check];
Risk component addressed: Vulnerability: [Empty];
Risk component addressed: Consequence: [Empty];
Included in pipeline risk assessment model: Yes. PSD uses this for the
threat component of the risk model.
Entity: TSA Pipeline Security Division;
Time frame: Ongoing since 2003;
Description: Corporate Security Reviews (CSR): PSD conducts CSRs to
assess pipeline security plans at the 100 most critical pipeline
systems in the United States. The intent of these on-site reviews of
pipeline companies is to develop firsthand knowledge of security
planning, establish communication with key pipeline security
personnel, and identify and share good security practices;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check][A];
Included in pipeline risk assessment model: Yes. PSD uses CSRs for the
vulnerability component of the risk model.
Entity: TSA Pipeline Security Division;
Time frame: Ongoing since Nov. 2008;
Description: Critical Facility Inspections (CFI): PSD, with the help
of a contractor, conducts in-depth inspections of all the critical
facilities of the 100 most critical pipeline systems in the United
States;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD collects the
number of critical facilities per system, which could be used to
enhance the risk model. PSD also collects consequence information for
each system that could be used once PSD completes all inspections.
Entity: TSA Pipeline Security Division and Natural Resources Canada;
Time frame: 2004-2007;
Description: Pipeline-Cross-Border Vulnerability Assessments Program:
U.S. and Canadian teams assess pipeline operations, control systems,
interdependencies, and assault planning in critical cross-border
infrastructure;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD cannot use this in
its risk model because it involves only a few of the 100 most critical
pipeline systems.
Entity: TSA Pipeline Security Division - initiated by DOE;
Time frame: 2003-2008;
Description: Regional Gas Pipeline Studies: PSD, in coordination with
DOE, sponsored a series of studies using computer-based modeling, to
evaluate the impact of a major pipeline disruption[B];
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Empty];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD cannot use this
information until a comparable study for hazardous liquid pipelines is
completed.
Entity: TSA Pipeline Security Division;
Time frame: Ongoing;
Description: Cued Assessments: When intelligence activities indicate
that a pipeline operator has been under possible terrorist
surveillance, PSD works with the operator to conduct vulnerability and
consequence assessments to determine the existing state of security
and gaps that need to be addressed. After these assessments, PSD makes
recommendations on how to close the security gaps;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD cannot use this
information because such assessments are isolated. Thus, PSD does not
have such information for all of the 100 most critical pipeline
systems.
Source: GAO and PSD.
[A] PSD collects consequence information during a CSR, but does not
conduct a consequence assessment.
[B] INGAA and AGA funded the first in this series of studies.
[End of table]
PSD Could Better Prioritize Its Reviews and Inspections of Critical
Pipeline Systems Based on Risk:
PSD's CSR procedures call for scheduling CSRs based primarily on a
pipeline system's risk ranking as determined by its risk assessment
model; however, we found a weak statistical correlation between a
system's risk ranking and the time elapsed between the first and
subsequent CSR for a pipeline system.[Footnote 35] This suggests that
a system's risk ranking was not the primary consideration in
scheduling these reviews. For the pipeline systems included in PSD's
risk assessment model dated May 2010, PSD had conducted 54 initial
CSRs of pipeline operators who operate the 100 most critical systems,
and 27 second CSRs of those operating 65 of the most critical pipeline
systems.[Footnote 36] Figure 4 illustrates the weak correlation we
found between risk ranking and time between reviews for the 27
operators with which PSD conducted a second CSR, as denoted by data
points that are not clustered near or on the line of best fit.
[Footnote 37] If a stronger correlation existed between these
variables, the data points would be clustered closer to the line of
best fit.
Figure 4: Correlation Between a Pipeline System's Risk Ranking and the
Time Elapsed from the First to the Second CSR, as of May 2010:
[Refer to PDF for image: plotted point graph]
The graph plots the pipeline system risk ranking (from most at risk to
least at risk) against years between first and second CSR.
Source: GAO analysis of PSD data.
Notes: n=27.
In 27 cases, PSD conducted two CSRs for the same operator. These CSRs
were conducted from April 2003 through May 2010. Because some pipeline
operators operate more than one system and a CSR usually covers all
the systems operated by a given operator, these 27 CSRs covered a
total of 65 of the 100 most critical pipeline systems.
[End of figure]
According to CSR procedures, using a pipeline system's risk ranking
when scheduling CSRs allows PSD to consider the importance of the
system to the nation's transportation infrastructure and the
likelihood that the system could be attacked. Similarly, according to
the NIPP, the highest priority in risk management efforts should be
accorded to those systems with the highest expected losses. In
addition, the 9/11 Commission Act requires that risk assessment
methodologies be used to prioritize risk and to target inspection
actions to the highest risk pipeline assets. According to PSD
officials, a pipeline system's relative risk ranking is the primary
factor driving their decision of when to schedule a subsequent CSR;
however, other factors, such as geographic proximity, also affect the
decision. For example, in some cases PSD officials schedule a CSR for
a lower risk-ranked system that might be located in the same
geographic area as a higher risk-ranked system to be efficient and
reduce travel time and costs.
We also found considerable variation in the time elapsed before PSD
returned to conduct a second CSR. For example, our analysis of the
data in PSD's risk assessment model showed:
* Within the 15 highest risk-ranked pipeline systems, the time between
the first and second CSR ranged from 1 to 7 years.[Footnote 38]
* For all pipeline systems, the average time elapsed between a first
and second CSR was 4.8 years, regardless of the system's risk ranking.
[Footnote 39]
* For 5 systems that rank in the top 15 in terms of risk,
approximately 6 years elapsed between a first and second CSR--more
than the average time for all systems.
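The risk ranking and scheduling checks discussed above can be sketched as follows. This is an added example, not GAO's analysis or PSD's model. The multiplicative form of the score, the normalization, the safety_weight parameter, the hca_miles field, and every data value are assumptions constructed for illustration.

```python
"""Constructed illustration: threat x vulnerability x consequence ranking,
plus a rank-correlation check of review scheduling. All data are made up."""
from dataclasses import dataclass

THREAT = 1.0  # held constant for every system, as the report describes


@dataclass
class System:
    name: str
    csr_score: float           # 0-100 score from the CSR protocol
    throughput: float          # annual energy throughput (arbitrary units)
    hca_miles: float           # miles in high-consequence areas (hypothetical input)
    years_between_csrs: float  # elapsed time from first to second CSR


# Constructed sample data, not taken from the report.
SYSTEMS = [
    System("A", 60, 900, 10, 6),
    System("B", 80, 1000, 50, 2),
    System("C", 50, 500, 200, 5),
    System("D", 90, 800, 20, 4),
    System("E", 70, 300, 150, 3),
    System("F", 85, 200, 5, 7),
]


def vulnerability_gap(csr_score):
    """Gap between the total possible score of 100 and the CSR score."""
    return 100.0 - csr_score


def risk_score(s, max_throughput, max_hca, safety_weight=0.0):
    """Assumed form: threat * vulnerability gap * blended consequence.
    safety_weight=0 reproduces a throughput-only (economic) consequence."""
    econ = s.throughput / max_throughput
    safety = s.hca_miles / max_hca if max_hca else 0.0
    consequence = (1 - safety_weight) * econ + safety_weight * safety
    return THREAT * vulnerability_gap(s.csr_score) * consequence


def rank_by_risk(systems, safety_weight=0.0):
    """Return system names ordered from most to least at risk."""
    max_t = max(s.throughput for s in systems)
    max_h = max(s.hca_miles for s in systems)
    ordered = sorted(
        systems,
        key=lambda s: risk_score(s, max_t, max_h, safety_weight),
        reverse=True,
    )
    return [s.name for s in ordered]


def _ranks(values):
    """Ranks starting at 1, with tied values sharing their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman rank correlation (Pearson correlation of the ranks)."""
    rx, ry = _ranks(xs), _ranks(ys)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = sum((a - mx) ** 2 for a in rx) ** 0.5
    sy = sum((b - my) ** 2 for b in ry) ** 0.5
    return cov / (sx * sy)


def schedule_correlation(systems, safety_weight=0.0):
    """Correlate risk rank (1 = most at risk) with years between CSRs.
    Risk-driven scheduling would give a value near +1."""
    years = {s.name: s.years_between_csrs for s in systems}
    names = rank_by_risk(systems, safety_weight)
    positions = list(range(1, len(names) + 1))
    return spearman(positions, [years[n] for n in names])


def overdue_high_risk(systems, top_n, safety_weight=0.0):
    """Top-ranked systems whose review interval exceeds the overall average."""
    years = {s.name: s.years_between_csrs for s in systems}
    mean = sum(years.values()) / len(years)
    return [n for n in rank_by_risk(systems, safety_weight)[:top_n] if years[n] > mean]


if __name__ == "__main__":
    print("economic only:", rank_by_risk(SYSTEMS))
    print("with safety:  ", rank_by_risk(SYSTEMS, safety_weight=0.5))
    print("rank vs. interval correlation:", round(schedule_correlation(SYSTEMS), 3))
    print("overdue in top 3:", overdue_high_risk(SYSTEMS, top_n=3))
```

On this constructed data, adding a public health and safety term to the consequence component reorders the ranking, and the correlation between risk rank and review interval is close to zero.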
PSD officials stated that although the time elapsed between a first
and second CSR might be longer than average for some of the highest
risk pipelines, this does not mean that PSD has not been focusing its
attention on these operators. For example, in one of these cases, the
officials explained they spent 6 weeks in 2009 inspecting dozens of
critical facilities belonging to this operator through the CFI
program, met with the company president to discuss the need for
security improvements, and had other contacts with the operator.
However, even after accounting for PSD inspecting one or more of an
operator's critical facilities before conducting a second CSR, we
still found a weak relationship between a pipeline system's risk
ranking and the time elapsed between that system's first and
subsequent CSR.[Footnote 40]
The NIPP calls for systems that are considered to have the highest
expected losses if damaged, disrupted, or destroyed, to receive more
scrutiny. Furthermore, PSD's CSR procedures state that the CSR program
should consider a pipeline system's risk level as one of the most
crucial factors when scheduling CSRs, and PSD officials told us they
consider a system's risk to be the primary factor in these decisions.
However, PSD has not clearly stated in its CSR procedures that risk
should be the primary criterion in scheduling CSRs, nor has it
documented a methodology addressing how it is to balance other
practical considerations, such as travel efficiencies, with its
consideration of risk. Doing so could help PSD ensure it prioritizes
its oversight of pipeline systems that are most at risk.
Similarly, PSD has no documented procedures or methodology for using a
system's risk ranking when scheduling CFIs. According to PSD
officials, when they began the CFI program in November 2008, their
primary consideration in scheduling CFIs was to do so in a manner that
would allow them to complete a large number of inspections as soon as
possible. For example, if 10 critical facilities were located close
enough to each other to complete all 10 in 1 week, PSD would schedule
those inspections and leave the inspections of more geographically
dispersed critical facilities for a later time. The officials further
explained that because inspecting outdoor space is critical to a CFI,
they also consider weather when scheduling inspections (i.e.,
scheduling cold weather locations in warmer months). However, the NIPP
calls for according the highest priority in risk management efforts to
those systems with the highest expected losses. Furthermore, the 9/11
Commission Act requires that risk assessment methodologies be used to
prioritize risk and to target inspections to the highest risk pipeline
assets. Documenting a methodology for scheduling CFIs and including a
pipeline system's risk ranking as the primary criterion while
recognizing other considerations that can affect scheduling could help
PSD ensure it prioritizes its oversight of pipeline systems that are
most at risk.
We identified almost no statistical correlation between the order in
which PSD conducted critical facility inspections and the risk ranking
of the pipeline system containing those facilities.[Footnote 41] For
example, PSD did not inspect any of the critical facilities of three
of the highest risk-ranked systems until early 2010, although it had
conducted CFIs of some of the lowest risk-ranked systems in the
previous year. PSD's oversight of the critical facilities belonging to
the most at-risk pipeline systems could be better prioritized by
scheduling inspections of facilities based on their system's risk
ranking.
PSD Has Taken Actions to Implement Agency Guidance and 9/11 Commission
Act Requirements, but Lacks a System for Following Up on Its
Recommendations to Operators:
PSD Established a Program for Reviewing Pipeline Security Plans:
PSD established an on-site CSR program in April 2003 that has been
evolving in response to, and consistent with, agency guidance--
specifically, DOT's September 2002 Pipeline Security Information
Circular (the 2002 circular)--and the 9/11 Commission Act. PSD
undertook CSRs to determine the state of security within the pipeline
industry and enhance the level of security planning and preparedness
throughout the industry. The 2002 circular outlines voluntary actions
that pipeline operators should take and describes actions the federal
government plans to take to improve pipeline security.[Footnote 42] It
gives operators some discretion to determine which security measures
are appropriate for each of their critical facilities and provides the
federal government with broad guidance and, thus, some flexibility, in
carrying out its reviews. According to the 2002 circular, pipeline
operators should take the following actions:
* Identify critical facilities.[Footnote 43]
* Develop a corporate security plan that is consistent with voluntary
security guidance published by the pipeline industry.[Footnote 44]
* Begin to implement appropriate security measures for the critical
facilities.
In addition, the 2002 circular describes the following actions the
federal government planned to take:
* Review pipeline operators' security plans on site.
* Determine whether operators' security plans are consistent with
security guidance published by their industry.
* Conduct spot checks of selected critical facilities in the field to
verify operators are implementing their security plans as written.
* Work with operators to correct security deficiencies.
CSRs emphasize the importance of pipeline operators' management
practices in prevention, protection, and response to threats. They
focus on pipeline operators' security plans and how operators manage
their security programs, and include recommendations to operators for
application in routine operational practices and during heightened
alert levels. These reviews are also intended to provide PSD a means
to establish and maintain relationships with pipeline operators' key
security personnel.
CSRs include detailed interviews with the pipeline operators' security
personnel--typically at operators' corporate headquarters; spot checks
of selected facilities; reviews of security plans and related
documents; and PSD feedback, including recommendations specific to the
operator.[Footnote 45] A CSR team, comprised of PSD officials,
conducts the interview using a CSR protocol that PSD developed based
on the 2002 circular and industry guidance.[Footnote 46] The protocol
includes 73 standard questions divided into 11 areas that include
vulnerability assessments, credentialing, security training, cyber
security,[Footnote 47] and physical security.[Footnote 48] According
to the PSD General Manager, the CSR process gives PSD some confidence
that operators are doing what their corporate security plans say.
Further, he expects that operators who do well on a CSR generally have
reasonably good security measures in place at their critical
facilities. However, he noted that it is difficult to be certain of
the physical security measures in place at critical facilities without
conducting full inspections.
When the 9/11 Commission Act was enacted in August 2007, it reinforced
the CSR program that PSD had underway by specifically requiring
reviews of pipeline operators' security plans for the 100 most
critical pipeline systems.[Footnote 49] Within the first 5 years of
conducting CSRs, PSD had reviewed the 100 most critical systems and
had begun a second round of CSRs. As of May 2010, it had completed 103
CSRs covering more than 125 pipeline systems, including 76 first-time
CSRs and 27 second-time CSRs.[Footnote 50] According to PSD officials,
CSRs have shown that pipeline operators are generally implementing
voluntary security measures and that second CSRs have indicated that
operators are generally improving their security posture.
We observed a CSR team conducting four CSRs from August through
October 2009. These represented a first CSR for two of the operators
and a second CSR for the remaining two operators--both of which had a
first CSR in 2004. The CSR team followed the same general process for
all four CSRs, asked all the questions in the CSR protocol, and
conducted the CSRs in a manner consistent with CSR program goals
(i.e., emphasizing the importance of security management practices,
establishing working relationships with pipeline security personnel,
and identifying and sharing knowledge of best practices).
The CSR team found that the security posture of these four operators
varied considerably. As part of each CSR, the team identified security
practices the operators were implementing well, but also made
recommendations regarding areas for improvement, tailored to each
operator and based on the results of each review. For the four CSRs we
observed, the CSR team made a total of 32 recommendations, ranging
from 3 recommendations to one operator to 17 recommendations to
another. For example, officials recommended that one operator conduct
vulnerability assessments for its critical facilities, another
operator should issue identification cards to contractors, and a third
should add certain emergency contact information to its security plan
and add its new headquarters to its list of critical facilities.
PSD Established a Program for Inspecting Critical Facilities of the
Most Critical Pipeline Systems:
PSD established the CFI program to conduct inspections of all the
critical facilities of the 100 most critical pipeline systems, as
required by the 9/11 Commission Act.[Footnote 51] According to PSD
officials, the purpose of the CFIs is to take a one-time snapshot of
each critical facility's security posture--that is, to collect
information on each critical facility's security measures and
equipment. PSD relied on pipeline operators to identify their own
critical facilities using criteria contained in the 2002 circular. As
of May 2010, operators of the 100 most critical systems had notified
PSD of a total of 373 critical facilities; however, PSD officials
explained that this number is fluid.
PSD manages the CFI program and has contracted with a security and
risk management consulting firm that focuses primarily on energy
infrastructure security to help with the program's design and
implementation. CFI teams (comprised of PSD staff and contractors from
the consulting firm) began conducting CFIs in November 2008 and, as of
May 2010, had completed 224 CFIs. Due to the time- and resource-
intensive nature of these inspections, PSD officials estimated they
will finish inspecting all the critical pipeline facilities operators
have identified by the end of 2011. Each CFI takes roughly 4 hours and
entails the following steps:
* The CFI team conducts an in-depth interview regarding the operator's
security practices using a CFI protocol that covers more than 150
items.
* The CFI team conducts an on-site physical inspection of the interior
and exterior of each critical facility, including the perimeter of the
property. Through physical observation and some testing, the CFI team
confirms that the security measures discussed during the CFI interview
are actually in place.
* The CFI team shares with the operator's security personnel its
observations of good security practices, areas for improvement, and
security recommendations.
* PSD sends the operator a final inspection report for each facility
inspected, including recommendations, subsequent to the CFI.
From June through August 2009, we observed the CFI team conduct 10
CFIs involving critical facilities operated by three different
pipeline operators. The CFI teams we observed followed the same
general process for each inspection and asked all the questions in the
CFI protocol. The security posture at these facilities varied
considerably, and the CFI team's observations and recommendations
varied accordingly. During each CFI, the team commended the operator
for specific security practices that were in place at the facility,
but also made recommendations for actions to improve security. The CFI
team made a total of 88 recommendations for the 10 CFIs we observed,
ranging from 4 recommendations at some facilities to 13
recommendations at others. For example, recommendations the CFI team
made to one operator included overhauling the procedure for obtaining
visitor badges and installing "no trespassing" signs and warnings
indicating that the property is under video surveillance.
Recommendations to another operator included securing all perimeter
gates when not in active use, installing an access control system at
the main gate that logs activity, upgrading main gate lighting, and
establishing a formal key management program.
Figures 5, 6, and 7 show several of the security measures for which
the CFI team commended the operator during a CFI we observed.
Figure 5: Antiterrorism Crash Barrier Gate Installed inside Fenced
Perimeter of a Critical Facility:
[Refer to PDF for image: photograph]
Source: GAO.
[End of figure]
Figure 6: Boulders Installed inside Perimeter Fencing at a Critical
Facility Serve as a Vehicle Barrier:
[Refer to PDF for image: photograph]
Source: GAO.
[End of figure]
Figure 7: One of Many Closed-Circuit Television Cameras Installed at a
Critical Facility:
[Refer to PDF for image: photograph]
Source: GAO.
[End of figure]
Figures 8 and 9 are photographs of two types of security lapses the
CFI team identified during two other CFIs we observed. The CFI team
made recommendations to the operator to address these and other
security vulnerabilities.
Figure 8: CFI Team Explains That Leaving the Entry Gate of a Critical
Facility Open during Business Hours Constitutes a Serious Lapse in
Security:
[Refer to PDF for image: photograph]
Source: GAO.
[End of figure]
Figure 9: Excessive Vegetation Surrounding a Critical Facility Impedes
the Operator's Ability to Inspect Fencing and See Possible Intruders:
[Refer to PDF for image: photograph]
Source: GAO.
[End of figure]
In addition to accompanying CFI teams on inspections, we independently
observed the exterior of 10 critical facilities operated by six
different pipeline operators. Based on what we could observe at these
facilities from outside the property perimeters, we saw variation in
the physical security measures that these operators appeared to have
in place--not dissimilar to what we observed when we accompanied CFI
teams on their inspections.
In contrast to CSRs, which look at pipeline operators' corporate
security plans and security management, CFIs, when all are completed,
are to yield information on security measures in place at every
individual critical pipeline facility that operators have identified.
According to PSD's General Manager, the CFI program fills a gap that
existed in the CSR program by providing PSD the ability to develop
first-hand knowledge of security measures in place at critical
pipeline sites. As designed, the program provides PSD with a single
point-in-time snapshot of the security posture of each critical
facility. PSD officials explained that the CSR and CFI programs are
complementary and that the CSRs' focus on management practices and the
CFIs' focus on security measures in place at critical facilities
provide PSD with needed information and are both important. They
further stated that, because of its value, they are discussing ways to
continue the CFI program after they complete all the inspections if
resources are available. Options discussed include repeating the full
set of CFIs after inspections of the critical facilities of the 100
most critical systems are completed; expanding inspections beyond
these 100 systems, including toxic inhalation hazard pipeline systems;
and enhancing CSRs to incorporate more thorough inspections of
critical facilities.[Footnote 52]
PSD Does Not Routinely Follow Up on Recommendations to Pipeline
Operators:
PSD does not routinely transmit its CSR recommendations in writing to
pipeline operators, nor does it have a database of the CSR or CFI
recommendations it makes or a process to routinely follow up on
pipeline operators' implementation of those recommendations. After
each CSR, PSD officials document review findings and the
recommendations they make in an internal PSD report and provide oral
recommendations aimed at enhancing that operator's security planning
and preparedness to the pipeline operator's security personnel and
sometimes management. However, PSD officials said they do not
communicate these recommendations to the operator in writing as a
matter of practice, but will transmit them in writing if an operator
asks. Of the four CSRs we observed, one operator asked that the
recommendations be put in writing, and PSD officials agreed to do so.
Standards for Internal Control in the Federal Government calls for
deficiencies found during evaluations to be communicated to the
individual responsible for the function and to at least one level of
management above that individual. It also calls for information to be
recorded and communicated to management and others within the entity
who need it and in a form and within a time frame that enables them to
carry out their internal control and other responsibilities. PSD
officials explained they had reasons for not transmitting written
recommendations to operators when they first started the CSR program,
and they subsequently continued the practice of sharing
recommendations orally.[Footnote 53] However, by transmitting written
recommendations to pipeline operators, PSD could better ensure that
operators have clear guidance on actions they can take to enhance
security.
PSD officials agreed that their pipeline security efforts would
benefit from transmitting CSR recommendations to pipeline operators in
writing and told us they intend to begin doing this after they issue
new Pipeline Security Guidance and revise their CSR protocol.[Footnote
54] However, they could not provide a specific time for when they
would begin transmitting the recommendations to operators. Standard
practices for project management call for developing a plan that
includes defined approaches as well as start dates for activities.
[Footnote 55] Developing such a plan could help PSD accomplish its
intended goal of transmitting CSR recommendations in writing to
pipeline operators.
In addition, PSD officials told us they do not have a database of the
recommendations they make to operators as a result of its CSRs;
rather, they document CSR recommendations in individual internal
reports PSD maintains on each operator. Having such a database could
allow PSD to analyze the recommendations it has made through the CSR
program. Moreover, the officials said they do not have a process for
following up on those recommendations other than through subsequent
CSRs that, on average, occur about every 5 years. According to PSD's
General Manager, the greatest challenge PSD officials face is that
they do not know if operators are implementing the recommendations PSD
makes as a result of the CSRs. He further stated that he would like to
conduct CSRs with each pipeline operator about once every 2 or 2.5
years to see if operators have implemented PSD's recommendations, but
with a small staff, PSD can only visit a company about once every 4 or
5 years.[Footnote 56]
Similarly, PSD officials said they do not have a database that would
allow them to readily analyze the CFI recommendations they make. The
CFI program, designed as a one-time inspection program of every
critical pipeline facility of the 100 most critical pipeline
facilities, includes recommendations that PSD sends to pipeline
operators and are specific to each facility it inspects. Although the
CFI contractor designed a database to capture the results of each
completed CFI, the database does not include the recommendations made.
Furthermore, PSD officials said they do not have a process for
following up to see if operators have implemented these
recommendations.
Standards for Internal Control in the Federal Government states that
internal controls should generally be designed to assure that ongoing
monitoring occurs, and further states that monitoring should include
policies and procedures for ensuring that the findings of reviews are
promptly resolved. Because PSD does not follow up on its CSR
recommendations other than through a subsequent CSR 5 years later, on
average, it lacks assurance that its recommendations are being
implemented and whether the state of pipeline security is improving.
PSD officials agreed that having a database that would allow them to
analyze CSR recommendations, and following up on recommendations more
frequently and systematically could increase PSD's knowledge of the
security posture and vulnerabilities of individual operators as well
as the pipeline industry, enhance its ability to monitor security
progress, and provide additional information about its pipeline
security efforts. In carrying out its CFI program, PSD has invested
resources in hiring a contractor, conducting inspections, making
recommendations, and developing a database. However, PSD officials
agreed that without including its CFI recommendations in that database
and following up on their implementation, they cannot analyze the
recommendations they have made and have limited information on whether
pipeline operators are addressing security vulnerabilities identified
at each critical facility. PSD officials told us in May 2010 that they
would like to follow up on the recommendations they make as a result
of their inspections and had been discussing ways to do this, but
they did not have specific plans or time frames for doing so.
Moreover, the 9/11 Commission Act states that DHS or DOT should issue
pipeline security regulations if DHS determines they are appropriate.
PSD officials told us in April 2009 that the results of the CSR and
CFI programs, together, will inform that decision and noted that they
are continually reassessing whether regulations are needed. They
explained that they have been learning about the security posture of
pipeline operators through these two programs and see indications that
operators are making progress in improving security. Still, in a
December 2009 quarterly report to the Office of Transportation Sector
Network Management (TSNM) based on the first 159 CFIs, PSD reported
that CFI data indicated that security improvements are needed. PSD
further reported that regulations were not needed at that time. PSD
officials agreed that by following up more frequently on whether
operators are implementing the recommendations PSD makes as a result
of its CSRs and developing a process for following up on the
recommendations it makes as a result of its CFIs, they could be better
informed of the state of the nation's pipeline security, including
whether their recommendations have been implemented. Additionally,
this would provide them information they say they plan to use to
decide whether pipeline security regulations are needed.
PSD Has Developed Pipeline Security Recommendations:
PSD reported that it met the 9/11 Commission Act mandate to develop
and transmit security recommendations to pipeline operators through
its issuance of Pipeline Security Smart Practices (Smart Practices).
PSD issued its Smart Practices in August 2006 to reflect lessons
learned from its first few years of conducting CSRs and to detail
security practices that can enhance the security of the pipeline
industry. The Smart Practices address a wide range of security
practices, such as risk assessments, vulnerability assessments, and
security planning; threat information; employment screening; vehicle
checkpoints; physical security; intrusion detection; security
awareness training; and drills, exercises, and regional cooperation.
During CSRs, PSD officials remind operators of the Smart Practices and
disseminate the document. In addition, PSD officials told us they
inform operators of its availability through activities such as at the
annual International Pipeline Security Forum and disseminate it upon
request. PSD intends to periodically review and update the Smart
Practices to reflect advancements in security technology and maintain
the viability of the security practices described.
In addition, PSD officials stated that they will further address this
mandate by issuing new Pipeline Security Guidelines to replace the
2002 circular. According to these officials, the biggest difference
between the existing and new draft pipeline security guidelines is
that the new voluntary guidelines will apply to all pipeline
operators--including those who do not have any critical facilities.
Under the new guidelines, all operators will be expected to implement
some security measures at all their facilities, and implement even
more at critical facilities. In contrast, the 2002 circular applies
only to those operators that have critical facilities. In addition,
the new guidelines will contain a section on cyber security.[Footnote
57] As of May 2010, PSD officials said that the new guidelines were in
draft and expected they would be issued later in 2010.
PSD officials told us they worked closely with industry groups to
develop the new draft guidelines, and industry groups we spoke with
commended PSD's collaborative approach during this process. An INGAA
official explained that PSD used an iterative process to develop the
new guidelines that included holding multiple sessions with
stakeholders and forming work groups. An APGA official spoke of the
open process PSD used in inviting industry comments. Similarly, AGA
officials spoke highly of PSD's approach of inviting operator and
association participation, which they said contributed to new guidance
that applies to critical infrastructure and provides sensible baseline
guidance for operators--both large and small--for securing noncritical
infrastructure. API and AOPL officials also said that PSD worked
closely with them and commended PSD's coordination efforts.
PSD Officials Report Developing a Pipeline Security and Incident
Recovery Protocols Plan:
PSD officials stated that they have drafted a pipeline security and
incident recovery protocols plan, which the 9/11 Commission Act
required be completed by August 2009. The 9/11 Commission Act requires
that DHS develop a pipeline security and incident recovery protocols
plan that includes (1) increased federal security support to the most
critical pipelines under severe security threat alert levels or
specific threat information and (2) a plan to develop protocols for
the continued transportation of natural gas and hazardous liquids to
essential markets and for essential public health or national defense
uses in the event of an incident. The act required DHS to submit a
report to Congress by August 2009 that included the plan and the
implementation costs of any recommendations in the plan.
The plan is also to take into account actions and plans of private and
public entities and consult with DOT and other stakeholders specified
in the 9/11 Commission Act. The act requires DHS to develop this plan
in consultation with DOT and PHMSA and in accordance with the annex to
the DOT/DHS MOU, the National Strategy for Transportation Security,
and HSPD-7. The 9/11 Commission Act also identifies other parties that
are to be consulted as DHS develops the plan.[Footnote 58] According
to PSD, it consulted with the various parties called for by the act in
developing its plan. Starting in December 2008, PSD, in coordination
with the DOT, conducted a series of meetings and interviews with DOE,
DHS's Office of Infrastructure Protection, and the Federal Bureau of
Investigation (FBI).[Footnote 59] PSD subsequently held two workshops
(in April and May 2009) at the Johns Hopkins University Applied
Physics Laboratory to discuss and review the document with additional
security partners and stakeholders. PSD informed us that in developing
the plan, it consulted the representatives of numerous federal
agencies and agency components, as well as nonfederal organizations
and industry groups.[Footnote 60]
As of March 2010, PSD officials said they had not submitted the
required report to Congress. According to the officials, the pipeline
security and incident recovery protocols plan had been reviewed within
DHS and was being reviewed by the Office of Management and Budget.
They further said the draft plan clarifies the roles of federal
agencies during and after various types of incidents, but does not
contain any new responsibilities or recommendations for federal
agencies or industry. As such, there are no additional costs
associated with the plan and the report to Congress will not include a
cost estimate.
PSD Could Strengthen Its Documented Security Strategy and More
Reliably Report Security Improvements:
PSD's Security Strategy Could Be Strengthened by Incorporating
Performance Measures and Milestones:
The 2007 Pipeline Modal Annex to the Transportation Systems Sector-
Specific Plan--TSA's national security strategy for pipeline systems--
identified several goals and objectives for improving transportation
and pipeline security; however, the strategy lacks performance
measures and milestones. In prior work, we have identified the
inclusion of performance measures and milestones as a desirable
characteristic for a successful national strategy and reported that a
successful strategy should document what it seeks to achieve, the
steps necessary to get those results, and the performance measures and
milestones to gauge results.[Footnote 61] We also reported that a
strategy could accomplish this by stating its mission and then clearly
linking its goals, objectives, programs, and performance measures to
achieve results. PSD's strategy (the Pipeline Modal Annex) includes
TSA's transportation sector goals that apply to all modes of
transportation and identifies objectives specific to pipeline
security, as shown in figure 10.[Footnote 62] It also describes
government and industry programs and activities that support these
goals and objectives.
Figure 10: Transportation Sector Goals and Pipeline Security
Objectives:
[Refer to PDF for image: illustration]
Transportation Sector goals:
* Prevent and deter acts of terrorism using or against the
transportation system.
* Enhance resiliency of the U.S. transportation system.
* Improve the cost-effective use of resources for transportation
security.
Pipeline security objectives:
* Reduce the level of risk through analysis and implementation of
security programs that enhance deterrence and mitigate critical
infrastructure and key resources vulnerabilities against threats and
natural perils.
* Increase the level of resiliency and robustness of pipeline systems
and operations through collaborative implementation of measures that
increase response preparedness capabilities and minimize effects
caused by attack from threats or from natural perils.
* Increase the level of domain awareness and information sharing and
response planning and coordination through enhanced training, network
building and efficient research, and development application.
Source: GAO presentation of PSD information.
[End of figure]
Although the Pipeline Modal Annex contains goals and objectives, it
does not incorporate the performance measures and milestones PSD uses
to evaluate the effectiveness of its security programs and activities.
[Footnote 63] For example, the annex describes an objective to reduce
the level of risk through implementation of security programs and
aligns it with the CSR program, but does not incorporate the
performance measures and milestones PSD uses to evaluate the CSR
program's effectiveness in achieving this objective. According to PSD
officials, they considered performance measures and milestones in
writing the annex, but did not include them because the annex was
intended as a planning document and not an assessment tool.
Our prior work concluded that better identification of performance
measures and milestones would help parties achieve results in specific
time frames and enable more effective oversight and accountability.
[Footnote 64] Thus, using milestones and performance measures to gauge
progress in meeting its stated goals and objectives could help PSD
further develop and implement its national security strategy for
pipeline systems and enhance its usefulness in making resource and
policy decisions to better ensure accountability. Moreover, by drawing
a link in the pipeline security strategy between pipeline security
goals and objectives, milestones, performance measures, and programs,
PSD could better evaluate its progress in helping to improve pipeline
security--information that could be useful to decision makers during
the risk prioritization process--and achieve results in specific time
frames.
PSD Has Taken Steps to Measure Its Performance, but Could Better
Measure and More Reliably Report Industry Improvements:
PSD has initiated efforts to measure its performance in helping
strengthen the security of pipeline systems, but could improve its
performance measures to better evaluate and reliably report on the
extent of security improvements in the pipeline industry. As a part of
its risk management framework, the NIPP calls for agencies to measure
progress in security improvements against transportation sector goals,
using performance measures--(1) output data to track the progression
of tasks associated with a program or activity and (2) outcome data to
evaluate the extent to which a program achieves sector goals and
objectives. The NIPP also states that agencies must develop
performance measures that are specific and clear about what they are
measuring, practical in that the needed data are available, and built
on objectively measured data. NIPP Metrics Program guidance, intended
to help agencies develop performance measures, called for focusing on
output measures in 2008, but continuing progress toward outcome-based
performance measures in 2009.
PSD Has Developed Several Performance Measures:
Although the national security strategy for pipeline systems--the
Pipeline Modal Annex--does not include performance measures, PSD has
developed two output measures and one outcome measure to help evaluate
its progress in meeting program objectives, consistent with the
requirements of the NIPP. For its output measures, PSD tracks:
* the number of CSRs it conducts, with a milestone, or interim goal,
of 12 CSRs each year; and
* the number of CFI trips it completes, with a milestone of 15 trips
each year.[Footnote 65]
According to PSD officials, they track CSR and CFI program progress
against these two performance milestones, and provide this information
to TSNM to consider in developing the transportation sector annual
report.[Footnote 66]
In addition, PSD officials told us that they collect performance
output data on other activities and have established the following
annual milestones:
* ten stakeholder conference calls,
* an International Pipeline Security Forum,
* quarterly meetings with DOT (per PHMSA's and TSA's annex to the MOU
between DHS and DOT), and
* two pipeline Intermodal Security Training Exercise Program
exercises.[Footnote 67]
In 2009, PSD developed an outcome measure--the vulnerability gap--that
uses CSR program data to help evaluate the impact of its efforts to
improve pipeline security. This outcome measure is intended to
evaluate improvements in operators' security planning and preparedness
based on its CSR program evaluations. More specifically, it compares
the results of first and second CSRs to quantify the extent to which
operators have reduced security vulnerabilities identified through
CSRs.
Additional Outcome Measures Could Assist PSD in Measuring Pipeline
Security Improvements:
Although PSD has taken steps to gauge the progress of its programs,
its ability to measure improvements in pipeline security is limited.
The NIPP states that using performance measures as part of risk
management can enable agencies to assess security improvements, and it
instructs agencies to track progress toward a strategic goal or
objective by measuring results or outcomes. The NIPP further states
that the key to NIPP performance management is aligning outcome
performance measures to goals and objectives.
According to the Transportation Systems Sector-Specific Plan, outcome
measures should be used to assess program goals and objectives;
however, output measures may be used as proxies for outcome measures
in the early stages of its programs. In addition, we have reported on
the limitations of output-based measures in our prior work.
Specifically, we have stated that using output measures to evaluate
security program performance may not systematically target areas of
higher risk and may not result in the most effective use of resources
because these measures are not pointed toward outcomes, or what
activities are accomplishing.[Footnote 68]
PSD's outcome measure--the vulnerability gap--measures aspects of two
of its pipeline security objectives; however, PSD has not developed
outcome measures that enable it to fully assess improvements related
to pipeline security as a whole. The vulnerability gap focuses on what
PSD measures through its CSR program--primarily improvements in
pipeline operators' security planning and preparedness--but provides
limited information on improvements in other areas, such as physical
security. According to the Pipeline Modal Annex, the CSR program
evaluates aspects of two of the pipeline security objectives--(1) to
reduce risk and (2) to increase information sharing and response
planning and coordination. By extension, the vulnerability gap
measures these as well. For example, the vulnerability gap takes into
account operators' risk reduction activities such as how they assess
threats and vulnerabilities. It also measures increased information
sharing, such as how operators manage threat information.
However, according to the Pipeline Modal Annex, the CSR program does
not evaluate the third pipeline security objective--to increase the
level of resiliency and robustness of pipeline systems--and, thus, the
vulnerability gap does not measure this objective.[Footnote 69] As a
result, PSD is limited in its ability to measure or report on
improvements in this latter area of pipeline security. Furthermore,
according to PSD officials, collecting CSR information every 4 to 5
years limits their ability to measure the security improvements that
operators are making. Nevertheless, they said the changes they have
observed from operators' first to second CSRs provide them with a
strong level of confidence that improvements have occurred.
PSD officials explained that they are in the early stages of
performance measurement and have not yet developed additional outcome
measures or established time frames for doing so. We recognize
challenges PSD might face in developing outcome measures related to
reducing risk. In our prior work we acknowledged that assessing the
deterrent benefits of a program is inherently challenging because it
is often difficult to isolate the impact of an individual program on
behavior that may be affected by multiple other factors.[Footnote 70]
In the case of pipeline security, it may be difficult to isolate the
impact of PSD's programs on operators' security actions. Nevertheless,
outcome-based data could better inform decision makers of the extent
to which programs and activities have been able to reduce risk and
better enable them to determine funding priorities within and across
agencies. Also, developing additional outcome measures that assess the
impacts of its efforts to improve pipeline security and are directly
aligned with transportation sector goals and pipeline security
objectives could better enable PSD to evaluate security improvements
in the pipeline industry.
PSD Could Improve the Reliability of Data It Uses to Measure
Effectiveness:
PSD designed the vulnerability gap outcome measure to help evaluate
the impact of its efforts to improve pipeline security using CSR
program data, but the baseline data PSD used to measure its efforts
may not be reliable. When PSD officials began conducting CSRs in 2003,
they developed a CSR protocol to collect information on pipeline
systems' corporate security planning and preparedness. However,
according to PSD officials, they began using a different protocol in
August 2004 that TSA developed for all surface transportation modes to
use during their respective CSRs to ensure consistency among modes.
Many questions in the second protocol differed from those in the
first, although the topic areas were similar.[Footnote 71]
Although changes in the CSR protocol provide PSD with more information
on some topics, differences between the two protocols limited PSD's
ability to use CSR program data collected with the first protocol. PSD
officials explained they, therefore, sought to develop comparable CSR
data for all operators, regardless of which protocol PSD used during
CSRs. To accomplish this, PSD officials instructed staff to
reconstruct a new protocol (using the second CSR protocol) for each
pipeline operator PSD reviewed from mid-April 2003 through mid-July
2004--the 15-month period during which the first protocol was used.
[Footnote 72] Staff were to do this using available information from
the first completed protocol, any notes PSD officials took during the
CSR, and security plans or other documents PSD gathered during the
CSR. However, PSD officials said they did not provide written
instructions to staff or verify that staff accurately reconstructed
the data. Although the officials expressed confidence in their staff's
work, we could not be assured that the CSR information staff
reconstructed was accurate and reliable.
We analyzed the content, or substance, of the questions in both the
first and second protocols and identified concerns about whether
operator information could have been transferred reliably from the
first to the second protocol after the fact. We found that 41 of the
73 newer CSR protocol questions were either consistent with the
content of the first protocol or could have been consistently verified
using the security plan operators provided during the original CSR. We
therefore found it reasonable that PSD staff would have been able to
accurately transfer the completed information from the first protocol
to the second protocol for these 41 questions. However, we could not
be reasonably assured that PSD staff accurately transferred
information for the remaining 32 questions onto the second protocol
because the content of these questions was inconsistent and, thus, PSD
staff may not have been able to reliably reconstruct the data using
the security plans operators provided during the original CSRs. For
example, the second protocol contained the following questions
directed to operators, but we found no similar questions on the first
protocol:
* Do you have a 24/7 emergency response/operations center?
* Do you conduct different levels of background checks based on type
of employment (e.g., executive, operational, police)?
* Do you periodically conduct exercises and drills?
For these questions, and 29 others like them, PSD staff may have been
able to locate the information they needed in notes and documents to
reconstruct the second protocol, but we had no assurance that this was
possible or done in an accurate and reliable manner. We have
previously reported that performance measures should reliably assess
progress such that the same results would be achieved if applied
repeatedly to the same situation.[Footnote 73] Furthermore, errors in
data accuracy could alter conclusions about the extent to which
performance goals have been achieved, such as reporting performance at
either a higher or lower level than is actually being attained.
We have also reported that decision makers must have assurance that
the program data being used to measure performance are sufficiently
accurate and reliable if the data are to inform decision-making.
[Footnote 74] Thus, the usefulness of agency performance information
depends to a large degree on the reliability and accuracy of
performance data. Because of the changes in the CSR protocol questions
and concerns about the reliability of reconstructed operator responses
transferred to a different form, the baseline data PSD used in
comparing operators' first and second CSR scores and resulting reports
may not be accurate. As such, PSD's outcome performance measure--the
differences in vulnerability gaps as calculated using CSR scores--
suggests a level of precision that may not be supported.[Footnote 75]
PSD officials said they did not see this as a significant problem
because not all the baseline CSRs involved reconstructed data and, as
they continue to conduct CSRs, they will eventually be able to compare
the results of operators' second to third CSRs in reporting
improvements. Furthermore, although PSD's CSR data may be useful for
some analytical purposes, such as analyzing industry trends and
assessing individual operators' security planning and preparedness,
some of the early data are not useful for reporting the extent to
which the vulnerability gap has closed. PSD and decision makers could
be better informed and could more effectively prioritize efforts if
PSD maintains a more reliable baseline for its outcome performance
measure and does not use reconstructed data in reporting its baseline.
Conclusions:
Securing the nation's vast network of hazardous liquid and natural gas
pipeline systems is a formidable task. The importance of pipeline
systems to the nation's economy underscores the need for PSD to employ
a risk management approach to prioritize its security efforts. PSD has
taken actions to implement a risk management approach, including
identifying the 100 pipeline systems it considers most critical and
being the first of the surface transportation modes to develop a risk
assessment model. Nevertheless, work remains to ensure that the
highest risk pipeline systems are given the necessary scrutiny. PSD's
risk assessment model is in its early stages of development; however,
information is available or expected that could enhance the
vulnerability and consequence components of the model. By developing a
plan that includes time frames and milestones for adding information
to its risk assessment model, PSD could be better assured of reaching
its goal to improve the model. This could help PSD more accurately
rank pipeline systems according to risk and help guide resource
allocation decisions. In addition, documenting a methodology for
scheduling CSRs and CFIs that includes a pipeline system's risk
ranking as the primary criteria, while recognizing other
considerations that can affect scheduling, could help PSD ensure it
prioritizes its oversight of pipeline systems that are most at risk.
PSD has taken actions to encourage private pipeline operators to
employ security measures that will protect their pipeline systems,
including critical facilities. While PSD officials have said that
operators of the most critical pipeline systems are generally
implementing voluntary security measures, two of PSD's key efforts--
its CSR and CFI programs--have identified shortcomings in operators'
security programs and critical facilities that should be addressed to
reduce vulnerabilities. As such, an important aspect of the CSR and
CFI programs is the specific recommendations PSD makes and tailors to
each operator to address the vulnerabilities PSD has identified.
However, PSD is missing opportunities with respect to these
recommendations. PSD officials agreed that routinely transmitting CSR
recommendations in writing to operators could better ensure that
operators are clear on the actions they can take to enhance the
security of their pipeline system or systems, and they have said they
intend to do this. Developing a plan that includes a defined approach
and time frames for how and when PSD intends to begin transmitting CSR
recommendations in writing to pipeline operators could help PSD
accomplish its intended goal.
In addition, by establishing databases of the CSR and CFI
recommendations it makes, PSD could more readily and systematically
analyze its recommendations and be better informed of security
vulnerabilities in the pipeline industry. Furthermore, because CSRs
take place infrequently and CFIs are not repeated, following up on the
implementation of CSR and CFI recommendations is particularly
important. By doing so, PSD could enhance its knowledge of the state
of security of the pipeline industry as well as individual systems and
facilities, have an additional means for measuring the effectiveness
of its programs, and obtain information that could help inform its
decision on whether it would be appropriate to issue pipeline security
regulations.
The 2007 Pipeline Modal Annex represents a positive step toward
conveying TSA's strategy for helping the pipeline industry secure the
nation's pipelines. However, incorporating PSD's performance measures
and milestones and linking them to the goals and objectives in its
national security strategy for pipeline systems could aid PSD and the
pipeline industry in achieving results within specific time frames and
could facilitate more effective oversight and accountability. PSD has
developed some output-based performance measures and milestones to
track the progress of its programs and activities and has developed an
outcome measure to evaluate the impact of some of its efforts to
improve pipeline security. However, PSD's dependence on a single
outcome measure hinders its ability to evaluate the extent of
improvements related to all of its pipeline security objectives.
Developing additional outcome measures aligned with its objectives
could facilitate PSD's efforts to better evaluate its performance.
Moreover, PSD has collected data on the security posture of pipeline
operators through its CSR program and compared vulnerability gap data
over time to measure the progress operators have made. PSD's CSR data
may be useful to PSD for various analytical purposes. However, because
of reliability issues affecting the baseline data PSD uses for
calculating its vulnerability gap outcome measure, PSD would be better
informed if, going forward, it establishes reliable baseline data for
measuring and reporting improvements in pipeline security. Although
this would limit PSD's ability to report on improvements in operators'
security efforts from the first 15 months of the CSR program, it could
provide greater assurance that, in the future, PSD is more accurately
and reliably measuring those pipeline security improvements.
Recommendations for Executive Action:
To improve aspects of the Pipeline Security Division's (PSD) efforts
to help ensure pipeline security, we recommend that the Assistant
Secretary for the Transportation Security Administration take the
following eight actions.
To ensure that PSD is managing risk effectively,
* Develop a plan with time frames and milestones for improving the
data in the pipeline risk assessment model by, for example, adding
more data to the consequence component.
* Document a methodology for scheduling Corporate Security Reviews
(CSR) and Critical Facility Inspections (CFI) that considers a
pipeline system's risk ranking as the primary scheduling criteria and
balances it with other practical considerations.
To help PSD maximize its CSR and CFI efforts and keep its knowledge of
the security posture of the pipeline industry current,
* Develop a plan that includes a defined approach and time frame for
how and when PSD intends to begin transmitting CSR recommendations in
writing to pipeline operators.
* Establish a database of CSR recommendations and develop a process
for following up on the implementation of those recommendations.
* Establish a database of CFI recommendations and develop a process
for following up on the implementation of those recommendations.
To better achieve the security strategy laid out in the Pipeline Modal
Annex--the national security strategy for pipeline systems--to the
extent feasible, revise future updates of the annex to incorporate
performance measures for assessing PSD and pipeline industry progress
and link those measures to pipeline security objectives.
To better evaluate PSD's performance in helping strengthen the
security of hazardous liquid and natural gas pipelines and
improvements in pipeline security, develop additional outcome measures
that are directly linked to sector goals and modal objectives and
track progress towards its stated pipeline security objectives.
To help ensure reliable reporting of security improvements in the
pipeline industry, establish reliable baseline data and, until that
time, refrain from using reconstructed baseline data to report
progress in closing the vulnerability gap.
Agency Comments and Our Evaluation:
We provided a draft of our report to DHS on July 2, 2010, for review
and comment. On July 23, 2010, DHS provided written comments, which
are reprinted in appendix II. In commenting on the draft report, DHS
stated that it concurred with our findings and all eight
recommendations and discussed efforts planned or underway to address
them. However, the actions DHS reports it plans to take do not fully
address the intent of four of our eight recommendations.
DHS concurred with our first recommendation that TSA develop a plan
with time frames and milestones for improving the data in the pipeline
risk assessment model and stated that PSD will develop a plan to
coordinate security efforts that are underway that will help refine
the pipeline risk ranking tool (the pipeline risk assessment model).
DHS further stated that additional data from critical facility
inspections, the hazardous liquid pipeline assessment, and toxic
inhalation hazard study, among others, will help inform the
consequence component. We support PSD's intention to develop a plan
for taking such action and further encourage TSA to consider using
critical facility inspection data to inform the vulnerability
component of the pipeline risk model. The development of a plan for
improving the data in the pipeline risk assessment model will address
the intent of our recommendation, provided it includes time frames and
milestones.
DHS concurred with our second recommendation that TSA document a
methodology for scheduling CSRs and CFIs that considers a pipeline
system's risk ranking as the primary scheduling criteria and balances
it with other practical considerations. DHS stated that TSA's analysis
identified as critical those pipeline systems that transport the
greatest amount of energy and that PSD developed the risk ranking tool
to further enhance its risk-based effort. DHS further stated that to
increase the value of the risk ranking tool, PSD will develop
additional data to inform the tool's rankings and base its
programmatic efforts on the results. While we support PSD's intention
to develop additional data to inform its ranking of pipeline systems
based on risk and base programmatic efforts on those rankings, these
actions, alone, will not fully address the intent of our
recommendation. We believe that to better prioritize oversight of
pipeline systems among the 100 that are the most critical, and to
address our recommendation, TSA should document a methodology for how
it will schedule pipeline CSRs and CFIs in a manner that considers
risk as the primary scheduling criteria, while balancing other
practical scheduling considerations, such as travel efficiencies.
DHS concurred with our third recommendation that TSA develop a plan
that includes a defined approach and time frame for how and when PSD
intends to begin transmitting written CSR recommendations to pipeline
operators. DHS stated that PSD intends to modify its process of
providing oral recommendations for security improvements to pipeline
operators to include providing these recommendations to operators in
writing. Developing a plan that includes a defined approach for how it
will transmit its written recommendations to operators and a time
frame for when it will begin to do so will address the intent of our
recommendation.
DHS concurred with our fourth recommendation that TSA establish a
database of pipeline CSR recommendations and develop a process for
following up on the implementation of those recommendations. DHS
stated that PSD will initiate the development of such a database and
further stated that repeat CSRs will particularly focus on the
implementation of recommendations from prior reviews. Developing a
database will partially address this recommendation. However, while we
support a plan that includes PSD following up on prior CSR
recommendations during subsequent CSRs, this, alone, will not fully
address the intent of our recommendation. Because PSD conducts a CSR
for any given pipeline operator about every 5 years, on average, a
process for additional and timelier follow up is needed if PSD is to
be assured that its recommendations are being implemented.
DHS concurred with our fifth recommendation that PSD establish a
database of CFI recommendations and develop a process for following up
on the implementation of those recommendations. DHS stated that PSD
has initiated the development of a CFI recommendation database and
further stated that following up on those recommendations will enable
TSA to assess the pipeline industry's progress in mitigating
identified security deficiencies. Completing this database and
developing a process for following up on the CFI recommendations will
address the intent of our recommendation.
DHS concurred with our sixth recommendation that TSA revise future
updates of the Pipeline Modal Annex to incorporate performance
measures for assessing PSD and pipeline industry progress and link
those measures to pipeline security objectives. DHS stated that in
future updates to the Transportation Systems Sector-Specific Plan, PSD
will include performance measures within the Pipeline Modal Annex
consistent with the sector format and guidance. However, direction on
what is to be included in future updates of the Pipeline Modal Annex
originates with TSA, which provides transportation modes, including
pipeline, with guidance and a recommended format on how to revise or
rewrite modal annexes to the Transportation Systems Sector-Specific
Plan. TSA's 2010 Modal Plan Revision Guidance for transportation modes
does not explicitly call for incorporating performance measures for
assessing modal progress and, further, linking those measures to modal
objectives. Thus, without TSA direction to include performance
measures that are linked to objectives in modal annex updates, the
action DHS described to address our recommendation does not fully
address our intent.
DHS concurred with our seventh recommendation that TSA develop
additional outcome measures that are directly linked to sector goals
and modal objectives and track progress towards its stated pipeline
security objectives. DHS stated that PSD will develop appropriate
outcome measures that reflect the impact of its security programs and
the security status of the pipeline industry, and further stated that
this effort will be made consistent with the performance measurement
guidance of the Transportation Systems Sector-Specific Plan. We
support PSD's intention to develop additional outcome measures.
However, to fully address the intent of our recommendation, TSA should
ensure that its performance measurement guidance calls for outcome
measures to be directly linked to sector goals and modal objectives.
DHS concurred with our eighth recommendation that TSA establish
reliable baseline data for reporting security improvements in the
pipeline industry and, until that time, refrain from using
reconstructed baseline data to report progress in closing the
vulnerability gap. DHS stated that updated data from repeat CSRs will
be utilized to ensure more accurate reporting of the pipeline
industry's security status. Such action will address the intent of our
recommendation.
DHS also provided us with technical comments, which we considered and
incorporated in the report where appropriate.
As agreed with your office, unless you publicly announce the contents
of the report, we plan no further distribution for 30 days from the
report date. At that time, we will send copies to the Secretary of
Homeland Security, the Assistant Secretary of the Transportation
Security Administration, appropriate congressional committees, and
other interested parties. The report also is available at no charge on
the GAO Web site at [hyperlink, http://www.gao.gov/].
If you or your staff have any further questions about this report or
wish to discuss these matters further, please contact me at (202)
512-4379 or lords@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. Key contributors to this report are listed in appendix III.
Signed by:
Stephen M. Lord:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Objectives:
You requested that we review the Transportation Security
Administration's (TSA) efforts to help ensure pipeline security.
Specifically, this report addresses the following questions:
* To what extent has TSA's Pipeline Security Division (PSD) identified
critical pipeline systems, assessed risk, and prioritized efforts,
consistent with the National Infrastructure Protection Plan (NIPP), to
help strengthen the security of hazardous liquid and natural gas
pipeline systems?
* To what extent has PSD taken actions to implement agency guidance
and requirements of the Implementing Recommendations of the 9/11
Commission Act of 2007 (9/11 Commission Act) regarding the security of
hazardous liquid and natural gas pipeline systems?
* To what extent has PSD measured its performance to help strengthen
the security of hazardous liquid and natural gas pipeline systems and
improvements in pipeline security?
Scope and Methodology:
To determine the extent to which PSD used a risk management process to
help strengthen the security of pipelines, we reviewed PSD's efforts
to (1) identify critical pipeline systems, (2) assess risk, and (3)
prioritize its pipeline review and inspection efforts. To evaluate
PSD's efforts to identify the most critical pipeline systems, we
reviewed relevant documents, including PSD's list of the 100 most
critical pipeline systems, and interviewed PSD officials about the
methods they used to identify the most critical pipeline systems.
To evaluate PSD's efforts to assess risk, we reviewed TSA assessments
of threat, vulnerability, and consequence that were conducted from
2003 through May 2010. Specifically, we reviewed TSA's Pipeline Threat
Assessments for 2008 and 2010 and interviewed officials at TSA's
Office of Intelligence. We also reviewed Corporate Security Reviews
(CSR) that PSD uses as vulnerability assessments, and consequence
assessments on natural gas disruptions sponsored by the Department of
Energy and PSD--and discussed these assessments with relevant agency
officials. TSA characterized these as threat, vulnerability, and
consequence assessments, but we did not assess the extent to which
these assessment activities met the NIPP criteria for threat,
vulnerability, and consequence assessments, as this analysis was
outside the scope of our work.
To evaluate PSD's efforts to prioritize risk, we analyzed its risk
assessment model--the Pipeline Relative Risk Ranking Tool, which
integrates the various assessments to produce a risk estimate and
relative risk ranking for each pipeline system--and the data PSD
inputs into the model. We also interviewed PSD officials about how
they decide when to schedule CSRs and Critical Facility Inspections
(CFI). Using correlation analysis and the data in the pipeline risk
assessment model, we compared the time elapsed between PSD's first and
subsequent CSR for each pipeline system with the system's ranking
based on risk to measure the strength of their relationship.
[Footnote 76] Specifically, for those systems that had two CSRs, we assessed the
strength of the correlation between the time elapsed from the first
and second CSR and the system's risk ranking. We found a correlation
coefficient of 0.2, which indicates a weak correlation. A correlation
coefficient measures the strength and direction of linear association
between two variables without controlling for the effects of other
characteristics.
Because PSD officials said that the time elapsed between CSRs might be
misleading because it does not account for other significant contact
PSD might have had with an operator during that period, such as
through a CFI, we controlled for this by running a simple regression
equation.[Footnote 77] Specifically, the regression equation compared
the time elapsed between the first and second CSR against system risk
rank and a dummy variable to denote if PSD inspected at least one
critical facility belonging to an operator between the first and
second CSR. This regression equation explained about 21 percent of the
total variation in elapsed time between the first and second CSR. To
determine the extent to which PSD prioritized the CFIs it conducted,
we performed a correlation analysis to measure the strength and
direction of the relationship between a system's risk ranking and the
order in which PSD conducted a first CFI for that system compared with
other systems. We found a correlation coefficient of 0.03, which
denotes that almost no correlation exists between the two variables.
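The two-step check described above (a correlation between risk rank and
elapsed time, then a regression that adds a dummy variable for CFI
contact) is shown below as an added example. It is not GAO's or PSD's
code or data: the sample records are constructed, and the record layout,
the convention that rank 1 is the highest-risk system, and the function
names are assumptions.

```python
import math

# Constructed sample, not GAO or PSD data. Assumed layout per system:
# (risk_rank, months_between_first_and_second_csr, had_cfi_between_csrs)
# Assumption: rank 1 is the highest-risk system.
SAMPLE = [
    (1, 40, 0), (2, 62, 1), (3, 35, 0), (4, 58, 1),
    (5, 44, 0), (6, 60, 1), (7, 38, 0), (8, 66, 1),
]


def pearson(xs, ys):
    """Pearson correlation coefficient between two equal-length series."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two series of equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def solve(a, b):
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("predictors are collinear")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [v - f * p for v, p in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(predictors, y):
    """Least-squares fit with an intercept. Returns (coefficients, R^2).

    coefficients[0] is the intercept; the rest follow predictor order.
    """
    X = [[1.0, *map(float, row)] for row in predictors]
    k = len(X[0])
    # Normal equations: (X'X) beta = X'y
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(k)]
    beta = solve(xtx, xty)
    fitted = [sum(b * v for b, v in zip(beta, r)) for r in X]
    mean_y = sum(y) / len(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - mean_y) ** 2 for yi in y)
    if ss_tot == 0:
        raise ValueError("outcome is constant; R^2 is undefined")
    return beta, 1 - ss_res / ss_tot


def analyze(records):
    """Run both steps on (rank, months, cfi_flag) records."""
    ranks = [rank for rank, _, _ in records]
    months = [m for _, m, _ in records]
    # Step 1: does elapsed time between reviews move with risk rank?
    # Under the rank-1-is-highest assumption, risk-driven scheduling would
    # show elapsed time rising with rank number (r well above zero).
    r = pearson(ranks, months)
    # Step 2: control for other contact with the operator by adding a
    # 0/1 dummy for "at least one CFI between the two CSRs".
    beta, r2 = ols([(rank, cfi) for rank, _, cfi in records], months)
    return {
        "r": r,
        "r_squared_rank_only": r * r,
        "intercept": beta[0],
        "coef_rank": beta[1],
        "coef_cfi": beta[2],
        "r_squared": r2,
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE).items():
        print(f"{name}: {value:.3f}")
```

R-squared from the regression is the share of variation in elapsed time
that rank and the CFI dummy explain together; it is the figure the
report gives as "about 21 percent" for PSD's actual data.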
To assess the reliability of the April 2003 through May 2010 data PSD
used in its risk assessment model, we (1) performed electronic testing
of required data elements, (2) compared data in the model with other
sources of information, and (3) interviewed agency officials
knowledgeable about the data. We determined that the data were
sufficiently reliable for the purposes of this report. We analyzed
agency guidance on risk management, including the NIPP and the
Transportation Systems Sector-Specific Plan, to determine criteria for
effectively implementing a risk management framework and associated
best practices for conducting risk assessments, and compared these
with PSD's risk management strategy. In addition, we compared PSD's
approach for advancing its risk management program to standard
practices in program management planning.[Footnote 78]
To determine the extent to which PSD has taken actions to implement
agency guidance and 9/11 Commission Act requirements regarding
pipeline security, we reviewed the Pipeline Security Information
Circular (2002 circular) and the 9/11 Commission Act and actions
described in agency documents. These documents included PSD's Pipeline
Modal Annex, CSR Standard Operating Procedures, CSR and CFI protocols,
and Pipeline Security Smart Practices.[Footnote 79] To learn more
about PSD's actions, we interviewed officials from PSD and DOT as well
as representatives of the major associations with ties to the pipeline
industry (American Petroleum Institute, Association of Oil Pipe Lines,
American Gas Association, Interstate Natural Gas Association of
America, and American Public Gas Association); attended the 2008
International Pipeline Security Forum organized by PSD and Natural
Resources Canada; and met with security personnel from 10 pipeline
operators with headquarters or significant operations in Houston. We
chose Houston because it has the highest concentration of operators
with systems on PSD's list of the 100 most critical pipeline systems,
and those with whom we met operate about one-third of those systems.
While the results of these interviews cannot be generalized to all
pipeline operators, they provided perspectives on how operators view
PSD's security efforts.
To further our understanding of PSD's review and inspection processes,
pipeline operators' security planning efforts, and physical security
measures in place at selected critical pipeline facilities, we
accompanied PSD officials on four reviews of pipeline systems operated
by four different operators and 10 inspections of critical facilities
operated by three different operators. We observed these reviews and
inspections because PSD had scheduled them while we were conducting
our work. These involved hazardous liquid and natural gas pipelines as
well as different size operators with pipeline systems that varied in
the amount of energy they carry, their relative risk ranking, and
their location (we observed CSRs in four states and CFIs in three
states). These observations further included one cross-border pipeline
system and one port facility regulated under the Maritime
Transportation Security Act. While the results of these observations
cannot be generalized to all CSRs and CFIs or all pipeline systems and
critical facilities, they provided us with an understanding of how PSD
conducts these reviews and inspections, and some perspective on the
security posture at different critical facilities. We also interviewed
representatives of Secure Solutions International--a security and risk
management consulting firm that assisted PSD in developing and
carrying out CFIs--about critical facilities and the inspection
process. In addition, we independently observed the exterior of 10
other critical facilities. We selected these facilities, which were
located in four states and operated by six different operators,
because of their proximity to GAO offices. Although the results of
these observations cannot be generalized to all critical facilities,
they provided us insight on security measures at additional critical
facilities.
We also compared PSD's processes for transmitting and following up on
CSR and CFI recommendations with criteria in the Standards for
Internal Control in the Federal Government regarding the monitoring of
deficiencies found during evaluations.[Footnote 80] In addition, we
compared PSD's approach for advancing its process for communicating
CSR recommendations to standard practices in project management.
[Footnote 81]
To determine the extent to which PSD measured the impact of its
efforts to help strengthen the security of pipelines and improvements
in pipeline security, we reviewed PSD's performance measures and
milestones. We analyzed TSA's national security strategy for pipeline
systems--the 2007 Pipeline Modal Annex--to determine the extent to
which it conformed to provisions related to goal setting and
performance measurement found in Executive Order 13416: Strengthening
Surface Transportation Security[Footnote 82] and guidance on desirable
characteristics for a national strategy that we developed in a
previous report.[Footnote 83] We also interviewed Office of
Transportation Sector Network Management (TSNM) and PSD officials
regarding PSD's performance measures and milestones and related data
collection methodologies. In addition, we reviewed the 2009 NIPP and
the 2007 Transportation Systems Sector-Specific Plan to determine the
risk management framework's recommended approach to performance
measurement and compared TSA's actions to that guidance.
To assess the reliability of the data PSD used to develop its
vulnerability gap outcome measure in 2009 for reporting on the extent
of improvements in pipeline security, we reviewed and analyzed related
documentation and interviewed PSD officials knowledgeable about the
data and PSD's data collection methods. As part of this analysis, we
compared two successive data collection instruments--the original CSR
protocol that PSD developed and used in conducting CSRs from April
2003 to July 2004 and a newer protocol that PSD officials said they
began using in August 2004, after TSA developed a protocol to be used
by all the transportation modes.
More specifically, to analyze and categorize specific differences
between the two protocols, two analysts compared the first and second
protocols to determine the extent to which content from the 73
questions in the newer protocol corresponded with content in the
original protocol. To ensure the validity and reliability of our
analysis, the two analysts discussed and reconciled any differences.
With the assistance of a methodologist, the analysts mutually agreed
on how to categorize their assessment of the newer protocol questions.
They agreed on the following two categories to describe whether the
information could have been reliably transferred from one protocol to
the other:
* We were reasonably assured that PSD staff would have been able to
accurately transfer completed information from the first protocol to
the second.
* We could not be reasonably assured that PSD staff would have been
able to accurately transfer completed information from the first
protocol to the second.
Because we could not be reasonably assured of the accuracy of the
transferred data, we concluded that some of the baseline data key to
PSD's outcome measure may not be reliable, as called for in our prior
work that describes nine key attributes of successful performance
measures. Furthermore, we determined that these data were not
sufficiently reliable for the purposes of this report.
We conducted this performance audit from November 2008 to August 2010
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
July 23, 2010:
Mr. Steve Lord:
Director, Homeland Security and Justice Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Lord:
Thank you for the opportunity to comment on the draft report titled,
Pipeline Security, TSA Has Taken Actions to Help Strengthen Security,
but Could Improve Priority-Setting and Assessment Processes
(GAO-10-867).
The Transportation Security Administration (TSA) values the
investigative team's comprehensive review of this Agency's efforts in
addressing pipeline security and intends to immediately implement its
recommendations. TSA appreciates the professionalism demonstrated by
GAO's team members in conducting this difficult and broad-ranging
review.
TSA also appreciates GAO's acknowledgment that the Pipeline Security
Division (PSD) has (1) identified, consistent with the National
Infrastructure Protection Plan, the Nation's most critical pipeline
systems; and (2) developed a risk assessment model that combines all
three components of risk: threat, vulnerability, and consequence.
Further, the GAO report notes that the PSD has made significant
progress in completing the requirements of the 9/11 Commission Act,
which include establishing a program to review pipeline security
plans, initiating inspections of critical facilities of the most
essential pipeline systems, developing and promulgating security
recommendations, and drafting a Pipeline Security and Incident
Recovery Protocol Plan.
The success of TSA's risk-based pipeline security program has been the
result of a highly effective public-private partnership and close
coordination with other Federal agencies, particularly the U.S.
Department of Energy and the U.S. Department of Transportation's
Pipeline and Hazardous Materials Safety Administration. As GAO
discusses in the report, the PSD has actively engaged with pipeline
system operators on a number of security programs. In each of these
endeavors, TSA has benefited from the dedicated efforts of the
Pipeline Sector Coordinating Council, which plays a significant
communications and coordination role between the PSD and the pipeline
industry. As an example of this partnership, the International
Pipeline Security Forum, now in its sixth year, is actively supported
by industry operator and trade association speakers and attendees.
Similarly, pipeline system operators have been enthusiastic
participants in TSA's development of training videos in security
awareness, improvised explosive device awareness, and pipeline
infrastructure security training for law enforcement personnel.
As GAO acknowledges, of particular note is PSD's close coordination
with Government and industry partners in developing TSA's Pipeline
Security Guidelines. As the guidelines were crafted and refined, the
process involved the active participation of pipeline industry
representatives in multiple meetings and conference calls. The
document, although a voluntary standard, provides TSA's expectations
for an effective security program for pipeline operators. The
guidelines will serve as the basis for PSD's Corporate Security
Reviews and other assessments of the pipeline industry's security
status.
The PSD has implemented a risk-based security program that will be
enhanced by the adoption of GAO's recommendations. TSA's specific
responses to the recommendations are identified below.
Recommendations for Executive Action:
To improve aspects of the Pipeline Security Division's (PSD) efforts
to help ensure pipeline security, GAO recommends that the Assistant
Secretary for the Transportation Security Administration take the
following eight actions:
Recommendation 1: To ensure that PSD is managing risk effectively,
develop a plan with time frames and milestones for improving the data
in the pipeline risk assessment model by, for example, adding more
data to the consequence component.
TSA's Response: TSA concurs with this recommendation. The PSD will
develop a plan to coordinate the security efforts underway that will
help refine the risk ranking tool. Additional data from critical
facility inspections, the hazardous liquid pipeline assessment, and
toxic inhalation hazard study, among others, will help inform the
consequence component.
Recommendation 2: To ensure that PSD is managing risk effectively,
document a methodology for scheduling Corporate Security Reviews (CSR)
and Critical Facility Inspections (CFIs) that considers a pipeline
system's risk ranking as the primary scheduling criteria and balances
it with other practical considerations.
TSA's Response: TSA concurs with this recommendation. In TSA's
analysis, those pipeline systems that transport the greatest amount of
energy were identified as critical. PSD developed the risk ranking
tool to further enhance its risk-based effort. To increase the value
of this tool in its programs, PSD will develop additional data to
inform the tool's rankings and base its programmatic efforts on the
results.
Recommendation 3: To help PSD maximize its Corporate Security Review
and Critical Facility Inspection efforts and keep its knowledge of the
security posture of the pipeline industry current, develop a plan that
includes a defined approach and time frame for how and when PSD
intends to begin transmitting CSR recommendations in writing to
pipeline operators.
TSA's Response: TSA concurs with this recommendation. Although PSD has
provided initial briefings at the conclusion of CSRs and subsequently
followed up with more extensive briefings by teleconference, the
recommendations have not typically been provided in writing. PSD
intends to modify this process to ensure that pipeline operators are
provided with written recommendations for security improvements.
Recommendation 4: To help PSD maximize its Corporate Security Review
and Critical Facility Inspection efforts and keep its knowledge of the
security posture of the pipeline industry current, establish a
database of CSR recommendations and develop a process for following up
on the implementation of those recommendations.
TSA's Response: TSA concurs with this recommendation. PSD will
initiate the development of a CSR recommendations database. Repeat
reviews of pipeline corporations will particularly focus on the
implementation of recommendations from prior reviews.
Recommendation 5: To help PSD maximize its Corporate Security Review
and Critical Facility Inspection efforts and keep its knowledge of the
security posture of the pipeline industry current, establish a
database of CFI recommendations and develop a process for following up
on the implementation of those recommendations.
TSA's Response: TSA concurs with this recommendation. PSD has
initiated the development of a CFI recommendations database. Following
up on these recommendations will enable TSA to assess the pipeline
industry's progress in mitigating identified security deficiencies.
Recommendation 6: To better achieve the security strategy laid out in
its Pipeline Modal Annex--the national security strategy for pipeline
systems--to the extent feasible, revise future updates of the annex to
incorporate performance measures for assessing PSD and pipeline
industry progress and link those measures to the pipeline security
objectives.
TSA's Response: TSA concurs with this recommendation. In future
updates to the Transportation Systems Sector Specific Plan PSD will
include performance measures within the Pipeline Modal Annex
consistent with the sector format and guidance.
Recommendation 7: To better evaluate PSD's performance in helping
strengthen the security of hazardous liquid and natural gas pipelines
and improvements in pipeline security, develop additional outcome
measures that are directly linked to sector goals and modal objectives
and track progress towards its stated pipeline security objective.
TSA's Response: TSA concurs with this recommendation. PSD will develop
appropriate outcome measures that reflect the impact of its security
programs and the security status of the pipeline industry. In so
doing, this effort will be made consistent with the performance
measurement guidance of the Transportation Systems Sector Specific
Plan.
Recommendation 8: To help ensure reliable reporting of security
improvements in the pipeline industry, establish reliable baseline
data and, until that time, refrain from using reconstructed baseline
data to report progress in closing the vulnerability gap.
TSA's Response: TSA concurs with this recommendation. Updated data
from repeat Corporate Security Reviews will be utilized to insure more
accurate reporting of the pipeline industry's security status.
Thank you for the opportunity to comment on this Draft Report and we
look forward to working with you on future homeland security issues.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Stephen M. Lord (202) 512-4379 or lords@gao.gov:
Acknowledgments:
In addition to the contact named above, Edward J. George, Jr.,
Assistant Director, and Lori A. Weiss, Analyst-in-Charge, managed this
assignment. Valerie Kasindi and Jaclyn Nelson made significant
contributions to the work. Chuck Bausell, Jr. provided expertise on
risk management, David Bruno provided expertise on transportation
security issues, and Mark Gaffigan provided expertise on energy
issues. Tracey King provided legal support. Michele Fejfar and Amanda
Miller assisted with design, methodology, and data analysis.
Christopher Currie, Debra Sebastian, and Adam Vogt provided assistance
in report preparation and Lydia Araya developed the report's graphics.
[End of section]
Footnotes:
[1] Pub. L. No. 107-71, 115 Stat. 597 (2001).
[2] Pub. L. No. 107-296, 116 Stat. 2135 (2002).
[3] Pub. L. No. 110-53, 121 Stat. 266 (2007). The 9/11 Commission was
a congressionally chartered commission established by Congress on
November 27, 2002, to (1) investigate the relevant facts and
circumstances relating to the terrorist attacks of September 11, 2001;
(2) identify, review, and evaluate lessons learned from these attacks;
and (3) report to the President and the Congress on findings,
conclusions, and recommendations that generated from the investigation
and review.
[4] The NIPP provides a unifying structure for the integration of a
range of efforts for the protection and resilience of the nation's
critical infrastructure and key resources.
[5] Throughout this report, we use the term pipelines to refer to
either hazardous liquid or natural gas pipelines.
[6] A system is considered critical if it is so vital to the United
States that its incapacitation or destruction would have a
debilitating effect on security, national economic security, public
health or safety, or any combination thereof. PSD determined the most
critical pipeline systems based on the amount of energy they carry.
[7] Corporate Security Reviews are on-site reviews to assess corporate
security plans for pipeline systems. The intent of these reviews is to
develop first-hand knowledge of security planning, establish working
relationships with key pipeline security personnel, and identify and
share good security practices. PSD has conducted CSRs for the 100 most
critical pipeline systems.
[8] PSD established a program for inspecting all the critical
facilities of the 100 most critical pipeline systems, as required by
the Implementing Recommendations of the 9/11 Commission Act. These
physical inspections include the interior and exterior of each
critical facility.
[9] The NIPP obligates each sector to develop a sector-specific plan
that describes strategies to protect the nation's critical
infrastructure and key resources under its purview, outline a
coordinated approach to strengthen security efforts, and determine
appropriate programmatic funding levels. TSA, as the sector-specific
agency for the transportation sector, developed the Transportation
Systems Sector-Specific Plan, which describes the strategies to
protect all modes of transportation (aviation, maritime, mass transit,
highway, freight rail, and pipeline).
[10] The Project Management Institute, The Standard for Program
Management © (2006).
[11] The 2002 circular outlines voluntary actions that pipeline
operators should take and describes actions the federal government
plans to take to improve pipeline security. We also reviewed the
Pipeline Security Contingency Planning Guidance, which is considered
part of the 2002 circular.
[12] Documents we reviewed included PSD's Pipeline Modal Annex, CSR
Standard Operating Procedures, CSR and Critical Facility Inspection
(CFI) protocols, and Pipeline Security Smart Practices.
[13] Natural Resources Canada is the Canadian government agency that
seeks to enhance the responsible development and use of Canada's
natural resources and the competitiveness of Canada's natural
resources products.
[14] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999). These standards, issued pursuant to
the requirements of the Federal Managers' Financial Integrity Act of
1982 (FMFIA), provide the overall framework for establishing and
maintaining internal control in the federal government. Also pursuant
to FMFIA, the Office of Management and Budget issued Circular A-123,
revised December 21, 2004, to provide the specific requirements for
assessing the reporting on internal controls. Internal control
standards and the definition of internal control in Circular A-123 are
based on Standards for Internal Control in the Federal Government.
[15] Project Management Institute, A Guide to the Project Management
Body of Knowledge © (Fourth Edition, 2008).
[16] Within TSA, the Office of Transportation Sector Network
Management manages all surface transportation security issues with
divisions dedicated to each surface mode of transportation, including
pipeline.
[17] Exec. Order No. 13,416, 71 Fed. Reg. 71,033 (Dec. 5, 2006). The
order mandates that an annex shall be completed for each surface
transportation mode in support of the Transportation Systems Sector-
Specific Plan.
[18] The NIPP obligates each sector to develop a sector-specific plan
that, among other things, describes strategies to protect the nation's
critical infrastructure and key resources under its purview. TSA
developed the Transportation Systems Sector-Specific Plan, which
describes the strategies to protect all modes of transportation,
including pipeline.
[19] GAO, Combating Terrorism: Evaluation of Selected Characteristics
in National Strategies Related to Terrorism, [hyperlink,
http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3,
2004).
[20] Pub. L. No. 107-71, 115 Stat. 597 (2001).
[21] Pub. L. No. 107-296, 116 Stat. 2135 (2002).
[22] The Pipeline Security Division was established as a separate
modal division in November 2005.
[23] API issued a second edition of its guidelines in April 2003 and a
third edition in April 2005. INGAA and AGA updated and published their
guidelines internally in May 2008.
[24] Although security measures are generally voluntary for operators
of critical pipeline facilities, some operators have off-shore or port
facilities that are regulated under the Maritime Transportation
Security Act and are required to implement certain protective measures.
[25] Pub. L. No. 110-53, §§ 1557, 1558, 121 Stat. 266, 475-77 (2007).
[26] Recognizing that each sector possesses its own unique
characteristics and risk landscape, HSPD-7 established sector-specific
agencies for each of the critical infrastructure sectors and assigned
those agencies responsibility for protecting the critical
infrastructure within their area of expertise. HSPD-7 established 17
sectors and DHS later added an 18th sector. The 18 sectors are:
agriculture and food; defense industrial base; energy; healthcare and
public health; national monuments and icons; banking and finance;
water; chemical; commercial facilities; critical manufacturing; dams;
emergency services; nuclear reactors, materials, and waste;
information technology; communications; postal and shipping;
transportation systems; and government facilities. DHS serves as the
sector-specific agency for transportation systems and 10 other
sectors, and designated TSA as the lead sector-specific agency for
transportation, including pipeline.
[27] PSD uses system annual throughput in determining pipeline system
criticality, which is based on the amount of hazardous liquid or
natural gas product transported through a pipeline in 1 year (i.e.,
annual throughput). PSD officials told us they purchase a database
containing annual pipeline throughput information to determine the 100
most critical pipeline systems and contact pipeline operators to
verify information if needed. The 100 most critical systems can shift
from year to year. For example, a system might be among the 100 most
critical systems one year, but not the next, due to changes that
affect each system's throughput. Changes that can affect an operator's
position or even presence among the 100 most critical systems include
increasing or decreasing annual throughput, going out of business, or
selling or purchasing parts or all of a pipeline system.
[28] DHS defines a risk score as a numerical result of a
semiquantitative risk assessment methodology and is a numerical
representation that gauges the combination of threat, vulnerability,
and consequence at a specific moment.
[29] PSD calls its risk assessment model the Pipeline Relative Risk
Ranking Tool.
[30] The Office of Intelligence also disseminates additional threat
and suspicious incident information related to the pipeline sector to
key federal and nonfederal stakeholders, as needed.
[31] "Standard" questions refer to the ones that PSD scores and uses
in calculating the CSR score. The CSR protocol includes five
additional questions that are not scored, such as questions on the
operator's view of the threat to the pipeline industry and how cost
affected the operator's ability to implement security enhancements.
[32] GAO, Highway Infrastructure: Federal Efforts to Strengthen
Security Should Be Better Coordinated and Targeted on the Nation's
Most Critical Highway Infrastructure, [hyperlink,
http://www.gao.gov/products/GAO-09-57] (Washington, D.C.: January 30,
2009); Commercial Vehicle Security: Risk-Based Approach Needed to
Secure the Commercial Vehicle Sector, [hyperlink,
http://www.gao.gov/products/GAO-09-85] (Washington, D.C.: February 27,
2009); and Freight Rail Security: Actions Have Been Taken to Enhance
Security, but the Federal Strategy Can Be Strengthened and Security
Efforts Better Monitored, [hyperlink,
http://www.gao.gov/products/GAO-09-243] (Washington, D.C.: April 21,
2009).
[33] The Project Management Institute, The Standard for Program
Management © (2006).
[34] DHS's Office of Infrastructure Protection also conducts
vulnerability assessments on some pipeline facilities. However,
because these assessments are conducted at the facility level rather
than the system level, PSD cannot use these assessments in its risk
assessment model, which focuses on the system level.
[35] We calculated a simple correlation coefficient to measure the
strength and direction of the linear relationship between systems'
risk rankings and the time elapsed between PSD's first and subsequent
CSRs for the pipeline systems that had two CSRs. This resulted in a
correlation coefficient score of 0.2, which indicates a weak
correlation. The magnitude of the correlation coefficient determines
the strength of the correlation. A perfect correlation equals 1 and no
correlation equals 0.
[36] PSD conducts CSRs with operators of the 100 most critical
pipeline systems. If an operator owns or operates more than one system
among the 100 that are most critical, and uses the same corporate
security plan for all its systems, PSD conducts a single CSR for that
operator. As a result, PSD did not need to conduct 100 CSRs to
complete CSRs for the 100 most critical pipeline systems.
[37] The line of best fit is found by using the least squares method,
which involves finding the minimum of the sum of the squares of the
vertical distances of each data point from the proposed line. It is
often useful to attempt to represent data with the equation of a
straight line in order to predict values that may not be displayed on
a scatter plot. The slope of the line of best fit generally does not
reflect the magnitude of the correlation.
[38] As of May 2010, PSD had conducted second CSRs for 9 of the top 15
highest risk-ranked systems. PSD conducted first CSRs for the other 6
systems in 2006 or later.
[39] Because some CSRs cover multiple systems (since some operators
operate more than one system), we accounted for one system, or one
CSR, per operator in our calculations.
[40] We calculated a regression equation to see the extent to which
values of the two independent variables--(1) a system's risk ranking
and (2) whether PSD had inspected any critical facilities belonging to
a system's operator--were associated with values of the dependent
variable--i.e., the time elapsed between a first and second CSR. We
found little variation in the time elapsed between CSRs that could be
explained by the two independent variables. Although PSD officials
might have had contact with pipeline operators through other means, we
could not quantify other forms of contact and, therefore, could not
include them in the analysis.
[41] As of April 2010, 64 systems included in PSD's risk assessment
model had at least one critical facility, according to information
operators reported, and PSD had inspected at least one critical
facility of 43 of these 64 systems. We calculated a simple correlation
coefficient to measure the strength and direction of the linear
relationship between the systems' risk rankings and when (i.e., the
order in which) PSD conducted the first critical facility inspection
of that system. This resulted in a correlation coefficient score of
0.03, which indicates almost no correlation.
[42] Although these security measures are generally voluntary for
operators of critical pipeline facilities, some operators have off-
shore or port facilities that are regulated under the Maritime
Transportation Security Act and are required to implement certain
protective measures.
[43] If an operator considers none of its facilities to be critical,
the operator should document the basis for this conclusion.
[44] INGAA and AGA published security guidelines for the natural gas
industry, which were adopted by APGA; API published security
guidelines for the petroleum industry.
[45] PSD officials explained they began conducting inspections of
critical facilities as part of a new program in November 2008 and
curtailed CSR spot checks of selected facilities at that time.
[46] We compared industry guidance to the CSR protocol and found that
the protocol generally allows PSD to determine whether a pipeline
operator's corporate security plan is consistent with industry
guidance.
[47] CSRs include questions pertaining to cyber security, but
according to PSD officials, they do not involve in-depth inspections
or assessment of an operator's cyber security system and its
vulnerabilities because PSD does not possess this expertise. They
explained that other federal component agencies, such as DHS's
National Cyber Security Division, have this expertise, and pipeline
operators typically have in-house expertise or contract for it.
[48] The CSR protocol is divided into the following 11 functional
areas: threat assessment, vulnerability assessment, security planning,
credentialing, secure areas, critical infrastructure, physical
security, cyber security, security training, communications, and
exercises.
[49] The 9/11 Commission Act requires DHS to establish a program for
reviewing pipeline operator adoption of the recommendations of the
2002 circular, including the review of pipeline security plans, and
requires DHS to develop and implement a plan to review the pipeline
security plans of the 100 most critical pipeline operators covered by
the 2002 circular. Pub. L. No. 110-53, § 1557(a), (b), 121 Stat. 266,
475 (2007).
[50] Because PSD updates the 100 most critical systems annually using
pipeline system energy throughput data, which is revised annually, PSD
has conducted CSRs of operators whose systems once were, but may no
longer be, on the most critical list. Also, as noted earlier, because
some pipeline operators own or operate more than one of the 100 most
critical systems, PSD did not need to conduct 100 CSRs to cover all
100 most critical systems.
[51] The 9/11 Commission Act requires DHS to establish a program for
reviewing pipeline operator adoption of the recommendations of the
2002 circular, including critical facility inspections, and requires
DHS to develop and implement a plan to inspect the critical facilities
of the 100 most critical pipeline operators covered by the 2002
circular. Pub. L. No. 110-53, § 1557(a), (b), 121 Stat. 266, 475
(2007).
[52] Toxic inhalation hazard pipelines, such as those transporting
anhydrous ammonia and chlorine gas, are among the most dangerous.
These pipelines, which have relatively low energy throughputs, are not
addressed by the 2002 circular or the 9/11 Commission Act;
nevertheless, PSD officials have told us the security of these
pipelines is important and should be addressed.
[53] In trying to recall the origin of the decision to not communicate
recommendations in writing, PSD officials said it was based on
concerns about an operator's potential liability if it did not
implement the recommendations and its pipeline system was later
attacked. However, officials acknowledged that they send operators
written recommendations for their newer program--the CFI program--
without such concerns.
[54] PSD has contracted with Johns Hopkins University Applied Physics
Laboratory to revise the CSR protocol.
[55] Project Management Institute, A Guide to the Project Management
Body of Knowledge © (Fourth Edition, 2008).
[56] During the course of our review, the number of PSD staff ranged
from 11 to 12. Three of these staff generally conducted CSRs.
[57] Some pipelines may be vulnerable to "cyber attacks" on computer
control systems that are used to collect data from pipeline sensors in
real time and display these data to controllers, who monitor the data
and operate pipeline control equipment remotely. A pipeline operator's
control system represents a significant investment on the part of the
operator and is a critical resource for response and recovery in the
event of a pipeline incident of almost any type.
[58] The 9/11 Commission Act states that interstate and intrastate
transmission and distribution pipeline operators, nonprofit employee
organizations representing pipeline employees, emergency responders,
offerors, state pipeline safety agencies, public safety officials, and
any other relevant parties are to be consulted. The incident recovery
protocols plan is also to be developed in conjunction with interstate
and intrastate pipeline operators and terminal and facility operators
connected to pipelines.
[59] The Office of Infrastructure Protection leads the coordinated
national program to reduce risks to the nation's critical
infrastructure and key resources posed by acts of terrorism, and to
strengthen national preparedness, timely response, and rapid recovery
in the event of an attack, natural disaster, or other emergency.
[60] PSD officials reported to us that they had coordinated the plan
with DHS/TSA components and other DHS components, DOT/PHMSA, DOE,
Department of Justice/FBI, Department of Interior/Minerals Management
Service, National Transportation Safety Board, Federal Energy
Regulatory Commission, Environmental Protection Agency, Federal Energy
Regulatory Commission, Department of Defense/U.S. Army Corps of
Engineers, National Association of Regulatory Utility Commissioners,
National Association of State Energy Officials, National Governors
Association, National Emergency Managers Association, National
Association of Pipeline Safety Representatives, International
Association of Fire Chiefs, International Association of Chiefs of
Police, National Sheriffs' Association, Pipeliners Union Local 798,
Interstate Natural Gas Association of America, and Association of Oil
Pipe Lines Owners/Operators.
[61] In prior work we identified a set of desirable characteristics to
aid responsible parties in further developing and implementing
national strategies, and to enhance the usefulness of those strategies
in resource and policy decisions and better ensure accountability. For
a more detailed discussion of these characteristics, see GAO,
Combating Terrorism: Evaluation of Selected Characteristics in
National Strategies Related to Terrorism, GAO-04-408T (Washington,
D.C.: Feb. 3, 2004).
[62] The Pipeline Modal Annex also identifies supporting strategies
PSD will pursue to achieve pipeline security objectives and presents
information to explain what TSA, other federal components, or industry
is doing and how those activities correspond with these strategies.
For example, the Pipeline Modal Annex describes the CSR program as a
program to promote the implementation of layered threat deterrence and
vulnerability mitigation programs and to conduct network enhancement
and information-sharing activities.
[63] According to PSD officials, they have prepared a 2010 revision to
the 2007 Pipeline Modal Annex, which also does not incorporate
performance measures and milestones. Officials told us in May 2010
that the revised annex was in internal review.
[64] See [hyperlink, http://www.gao.gov/products/GAO-04-408T].
[65] Each CFI trip involves inspections of multiple critical
facilities.
[66] According to PSD and TSNM officials, an appendix to the 2010
Sector Critical Infrastructure and Key Resources Protection Annual
Report for the Transportation Systems Sector will discuss other
performance measures related to two risk mitigation activities--(1)
the percentage of the 100 most critical pipeline systems that have had
a CSR or a repeat CSR and (2) the percentage of the 100 most critical
systems that have conducted annual security exercises and drills
(specifically, the percentage that has participated in Intermodal
Security Training Exercise Program exercises). As of May 2010, this
report was in internal review.
[67] TSA's Intermodal Security Training Exercise Program offers an
intermodal transportation security exercise program for transportation
sector network communities. The program is intended to enhance the
preparedness of the nation's surface transportation sector network
with evaluations of prevention, preparedness, and the ability to
respond to terrorist-related incidents.
[68] GAO, Risk Management: Further Refinements Needed to Assess Risks
and Prioritize Protective Measures at Ports and Other Infrastructure,
[hyperlink, http://www.gao.gov/products/GAO-06-91] (Washington, D.C.:
December 15, 2005).
[69] The Pipeline Modal Annex identifies other programs and activities
that seek to increase resiliency and robustness.
[70] GAO, Aviation Security: A National Strategy and Other Actions
Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters
and Access Controls, [hyperlink,
http://www.gao.gov/products/GAO-09-399] (Washington, D.C.: September
30, 2009).
[71] PSD subsequently made minor revisions to the second CSR protocol
that did not affect our analysis or the data PSD uses for its outcome
measure.
[72] According to PSD officials, they completed 31 CSRs from mid-April
2003 through mid-July 2004.
[73] GAO, Tax Administration: IRS Needs to Further Refine Its Tax
Filing Season Performance Measures, GAO-03-143 (Washington, D.C.: Nov.
22, 2002). In this report, GAO reported on nine key attributes of
successful performance measures including the reliability of measures.
[74] GAO, Managing for Results: Challenges Agencies Face in Producing
Credible Performance Information, [hyperlink,
http://www.gao.gov/products/GAO-GGD-00-52] (Washington, D.C.: Feb. 4,
2000).
[75] An operator's CSR score is calculated based on the 73 standard
questions in the newer CSR protocol.
[76] For pipeline operators that operate more than one system, we used
only the highest risk-ranked system for that operator in our analysis
to control for the possibility that PSD also conducted a second CSR
for a lower risk system belonging to the same operator.
[77] Although PSD officials might have contact with pipeline operators
through means other than CSRs and CFIs, we could not quantify other
forms of contact and, therefore, could not include them in the
analysis.
[78] The Project Management Institute, The Standard for Program
Management © (2006).
[79] Our review of the 2002 circular included the Pipeline Security
Contingency Planning Guidance.
[80] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[81] Project Management Institute, A Guide to the Project Management
Body of Knowledge © (Fourth Edition, 2008).
[82] Exec. Order No. 13,416, 71 Fed. Reg. 71,033 (Dec. 5, 2006).
[83] GAO, Combating Terrorism: Evaluation of Selected Characteristics
in National Strategies Related to Terrorism, [hyperlink,
http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3,
2004).
[84] GAO, Tax Administration: IRS Needs to Further Refine Its Tax
Filing Season Performance Measures, [hyperlink,
http://www.gao.gov/products/GAO-03-143] (Washington, D.C.: Nov. 22,
2002).
[End of section]