Maritime Security
Progress Made, but Further Actions Needed to Secure the Maritime Energy Supply Gao ID: GAO-11-883T August 24, 2011The nation's economy and security are heavily dependent on oil, natural gas, and other energy commodities. Al-Qa'ida and other groups with malevolent intent have targeted energy tankers and offshore energy infrastructure because of their importance to the nation's economy and national security. The U.S. Coast Guard--a component of the Department of Homeland Security (DHS)--is the lead federal agency for maritime security, including the security of energy tankers and offshore energy infrastructure. The Federal Bureau of Investigation (FBI) also has responsibilities for preventing and responding to terrorist incidents. This testimony discusses the extent to which (1) the Coast Guard and the FBI have taken actions to address GAO's prior recommendations to prevent and respond to a terrorist incident involving energy tankers and (2) the Coast Guard has taken actions to assess the security risks to offshore energy infrastructure and related challenges. This testimony is based on products issued from December 2007 through March 2011 and recently completed work on the Coast Guard's actions to assess security risks. GAO reviewed documents from the Coast Guard's risk model and relevant laws, regulations, policies, and procedures; and interviewed Coast Guard officials.
The Coast Guard and the FBI have made progress implementing prior recommendations GAO made to enhance energy tanker security. In 2007, GAO made five recommendations to address challenges in ensuring the effectiveness of federal agencies' actions to protect energy tankers and implement response plans. The Coast Guard and the FBI have implemented two recommendations, specifically: (1) the Coast Guard, in coordination with U.S. Customs and Border Protection, developed protocols for facilitating the recovery and resumption of trade following a disruption to the maritime transportation system, and (2) the Coast Guard and the FBI participated in local port exercises that executed multiple response plans simultaneously. The Coast Guard has made progress on a third recommendation through work on a national strategy for the security of certain dangerous cargoes. It also plans to develop a resource allocation plan, starting in April 2012, which may help address the need to balance security responsibilities. However, the Coast Guard and the FBI have not yet taken action on a fourth recommendation to develop an operational plan to integrate the national spill and terrorism response plans. According to DHS, it plans to revise the National Response Framework, but no decision has been made regarding whether the separate response plans will be integrated. Also, DHS has not yet taken action on the final recommendation to develop explicit performance measures for emergency response capabilities and use them in risk-based analyses to set priorities for acquiring needed response resources. According to DHS, it is revising its emergency response grant programs, but does not have specific plans to develop performance measures as part of this effort. The Coast Guard has taken actions to assess the security risks to offshore energy infrastructure, which includes Outer Continental Shelf (OCS) facilities (facilities that are involved in producing oil or natural gas) and deepwater ports (facilities used to transfer oil and natural gas from tankers to shore), but improvements are needed. The Coast Guard has used its Maritime Security Risk Analysis Model (MSRAM) to examine the security risks to OCS facilities and deepwater ports. To do so, the Coast Guard has coordinated with the intelligence community and stakeholders, such as the Department of the Interior's Bureau of Ocean Energy Management, Regulation and Enforcement. However, the Coast Guard faces complex and technical challenges in assessing risks. For example, the Coast Guard does not have data on the ability of an OCS facility to withstand an attack. The Coast Guard generally recognizes these challenges and has actions underway to study or address them. Further, GAO determined that as of May 2011, the Coast Guard had not assessed security risks for 12 of the 50 security-regulated OCS facilities that are to be subjected to such assessments. Coast Guard officials later determined that they needed to add these OCS facilities to MSRAM for assessment and have completed the required assessments. However, while the list of security-regulated facilities may change each year based on factors such as production volume, the Coast Guard's current policies and procedures do not call for Coast Guard officials to provide an annual updated list of regulated OCS facilities to MSRAM analysts. Given the continuing threat to such offshore facilities, revising its procedures could help ensure that the Coast Guard carries out its risk assessment requirements for security-regulated OCS facilities. GAO is recommending that the Coast Guard revise policies and procedures to ensure its analysts receive the annual updated list of regulated offshore energy facilities to ensure risk assessments are conducted on those facilities. The Coast Guard concurred with this recommendation.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Stephen L. Caldwell Team: Government Accountability Office: Homeland Security and Justice Phone: (202) 512-9610GAO-11-883T, Maritime Security: Progress Made, but Further Actions Needed to Secure the Maritime Energy Supply
This is the accessible text file for GAO report number GAO-11-883T
entitled 'Maritime Security: Progress Made, but Further Actions Needed
to Secure the Maritime Energy Supply' which was released on August 24,
2011.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Oversight, Investigations, and Management,
Committee on Homeland Security, House of Representatives:
For Release on Delivery:
Expected at 10:00 a.m. CDT:
Wednesday, August 24, 2011:
Maritime Security:
Progress Made, but Further Actions Needed to Secure the Maritime
Energy Supply:
Statement of Stephen L. Caldwell:
Director:
Homeland Security and Justice Issues:
GAO-11-883T:
GAO Highlights:
Highlights of GAO-11-883T, a testimony before the Subcommittee on
Oversight, Investigations, and Management; Committee on Homeland
Security; House of Representatives.
Why GAO Did This Study:
The nation‘s economy and security are heavily dependent on oil,
natural gas, and other energy commodities. Al-Qa‘ida and other groups
with malevolent intent have targeted energy tankers and offshore
energy infrastructure because of their importance to the nation‘s
economy and national security. The U.S. Coast Guard”a component of the
Department of Homeland Security (DHS)”is the lead federal agency for
maritime security, including the security of energy tankers and
offshore energy infrastructure. The Federal Bureau of Investigation
(FBI) also has responsibilities for preventing and responding to
terrorist incidents. This testimony discusses the extent to which (1)
the Coast Guard and the FBI have taken actions to address GAO‘s prior
recommendations to prevent and respond to a terrorist incident
involving energy tankers and (2) the Coast Guard has taken actions to
assess the security risks to offshore energy infrastructure and
related challenges. This testimony is based on products issued from
December 2007 through March 2011 and recently completed work on the
Coast Guard‘s actions to assess security risks. GAO reviewed documents
from the Coast Guard‘s risk model and relevant laws, regulations,
policies, and procedures; and interviewed Coast Guard officials.
What GAO Found:
The Coast Guard and the FBI have made progress implementing prior
recommendations GAO made to enhance energy tanker security. In 2007,
GAO made five recommendations to address challenges in ensuring the
effectiveness of federal agencies‘ actions to protect energy tankers
and implement response plans. The Coast Guard and the FBI have
implemented two recommendations, specifically: (1) the Coast Guard, in
coordination with U.S. Customs and Border Protection, developed
protocols for facilitating the recovery and resumption of trade
following a disruption to the maritime transportation system, and (2)
the Coast Guard and the FBI participated in local port exercises that
executed multiple response plans simultaneously. The Coast Guard has
made progress on a third recommendation through work on a national
strategy for the security of certain dangerous cargoes. It also plans
to develop a resource allocation plan, starting in April 2012, which
may help address the need to balance security responsibilities.
However, the Coast Guard and the FBI have not yet taken action on a
fourth recommendation to develop an operational plan to integrate the
national spill and terrorism response plans. According to DHS, it
plans to revise the National Response Framework, but no decision has
been made regarding whether the separate response plans will be
integrated. Also, DHS has not yet taken action on the final
recommendation to develop explicit performance measures for emergency
response capabilities and use them in risk-based analyses to set
priorities for acquiring needed response resources. According to DHS,
it is revising its emergency response grant programs, but does not
have specific plans to develop performance measures as part of this
effort.
The Coast Guard has taken actions to assess the security risks to
offshore energy infrastructure, which includes Outer Continental Shelf
(OCS) facilities (facilities that are involved in producing oil or
natural gas) and deepwater ports (facilities used to transfer oil and
natural gas from tankers to shore), but improvements are needed. The
Coast Guard has used its Maritime Security Risk Analysis Model (MSRAM)
to examine the security risks to OCS facilities and deepwater ports.
To do so, the Coast Guard has coordinated with the intelligence
community and stakeholders, such as the Department of the Interior‘s
Bureau of Ocean Energy Management, Regulation and Enforcement.
However, the Coast Guard faces complex and technical challenges in
assessing risks. For example, the Coast Guard does not have data on
the ability of an OCS facility to withstand an attack. The Coast Guard
generally recognizes these challenges and has actions underway to
study or address them. Further, GAO determined that as of May 2011,
the Coast Guard had not assessed security risks for 12 of the 50
security-regulated OCS facilities that are to be subjected to such
assessments. Coast Guard officials later determined that they needed
to add these OCS facilities to MSRAM for assessment and have completed
the required assessments. However, while the list of security-
regulated facilities may change each year based on factors such as
production volume, the Coast Guard‘s current policies and procedures
do not call for Coast Guard officials to provide an annual updated
list of regulated OCS facilities to MSRAM analysts. Given the
continuing threat to such offshore facilities, revising its procedures
could help ensure that the Coast Guard carries out its risk assessment
requirements for security-regulated OCS facilities.
What GAO Recommends:
GAO is recommending that the Coast Guard revise policies and
procedures to ensure its analysts receive the annual updated list of
regulated offshore energy facilities to ensure risk assessments are
conducted on those facilities. The Coast Guard concurred with this
recommendation.
View [hyperlink, http://www.gao.gov/products/GAO-11-883T] or key
components. For more information, contact Stephen Caldwell at (202)
512-9610 or caldwells@gao.gov.
[End of section]
Chairman McCaul, Ranking Member Keating, and Members of the
Subcommittee:
[End of section]
I am pleased to be here today to discuss federal efforts to ensure the
security of energy tankers and the offshore energy infrastructure that
produces, transports, or receives oil and natural gas. The nation's
economy and security are heavily dependent on oil, natural gas, and
other energy commodities. Further, it is fitting that today's hearing
is in Houston because the city and the surrounding area play a central
role in the maritime energy sector. Houston is home to hundreds of
energy companies and many of these companies are involved in exploring
for and producing oil and natural gas in the Gulf of Mexico and
transporting it from sea to shore. In addition, energy tankers sail
through the Houston Ship Channel, and major facilities for refining
oil are located along or near the channel.
Al-Qa'ida and other groups with malevolent intent continue to target
energy tankers and offshore energy infrastructure because of their
importance to the nation's economy and national security. In May 2011,
the Department of Homeland Security (DHS) issued a press statement
that intelligence information showed that throughout 2010 there was
continuing interest by members of al-Qa'ida in targeting oil tankers
and commercial oil infrastructure at sea. While a terrorist attack on
energy tankers or offshore energy infrastructure has not occurred in
the United States, other countries have experienced such attacks.
Additionally, while it was not the result of an attack, the Deepwater
Horizon explosion in April 2010 showed that the consequences of an
incident on offshore energy infrastructure could be significant. The
explosion resulted in 11 deaths, serious injuries, and the largest oil
spill in the history of the United States. The response to the
incident encountered numerous challenges, and by the time the well was
sealed nearly 3 months later, over 4 million barrels of oil had
spilled into the Gulf. The spill created significant environmental
damage and had an adverse impact on workers and businesses, with an
estimated cost to compensate for these damages totaling billions of
dollars.
The U.S. Coast Guard--a component of DHS--is the lead federal agency
for maritime security, including security of energy tankers and
offshore energy infrastructure. The FBI--an agency in the Department
of Justice (DOJ)--shares responsibility with the Coast Guard for
preventing and responding to terrorist incidents in the maritime
environment, including incidents involving energy tankers. In December
2007, we issued a report that examined Coast Guard and FBI efforts to
prevent and respond to an incident involving energy tankers and we
made several recommendations to the Coast Guard and the FBI to improve
efforts in these areas.[Footnote 1]
My testimony today will address two main objectives:
* the extent to which the Coast Guard and the FBI have taken actions
to address our prior recommendations to prevent and respond to
terrorist incidents involving energy tankers, and:
* the extent to which the Coast Guard has taken actions to assess the
security risks to offshore energy infrastructure and the challenges,
if any, in conducting such assessments.
My statement is based on our past work on energy tankers issued in
December 2007 and recently completed work on actions the Coast Guard
has taken to assess security risks in the maritime environment.
[Footnote 2] To obtain information on the first objective, we reviewed
our prior reports on energy tankers, and asked the Coast Guard and the
FBI to provide us an update, along with supporting documentation, on
any actions that they have taken to address our recommendations from
the December 2007 report. To provide additional information on threats
to energy tankers, we also reviewed our recent work on piracy.
[Footnote 3] More detailed information on the scope and methodology
used for our past reviews appears in those reports.
To address the second objective, we interviewed officials in Coast
Guard headquarters and field offices in New Orleans, Louisiana and
Boston, Massachusetts because these officials were knowledgeable about
how the Coast Guard uses the Maritime Security Risk Analysis Model
(MSRAM)--a tool that the Coast Guard uses to assess the security risks
to vessels and offshore energy infrastructure.[Footnote 4] Moreover,
the New Orleans and Boston field offices are the only offices
presently conducting assessments of offshore energy infrastructure. We
also reviewed Coast Guard documents on MSRAM, such as Coast Guard
guidance to its field units and the MSRAM training manual. In
addition, we reviewed relevant laws and regulations, policies and
procedures, and other documents related to security risk assessments.
For example, we reviewed the DHS Quadrennial Review,[Footnote 5] the
National Infrastructure Protection Plan,[Footnote 6] and a National
Research Council report on risk assessments at DHS.[Footnote 7] We
also reviewed our prior report on risk assessment efforts carried out
by the Coast Guard.[Footnote 8] In addition, we compared the Coast
Guard's policies and procedures regarding security actions with
criteria in Standards for Internal Control in the Federal Government.
[Footnote 9] Further, we interviewed representatives from two
companies that together operate 18 of the 50 Outer Continental Shelf
facilities, a type of offshore energy infrastructure, regulated for
security in 2011. While the information obtained from these interviews
is not generalizable to the offshore energy industry as a whole, it
provided insights into owners' and operators' concerns regarding
security and actions they have taken to address such concerns. This
testimony concludes our work on Coast Guard efforts to assess security
risks for offshore energy infrastructure.[Footnote 10]
We conducted this performance audit from October 2010 through August
2011 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
Background:
The nation's economy and security are heavily dependent on oil,
natural gas, and other energy commodities. Nearly half of the nation's
oil is transported from overseas by tankers. For example, about 49
percent of the nation's crude oil supply--one of the main sources of
gasoline, jet fuel, heating oil, and many other petroleum products--
was transported by tanker into the United States in 2009.[Footnote 11]
The remaining oil and natural gas used in the United States comes from
Canada by pipeline or is produced from domestic sources in areas such
as offshore facilities in the Gulf of Mexico. With regard to these
domestic sources, the area of federal jurisdiction--called the Outer
Continental Shelf (OCS)[Footnote 12]--contains an estimated 85 million
barrels of oil, more than all onshore resources and those in shallower
state waters combined.[Footnote 13] In addition, the Louisiana
Offshore Oil Port (LOOP), a deepwater port, is responsible for
transporting about 10 percent of imported oil into the United States.
Federal Agency Roles:
As the lead federal agency for maritime security, the Coast Guard
seeks to mitigate many kinds of security challenges in the maritime
environment. Doing so is a key part of its overall security mission
and a starting point for identifying security gaps and taking actions
to address them. Carrying out these responsibilities is a difficult
and challenging task because energy tankers often depart from foreign
ports and are registered in countries other than the United States,
which means the United States has limited authority to oversee the
security of such vessels until they enter U.S. waters. Offshore energy
infrastructure also presents its own set of security challenges
because some of this infrastructure is located many miles from shore.
The FBI shares responsibility with the Coast Guard for preventing and
responding to terrorist incidents in the maritime environment,
including incidents involving energy tankers.
Risks to Energy Tankers:
Energy tankers face risks from various types of attack. We identified
three primary types of attack methods against energy tankers in our
2007 report, including suicide attacks, armed assaults by terrorists
or armed bands, and launching a "standoff" missile attack using a
rocket or some other weapon fired from a distance. In recent years, we
have issued reports that discussed risks energy tankers face from
terrorist attacks and attacks from other criminals, such as pirates.
Terrorists have attempted--and in some cases carried out--attacks on
energy tankers since September 11, 2001. To date, these attacks have
included attempts to damage tankers or their related infrastructure at
overseas ports. For example, in 2002, terrorists conducted a suicide
boat attack against the French supertanker Limburg off the coast of
Yemen, and in 2010, an incident involving another supertanker, the M/V
M. Star, in the Strait of Hormuz is suspected to have been a terrorist
attack. Our work on energy tankers identified three main places in
which tankers may be at risk of an attack: (1) at foreign ports; (2)
in transit, especially at narrow channels, or chokepoints; and (3) at
U.S. ports. For example, foreign ports, where commodities are loaded
onto tankers, may vary in their levels of security, and the Coast
Guard is limited in the degree to which it can bring about
improvements abroad when security is substandard, in part because its
activities are limited by conditions set by host nations. In addition,
while tankers are in transit, they face risks because they travel on
direct routes that are known in advance and, for part of their
journey, they may have to travel through waters that do not allow them
to maneuver away from possible attacks. According to the Energy
Information Administration, chokepoints along a route make tankers
susceptible to attacks. Further, tankers remain at risk upon arrival
in the United States because of the inherent risks to port facilities.
For example, port facilities are generally accessible by land and sea
and are sprawling installations often close to population centers.
Beyond the relatively rare threat of terrorist attacks against
tankers, the threat of piracy has become relatively common.[Footnote
14] In particular, piracy threatens tankers transiting one of the
world's busiest shipping lanes near key energy corridors and the route
through the Suez Canal. The vast areas at risk for piracy off the Horn
of Africa, combined with the small number of military ships available
for patrolling them, make protecting energy tankers difficult.
According to the International Maritime Bureau, 30 percent (490 of
1,650) of vessels reporting pirate attacks worldwide from 2006 through
2010 were identified as tankers.[Footnote 15] See table 1 for a
summary of tankers attacked by pirates during 2006 through 2010.
Table 1: Number of Tankers Attacked by Pirates, 2006 - 2010:
Type of commodity transported: Bitumen[A];
2006: 0;
2007: 1;
2008: 0;
2009: 2;
2010: 2.
Type of commodity transported: Chemical/Product[B];
2006: 35;
2007: 52;
2008: 55;
2009: 69;
2010: 96.
Type of commodity transported: Crude Oil;
2006: 9;
2007: 25;
2008: 30;
2009: 41;
2010: 43.
Type of commodity transported: Liquefied Natural Gas;
2006: 0;
2007: 1;
2008: 0;
2009: 1;
2010: 1.
Type of commodity transported: Liquefied Petroleum Gas;
2006: 4;
2007: 5;
2008: 6;
2009: 5;
2010: 7.
Type of commodity transported: Totals;
2006: 48;
2007: 84;
2008: 91;
2009: 118;
2010: 149.
Source: International Maritime Bureau, Piracy and Armed Robbery
Against Ships Annual Report (United Kingdom, 2010):
[A] Bitumen is a heavy black viscous oil often used in paving
materials and sealants.
[B] This category includes tankers that transport chemicals or oil
products other than crude oil.
[End of table]
As shown in the table, pirate attacks against tankers have tripled in
the last 5 years, and the incidence of piracy against tankers
continues to rise. From January through June 2011, 100 tankers were
attacked, an increase of 37 percent compared to tankers attacked from
January through June 2010. Figure 1 shows one of the recent suspected
pirate attacks. In addition, tankers are fetching increasing ransom
demands from Somali pirates. Media reports indicate a steady increase
in ransoms for tankers, from $3 million in January 2009 for the Saudi
tanker Sirius Star, to $9.5 million in November 2010 for the South
Korean tanker Samho Dream, to $12 million in June 2011 for the Kuwaiti
tanker MV Zirku. The U.S. Maritime Administration and the Coast Guard
have issued guidance for commercial vessels to stay 200 miles away
from the Somali coast. However, pirates have adapted and increased
their capability to attack and hijack vessels to more than 1,000 miles
from Somalia using mother ships, from which they launch smaller boats
to conduct the attacks.[Footnote 16] To address the growing concern
over piracy, the Coast Guard has issued a directive with guidelines
for U.S. vessels operating in high-risk waters. This directive
provides vessel owners and operators with direction for responding to
emerging security risks.
Figure 1: Sailors from the U.S. Navy's USS Philippine Sea Rescue Crew
of the Tanker VLCC Brilliante Virtuoso in Response to a Suspected
Attack by Pirates, June 2011:
[Refer to PDF for image: photograph]
Source: U.S. Navy.
[End of figure]
Risks to Offshore Energy Infrastructure:
Offshore energy infrastructure also faces risks from various types of
attacks. For example, in 2004, a terrorist attacked an offshore oil
terminal in Iraq using speedboats packed with explosives, killing two
U.S. Navy sailors and a U.S. Coast Guardsman. Potential attack methods
against offshore energy infrastructure identified by the Coast Guard
or owners and operators include crashing an aircraft into it; using a
submarine vessel, diver, or other means of attacking it underwater;
ramming it with a vessel; and sabotage by an employee. Offshore energy
infrastructure may face security risks because this infrastructure is
located in open waters and generally many miles away from Coast Guard
assets and personnel.
In addition to our work on energy tankers, we have recently completed
work involving Coast Guard efforts to assess security risks and ensure
the security of offshore energy infrastructure. Specifically, our work
focused on two main types of offshore energy infrastructure that the
Coast Guard oversees for security. The first type are facilities that
operate on the OCS and are generally described as facilities
temporarily or permanently attached to the subsoil or seabed of the
OCS that engage in exploration, development, or production of oil,
natural gas, or mineral resources.[Footnote 17] As of September 2010,
there were about 3,900 such facilities, and if a facility of this type
meets or exceeds any one of three thresholds for production or
personnel, it is subject to 33 C.F.R. part 106 security requirements.
[Footnote 18] In this testimony, we focus on the 50 facilities that,
in 2011, are regulated for security because they meet or exceed the
threshold criteria. We refer to these security-regulated facilities as
OCS facilities. The second type of offshore energy infrastructure are
deepwater ports, which are fixed or floating manmade structures used
or intended for use as a port or terminal for the transportation,
storage, or handling of oil or natural gas to any state and includes
the transportation of oil or natural gas from the United States' OCS.
[Footnote 19] There are currently four licensed deepwater ports--two
in the Gulf of Mexico and two in Massachusetts Bay.[Footnote 20]
Unlike OCS facilities, which are involved in the production of oil or
natural gas, deepwater ports enable tankers to offload oil or
liquefied natural gas for transport to land by underwater pipelines.
Progress Made Addressing Our Recommendations, but Additional Actions
Could Help Improve Tanker Security:
In 2007, we assessed Coast Guard and FBI efforts to ensure the
security of energy tankers and respond to terrorist incidents
involving energy tankers.[Footnote 21] We found that actions were
being taken, internationally and domestically, to protect tankers and
port facilities at which tankers would be present. For example, the
Coast Guard visits foreign exporting ports to assess the effectiveness
of the anti-terrorism measures in place. Additionally, port
stakeholders in the United States have taken steps to address
vulnerabilities at domestic ports. For example, the Houston Ship
Channel Security District is a public-private partnership that was
established to increase preparedness and response capabilities with
the goal of improving security and safety for facilities, employees,
and communities surrounding the Houston Ship Channel. The security
district has installed technology, such as night vision and motion-
activated detection equipment, and conducts patrols on land and in the
water. However, we also reported on challenges that remained in (1)
making federal agencies' protective actions more effective and (2)
implementing plans for a response to an attack, if a terrorist attack
were to succeed despite the protective measures in place.
We made five recommendations in our 2007 report, three of which were
directed to the Secretary of Homeland Security and two of which were
directed jointly to the Secretary of Homeland Security and the
Attorney General. The departments concurred or partially concurred
with all of the recommendations. The Coast Guard and the FBI have made
progress in implementing these recommendations--two have been
implemented, and the Coast Guard is in the process of implementing a
third--but actions have not yet been taken to address the remaining
two recommendations. See table 2 for a summary of our findings,
recommendations, and the current status of agency efforts to implement
our recommendations.
Table 2: Status of GAO Recommendations on Tanker Security from GAO-08-
141:
Findings: Resource allocation. Based on Coast Guard records, we found
that Coast Guard field units in several energy-related ports had been
unable to accomplish many of the port security responsibilities called
for in Coast Guard guidance. According to the data we obtained and our
discussions with field unit officials, we determined that resource
shortfalls were the primary reasons for not meeting these
responsibilities. Furthermore, the Coast Guard had not yet developed a
plan for addressing new liquefied natural gas (LNG) security resource
demands;
Recommendation and Status:
Recommendation: We recommended that the Coast Guard develop a national
resource allocation plan that would balance the need to meet new LNG
security responsibilities with existing security responsibilities and
other Coast Guard missions;
Status: In progress. The Coast Guard has begun work on a national
strategy for reducing the maritime security risks present in the bulk
transportation and transfer of certain dangerous cargoes, including
LNG. Coast Guard officials expect to finalize the strategy in April
2012 at which point they expect to develop a resource allocation plan
to implement the strategy. In the interim, the Coast Guard has
published guidance to clarify the timing and scope of the process that
is necessary to ensure full consideration is given to safety and
security of the port, the facility, and the vessels transporting LNG.
Findings: Guidance for helping to mitigate economic consequences. We
reported that the economic consequences of a terrorist attack on a
tanker could be significant, particularly if one or more ports are
closed. We identified some ports that, on their own initiative, were
incorporating economic recovery considerations into their port-level
plans, but at the time of our review in 2007, there was no national-
level guidance for use by local ports;
Recommendation and Status:
Recommendation: We recommended that the Coast Guard develop guidance
that ports could use to plan for helping to mitigate economic
consequences, particularly in the case of port closures;
Status: Implemented. The Coast Guard and U.S. Customs and Border
Protection (CBP) have developed Joint Protocols for the Expeditious
Recovery of Trade. These protocols establish a communications process
and describe how the Coast Guard and CBP will coordinate with other
federal agencies and the maritime industry to facilitate recovery and
resumption of trade following an event that causes a major disruption
to the maritime transportation system.
Findings: Integration of spill and terrorism response at the national
level. We found that while national-and port-level plans exist to
address spill response or terrorism response, federal agencies and
ports could face challenges in using them effectively. We reported
that the separate spill and terrorism response plans should be
integrated for responding to an attack on an energy commodities tanker;
Recommendation and Status:
Recommendation: We recommended that the Coast Guard and the FBI
coordinate at the national level to help ensure that a detailed
operational plan be developed that integrates the different spill and
terrorism sections of the National Response Plan;
Status: Not implemented. The different spill and terrorism response
sections of the National Response Plan remain separate annexes in the
renamed National Response Framework. According to the Coast Guard, the
National Response Framework is currently under revision, but no
decision has been made regarding the spill and terrorism response
annexes. Pending that decision, the FBI has not taken any action to
implement this recommendation.
Findings: Integration of spill and terrorism response at the local
level. In addition to the need for operational plans as noted above,
we reported that agencies should conduct joint exercises that simulate
an attack and the agencies' responses. Without such exercises, it
would be questionable whether joint Coast Guard and FBI activities
would proceed as planned;
Recommendation and Status:
Recommendation: We recommended that the Coast Guard and FBI coordinate
at the local level to help ensure that spill and terrorism response
activities are integrated for the best possible response by maximizing
the integration of spill and terrorism response planning and exercises
at ports that receive energy commodities where attacks on tankers pose
a significant threat;
Status: Implemented. In April 2008, the Coast Guard updated guidance
which states that the ability to simultaneously execute multiple
plans, including federal, state, and local response and recovery
plans, should be part of an overall exercise and preparedness program.
In accordance with this guidance, the Coast Guard, along with the FBI
and other stakeholders, has conducted exercises that address an
integrated spill and terrorism response.
Findings: Performance measures for emergency response. We found that
some ports had reported difficulty in securing response resources to
carry out planned actions and decisions about the need for more
response capabilities were hindered by a lack of performance measures
tying resource needs to effectiveness in response;
Recommendation and Status:
Recommendation: We recommended that the Secretary of Homeland Security
work with federal, state, and local stakeholders to develop explicit
performance measures for emergency response capabilities and use them
in risk-based analyses to set priorities for acquiring needed response
resources;
Status: Not implemented. DHS has not yet developed explicit
performance measures for emergency response capabilities. According to
DHS, it is revising its grant programs, but performance measures have
not yet been developed as part of this effort.
Source: GAO.
[End of table]
Regarding our recommendation that the Coast Guard and the FBI
coordinate to help ensure that a detailed operational plan be
developed that integrates the different spill and terrorism sections
of the National Response Framework, DHS is in the process of revising
this document and did not have further information regarding whether
or how the spill and terrorism response annexes may be revised.
Further, the FBI has not taken independent action to implement this
recommendation, in part because it did not concur with the need to
develop a separate operational plan. In the event of a successful
attack on an energy tanker, ports would need to provide an effective,
integrated response to (1) protect public safety and the environment,
(2) conduct an investigation, and (3) restore shipping operations in a
timely manner. Consequently, clearly defined and understood roles and
responsibilities for all essential stakeholders are needed to ensure
an effective response, and operational plans for the response should
be explicitly linked. Regarding our recommendation that DHS develop
performance measures for emergency response capabilities, DHS has
begun to revise its grant programs, but it is too early in that
process to determine whether and how performance measures will be
incorporated into those revisions. Performance measures would allow
DHS to set priorities for funding on the basis of reducing overall
risk, thereby helping ports obtain resources necessary to respond. We
continue to believe that the recommendations not yet addressed have
merit and should be fully implemented.
Coast Guard Had Not Assessed Risks to All OCS Facilities:
In accordance with federal statutes and presidential directives, the
Coast Guard assesses security risks as part of its responsibilities
for ensuring the security of OCS facilities and deepwater ports. In
doing so, the Coast Guard, among other things, uses a tool called the
Maritime Security Risk Analysis Model (MSRAM). Coast Guard units
throughout the country use this tool to assess security risks to about
28,000 key infrastructure in and around the nation's ports and
waterways. For example, MSRAM examines security risks to national
monuments, bridges, and oil and gas terminals.
The Coast Guard's efforts to assess security risks to OCS facilities
and deepwater ports are part of a broader effort by DHS to protect
critical infrastructure and key resources.[Footnote 22] To further
guide this effort, in 2009 DHS issued an updated version of the 2006
National Infrastructure Protection Plan which describes the
department's strategic approach to infrastructure protection.[Footnote
23] The plan placed an increased emphasis on risk management and it
centered attention on going beyond assessments of individual assets by
extending the scope of risk assessments to systems or networks.
[Footnote 24] For example, while the 2006 plan focused on assessing
the vulnerability of facilities, the 2009 plan discussed efforts to
conduct systemwide vulnerability assessments.
Progress Made Assessing Offshore Security Risks:
The Coast Guard has taken a number of actions in assessing security
risks to OCS facilities and deepwater ports. The Coast Guard has used
MSRAM to, among other things, examine security risks to OCS facilities
and deepwater ports by assessing three main factors--threats,
vulnerabilities, and consequences.[Footnote 25] First, Coast Guard
analysts use MSRAM to assess security risks against such energy
infrastructure by examining potential scenarios terrorists may use to
attack OCS facilities or deepwater ports. For example, MSRAM assesses
attack scenarios, such as an attack by a hijacked vessel, a small boat
attack, sabotage, or an attack by a swimmer or diver. Second, the
analysts use MSRAM to evaluate vulnerabilities of OCS facilities and
deepwater ports by examining the probability of a successful attack by
assessing factors such as the ability of key stakeholders, including
the owner, operator, or law enforcement, to interdict an attack and
the ability of a target to withstand an attack. Third, the analysts
use MSRAM to evaluate potential consequences of an attack, such as
deaths or injuries and economic and environmental impacts.[Footnote
26] MSRAM's output produces a risk index number for each maritime
target--such as an OCS facility or deepwater port--that allows Coast
Guard officials at the local, regional, and national levels to compare
and rank critical infrastructure for the purpose of informing security
decisions. According to Coast Guard officials, based on MSRAM's
output, which is a relative risk ranking, OCS facilities are not
considered to be high-risk targets.
To inform analysts' inputs into MSRAM, the Coast Guard has coordinated
efforts with the intelligence community and key stakeholders. For
example, the Coast Guard's Intelligence Coordination Center inputs
threat assessment data into MSRAM. Coast Guard analysts also use
information from other stakeholders, such as reports produced by the
Department of the Interior's Bureau of Ocean Energy Management,
Regulation and Enforcement (BOEMRE), which contain oil and gas
production data, to inform their evaluations of vulnerabilities and
consequences. Based on the assessments of threats, vulnerabilities,
and consequences, MSRAM produces a risk index number for each OCS
facility and deepwater port. The Coast Guard has also taken actions to
supplement MSRAM by, among other things, (1) including new data fields
on the frequency with which tankers visit a port and (2) adding
additional threat scenarios, such as a threat involving a cyber
attack, to its data set.
While MSRAM has been applied to deepwater ports, Coast Guard officials
have also used an independent risk assessment to assess security risks
as part of the application process for recently constructed deepwater
ports. For example, in December 2006, as part of the application
process for a proposed deepwater port in the Massachusetts Bay, the
Coast Guard, the owner and operator, and other stakeholders
collectively identified and assessed threat scenarios as well as the
potential consequences and vulnerabilities of each scenario. Based on
this assessment, stakeholders identified and agreed to carry out
security measures to mitigate the risks, such as installing camera
systems and increasing radar coverage.
Challenges in Data and Scope Hinder Risk Assessments:
The Coast Guard faces complex and technical challenges in assessing
security risks. The Coast Guard recognizes these challenges and
generally has actions underway to study or address them. Coast Guard
officials noted that some of these challenges are not unique to the
Coast Guard's risk assessment model and that these challenges are
faced by others in the homeland security community involved in
conducting risk assessments. Specific challenges are detailed below.
Challenges in Data:
* Vulnerability-related data: The Coast Guard does not have data on
the ability of an OCS facility to withstand an attack, which is
defined in MSRAM as target hardness. The Coast Guard recognizes that
target hardness is an important consideration in assessing the
vulnerability of OCS facilities. However, MSRAM analysts described
challenges in assessing target hardness because empirical data are not
available or research has not been conducted to do so. For example,
research on whether a hijacked boat or an underwater attack could sink
an offshore oil or natural gas platform would give the Coast Guard and
owners and operators a clearer sense of whether this attack scenario
could result in major consequences. Coast Guard officials and
corporate security officers with whom we spoke indicated that such
research would advance knowledge about the vulnerabilities of OCS
facilities and deepwater ports. Gaining a better understanding of
target hardness of these and other threat scenarios could improve the
quality of the output from MSRAM. According to Coast Guard's MSRAM
Program Manager, the Coast Guard may recommend conducting more
research on the vulnerability to and consequences of attack scenarios
as a result of a study it is currently conducting on OCS facilities in
the Gulf of Mexico. The Coast Guard initiated this study in the fall
of 2010 after the Deepwater Horizon incident. The study initially
reviewed the "lessons learned" from Deepwater Horizon and how those
lessons could be used to improve MSRAM. During the course of our
review, Coast Guard officials stated that the scope of the study has
been expanded to include OCS facilities and that the Coast Guard
expects to issue its report in the fall of 2011.
* Consequences-related data: The input for secondary economic impacts
[Footnote 27] can have a substantial effect on how MSRAM's output
ranks a facility relative to other potential targets. Undervaluing
secondary economic impacts could result in a lower relative risk
ranking that underestimates the security risk to a facility, or
inversely, overvaluing secondary economic impacts could result in
overestimating the security risk to a facility. However, the Coast
Guard has limited data for assessing secondary economic impacts from
an attack on OCS facilities or deepwater ports. Coast Guard analysts
stated that gathering these data is a challenge because there are few
models or guidance available for doing so. During the course of our
review, the Coast Guard started using a tool, called "IMPLAN," that
helps inform judgments of secondary economic impacts by showing what
the impact could be for different terrorist scenarios.[Footnote 28]
The tool, however, has limits in that it should not be used where the
consequences of a terrorist attack are mainly interruption to land or
water transportation. Enhancing DHS's and the Coast Guard's ability to
assess secondary economic impacts could improve a MSRAM analyst's
accuracy in assessing the relative risk of a particular target. Coast
Guard officials added that they are working with DHS's Office of Risk
Management and Analysis in studying ways to improve how it assesses
secondary economic impacts.
Challenges in Scope:
* Challenges in assessing security risks to OCS facilities: We
determined that the Coast Guard did not conduct MSRAM assessments for
all 50 of the OCS facilities that are subject to federal security
requirements in 2011. Coast Guard guidance calls for MSRAM analysts to
identify and assess all significant targets that fall within a unit's
area of responsibility, which includes all security-regulated OCS
facilities. Specifically, as of May 2011, we found that MSRAM did not
include 12 of the 50 OCS facilities operating at that time. Coast
Guard officials generally agreed with our finding and they have since
incorporated these 12 facilities into MSRAM and completed the required
risk assessments. While the Coast Guard plans to update its policies
and procedures for inspecting and ensuring the security of OCS
facilities in the future, the current set of policies and procedures
do not call for an updated list of OCS facilities to be provided to
MSRAM analysts to assess the security risks to such facilities
annually. Coast Guard officials acknowledged that their policies and
procedures did not include this requirement. Revising policies and
procedures to include such a requirement is important in that the
number of OCS facilities could change each year. For example, some
facilities may drop below the production or personnel thresholds
described earlier in this statement, thereby falling outside the scope
of 33 C.F.R. part 106, or other facilities could meet or exceed such
thresholds, thereby rendering them subject to part 106. Standards for
Internal Control in the Federal Government state that policies and
procedures enforce management directives and help ensure that actions
are taken to address risks.[Footnote 29] In addition, internal control
standards state that such control activities are an integral part of
an entity's planning, implementing, reviewing, and accountability for
stewardship of government resources and for achieving effective
results. Developing such procedures could help ensure that the Coast
Guard carries out its risk assessment requirements for such security-
regulated OCS facilities.
* Challenges in assessing security risks to offshore energy
infrastructure that is not subject to security requirements: With
respect to OCS facilities, analysts only use MSRAM to assess security
risks associated with those OCS facilities that are regulated for
security under 33 C.F.R. part 106. For example, the Deepwater Horizon
did not meet the threshold criteria subjecting it to regulation under
part 106, and therefore, MSRAM was not used to assess its security
risks (see figure 2 for a photo of the Deepwater Horizon explosion).
According to Coast Guard officials, mobile offshore drilling units
(MODUs), such as the Deepwater Horizon, do not generally pose a risk
of a terrorist attack since there is little chance of an oil spill
when these units are drilling and have not struck oil.[Footnote 30]
However, the officials noted that there is a brief period of time when
a drilling unit strikes a well, but the well has yet to be sealed
prior to connecting it to a production facility. The Deepwater Horizon
was in this stage when it resulted in such a large oil spill. During
that period of time, MODUs could be at risk of a terrorist attack that
could have significant consequences despite a facility not meeting the
production or personnel thresholds. For example, such risks could
involve the reliability of blowout preventer valves--specialized
valves that prevent a well from spewing oil in the case of a blowout.
Gaining a fuller understanding of the security risks associated with
MODUs, such as the Deepwater Horizon, could improve the quality of
program decisions made by Coast Guard managers on whether actions may
be needed to ensure the security of this type of facility. According
to Coast Guard officials, they are studying the "lessons learned" from
the Deepwater Horizon incident and part of the study involves
examining whether analysts should use MSRAM to assess MODUs in the
future.
Figure 2: Explosion of the Deepwater Horizon Drilling Unit in the Gulf
of Mexico, April 2010:
[Refer to PDF for image: photograph]
Source: U.S. Coast Guard.
[End of figure]
* Challenges in assessing systemic or network risks: MSRAM does not
assess systemic or network risks because, according to Coast Guard
officials, these types of assessments are beyond the intended use of
MSRAM. The 2009 National Infrastructure Protection Plan, 2010 DHS
Quadrennial Review,[Footnote 31] and a National Research Council
evaluation of DHS risk assessment efforts[Footnote 32] have determined
that gaining a better understanding of network risks would help to
understand multiplying consequences of a terrorist attack or
simultaneous attacks on key facilities. Understanding "network" risks
involves gaining a greater understanding of how a network is
vulnerable to a diverse range of threats. Examining how such
vulnerabilities create strategic opportunities for intelligent
adversaries with malevolent intent is central to this understanding.
For example, knowing what damage a malicious adversary could achieve
by exploiting weaknesses in an oil-distribution network offers
opportunities for improving the resiliency of the network within a
given budget.[Footnote 33]
How the Coast Guard assesses offshore infrastructure within the
broader set of networks is important. The findings of the National
Commission on the BP Deepwater Horizon Oil Spill incident illustrate
how examining networks or systems from a safety or engineering
perspective can bring greater knowledge of how single facilities
intersect with broader systems.[Footnote 34] The report noted that
"complex systems almost always fail in complex ways" and cautioned
that attempting to identify a single cause for the Deepwater Horizon
incident would provide a dangerously incomplete picture of what
happened. As a result, the report examined the Deepwater Horizon
incident with an expansive view toward the role that industry and
government sectors played in assessing vulnerabilities and the impact
the incident had on economic, social, and environmental systems.
Enhancing knowledge about the vulnerabilities of networks or systems
with which OCS facilities and deepwater ports intersect could improve
the quality of information that informs program and budget decisions
on how to best ensure security and use scarce resources in a
constrained fiscal environment. Doing so would also be consistent with
DHS's Quadrennial Review and other DHS guidance and would provide
information to decision makers that could minimize the likelihood of
being unprepared for a potential attack. Coast Guard officials agreed
that assessing "network effects" is a challenge and they are examining
ways to meet this challenge. However, the Coast Guard's work is this
area is in its infancy and there is uncertainty regarding the way in
which the Coast Guard will move forward in measuring "network effects."
Conclusions:
The threat of terrorism against energy tankers and offshore energy
infrastructure highlights the importance of the Coast Guard having
policies and procedures in place to better ensure the security of
energy tankers, OCS facilities, and deepwater ports. The Coast Guard
has taken steps to implement prior GAO recommendations to enhance
energy tanker security, and it continues to work towards implementing
the three outstanding recommendations. Improvements in security could
help to prevent a terrorist attack against this infrastructure, which
could have significant consequences, such as those resulting from the
Deepwater Horizon incident. While the Coast Guard does not consider
OCS facilities that it has assessed in MSRAM to be high risk, it is
important to assess all OCS facilities as required by Coast Guard
guidance. Since May 2011, when we determined that some OCS facilities
were not assessed, the Coast Guard has completed its assessments for
the previously omitted facilities. However, given that the list of
security-regulated facilities may change each year based on factors
such as production volume, it is important to ensure that any
facilities added to the list in the future will be assessed for
security risks in MSRAM. By revising policies and procedures to help
ensure that an updated list of OCS facilities is provided to MSRAM
analysts on an annual basis, the Coast Guard would be better
positioned to ensure that all risk assessments for facilities
requiring such assessments be conducted in a manner consistent with
the law and presidential directive.
Recommendations for Executive Action:
To strengthen the Coast Guard's efforts to assess security risks and
ensure the security of OCS facilities, we recommend that the
Commandant of the Coast Guard revise policies and procedures to ensure
that MSRAM analysts receive the annual updated list of security-
regulated OCS facilities to ensure that risk assessments have been
conducted on all such OCS facilities.
Agency Comments and Our Evaluation:
We provided a draft of this testimony to DHS and DOJ for comment. The
Coast Guard concurred with our recommendation to revise policies and
procedures to ensure that MSRAM analysts receive the annual updated
list of security-regulated OCS facilities. DHS and DOJ provided oral
and technical comments, which we incorporated as appropriate.
Chairman McCaul, Ranking Member Keating, and Members of the
Subcommittee, this concludes my prepared statement. This testimony
concludes our work on Coast Guard efforts to assess security risks for
offshore energy infrastructure. However, we will continue our broader
work looking at the security of offshore energy infrastructure,
including Coast Guard security inspections and other challenges. Our
evaluation will focus on Coast Guard security inspections and other
measures to better secure OCS facilities and deepwater ports.[Footnote
35] We will continue to work with the Coast Guard to develop solutions
to ensure that inspections of OCS facilities are completed as required.
I would be happy to respond to any questions you may have.
GAO Contact and Staff Acknowledgments:
Key contributors to this testimony were Christopher Conrad, Assistant
Director; Neil Asaba, Analyst-in-Charge; Alana Finley; Christine Kehr;
Colleen McEnearney; Erin O'Brien; Jodie Sandel; and Suzanne Wren.
Chuck Bausell contributed economics expertise, Pamela Davidson
assisted with design and methodology, Tom Lombardi provided legal
support, and Jessica Orr provided assistance in testimony preparation.
[End of section]
Related GAO Products:
Maritime Security: Updating U.S. Counterpiracy Action Plan Gains
Urgency as Piracy Escalates off the Horn of Africa. [hyperlink,
http://www.gao.gov/products/GAO-11-449T]. Washington, D.C.: March 15,
2011.
Quadrennial Homeland Security Review: 2010 Reports Addressed Many
Required Elements, but Budget Planning Not Yet Completed. [hyperlink,
http://www.gao.gov/products/GAO-11-153R]. Washington, D.C.: December
16, 2010.
Maritime Security: DHS Progress and Challenges in Key Areas of Port
Security. [hyperlink, http://www.gao.gov/products/GAO-10-940T].
Washington, D.C.: July 21, 2010.
Maritime Security: Actions Needed to Assess and Update Plan And
Enhance Collaboration among Partners Involved in Countering Piracy off
the Horn of Africa. [hyperlink,
http://www.gao.gov/products/GAO-10-856]. Washington, D.C.: September
24, 2010.
Critical Infrastructure Protection: Update to National Infrastructure
Protection Plan Includes Increased Emphasis on Risk Management and
Resilience. [hyperlink, http://www.gao.gov/products/GAO-10-296].
Washington, D.C.: March 5, 2010.
Maritime Security: Federal Efforts Needed to Address Challenges in
Preventing and Responding to Terrorist Attacks on Energy Commodity
Tankers. [hyperlink, http://www.gao.gov/products/GAO-08-141].
Washington, D.C.: December 10, 2007.
Risk Management: Further Refinements Needed to Assess Risks and
Prioritize Protective Measures at Ports and Other Critical
Infrastructure. [hyperlink, http://www.gao.gov/products/GAO-06-91].
Washington, D.C.: December 15, 2005.
[End of section]
Footnotes:
[1] GAO, Maritime Security: Federal Efforts Needed to Address
Challenges in Preventing and Responding to Terrorist Attacks on Energy
Commodity Tankers, [hyperlink, http://www.gao.gov/products/GAO-08-141]
(Washington, D.C.: Dec. 10, 2007).
[2] [hyperlink, http://www.gao.gov/products/GAO-08-141].
[3] GAO, Maritime Security: Actions Needed to Assess and Update Plan
And Enhance Collaboration among Partners Involved in Countering Piracy
off the Horn of Africa, [hyperlink,
http://www.gao.gov/products/GAO-10-856] (Washington, D.C.: Sept. 24,
2010); and Maritime Security: Updating U.S. Counterpiracy Action Plan
Gains Urgency as Piracy Escalates off the Horn of Africa, [hyperlink,
http://www.gao.gov/products/GAO-11-449T] (Washington, D.C.: Mar. 15,
2011).
[4] In looking at the Coast Guard's assessments of risks, we focused
on security risks--risks emanating from terrorists or others that
would purposely attack or sabotage offshore energy infrastructure. We
did not focus on accidental risks to such infrastructure. However, we
have ongoing work to assess industry plans for developing new methods
or technologies to control and contain blowouts occurring in subsea
environments. We are conducting this work at the request of the
Ranking Member of the House Committee on Energy and Commerce. We
expect to issue this related report in the winter of 2012. We are also
conducting broader work examining the Coast Guard's use of MSRAM for
the Chairman of the Senate Committee on Commerce, Science, and
Transportation; the Ranking Member of the Senate Committee on Homeland
Security and Governmental Affairs; and the Chairwoman of the House
Homeland Security Committee, Subcommittee on Border and Maritime
Security. We expect to issue this report later in 2011.
[5] The DHS Quadrennial Review outlines a strategic framework for
stakeholders, including federal, state, local, tribal, territorial,
nongovernmental, and private-sector entities, in responding to
security threats. For more information about the DHS Quadrennial
Review, see GAO, Quadrennial Homeland Security Review: 2010 Reports
Addressed Many Required Elements, but Budget Planning Not Yet
Completed, [hyperlink, http://www.gao.gov/products/GAO-11-153R]
(Washington, D.C.: Dec. 16, 2010).
[6] The National Infrastructure Protection Plan represents a strategy
for protecting critical infrastructure and key resources, and it
offers a framework for assessing risk. For more information about the
National Infrastructure Protection Plan, see GAO, Critical
Infrastructure Protection: Update to National Infrastructure
Protection Plan Includes Increased Emphasis on Risk Management and
Resilience, [hyperlink, http://www.gao.gov/products/GAO-10-296]
(Washington, D.C.: Mar. 5, 2010).
[7] National Research Council: Review of the Department of Homeland
Security's Approach to Risk Analysis (Washington, D.C.: 2010).
[8] GAO, Risk Management: Further Refinements Needed to Assess Risks
and Prioritize Protective Measures at Ports and Other Critical
Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-06-91]
(Washington, D.C.: Dec. 15, 2005) and Maritime Security: DHS Progress
and Challenges in Key Areas of Port Security, [hyperlink,
http://www.gao.gov/products/GAO-10-940T] (Washington, D.C.: July 21,
2010).
[9] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[10] We will continue our broader work looking at the security of
offshore energy infrastructure, including Coast Guard security
inspections and other challenges.
[11] This figure is based on the most recently available data for a
full year from the U.S. Energy Information Administration.
[12] The OCS is a designation for all submerged lands of which the
subsoil and seabed are outside the territorial jurisdiction of a U.S.
state, but within U.S. jurisdiction and control.
[13] Based on an estimate from the National Commission on the BP
Deepwater Horizon Oil Spill and Offshore Drilling, Deep Water: The
Gulf Oil Disaster and the Future of Offshore Drilling (Washington,
D.C.: January 2011).
[14] The motivation behind an attack may distinguish piracy from
terrorism. For example, the motivation for piracy is often monetary,
whereas terrorism is politically motivated.
[15] The International Chamber of Commerce's International Maritime
Bureau operates a Piracy Reporting Center that collects data on pirate
attacks worldwide.
[16] For more information on U.S. government efforts to combat piracy,
see [hyperlink, http://www.gao.gov/products/GAO-10-856], which
discusses the Coast Guard's and other agencies' progress in
implementing efforts to prevent piracy attacks. This report contains
recommendations to improve U.S. government efforts to combat piracy.
[17] See 33 C.F.R. § 106.105.
[18] Facilities meeting any of the threshold criteria are often
referred to as Maritime Transportation and Security Act (MTSA)-
regulated facilities. The production or personnel thresholds for
determining whether an OCS facility will be subject to security
requirements in accordance with 33 C.F.R. part 106 are: (1) producing
greater than 100,000 barrels of oil a day, (2) producing more than 200
million cubic feet of natural gas per day, or (3) hosting more than
150 persons for 12 hours or more in each 24 hour period continuously
for 30 days or more. According to 33 C.F.R. § 140.10, production means
those activities which take place after the successful completion of
any means for the removal of minerals, including, but not limited to,
such removal, field operations, transfer of minerals to shore,
operation monitoring, maintenance, and workover. According to the
Coast Guard, the statement; "transfer of minerals to shore"
encompasses fixed facilities that operate as "Transmission
Facilities." Production quantities shall be calculated as the sum of
all sources of production from wells on the primary and any attending
platform(s), including the throughput of other pipelines transferring
product across the same platform(s).
[19] See 33 C.F.R. § 148.5. Although deepwater ports are generally not
regulated for security in accordance with MTSA, owners and operators
generally carry out similar measures to those carried out for OCS
facilities by, among other things, developing security plans
comparable to those implemented by OCS facilities pursuant to part
106. See 33 C.F.R. § 150.15(x).
[20] According to the Coast Guard, one of the Gulf of Mexico deepwater
ports is expected to be decommissioned in the near future.
[21] [hyperlink, http://www.gao.gov/products/GAO-08-141].
[22] The Homeland Security Act of 2002, enacted the same day as MTSA
(November 25, 2002), established DHS and gave the department wide-
ranging responsibilities for, among other things, leading and
coordinating the overall national critical infrastructure protection
effort. Title II of the Homeland Security Act, as amended, primarily
addresses the department's responsibilities for critical
infrastructure protection. According to DHS, there are thousands of
facilities in the United States that if degraded or destroyed by a
manmade or natural disaster could cause some combination of
significant casualties, major economic losses, or widespread and long-
term disruptions to national well-being and governance capacity.
[23] DHS, National Infrastructure Protection Plan, Partnering to
Enhance Protection and Resiliency (Washington, D.C: January 2009).
This plan represents a strategy for protecting critical infrastructure
and key resources and it offers a framework for assessing risk. DHS
issued the original plan in June 2006.
[24] Network effects involve the ripple effect of an incident or
simultaneous incidents on key sectors of the economy. For example,
production facilities, pipelines, transfer stations, and refineries
are part of the oil and natural gas network in and around the Gulf of
New Mexico. Assessing network effects could involve determining
whether a terrorist attack on a few key assets would have a
disproportionate effect on the performance of this network. Such an
assessment could examine the degree to which such an incident could
disrupt the flow of oil or natural gas to industries that use these
types of energy as inputs to their production functions.
[25] DHS defines threat as a natural or manmade occurrence,
individual, entity, or action that has or indicates the potential to
harm life, information, operations, the environment, and/or property.
For the purpose of calculating risk, the threat of an intentional
hazard is generally estimated as the likelihood of an attack being
attempted by an adversary; for other hazards, threat is generally
estimated as the likelihood that a hazard will manifest itself. In the
case of terrorist attacks, the threat likelihood is estimated based on
the intent and capability of the adversary. DHS defines vulnerability
as a physical feature or operational attribute that renders an entity
open to exploitation or susceptible to a given hazard. In calculating
the risk of an intentional hazard, a measure of vulnerability is the
likelihood that an attack is successful, given that it is attempted.
DHS defines consequence as the effect of an event, incident, or
occurrence; reflects the level, duration, and nature of the loss
resulting from the incident. For the purposes of the National
Infrastructure Protection Plan, consequences are divided into four
main categories: public health and safety (i.e., loss of life and
illness); economic (direct and indirect); psychological; and
governance/mission impacts.
[26] MSRAM assesses consequences of six factors: (1) deaths and
injuries, (2) primary economic impact, (3) environmental impact, (4)
national security impacts, (5) symbolic impacts, and (6) secondary
economic impacts.
[27] According to the Coast Guard, secondary economic impacts are a
factor representing a description of follow-on economic effects of a
successful attack.
[28] IMPLAN stands for IMpact Analysis for PLANning. It is a tool that
assesses economic relationships between primary economic impacts and
secondary economic impacts.
[29] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[30] MODUs engage in drilling rather than production.
[31] U.S. Department of Homeland Security: Quadrennial Homeland
Security Review Report: A Strategic Framework for a Secure Homeland
(Washington D.C.: February 2010).
[32] National Research Council: Review of the Department of Homeland
Security's Approach to Risk Analysis (Washington D.C.: 2010).
[33] See Gerald G. Brown, W. Matthew Carlyle, Javier Salmerón, and
Kevin Wood, Operations Research Department, Naval Postgraduate School:
Analyzing the Vulnerability of Critical Infrastructure to Attack and
Planning Defenses (Monterrey, California: 2005). According to DHS,
resiliency is the ability to resist, absorb, recover from, or
successfully adapt to adversity or a change in conditions.
[34] National Commission on the BP Deepwater Horizon Oil Spill and
Offshore Drilling, Deep Water: The Gulf Oil Disaster and the Future of
Offshore Drilling (Washington D.C.: January 2011).
[35] We are conducting this work for the Chairman of the Senate
Committee on Commerce, Science, and Transportation; the Ranking Member
of the Senate Committee of Homeland Security and Governmental Affairs;
the House Committee on Energy and Commerce; the Chairman of the House
Committee on Transportation and Infrastructure; the Ranking Member of
the House Committee on Homeland Security; and the Ranking Member of
the House Committee on Natural Resources; and the Chairman of the
House Homeland Security Committee's Subcommittee on Oversight,
Investigations, and Management.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
