Critics say TSA is understaffed and ill-equipped for pipeline security mission
Only 34 employees are responsible for securing 2.7 million miles of pipeline.
In addition to screening bags and patting down passengers at airports all over the country, the Transportation Security Administration has an additional little-known responsibility -- overseeing the security of the nation’s pipeline network, including the Colonial Pipeline targeted last weekend by a ransomware attack.
While the TSA employs nearly 50,000 transportation security officers to keep America’s skies secure, the number of TSA personnel devoted to securing 2.7 million miles of pipeline that crisscross the country is surprisingly small.
The agency has just 34 staff positions, including headquarters personnel, policy planners and field inspectors, to perform its pipeline and cybersecurity mission, according to a TSA official. Of those, only eight have attended any specialized cybersecurity training.
Critics in Congress say the TSA is understaffed and ill-equipped for the pipeline security mission.
"I don't think they have really the personnel or the expertise to do the job right now," Rep. Jim Langevin, D-R.I., told ABC News. "We absolutely need more oversight on pipeline security and other areas of critical infrastructure."
Kiersten Todt, managing director of the Cyber Readiness Institute, echoed that sentiment.
"I don't think that TSA should be responsible for the cybersecurity of the pipelines," she told ABC News.
But House Homeland Security Committee Ranking Member John Katko believes oversight of pipeline security should remain with the TSA.
"Right now, we need to focus on building existing capabilities and resources while ensuring federal roles and responsibilities are clear," Katko said in a statement.
Katko is one of 12 bipartisan Homeland Security Committee members who introduced pipeline security legislation Friday, calling for the TSA’s pipeline security responsibilities to be codified into law and for the agency to be required to employ staff with cybersecurity expertise. The proposed "Pipeline Security Act" stops short of mandating any new security requirements for the pipeline industry.
The TSA’s tiny pipeline security division is considerably larger than it was just a few years ago. In 2019, TSA Surface Division Director Sonya Proctor testified that the agency’s pipeline security division had only five employees and none with cybersecurity expertise.
But the disruption caused by the ransomware attack on Colonial Pipeline has brought renewed attention to protecting critical infrastructure from crippling cyberattacks.
The TSA provides the oil and gas industry with physical and cybersecurity recommendations that pipeline operators "should" implement, but current and former Homeland Security officials tell ABC News that compliance with those security guidelines and practices is voluntary.
Colonial Pipeline's statement on its website says the company "complies with all guidelines established by [the TSA]," and "submits a risk-based security plan to the TSA for review on an annual basis."
While there are stringent regulations and safety standards for pipelines and the fuels and hazardous materials they carry, there are not comparable enforceable standards for securing those pipelines, according to industry observers.
Other parts of the U.S. energy infrastructure, like electric power grid operators, have far more significant security requirements, dedicated agencies that enforce them and face steep fines for failing to meet them.
"When you see a company like Colonial Pipeline, that is responsible for transporting 45% of the East Coast's gas and jet fuel not doing the basics when it comes to cybersecurity, that is all the more reason to look at ensuring that there are requirements for these companies," Todt said.