Search Penny Hill Press

Friday, August 24, 2012

Pipeline Cybersecurity: Federal Policy


Paul W. Parfomak
Specialist in Energy and Infrastructure Policy

The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyber infiltration of supervisory control and data acquisition (SCADA) systems could allow successful “hackers” to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations. In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector.

The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines. An April 2011 White House proposal and the Cybersecurity Act of 2012 (S. 2105) both would mandate cybersecurity regulations for privately owned critical infrastructures sectors like pipelines. A revised version of S. 2105, S. 3414, would permit the issuance of regulations but would focus on voluntary cybersecurity measures.

While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways:

  • Pipelines in the United States have been the target of several confirmed terrorist plots and attempted physical attacks since September 11, 2001. 
  • Changes to pipeline computer networks over the past 20 years, more sophisticated hackers, and the emergence of specialized malicious software have made pipeline SCADA operations increasingly vulnerable to cyber attacks. 
  • There recently has been a coordinated series of cyber intrusions specifically targeting U.S. pipeline computer systems. 
  • TSA already has statutory authority to issue cybersecurity regulations for pipelines if the agency chooses to do so, but it may not have the resources to develop, implement, and enforce such regulations if they are mandated. 
TSA maintains that voluntary standards have been effective in protecting U.S. pipelines from cyber attacks. Based on the agency’s corporate security reviews, TSA believes cybersecurity among major U.S. pipeline systems is effective. However, without formal cybersecurity plans and reporting requirements, it is difficult for Congress to know for certain. Whether the self-interest of pipeline operators is sufficient to generate the level of cybersecurity appropriate for a critical infrastructure sector is open to debate. If Congress concludes that current voluntary measures are insufficient to ensure pipeline cybersecurity, it may decide to provide specific direction to the TSA to develop regulations and provide additional resources to support them, as such an effort may be beyond the TSA Pipeline Security Division’s existing capabilities.


Date of Report: August 16, 2012
Number of Pages: 13
Order Number: R42660
Price: $29.95

To Order:


R42660.pdf  to use the SECURE SHOPPING CART

e-mail congress@pennyhill.com

Phone 301-253-0881

For email and phone orders, provide a Visa, MasterCard, American Express, or Discover card number, expiration date, and name on the card. Indicate whether you want e-mail or postal delivery. Phone orders are preferred and receive priority processing.

Follow us on TWITTER at http://www.twitter.com/alertsPHP or #CRSreports