Pipeline Cybersecurity: Federal Policy (CRS Report for Congress)

Release Date: Aug. 16, 2012
Report Number: R42660
Report Type: Report
Length: 13 pages
Authors: Paul W. Parfomak, Specialist in Energy and Infrastructure Policy
Source Agency: Congressional Research Service
Summary:

The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyber infiltration of supervisory control and data acquisition (SCADA) systems could allow successful "hackers" to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations. In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector.

The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines. An April 2011 White House proposal and the Cybersecurity Act of 2012 (S. 2105) both would mandate cybersecurity regulations for privately owned critical infrastructure sectors like pipelines. A revised version of S. 2105, S. 3414, would permit the issuance of regulations but would focus on voluntary cybersecurity measures.

While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways:

Pipelines in the United States have been the target of several confirmed terrorist plots and attempted physical attacks since September 11, 2001.

Changes to pipeline computer networks over the past 20 years, more sophisticated hackers, and the emergence of specialized malicious software have made pipeline SCADA operations increasingly vulnerable to cyber attacks.

There recently has been a coordinated series of cyber intrusions specifically targeting U.S. pipeline computer systems.

TSA already has statutory authority to issue cybersecurity regulations for pipelines if the agency chooses to do so, but it may not have the resources to develop, implement, and enforce such regulations if they are mandated.

TSA maintains that voluntary standards have been effective in protecting U.S. pipelines from cyber attacks. Based on the agency's corporate security reviews, TSA believes cybersecurity among major U.S. pipeline systems is effective. However, without formal cybersecurity plans and reporting requirements, it is difficult for Congress to know for certain. Whether the self-interest of pipeline operators is sufficient to generate the level of cybersecurity appropriate for a critical infrastructure sector is open to debate. If Congress concludes that current voluntary measures are insufficient to ensure pipeline cybersecurity, it may decide to provide specific direction to the TSA to develop regulations and provide additional resources to support them, as such an effort may be beyond the TSA Pipeline Security Division's existing capabilities.