Last week Rep. Cleaver (D,MO) introduced HR 3699,
the Pipeline Security Act. The bill would specifically make the Transportation
Security Administration (TSA) responsible for cybersecurity and physical
security oversight for gas and hazardous liquid pipelines. It would also
establish a Pipeline Security Section within the TSA.
Cybersecurity Responsibility
Section 2 of the bill would amend 49
USC 114(f), Additional Duties and Powers, to add a new paragraph (16) that
would provide for TSA responsibility “relating to securing pipeline
transportation and pipeline facilities (as such terms are defined in section
60101 [link added] of this title) against cybersecurity threats (as such
term is defined in section 102 of the Cybersecurity Information Sharing Act of
2015 (Public Law 114–113; 6
U.S.C. 1501 [link added])), an act of terrorism (as such term is defined in
section 3077 of title 18), and other nefarious acts that jeopardize the
physical security or cybersecurity of such transportation or facilities”. The
reliance on the §1501
definition for ‘cybersecurity threats’ would specifically include control
systems in the cybersecurity responsibilities.
Pipeline Security Section
Section 3 of the bill would amend the Implementing
Recommendations of the 9/11 Commission Act of 2007, by adding a new §1209. That section
establishes within TSA “a pipeline security section to carry out pipeline
security programs in furtherance of section 114(f)(16) of title 49 [as added by
this bill], United States Code” {new §1209(a)}.
The section would oversee the security of pipeline facilities against
cybersecurity threats, terrorist attacks and “other nefarious acts that
jeopardize the physical security or cybersecurity of such transportation or
facilities” {new §1209(b)}.
The Pipeline Security Section would be headed by someone
with “knowledge of the pipeline industry and security best practices” {new §1209(c)} and it would “be
staffed by a workforce that includes personnel with cybersecurity expertise.”
The Section would be tasked with {new §1209(d)}:
• Developing guidelines for improving the security of
pipeline transportation and pipeline facilities against cybersecurity threats,
an act of terrorism, and other nefarious acts that jeopardize the physical
security or cybersecurity of such transportation or facilities;
• Updating such guidelines as necessary based on
intelligence and risk assessments, but not less frequently than every three
years;
• Sharing of such guidelines and, as appropriate,
intelligence and information regarding such security threats to pipeline
transportation and pipeline facilities, as appropriate, with relevant Federal,
State, local, Tribal, and territorial entities and public and private sector
stakeholders;
• Conducting security assessments based on the
guidelines developed above;
• Carrying out a program to inspect pipeline
transportation and pipeline facilities, including inspections of pipeline
facilities determined critical by the Administrator; and
• Preparing notice and comment regulations for
publication, if determined necessary by the Administrator.
Moving Forward
Cleaver is a member of the House Homeland Security Committee
and his influence has apparently been sufficient to have this bill considered
in Committee in a markup
hearing tomorrow. I suspect that there will be bipartisan support for this
bill in Committee. If there is sufficient bipartisan support, this bill could
move to the House floor under the suspension of the rules process. The
relatively strong bipartisan support would be necessary there due to the
requirement for a supermajority to pass under those provisions.
Commentary
There are a couple of problems with this bill. The first is
that there is no mention of the Department of Transportation as a cooperative
party in any of the provisions in the bill. DOT in general and the Pipeline and
Hazardous Materials Safety Administration have a major stake in the safe
operation of gas and hazardous liquid pipelines. Existing federal law (6
USC 1207 for example) already requires that DHS consult with DOT on
inspections, guidance development and crafting of security regulations. Those
requirements should be referenced in this bill.
Safety and security go hand-in-hand, especially where
emergency response activities are involved. And that is another problem with
this bill: there is no mention of emergency response planning or exercises. A
security plan that does not include failure mode mitigation is one that is
going to end up doing a great deal of harm if a dedicated attacker is involved.
Furthermore, I do not understand why there is no mention of
existing TSA pipeline security requirements in the §1209(d) outlining of responsibilities for the Pipeline
Security Section. I have already mentioned 6 USC 1207, but 6
USC 1208 lists more existing TSA pipeline security requirements.
Furthermore, §1208
already addresses the need for emergency response planning for security incidents.
The new §1209 in
this bill should reference these requirements as part of the responsibilities
of the new Pipeline Security Section under paragraph (d).
Finally, there are no information sharing provisions in this
bill. There should probably be a subparagraph in the new §1209(d) requiring the
establishment of a security incident (to specifically include cybersecurity
incidents) reporting system. It is probably too much to ask to make such
reporting mandatory (though to be most effective it would have to be mandatory),
but even voluntary information reporting with anonymized sharing of the
information with other operator/owners could be valuable.
1 comment:
A Pipeline Security section within DHS? What a novel idea! Back to the future again. With all the endless reorgs and renaming and personnel shuffling...maybe we could even get back to having a national Pipeline Security Summit once again, or is that too much to hope for???