(Adds comment from Homeland Security)
By Timothy Gardner
WASHINGTON, Dec 19 (Reuters) - Two Democratic lawmakers urged the Department of Homeland Security on Wednesday to better protect U.S. oil and gas pipelines from cyberattacks, after a report they requested detailed a lack of federal oversight of the critical conduits.
The report released on Wednesday said Homeland Security’s Transportation Security Administration, or TSA, does not have a process to update its pipeline security guidelines to reflect revisions to standards considered by experts and regulators to be the industry bible on cybersecurity.
The standards on avoiding hacker attacks are the Cybersecurity Framework from the National Institute of Standards and Technology.
The report by the General Accountability Office, or GAO, the investigative arm of Congress, was requested by Senator Maria Cantwell and Representative Frank Pallone.
“Protecting our pipelines, and the people who live and work near them, must be a top priority for our government and I hope this report will prompt the Trump administration to start treating this challenge with the urgency it deserves,” Cantwell said in a release.
A DHS official said TSA is “extremely proud” of its work on pipeline cybersecurity, which has included the publication of security guidelines, information sharing, and analysis of pipeline security reviews.
The GAO issued 10 recommendations for the TSA including implementing a process for reviewing, and if necessary revising, security guidelines at regular intervals. DHS agreed with all the recommendations in the report.
Energy infrastructure has long been a target of hackers. Last week, hackers using a variant of the notorious Shamoon virus crippled more than 300 computers owned by Italian oil services company Saipem and brought down servers in the Middle East and India. The company did not know who conducted the strike, but an official at cybersecurity company CrowdStrike said he believed Iran was responsible.
The report on Wednesday found TSA relied on self-evaluations by the pipeline industry to determine whether operators have critical facilities in their systems that could be the target of hackers. The agency uses that classification in its calculations of the vulnerability of pipelines to cyberattacks.
As a result, operators for one third of the top 100 U.S. pipeline systems, based on volume, told the TSA they did not have critical facilities, and the TSA did not verify the self-evaluations, the report said.
The report also said TSA had not tracked the status of security review recommendations to pipeline operators for the past five years.
The vulnerability of gas pipelines to cyberattacks has been one argument that U.S. Energy Secretary Rick Perry, a Republican, has used to justify asking the Federal Energy Regulatory Commission to bail out aging nuclear and coal power plants, which do not depend on pipelines.
Cyber experts said Perry’s plan would not shield the grid from hackers because they have a wide array of options for hitting electricity infrastructure. FERC, an independent agency of the Department of Energy, rejected the Perry directive, but the issue could come up again.
Reporting by Timothy Gardner; editing by Peter Cooney and Leslie Adler