In coordination with the TSA, PHMSA issued an advisory to remind the industry of the importance of safeguarding pipeline facilities and monitoring SCADA systems for indications of unauthorized access or interference with pipeline operations.  This advisory was issued in response to October 11, 2016  attempts by unauthorized individuals to shut down major pipeline facilities in four states across the U.S.  Such activities endangered public safety by creating the potential for death, injury, serious infrastructure damage, and significant economic and environmental harm.  The individuals were arrested and face serious charges.  In the advisory, PHMSA highlights the need for increased awareness and vigilance by the industry and the public.

With respect to pipeline operators and owners, the advisory highlighted regulations that require certain pipeline facilities to be secured (e.g., 195.420(c) (duty to protect valves on liquid pipelines)); 195.436 (requirement to protect pump stations, breakout tank areas and other exposed facilities from vandalism and unauthorized entry); 192.179(b)(1) (duty to protect valves and opening devices from tampering and damage)).  In addition, PHMSA outlined the following recommendations to operators to safeguard and secure their pipeline facilities:

  1. ROW Security Patrols:  Advises operators to consider increasing frequency of security patrols of the ROW.  This may include the use of new technologies such as unmanned aerial systems (where authorized).  Suspicious behavior should be promptly forwarded to federal, state and local law enforcement.
  2. Protection of Facilities:
    a. Valve and facility protection measures: review existing measures and consider additional steps to secure these facilities, including making mechanical operation of valves more difficult without proper equipment.
    b. Signage:  use of deterrent signage that outlines potential consequences of a rupture and references PHMSA criminal liability provisions (49 CFR Part 190.291).
    c. Motion Sensors:  Consider equipping facilities with motion sensing cameras and/or motion detectors to alert control centers to tampering.
  3. SCADA:  Harden physical and software borders around SCADA systems to limit risks of physical and cyber intrusions, referencing DHS’s Industrial Control System Cyber Emergency Response Team guidance (Recommended Practice:  Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies).  Possible improvements include:
    a. Segregating control system network from the corporate network;
    b. Limiting remote connection ports to the control system and requiring token-based authentication to gain access;
    c. Adding physical protection around remote sites with SCADA network access;
    d. Enhancing user access control on SCADA system networks and devices and limiting access to critical system to individuals with a safety/business need;
    e. Employing application whitelisting and strict policies on peripheral devices (to include removable media, printers, scanners, etc.) connected to SCADA.
  4. Reporting:  Recommends reporting any physical security event that may interference with safe operation of a pipeline to the NRC (but only unclassified events).  Notes TSA’s recommendation that operators report security concerns or suspicious activities  to Transportation Security Operations by phone or email and recommends notifying DHS’s ICS-CERT if the operator has an Industrial Control System concern with a cyber security nexus by email or phone.

Finally, PHMSA reminds the public that those who willingly and knowingly attempt to injure or destroy a pipeline facility are criminally liable under the Pipeline Safety Act.  Individuals who observe suspicious activities are advised to contact local law enforcement, “if you see something, say something.”  Even though advisories do not set forth legal requirements, given the current highly charged and politicized oil and gas construction and operational environment, it may be prudent for owners and operators of pipeline facilities to reevaluate their physical and cyber security measures, with the above recommendations in mind.