Is Regulatory Complexity Harming Pipeline Security?

By: Noah Vehafric

With the Transportation Security Administration releasing its first rules about pipeline cybersecurity, it is a good opportunity to take a look at the complex regulatory framework that pipeline operators face. 

Pipelines are a keystone of our infrastructure. Every year pipelines deliver trillions of cubic feet and billions of tons of liquid petroleum. Without the ability to move all of this fuel over such long distances, the American economy would be in a completely different place. That is why we saw such a strong reaction to the recent Colonial Pipeline cyberattack. There were fuel shortages and panic buying. People were trying so desperately to stock up on gasoline that they resorted to using plastic grocery bags (which gasoline decomposes), and the Consumer Product Safety Commission had to remind everyone.

The U.S. has no single “pipeline regulator” – and maybe there shouldn’t be, but what is clear is that there is a lot of “double dipping” in the oversight of pipelines.

Perhaps the main regulator of pipelines is the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA). PHMSA is charged with creating performance-based standards for pipeline design, construction, operation, maintenance and much more.  

Before a pipeline can be set into motion, applications for construction must be submitted to the Federal Energy Regulatory Commission (FERC). FERC is a pseudo-independent agency under the Department of Energy that is more concerned with the economics of pipelines. It looks to see if applications meet DOT guidelines. Once pipelines are operational, FERC regulates the interstate rates charged by providers and ensures market stability.

Back to the area of safety, the Occupational Health and Safety Administration (OSHA) also has oversight of pipeline worker safety; however, OSHA itself is unsure whether its jurisdiction is preempted by PHMSA.

When there are failures involving pipelines, PHMSA has jurisdiction over the investigations, unless the failure involved a fatality, in which case jurisdiction is kicked over to the National Transportation Safety Board (NTSB). And if it involves a cybersecurity-related matter, then it's also kicked over to the TSA and CISA.

This does not even touch on the environmental review of pipelines. The Environmental Protection Agency, FERC, OSHA, the Mineral Management Service, and the Fish & Wildlife Service all have competing claims.

This simplified description of pipeline regulation only covers the federal government’s oversight. There are state and local considerations as well. With pipelines being so critical to our economy and our national security – we need to evaluate the complexity that is involved with ensuring they are operating in a safe way.

Photo Credit: Mike Benna