Pipeline operations are essential for the transportation of oil, gas, and other critical resources and, in light of recent cyber threats and incidents, the security of pipeline operations is increasingly under the microscope. As cybersecurity threats grow more sophisticated, securing Operational Technology (OT) systems, which control the physical infrastructure of pipelines, has become paramount.
In the United States, the Transportation Security Administration (TSA) has jurisdiction over pipeline security and issued mandatory cybersecurity directives in 2021 following the Colonial Pipeline ransomware attack that demonstrated how a single cyber intrusion could disrupt fuel distribution along the East Coast, resulting in widespread operational and economic consequences. These directives have been updated several times since 2021 in response to feedback from pipeline operators.
In November 2024, TSA issued a Notice of Proposed Rulemaking (NPRM) that aims to formalize TSA’s existing cybersecurity directives while incorporating the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) and the cross-sector cybersecurity performance goals established by the Cybersecurity and Infrastructure Security Agency (CISA). Most recently, the US Congress Committee on Homeland Security issued a letter to the TSA acting administrator requesting clarification on TSA’s cybersecurity posture and regulatory framework.
This article explores what OT professionals need to know about the TSA’s directives, the NPRM, and the Homeland Security Committee’s letter, and how all of this may impact pipeline operators and the industry’s approach to cybersecurity.
Understanding TSA’s Pipeline Security Directives
The TSA Pipeline Security Directives, initially issued in 2021 and updated annually, outlined critical measures to secure pipeline operations from cyberattacks, particularly in response to high-profile incidents like the Colonial Pipeline attack. These directives required pipeline operators to implement certain cybersecurity practices, including:
- Risk assessments of critical IT and OT systems.
- The implementation of local and remote access controls, network segmentation, patch management, monitoring & detection, and incident response plans.
- Cybersecurity training for personnel involved in pipeline control and operations.
These measures were essential for addressing vulnerabilities in pipeline control systems, especially those dependent on OT systems.
The 2024 NPRM: A Shift Toward OT-Centric Cybersecurity
The 2024 NPRM from the TSA represents a significant shift in regulatory focus. The updated rules explicitly recognize that OT systems are a primary target for cyberattacks and need enhanced protection. Some key changes include:
- Stronger Focus on OT Systems: The 2024 NPRM expands on previous directives by specifically addressing the cybersecurity of OT systems, which are often more vulnerable due to their long lifecycle, legacy systems, and lack of frequent updates. The rules call for comprehensive Cybersecurity Risk Management Programs (CRMPs) that integrate IT and OT cybersecurity efforts to provide a more holistic security approach.
- Risk-Based Cybersecurity: The TSA’s 2024 NPRM emphasizes risk-based assessments for OT systems, requiring operators to assess threats and vulnerabilities in their critical control systems and consider the consequences of compromise. This aligns with established standards such as ISA/IEC 62443 and NIST 800-82, which focus on the cybersecurity of industrial control systems (ICS) and industrial networks.
- Continuous Monitoring and Reporting: The 2024 NPRM mandates continuous monitoring of OT systems for real-time threat detection. This will help operators quickly identify and respond to cyber threats before they can compromise pipeline operations. Additionally, operators are required to report cybersecurity incidents to the TSA and other agencies within a set time frame (e.g., 24 hours).
- Supply Chain Security: Recognizing that cyberattacks often come through third-party vendors, the new rules require pipeline operators to implement supply chain security measures to reduce the risk posed by external partners and vendors.
Broader Scope of Covered Pipeline Operators in the NPRM
One of the most significant differences between the 2021 TSA directives and the 2024 NPRM is the broadened scope of covered pipeline operators.
Under the 2021 directives, the TSA focused primarily on critical pipeline systems, particularly those considered high-risk due to their impact on national security or public safety. This included major operators that control large pipeline systems and networks transporting vital resources across long distances. The 2021 directives had a more limited focus, applying to a relatively smaller group of high-priority operators.
In contrast, the 2024 NPRM is expected to expand the coverage to include more small operators and those operating less critical pipeline systems. This broader inclusion is intended to ensure that cybersecurity standards are applied more uniformly across the industry, regardless of the size or perceived importance of the pipeline system. Smaller operators, who may have fewer resources or cybersecurity expertise, will now be required to follow similar risk management practices, continuous monitoring, and incident reporting procedures.
This expanded scope means that a wider range of pipeline operators—whether large or small—will need to upgrade their cybersecurity practices to meet the new regulatory requirements. For OT professionals working in these smaller or less critical systems, the 2024 NPRM will bring new compliance responsibilities, including developing and implementing robust cybersecurity measures for their OT environments.
The Letter from Committee on Homeland Security to TSA
The letter dated March 6, 2025, from the Committee on Homeland Security (CHS) to the Transportation Security Administration (TSA), requests clarification about TSA’s cybersecurity posture and regulatory framework. The CHS emphasizes the importance of robust cybersecurity measures to protect national transportation infrastructure and names several recent incidents, such as the CrowdStrike faulty software update in July 2024, the August 2024 cyber incident at Seattle-Tacoma International Airport that disrupted TSA screening operations, and general concerns about the People’s Republic of China (PRC) cyber actor known as Volt Typhoon.
The letter requests responses to questions on TSA’s current cybersecurity strategies and plans for future improvements. It underscores the need for collaboration between TSA and other federal agencies to enhance the overall security framework and emphasizes that TSA’s cybersecurity framework must be agile enough to respond to multiple simultaneous cyber incidents without compromising operational continuity.
The letter also raises concerns that TSA’s approach may impose additional requirements on entities already facing a complex cyber regulatory landscape and cautions that a rigid or overly burdensome approach could lead to operational challenges, while insufficient oversight might leave critical vulnerabilities unaddressed. It advocates for continuous engagement with industry partners, regular assessments of existing directives, and flexibility to adapt policies in response to emerging threats and technological advancements.
TSA’s response to the letter is due March 27, 2025, so, at the time this article was written, responses have not been provided.
What Does All of This Mean for OT Professionals?
For OT professionals working in the pipeline industry, the TSA’s 2021 directives, the 2024 NPRM, and the CHS letter signify a shift toward a more proactive cybersecurity posture. Here are the key takeaways for OT professionals:
- Increased Focus on OT Systems: The 2024 NPRM places OT systems at the heart of pipeline cybersecurity efforts. OT professionals must ensure their control systems are secure from cyber threats through regular risk assessments, patch management, and system updates.
- Broader Applicability: With the expanded scope of covered pipeline operators, OT professionals in smaller organizations and those managing less critical systems will now need to implement the same cybersecurity standards as large operators, ensuring more consistent security across the industry.
- Collaboration with IT Teams: The 2024 NPRM emphasizes the integration of IT and OT cybersecurity efforts. OT professionals should work closely with IT teams to ensure that the full pipeline infrastructure is protected against cyber threats.
- Training and Awareness: Continuous training for OT personnel on recognizing and responding to cyber threats is a key component of the proposed rules. OT professionals should ensure their teams receive specialized training, continuous education, and readiness initiatives so they are prepared to handle potential security incidents.
Conclusion: A Collaborative Effort for Stronger Security
As cybersecurity threats to OT systems grow more sophisticated, pipeline operators and OT professionals must take proactive measures to secure their critical infrastructure. The 2024 TSA NPRM provides a roadmap for achieving stronger cybersecurity defenses, with a particular emphasis on OT systems. By integrating cybersecurity best practices, collaborating across teams, and following regulatory guidance, OT professionals can play a crucial role in safeguarding the integrity and reliability of pipeline operations.
For pipeline operators, the road ahead requires a more strategic, risk-based approach to cybersecurity—one that addresses the vulnerabilities inherent in OT systems and ensures pipeline safety and resilience in the face of evolving threats. With the expanded scope of covered pipeline operators, the entire industry must work together to meet these challenges and build a more secure future for pipeline operations.