Skip to main content
close search
site logo
Dive Brief

TSA revises cybersecurity requirements for oil and gas pipelines

The agency released performance-based requirements after extensive industry debate following the May 2021 Colonial Pipeline ransomware attack.

Published July 22, 2022
David Jones's headshot
Reporter
Courtesy of Colonial Pipeline Company
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • The Transportation Security Administration on Thursday issued revised cybersecurity directives for oil and gas providers more focused on performance-based measures, following extensive input from federal regulators and private industry stakeholders in the wake of the May 2021 ransomware attack on Colonial Pipeline.
  • The agency will require pipeline owners and operators to establish a cybersecurity implementation plan; develop an incident response plan to respond to attacks; and establish a longer-term assessment program to proactively test and audit cybersecurity measures. 
  • “The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” TSA Administrator David Pekoske said in the announcement. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.”

Dive Insight:

The industry previously pushed back on requirements issued during the immediate aftermath of the Colonial attack, which forced one of the nation’s largest oil pipelines to cease operations for almost a week. 

Industry officials complained those regulations demanded too much of a one-size-fits-all approach and failed to offer the flexibility required by individual pipeline operators to maintain a secure operational technology environment. 

“Since there are a multitude of ways a pipeline operator can set up its cybersecurity and pipeline system, any new security directive should allow the experts in the pipeline system — the operators — to determine the specific method of security to meet TSA’s objective,” the American Gas Association said last month. 

The requirements are intended to ensure TSA-specified owners and operators of pipelines and liquefied natural gas take measures to prevent their systems from being degraded and disrupted in the event of a security incident. TSA wants these organizations to: 

  • Establish network segmentation policies and controls to make sure OT can continue to safely operate if an information technology system is compromised. 
  • Develop access control measures to prevent unauthorized access to critical cyber systems.
  • Build continuous monitoring and detection procedures to detect threats and fix anomalies that can impact critical cyber operations. 
  • Apply security patches and updates to lower the risk of exploitation in operating systems, firmware, drivers and applications.
Filed Under: Policy & Regulation

Editors' picks

Company Announcements

View all | Post a press release
Abbott Laboratories Employees Credit Union (“ALEC”) Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Clay Platte Family Medicine Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Editors' picks
Latest in Policy & Regulation
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell