Connect with us

Hi, what are you looking for?



TSA Updates Pipeline Cybersecurity Requirements

The TSA has released updated cybersecurity requirements for pipeline owners and operators, instructing them to test assessment and incident response plans.

The Transportation Security Administration (TSA) announced on Wednesday an update to its cybersecurity requirements for oil and natural gas pipeline owners and operators.

The security directive for pipeline owners and operators — released following the disruptive cyberattack that hit Colonial Pipeline in 2021 — requires them to implement measures to improve their defenses against cyberattacks.  

The TSA updated the requirements in July 2022 to offer more flexibility in achieving the outlined goals. Exactly one year later, the agency has released another updated version with additional requirements.

“Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans,” said TSA administrator David Pekoske. 

Specifically, owners and operators are now required to annually submit an updated cybersecurity assessment plan to the TSA for review and approval. 

They will also have to provide a schedule for assessing and auditing specific cybersecurity measures and submit an annual report with the results of the previous year’s assessment. 

Organizations have been required to develop and maintain a cybersecurity incident response plan. They will now have to annually test at least two objectives of that incident response plan. 

Advertisement. Scroll to continue reading.

There are also some changes related to organizations that don’t have any critical cyber systems. 

“Like the last version TSA’s update to its Security Directive for oil and natural gas pipeline cybersecurity focuses on performance-based, rather than prescriptive, measures. That, along with the fact that pipeline companies can incorporate these measures into their existing Cybersecurity Implementation Plans (CIP) to achieve the right outcomes while accommodating differences in systems and operations, shows strong progress in TSA’s support for the distinct needs of the sector and of individual companies,” said Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos.

“The update also gives owners and operators important flexibility to leverage various industry standards they already use—such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series. The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represent major improvements for all pipeline owners and operators.

“Given the increased audit language and reporting requirements in the updated regulation, we hope that TSA continues to align such requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities. We also hope that TSA continues to engage with private sector and industry experts as they update and revise the Security Directives moving forward,” Christopher added.

Related: TSA Requires Aviation Sector to Enhance Cybersecurity Resilience

Related: New TSA Directive Aims to Further Enhance Railway Cybersecurity

Related: Operations at US Natural Gas Facilities Disrupted by Ransomware Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.


Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.


CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.


TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.