The Transportation Security Administration (TSA) announced on Wednesday an update to its cybersecurity requirements for oil and natural gas pipeline owners and operators.
The security directive for pipeline owners and operators — released following the disruptive cyberattack that hit Colonial Pipeline in 2021 — requires them to implement measures to improve their defenses against cyberattacks.
The TSA updated the requirements in July 2022 to offer more flexibility in achieving the outlined goals. Exactly one year later, the agency has released another updated version with additional requirements.
“Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans,” said TSA administrator David Pekoske.
Specifically, owners and operators are now required to annually submit an updated cybersecurity assessment plan to the TSA for review and approval.
They will also have to provide a schedule for assessing and auditing specific cybersecurity measures and submit an annual report with the results of the previous year’s assessment.
Organizations have been required to develop and maintain a cybersecurity incident response plan. They will now have to annually test at least two objectives of that incident response plan.
There are also some changes related to organizations that don’t have any critical cyber systems.
“Like the last version TSA’s update to its Security Directive for oil and natural gas pipeline cybersecurity focuses on performance-based, rather than prescriptive, measures. That, along with the fact that pipeline companies can incorporate these measures into their existing Cybersecurity Implementation Plans (CIP) to achieve the right outcomes while accommodating differences in systems and operations, shows strong progress in TSA’s support for the distinct needs of the sector and of individual companies,” said Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos.
“The update also gives owners and operators important flexibility to leverage various industry standards they already use—such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series. The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represent major improvements for all pipeline owners and operators.
“Given the increased audit language and reporting requirements in the updated regulation, we hope that TSA continues to align such requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities. We also hope that TSA continues to engage with private sector and industry experts as they update and revise the Security Directives moving forward,” Christopher added.
Related: TSA Requires Aviation Sector to Enhance Cybersecurity Resilience
Related: New TSA Directive Aims to Further Enhance Railway Cybersecurity
Related: Operations at US Natural Gas Facilities Disrupted by Ransomware Attack

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
