Under the direction of the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) secures transportation systems in the United States, including oil and natural gas pipelines. The TSA Pipeline Security Guidelines are recommended best practices for protecting the more than 2.7 million miles of pipelines that transport natural gas, oil, and other hazardous materials across the U.S. from physical and cyber threats.

What are the TSA Pipeline Security Guidelines?

The TSA Pipeline Security Guidelines provide a unified approach to enhancing the physical security, cybersecurity, and resilience of the pipeline infrastructure, which is a critical part of the U.S. economy and national security. They cover various topics, including risk assessment, access control, pipeline cybersecurity, emergency response planning, and employee training.

The pipeline industry is a crucial part of the United States infrastructure, facilitating the transportation of essential resources such as natural gas, crude oil, refined petroleum products, and other hazardous materials in the energy sector. The industry consists of an extensive network of pipelines connecting production areas, refineries, storage facilities, and distribution centers.

Because pipelines are integral infrastructure, they are highly susceptible to physical and cyber threats that may disrupt their day-to-day operations. In response to the growing physical and cyber threat environments, the TSA developed the TSA Pipeline Security Guidelines, which replaced previous industry security practices. This is a concrete step by the U.S. federal government to secure a vital part of the nation’s critical infrastructure.

Corporate Security Program

One of the critical components of these guidelines is that pipeline operators should establish and implement a risk-based corporate security program. This program should address and document the organization’s policies and procedures for managing security-related threats, incidents, and responses.

Pipeline operators under this program conduct a criticality assessment, and if critical facilities are found, they should conduct a security vulnerability assessment (SVA) and adopt security measures as needed. Baseline security measures should be adopted at all facilities.

This program recommends developing and maintaining a cyber/Supervisory Control and Data Acquisition (SCADA) security plan or incorporating cyber/SCADA measures.

Risk Management

The next key component of the TSA Pipeline Security Guidelines is to employ a risk management process utilizing analysis and assessment methodologies. These include:

Criticality

Because the pipeline system in the United States is so vast, these guidelines include a section on criticality. This helps organizations determine which pipeline facilities are critical to ensure that reasonable security risk reduction measures are implemented to prevent service disruptions to critical infrastructure and the public.

Criticality is differentiated for the three major types of pipeline: natural gas distribution, natural gas transmission, and hazardous liquid transmission. Critical facilities may include:

  • Pipeline interconnections
  • Metering and regulating systems
  • Pump stations
  • Compressor stations
  • Operational control facilities
  • Mainline valves
  • Tank farms and terminals

Facility Security Measures

Once risk analysis is complete, pipeline operators can identify mitigation measures for critical and non-critical facilities. This section includes baseline and enhanced security measures that can be applied at all facilities and site-specific security measures for more specific locations. These security measures can include:

  • Facility Security Controls: Fencing and barriers, gates, locks and key controls, lighting, etc.
  • Personnel Security Controls: Access controls, personal I.D. and badging, background investigations, etc.
  • Employee Training and Management: Communication, personnel training, drills and exercises, security incident procedures
  • Equipment Management: Intrusion detection and monitoring, equipment maintenance and testing, design and construction

Cyber Asset Security Measures

Even though the pipeline industry is technically a physical infrastructure, operational technology (O.T.) plays a large part in managing the infrastructure, its products, and the industrial control systems (ICS). O.T. includes control systems, measurement and telemetry systems, and other information technology, collectively called “pipeline cyber assets.”

This guideline section outlines security measures for the pipeline cybersecurity framework, organized according to functions and categories presented in the NIST framework. These measures include:

Who Must Comply with the TSA Pipeline Security Guidelines?

The TSA Pipeline Security Guidelines apply to owners, operators, and stakeholders of pipeline systems throughout the United States. Specifically, individuals responsible for the operation, maintenance, and security of pipelines transporting natural gas, oil, and other hazardous materials should be well-versed in these guidelines.

Included with the large pipeline operators are pipeline systems of smaller sizes and complexities, like interstate and intrastate pipelines, distribution systems, and even storage facilities connected to pipeline systems and the natural gas industry. The guidelines aim to provide a comprehensive set of best practices and recommendations that can be adapted to any pipeline operation.

Since these are guidelines and not regulatory standards, participation is mainly voluntary. However, the TSA Pipeline Security Guidelines are a widely accepted framework that is considered reasonable and prudent for pipeline security and that mitigates security risks and potential liabilities.

Updated Cybersecurity Measures

In May 2021, Colonial Pipeline, a southern American oil pipeline, suffered a massive cyber incident disrupting the supply chain for natural gas. This ransomware attack impacted computerized equipment managing the pipeline, resulting in a halt of all pipeline operations, southern fuel shortages at local airports, and panic buying among consumers at filling stations. Additionally, the FBI administered a $4.4 million ransom to restore the system, which still took six days and during which Georgia Governor Brian Kemp and U.S. President Joe Biden both declared a state of emergency.

After this high-profile cyber attack in the pipeline industry, the Department of Transportation and TSA issued new security directive revisions to critical pipeline owners and operators to implement urgently needed cybersecurity requirements. One of the references for the security directive and its guidelines is the Cybersecurity Framework Implementation Guidance provided by the U.S. Department of Energy (DOE).

Developed alongside the Cybersecurity and Infrastructure Security Agency (CISA), this TSA security directive requires TSA-specified owners and operators of pipeline systems to take specific steps to enhance their cybersecurity infrastructure, which are listed below.

Cybersecurity Implementation Plan

Pipeline owners and operators must implement cybersecurity measures across their critical cyber systems. These measures are designed to prevent operational disruption to the pipeline, system, supply chain, etc. These measures include:

Cybersecurity Incident Response Plan

TSA-specified owners/operators of pipelines must develop and maintain a cybersecurity incident response plan. This plan should identify an individual responsible for implementing the specific measures to help pipelines recover from a cybersecurity incident (data breach, unauthorized access, etc.), including:

  • Prompt containment of an infected server or device
  • Segregation of an infected device or network
  • Security of backup data
  • Capability to isolate the Information and O.T. systems in the event of a cybersecurity incident to prevent operational disruption
  • Exercises to test the effectiveness of all policies, procedures, and personnel involved in the plan

Cybersecurity Assessment Plan

The pipeline security directive also indicates that organizations should develop a cybersecurity assessment plan that proactively assesses and audits cybersecurity measures. This is an ongoing assessment that may be repeated periodically and includes the following:

  • Assess the effectiveness of the TSA-approved cybersecurity incident plan
  • Cybersecurity architecture design review (at least once every two years)
  • Incorporate other assessments (Penetration testing, etc.)
  • Identify a schedule for assessing and auditing specific cybersecurity measures.
  • Develop an annual report with the results of the assessment.

Prioritize Your Organization’s Cybersecurity with UpGuard

Even if your organization is not part of the pipeline industry in America, you can take steps today to manage your external attack surface with confidence using UpGuard.

UpGuard BreachSight is an all-in-one platform that helps you understand the risks impacting your external security posture, so you can rest assured that your assets are constantly monitored and protected.
