Complying with TSA Pipeline Security Directives

Recent cybersecurity incidents have demonstrated that both U.S. public and private sectors are increasingly at risk of sophisticated, malicious cyber activity. To combat the increasing number of cyberattacks targeted at the Oil and Gas industry, the Department of Homeland Security’s Transportation Security Administration (TSA) issued four security directives in 2021-23. The TSA guidelines aim to increase the security posture of the owners and operators of US-based gas and liquid pipelines. 

The Latest Developments: What You Should Know

The TSA directives are applicable to operational oil and natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied natural gas facility operators.

TSA issued the first and second Pipeline Security directives in May 2021 and July 2021. These directives are known as the TSA Pipeline Security Directive 2021-02 series and require the owners and operators of pipeline systems to take specific actions to enhance pipeline cybersecurity. TSA’s second directive 2021-02B expired on July 26, 2022 and the TSA reissued a third directive that went into effect on July 27, 2022.

Most recently, TSA’s directive Security Directive Pipeline-2021-02D was renewed as of July 26, 2023, superseding previous versions in a continuation of the series of Pipeline Security Directives first published in July 2021. The renewed security directive takes a performance-based approach to enhancing security, allowing operators to leverage new technologies and be adaptive to changing environments to achieve the ultimate objective of cyber hardening critical Operational Technology (OT) and IT systems. The July 2023 updates to the directive are focused on testing and auditing of the cybersecurity measures required in the initial versions of the directive. The updates require pipeline operators to:

  • Annually submit an updated Cybersecurity Assessment Plan to TSA for review and approval. 
  • Annually report the results from previous year assessments, with a schedule for assessing and auditing specific cybersecurity measures for effectiveness. TSA requires 100% of an owner/ operator’s security measures be assessed every three years.  
  • According to the updated security directive, the five CIRP objectives identified by TSA for pipeline operators are containment, segregation, secure access to critical systems, integrity of backup data, and isolation of IT from OT systems. The directive requires that operators must test at least two of these Cybersecurity Incident Response Plan (CIRP) objectives, and report the findings to TSA each year. 

This fourth Security Directive continues to emphasize the need to invest in security solutions that can truly protect assets, showing a heightened focus on prevention as opposed to just detection and response. TSA pipeline security guidelines include requirements for access control, credential management, least privilege management, role-based access, multi-factor authentication (MFA), and the use of “compensating controls” to allow pipeline operators to embrace the latest innovations.

The Path Forward

Xage offers owners and operators of pipelines a holistic approach to meet TSA requirements without having to rely on multiple point solutions. The Xage Fabric cybersecurity mesh approach eliminates the need to “rip and replace” any existing Operational Technology (OT) to rapidly comply with TSA pipeline security directives. Xage is being deployed now by the owners/operators of U.S. pipelines to comply with TSA requirements, improve security posture, and defend against escalating cyberattacks targeting critical infrastructure.

Xage Fabric provides Zero Trust Access (ZTA) capabilities to secure all the interactions in, out, and across operational, enterprise, and cloud environments. The Xage Fabric creates policies that set an identity-based perimeter around each user, app, device, machine, and data stream. That policy is then enforced anywhere without having to change existing assets or networks.

Xage Fabric provides the required technical controls for protection, monitoring, and response across the entire operation to comply with the TSA security directives. Specifically, Xage provides the following capabilities to meet the key requirements specified in the TSA security directives:

  • Access and Credential Management: TSA continues to stress the criticality of access control and credential management. Xage enables granular identity-based access and credential management for all assets– including legacy assets – powered by its patented Xage Fabric. The Xage Fabric seamlessly overlays an operation to impose granular control over all interactions, without any disruptive changes to your assets or operational network.
  • Compensating Controls and Multi-layer MFA: For the many critical systems that lack their own strong security controls and/or security integrations, the Xage Fabric provides zero trust-based access control with support for multi-layer MFA to deliver the “compensating controls” required in the newest TSA directive. Xage’s multi-layer MFA capability combines zero trust with a defense-in-depth authentication strategy.
  • Secure Zones, Multi-hop Conduits and Asset-centric Segmentation: TSA requires operational environments to be segmented into zones, interconnected with secure, controlled conduits, to prevent contagion from zone-to-zone in the event of breach. The Xage Fabric acts as a mesh, enabling session and protocol termination at each Xage node. The mesh approach guarantees the security of cross-zone conduits between the nodes and ensures that there is no unauthorized access to assets from outside or within each zone.
Request Demo

Related Resources