DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators

by Stuart King

In response to the recent Colonial incident, the TSA this week issued “Security Directive (SD) Pipeline-2021-01: Enhancing Pipeline Cybersecurity.” Pipeline Owner/Operators of facilities deemed by the TSA to be critical will have been, or are in the process of being, notified that the Directive applies specifically to them.


The Directive mandates three “critical” actions focused on cybersecurity governance, incident reporting, and risk assessments:

  1. Owners and Operators must report security incidents to CISA

  2. A cybersecurity coordinator must be appointed by the Owner/Operator and available 24/7

  3. Owners/Operators must assess their cybersecurity practices against TSA’s 2018 Pipeline Security Standards


While the Directive doesn’t state anything groundbreaking in terms of what it expects, achieving the mandate and making the key components (risk assessments, gap analysis, and incident response) operational, in both a timely and effective manner, is likely to be challenging for some organizations.


The Directive allows only 30 days from the date of issue to complete the self-assessment and gap analysis. Given the broad scope of the Guidelines, this is a major task that requires a good degree of situational awareness of critical asset management and associated security controls, ranging from access management to monitoring.

aeSolutions has a proven track record in assessing and mitigating cybersecurity risks for pipeline operators, and a tried-and-tested approach with the aeCyberPHA® (Cyber Process Hazards Analysis) methodology. Contact us to learn how we can help you review your current practices to identify gaps and related remediation measures, address cyber-related risks, and report those results in the TSA form.


We are uniquely experienced in helping companies develop ICS security programs, frameworks, policies, and practices. Learn more about our entire suite of services at aeCyberSolutions.com, where we apply a risk-driven, consequence-based approach to everything we do.



Pipeline Cybersecurity: State of the Industry and Proposed Roadmap


2.6 million miles of pipelines deliver trillions of cubic feet of natural gas and hundreds of billions of tons of liquid petroleum products each year in the US. This infrastructure is largely operated by industrial control systems, typically referred to as SCADA systems, that are interconnected through an extensive combination of wired, wireless, public, and private networks. While there are voluntary standards and guidelines, there is currently no US regulation that encompasses cybersecurity for the pipeline sector. As such, the cybersecurity maturity of the pipeline sector is generally behind other energy sectors and there is wide variability in the cybersecurity readiness of pipeline operators.

This webinar will discuss the current state of pipeline cybersecurity, the challenges facing the sector, and the available standards and guidance. Afterwards, we present a recommended roadmap for pipeline operators based on findings from over 80 pipeline cybersecurity assessments performed over the last 7 years.


Watch Recording: https://aecyber.podia.com/pipeline-cybersecurity-state-of-the-industry-and-proposed-roadmap