TSA Pipeline Security Guidelines – Navigating Change to Protect Critical Assets

American pipeline operators are at the forefront of efforts to protect domestic oil and gas infrastructure under the Transportation Security Administration’s (TSA) ever-evolving pipeline security initiatives. Since September 11, 2001 the Department of Transportation (DOT) and other federal agencies have also worked to develop and communicate security- related best practices and guidance to pipeline owners and operators. The TSA’s Office of Security Policy and Industry Engagement’s Surface Division has repeatedly published updated iterations of the  Pipeline Security Guidelines as the agency works with operators to address known and emerging threats (both cyber and physical) against millions of miles of pipeline infrastructure and proprietary operations. Protecting against new threats and staying on top of constantly changing security guidance requires agility. Pipeline operators must adopt a continuous improvement ethos that supports infrastructure, efficiency and human capital improvements across their organizations and the industry.

A New Frontier, Many New Guidelines

The Guidelines – previously known as the “Pipeline Security Information Circular” and “Pipeline Security Contingency Planning Guidance” – were first released by DOT in 2002. In 2010, TSA issued its initial version of the Pipeline Security Guidelines. Since that time, TSA has published many other resources for operators:

• 2011 Guidelines, second iteration
• 2011, “Pipelines Security Smart Practice Observations”
• 2018, Guidelines, third iteration
• 2021, Security Directives 1 & 2
• 2021, Guidelines, fourth and current iteration

Through these efforts, the Department of Homeland Security  (DHS) and TSA – with the buy-in of operators and industry groups- have worked to secure America’s millions of miles of pipelines and related infrastructure from attacks by actors who attempt to disrupt the flow of energy through vulnerabilities on the ground or by using sophisticated cyber-attacks.

Ultimately, the use of the Guidelines is intended to help operators adopt a stronger and more resilient security posture through identifying and closing gaps, improving internal communication, and strengthening relationships with external partners across industry and emergency management to maintain the safe and dependable flow of energy.

Hitting a Moving Target

In addition to uniting the entire pipeline industry around a single set of goals, an evolving threat environment requires stakeholders to adapt, be creative and demonstrate agility to counter potential attacks. Due to the speed of changing technologies across the industry, threat actors have attempted to exploit (in some cases successfully) gaps in operators’ cyber and physical security programs to gain access to this critical infrastructure. While keeping up with continuous changes to regulatory guidance may seem onerous, frequent updates are necessary to meet evolving and sophisticated threats. Optimal management of internal processes, coordination of efforts across departments and stakeholders, project timelines, planning for a comprehensive security program and relying on support for interpretation and implementation of TSA guidelines can help protect critical assets.

Breaking Down Silos, Building Up Security

Across a pipeline operation, multiple departments are often responsible for the health and maintenance of the various systems involved. These may include groups such as Information Technology, Cyber Security, Enterprise Security, Legal Counsel, Integrity Management, Emergency Management, Asset Class Managers, Government Affairs, Public Relations, Customer Accounts, Metering and Regulation, Geographic Information Systems, Risk Management, Ethics and Compliance, and the executive team. Each is engaged and responsible for myriad tasks each day and has their own operational goals. Security, though, needs to be a priority goal for every department and individual in each organization. With each group focused on its established priorities, it can be difficult to assign additional tasks and goals, especially if they are in a state of flux. Prioritizing security across departments and developing a coordinated planning and security and emergency management program that engages each group in a collaborative manner is crucial to protecting pipeline operations.

Left Hand, Meet Right Hand

Pipeline Operators must interpret and apply the TSA’s most recent version of the Guidelines to include:

• System reviews for facility and system criticality determination
• Gap analyses between current operations and baseline or enhanced measures as required by the Guidelines
• Identification and assessment of operational impacts
• Assistance in responding to TSA’s most recent request for information
• Development of high-level planning and budgetary estimates for reaching full compliance
• Interpreting the requirements to support compliance while minimizing disruptions and costs

Operators must also work to develop an approach within their risk tolerance and culture, to build consensus across internal and external silos, to achieve meaningful enhancements to the cyber and physical security of their sites and systems, and to enhance their operational resilience.

Pipeline Industry Leaders with an Eye to the Future

As the pipeline industry deals with myriad challenges in the energy, environment, and security realms, TRC can be a trusted partner to guide your organization into a more resilient, sustainable, and secure future. Navigating a changing regulatory landscape, enhancing the security and safety culture throughout an organization, and giving staff, customers, and stakeholders peace of mind all contribute to ongoing success.

For more information, please contact Bill Hawk (Cybersecurity) at 512-694-0426 or Larry Fitzgerald (Physical Security) at 207-620-4452.