Navigating the new TSA directive for pipelines (and other future industry targets) – Lessons learned from a regulated industry

The recent increase in ransomware events, coupled with one of the targets being a large pipeline company, has compelled the TSA to issue a new cyber security directive. This means many OT organizations are now scrambling (some more than others) to stand up a multi-disciplined security program for a very diverse, distributed OT environment. This looks and feels a lot like what the power industry was confronted with when NERC CIP was first introduced, so we, as security practitioners, can learn a great deal from an industry that has already run down this path. Challenges in understanding scope, standing up multiple security initiatives, organizational changes for responsibility, maintenance and response activities and, most notably, day-to-day maintenance and compliance can be significant obstacles for operating companies to overcome.

Join Verve’s VP Solutions Rick Kaun as he reviews a number of security learnings around setting up and maintaining an OT security compliance program such as:

  • A multi-disciplined approach is key – treating individual security tasks as silos will create gaps, increase effort and decrease efficiency
  • Remediation is a key consideration – simply mapping vulnerabilities or enabling perimeter/network monitoring is just a drop in the bucket. Organizations need to be able to reduce risk and attack surface as well as react to emerging situations
  • Monitoring – as risk is reduced and new threats emerge, the current risk status is always in flux. Being able to monitor and report on current status, track changes to the threat landscape and show progress/compliance are key components of a sustainable program
  • Automation – the more of these tasks and insights that can be automated, the better. OT staff are spread too thin, and traditional OT risk reduction approaches are far too manual to provide meaningful and consistent risk management
