Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog


The Implications of DHS-TSA Directive Pipeline 2021-1

The Department of Homeland Security has issued key guidance for oil and gas operations in the wake of recent cyberthreats. Here are three practical ways to disrupt attack paths in your OT infrastructure. 

The oil and gas industry heavily depends on automation for a variety of different operations. The symphony of operations required to find, extract, refine, mix, collaborate and ultimately deliver oil and gas all rely on operational technology (OT) infrastructure.

Recent disruptions in critical infrastructure OT environments, including the Colonial Pipeline incident, have underscored the susceptibility of critical infrastructure to cybersecurity vulnerabilities, threats and potential outages. 

Other attacks against the oil and gas sector include:

  • February 2020 - A cyberattack was launched against a natural gas facility concurrently encrypting both the IT and OT networks and locking access to the human-machine interface (HMI), data historians and polling servers. The pipeline was forced to shut down for two days.

  • December 2018 - An Italian oil and gas industry contractor fell victim to a cyberattack that hit servers based in the Middle East, India, Scotland and Italy.

  • April 2018 - A cyberattack on a shared data 
network forced four U.S. natural-gas pipeline operators to temporarily shut down computer communications with their customers.

  • August 2017 -  A Saudi Arabian oil and natural gas facility was shut down by the Xenotime group of hackers.

The DHS- TSA 2021-1 Pipeline Directive

On May 28, 2021, the U.S. Department of Homeland Security (DHS) - Transportation Security Administration (TSA) issued Security Directive 2021-1 specifically for pipeline operations. While other oil and gas industry standards have previously been enacted (see list below), this directive was issued due to an ongoing security threat to U.S. pipeline operations. It represents an important inflection point in securing critical infrastructure environments that might otherwise be at risk.

Security Directive Pipeline 2021-1 gives guidance to pipeline operators in three key areas:

  1. Owners and operators of pipeline operations must report security incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

  2. A cybersecurity coordinator must be assigned and available 24/7 to coordinate security practices, meet specific requirements outlined in the directive and react when incidents occur.

  3. Oil and gas facilities must assess their current cybersecurity practices and activities to address cyber risks against the TSA's 2018 Pipeline Security Guidelines, identify gaps between their current cybersecurity practices and those listed in the guidelines, and develop remediation plans to fill those gaps. 

Key standards relevant to the oil and gas industry

National Institutes of Standards and Technology (NIST) Cybersecurity Framework (CSF): The pre-eminent framework adopted by companies in all industry sectors. Natural gas and oil companies increasingly orient enterprise-wide programs around NIST CSF.

International Electrotechnical Commission (IEC) 62443. Family of standards for industrial control systems (ICS) security. Widely adopted by the production segment of the natural gas and oil industry. Applicable to any type of natural gas and oil ICS.

API Standard 1164: Content unique to pipelines not covered by the NIST CSF and IEC 62443.

Department of Energy Cybersecurity Capability Maturity Model: Voluntary process using industry-accepted best practices to measure the maturity of an organization's cybersecurity capabilities and strengthen operations.

International Organization for Standardization (ISO) 27000: Leading standard providing requirements for an information security management system (ISMS).

Three Key OT Security Best Practices to Reduce Risk

While the DHS-TSA 2021-1 Directive highlights key needs relevant to oil and gas operators, the biggest challenge for most organizations is how to operationalize the three key components of the directive:

  • identifying risk; 

  • rooting out gaps in security; and

  • mitigating incidents when they occur. 

Here are three key OT security best practices we believe should be implemented thoroughly and with urgency to secure pipeline operations and keep them resilient.

  1. Gain visibility and deep insight. The oil and gas industry requires synchronized operations across the entire infrastructure as well as access to credentials by a wide, heterogeneous audience. Active Directory (AD) occupies a key role here and, in the case of Colonial Pipeline, the ransomware attack took advantage of this attack vector. Individuals that utilize AD may include authorized employees, partners, agents and subcontractors. Access requirements may extend beyond the actual plant to offsite and remote drilling locations or pipelines across the globe. Consequently, it is essential to maintain access and configuration control that spans from the main facility to all locations, regardless of how remote or distributed they are. The OT security solution must always have the intelligence of individual devices at all locations, including but not limited to programmable logic controllers (PLCs), HMI controllers, engineering stations, networking equipment, gateways and any other devices critical to  regular network operations. Deep knowledge, including visibility into all types of devices, patch levels, firmware versions and backplane information, is essential. It is also critical to account for dormant devices that are not communicating regularly over the network.

  2. Identify threats. While the OT operations of oil and gas providers were once isolated, today they are connected to IT and are accessible anywhere. This convergence creates an environment that can impact the integrity of oil exploration, extraction, refining and delivery. The elimination of air gapping enables bad actors to penetrate parts of the operations environment from either the IT or the OT side. To identify a variety of suspicious behaviors it is essential to leverage three detection engines:

    • Traffic mapping and traffic visualization to identify and alert against communication attempts from external sources, in addition to devices that should not be talking to one another.

    • Anomaly detection to pinpoint traffic patterns that are outside of the regular network operation.

    • Signature-based detection to identify known threats which are used by attackers.

  3. Close vulnerabilities faster. Most oil and gas environments contain a mix of older devices typically not found in IT environments. With various patch levels across each device type, it is difficult to maintain an up-to-date patch management program. Because oil and gas environments may not have frequent or long enough  maintenance windows, known vulnerabilities may not be patched for an extended time period. It's critical to maintain deep awareness of the state and characteristics of all devices. This includes accurate matching between specific device conditions and the available vulnerability knowledge base that has associated exploits. Because of the dynamic nature of oil and gas environments, this body of knowledge must be kept in sync with newly discovered vulnerabilities. Tenable's Vulnerability Priority Rating (VPR), for example, can provide a triaged list of vulnerabilities from most-  to least-serious, based on a variety of factors such as Common Vulnerability Scoring System (CVSS) score, vulnerability severity and exploitability,  and much more. 

In Summary

OT cybersecurity is now widely recognized as a core ingredient to ensuring a reliable, efficient and safe critical infrastructure that society relies on. You need full visibility, security and control into all of your operational assets. Best-in-class approaches to OT security are more critical than ever both with respect to complying with existing  standards as well as this newly released DHS directive, but also as part of a duty of care to our communities. Constantly changing threat conditions require deep situational awareness in real time, both at the network and devices level. Situational awareness should be updated regularly and kept in sync with newly discovered vulnerabilities, threats and gaps. Any deviation must be captured in real time and documented. Full paper trails, capturing all changes to the environment, are essential. Capturing and maintaining this detailed information can help speed incident response, highlight and prioritize newly discovered vulnerabilities and demonstrate proactive compliance both internally and to the required compliance organizations.

Learn more:

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.


Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.