Introduction
The 2021 Colonial Pipeline ransomware attack marked a turning point in pipeline cybersecurity governance. Before the attack, US pipeline cybersecurity was almost entirely voluntary — the Transportation Security Administration (TSA) offered guidelines but imposed no mandatory requirements. The six-day disruption to fuel supply across the US East Coast, combined with the Biden administration’s emergency declaration, changed that calculus within weeks. TSA issued its first mandatory pipeline cybersecurity directives in May 2021, and the regulatory posture has continued to tighten since.
As of 2026, pipeline operators face a substantially changed compliance environment. This briefing covers the current regulatory requirements, the threat actors specifically targeting oil and gas OT infrastructure, and the technical controls that operators have found most effective.
The TSA Pipeline Security Directives
TSA has issued a series of security directives applicable to critical pipeline and liquefied natural gas (LNG) facility operators. The directives have evolved from prescriptive, short-term mandates toward a more risk-based performance framework.
Security Directive Pipeline-2021-01 (May 2021): Required owners and operators of critical pipelines to designate a cybersecurity coordinator reachable by TSA and CISA around the clock, to report cybersecurity incidents to CISA within 12 hours of identification, and to review their current practices against TSA's pipeline cybersecurity guidelines and report identified gaps and remediation plans to TSA and CISA within 30 days.
Security Directive Pipeline-2021-02 (July 2021): Required critical pipeline operators to implement specific mitigation measures, develop a cybersecurity contingency and recovery plan, and complete a cybersecurity architecture design review. The mitigation measures included: architecture reviews to determine whether adequate OT network segmentation exists; controls to prevent unauthorised access; continuous monitoring for cybersecurity threats; and patch management policies for OT systems.
Security Directive Pipeline-2021-02C (July 2022) and its annual renewals (02D, 02E and subsequent revisions): TSA replaced the prescriptive 2021 model with a performance-based framework that gives operators flexibility in how they meet specified security outcomes. Key required elements include:
- Cybersecurity implementation plan — documenting how the operator achieves each required security outcome
- Cybersecurity assessment plan — a plan for evaluating the effectiveness of the implementation plan, with assessment results reported to TSA annually
- Incident response plan — OT-specific procedures, separate from IT incident response
- Network segmentation — documented controls preventing IT/OT lateral movement
- Access control — MFA (or documented compensating controls where MFA cannot be implemented on a given system) for access to critical cyber systems, including all remote access into OT environments
- Continuous monitoring — capability to detect and respond to OT threats
Violations carry civil penalties of up to $25,000 per day per violation. For large pipeline operators, a compliance gap in a fundamental area represents significant exposure.
The OT Threat Landscape for Oil and Gas
Volt Typhoon: Pre-Positioning for Disruption
The Chinese state-sponsored actor Volt Typhoon represents the most strategically significant threat to oil and gas OT infrastructure in 2026. The group’s documented objective is not data theft — it is maintaining persistent access to critical infrastructure that could be activated to cause disruption in a geopolitical crisis context.
CISA, the NSA, and Five Eyes partners have confirmed Volt Typhoon presence in the IT and OT-adjacent networks of US energy sector organisations, including pipeline operators. The group’s tradecraft is specifically designed to evade OT-aware detection: it uses legitimate remote management tools (LOTL — living off the land), avoids deploying custom malware where possible, and maintains persistent access over months or years without triggering operational anomalies.
For pipeline operators, Volt Typhoon’s pre-positioning in SCADA-adjacent networks represents an existential operational risk. Access from the IT network to the control network — enabled by the same remote monitoring infrastructure that operators rely on for efficiency — creates the pathway.
Ransomware Groups and OT Bleed-Over
Ransomware attacks on pipeline operators’ IT networks create OT risk through a different mechanism. The Colonial Pipeline attack demonstrated the pattern: the ransomware never reached the OT environment, but the operator shut down pipeline operations preemptively because they lacked sufficient visibility to determine whether the OT network was compromised, and they could not risk operating the pipeline while uncertain.
The operational lesson — that an IT ransomware event can produce an OT operational shutdown through information uncertainty rather than OT compromise — has changed how operators think about IT/OT segmentation documentation and monitoring. If the operator cannot credibly assure leadership and regulators that the OT network is clean, they will shut it down.
IRGC-Linked Actors and Destructive Capability
Iranian state-linked actors, including the IRGC-affiliated CyberAv3ngers group behind attacks on Israeli water infrastructure and the late-2023 intrusions into US water utilities through internet-exposed Unitronics PLCs, have demonstrated willingness to cause physical operational disruption. Oil and gas SCADA equipment reachable through internet-facing interfaces is in scope for this threat category.
The attack pattern is low-sophistication but operationally effective against poorly segmented environments: find OT equipment exposed to the internet, log in with a default or reused credential (the Unitronics devices were reached over their PCOM programming port, TCP 20256, with the factory default password still set), then alter or halt the process. The practical check is an external scan of the operator's own address space for industrial protocol ports, followed by removal of the exposure rather than a password change alone, because a PLC programming port should never be reachable from the internet in the first place.
Technical Controls: What the Directives Require and What Actually Works
Network Segmentation and the Purdue Model
TSA’s directives require documented controls preventing lateral movement between IT and OT networks. In practice, this means:
Unidirectional gateways (data diodes) between OT and IT where process data needs to flow to IT systems for monitoring. A data diode enforces one-way flow in hardware: no packet can pass from IT to OT through it, which removes an entire category of IT-to-OT attack path. The caveat is that a diode only protects the path it sits on. A dual-homed historian, a vendor VPN or a forgotten serial-over-IP link beside it restores the bidirectional path, so the diode must be the only route and flow records should be checked for traffic that contradicts it.
Industrial demilitarised zones (iDMZ) where bidirectional communication is necessary. Historians, OPC UA servers, and data aggregation systems should sit in an iDMZ with their own interfaces on each side policed by firewalls, never dual-homed directly into both the IT and OT networks.
Removal of direct IT/OT connectivity. Many operators discover, during segmentation reviews, connectivity pathways established by vendors for remote support or by engineers for convenience that were never intentionally designed. Eliminate these or route them through the iDMZ with proper access controls.
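The segmentation review described above can be partly automated from a firewall or NetFlow export. The following is an added example (not code from the page, TSA or any operator): it maps addresses to zones, flags flows that contradict the documented IT/iDMZ/OT architecture, and checks that paths supposed to cross a data diode never carry reply bytes. The address plan, allowed-service list and sample flows are all constructed for illustration.

```python
"""Segmentation review over exported flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone map; a real one comes from the architecture review.
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "IDMZ": [ip_network("10.20.0.0/24")],
    "OT": [ip_network("192.168.100.0/24")],
}

# Documented cross-zone services: (src_zone, dst_zone, dst_port, proto).
ALLOWED = {
    ("IT", "IDMZ", 443, "tcp"),    # IT dashboards read the iDMZ historian
    ("IDMZ", "OT", 502, "tcp"),    # iDMZ collector polls PLCs over Modbus/TCP
    ("IDMZ", "OT", 3389, "tcp"),   # jump host RDP to engineering workstations
}
# Paths that cross a data diode: allowed only if no bytes ever flow back.
ONE_WAY = {
    ("OT", "IDMZ", 514, "udp"),    # OT syslog pushed through the diode
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_fwd: int
    bytes_rev: int


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNMAPPED"


def review(flows):
    """Return (finding_code, flow) for each flow that violates the architecture."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz:
            continue  # intra-zone traffic is out of scope for this check
        key = (sz, dz, f.dport, f.proto)
        if "UNMAPPED" in (sz, dz):
            findings.append(("UNMAPPED_ADDRESS", f))            # inventory gap
        elif sz == "IT" and dz == "OT":
            findings.append(("DIRECT_IT_TO_OT", f))             # bypasses the iDMZ entirely
        elif sz == "OT" and dz == "IT":
            findings.append(("OT_INITIATED_TO_IT", f))          # OT devices should never reach IT directly
        elif key in ONE_WAY:
            if f.bytes_rev > 0:
                findings.append(("REPLY_ACROSS_DIODE_PATH", f))  # the "diode" path is bidirectional
        elif key not in ALLOWED:
            findings.append(("UNLISTED_CROSS_ZONE_SERVICE", f))  # undocumented convenience path
    return findings


# Constructed sample export: a mix of documented and undocumented paths.
SAMPLE_FLOWS = [
    Flow("10.10.5.40", "10.20.0.5", 443, "tcp", 8000, 120000),     # documented
    Flow("10.20.0.5", "192.168.100.10", 502, "tcp", 3000, 9000),   # documented
    Flow("10.10.5.23", "192.168.100.10", 502, "tcp", 500, 700),    # IT laptop polling a PLC directly
    Flow("10.20.0.9", "192.168.100.20", 22, "tcp", 4000, 20000),   # SSH to an RTU nobody documented
    Flow("192.168.100.30", "10.10.8.8", 443, "tcp", 2000, 50000),  # RTU "phoning home" to an IT server
    Flow("192.168.100.10", "10.20.0.7", 514, "udp", 90000, 0),     # syslog through the diode, one-way
    Flow("192.168.100.10", "10.20.0.7", 514, "udp", 90000, 1200),  # reply bytes: not actually one-way
    Flow("172.16.9.4", "192.168.100.10", 44818, "tcp", 100, 100),  # address in no known zone
]

if __name__ == "__main__":
    for code, f in review(SAMPLE_FLOWS):
        print(f"{code:28} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Every finding maps to an action the directive already expects: direct IT-to-OT and OT-to-IT flows are removed or rerouted through the iDMZ, unlisted services are either documented or shut off, reply bytes on a diode path mean the path is not the diode, and unmapped addresses go into the asset inventory before anything else.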
Multi-Factor Authentication for Remote Access
TSA’s directive requires MFA for remote access to OT environments. For pipeline control systems, this typically means:
- Jump servers or bastion hosts in the iDMZ with MFA enforced before any OT access
- Vendor remote access via dedicated, monitored channels with session recording
- Elimination of direct vendor VPN access that terminates inside the OT network
OT-aware PAM (Privileged Access Management) tools that support industrial protocols are the recommended approach. Vendor accounts should be time-limited and require explicit activation for each session.
OT-Specific Monitoring
Standard IT SIEM tooling does not understand industrial protocols. Deploying OT-specific network monitoring — Claroty, Dragos Platform, Nozomi Networks, or equivalent — provides passive visibility into SCADA traffic without touching the OT devices themselves. Passive monitoring is essential in environments where active scanning would disrupt process operations.
Key detection capabilities to prioritise:
- New device discovery (unauthorised devices appearing on the OT network)
- Protocol anomalies (Modbus writes, function codes 5, 6, 15 and 16, to registers outside the expected control block; DNP3 function codes that normal polling never uses, such as cold and warm restart, 0x0D and 0x0E)
- Unusual engineering workstation connections to PLCs (especially outside maintenance windows)
- Remote access from unexpected locations or at unexpected times
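The four detection capabilities above reduce to rules over parsed traffic metadata plus a baseline. The following is an added example, not the page's content and not the logic of any named vendor product: a plain-Python version of those rules run over a constructed event list of the form (timestamp, src, dst, protocol, function code, address) as a passive sensor would emit it. Every address, device role, register range and window is hypothetical.

```python
"""Passive OT detection rules over SCADA traffic metadata (added example)."""
from collections import Counter
from datetime import datetime, time

# Asset inventory baseline (hypothetical).
KNOWN_DEVICES = {
    "192.168.100.5": "scada-server",
    "192.168.100.10": "plc-compressor-1",
    "192.168.100.20": "rtu-valve-site-7",
    "192.168.100.50": "ews-1",
    "10.20.0.9": "jump-host",
}
PLCS = {"192.168.100.10", "192.168.100.20"}
ENGINEERING_WORKSTATIONS = {"192.168.100.50"}
JUMP_HOSTS = {"10.20.0.9"}

# Modbus write function codes: 5/15 write coils, 6/16 write holding registers.
MODBUS_WRITE_FCS = {5, 6, 15, 16}
# Holding-register ranges the SCADA server is expected to write, per PLC.
ALLOWED_WRITE_RANGES = {"192.168.100.10": [(40100, 40299)]}
# DNP3 function codes the master legitimately sends to each outstation
# (0x01 read, 0x02 write, 0x14/0x15 enable/disable unsolicited). Restarts
# (0x0D cold, 0x0E warm) are never part of normal polling.
DNP3_ALLOWED_FCS = {"192.168.100.20": {0x01, 0x02, 0x14, 0x15}}

ENGINEERING_PROTOCOLS = {"s7comm", "enip"}        # program download / online edit
REMOTE_ACCESS_PROTOCOLS = {"rdp", "ssh"}
REMOTE_ACCESS_HOURS = (time(6, 0), time(18, 0))
MAINTENANCE_WINDOW = (6, time(2, 0), time(6, 0))  # weekday 6 = Sunday, 02:00-06:00


def in_window(ts, start, end):
    return start <= ts.time() < end


def in_maintenance_window(ts):
    weekday, start, end = MAINTENANCE_WINDOW
    return ts.weekday() == weekday and in_window(ts, start, end)


def detect(events):
    """Return (rule, timestamp, src, dst, detail) for each rule an event trips."""
    alerts = []
    for ts_s, src, dst, proto, fc, addr in events:
        ts = datetime.fromisoformat(ts_s)
        # 1. New device discovery: any endpoint missing from the inventory.
        for host in (src, dst):
            if host not in KNOWN_DEVICES:
                alerts.append(("NEW_DEVICE", ts_s, src, dst, f"{host} not in inventory"))
        # 2. Protocol anomalies: Modbus writes outside the control block, unexpected DNP3 codes.
        if proto == "modbus" and fc in MODBUS_WRITE_FCS:
            ranges = ALLOWED_WRITE_RANGES.get(dst, [])
            if not any(lo <= addr <= hi for lo, hi in ranges):
                alerts.append(("MODBUS_WRITE_OUT_OF_RANGE", ts_s, src, dst, f"FC{fc} to {addr}"))
        elif proto == "dnp3" and fc not in DNP3_ALLOWED_FCS.get(dst, set()):
            alerts.append(("DNP3_FC_NOT_ALLOWED", ts_s, src, dst, f"FC 0x{fc:02X}"))
        # 3. Engineering workstation to PLC outside the maintenance window.
        elif (proto in ENGINEERING_PROTOCOLS and src in ENGINEERING_WORKSTATIONS
              and dst in PLCS and not in_maintenance_window(ts)):
            alerts.append(("EWS_TO_PLC_OUTSIDE_WINDOW", ts_s, src, dst, proto))
        # 4. Remote access from the wrong place or at the wrong time.
        elif proto in REMOTE_ACCESS_PROTOCOLS:
            if src not in JUMP_HOSTS:
                alerts.append(("REMOTE_ACCESS_UNEXPECTED_SOURCE", ts_s, src, dst, proto))
            elif not in_window(ts, *REMOTE_ACCESS_HOURS):
                alerts.append(("REMOTE_ACCESS_OUTSIDE_HOURS", ts_s, src, dst, proto))
    return alerts


def summarise(events):
    """Alert counts per rule, the view an analyst triages first."""
    return Counter(a[0] for a in detect(events))


# Constructed events. 2026-03-08 is a Sunday, 2026-03-10 a Tuesday.
EVENTS = [
    ("2026-03-10T09:15:00", "192.168.100.5", "192.168.100.10", "modbus", 3, 40001),   # normal read
    ("2026-03-10T09:16:00", "192.168.100.5", "192.168.100.10", "modbus", 16, 40200),  # write in range
    ("2026-03-10T09:17:00", "192.168.100.5", "192.168.100.10", "modbus", 6, 40900),   # write out of range
    ("2026-03-10T09:18:00", "192.168.100.77", "192.168.100.10", "modbus", 3, 40001),  # unknown device
    ("2026-03-10T09:20:00", "192.168.100.5", "192.168.100.20", "dnp3", 0x01, None),   # normal read
    ("2026-03-10T09:21:00", "192.168.100.5", "192.168.100.20", "dnp3", 0x0D, None),   # cold restart
    ("2026-03-10T14:00:00", "192.168.100.50", "192.168.100.10", "s7comm", None, None),  # Tuesday afternoon
    ("2026-03-08T03:00:00", "192.168.100.50", "192.168.100.10", "s7comm", None, None),  # in window
    ("2026-03-10T23:30:00", "10.20.0.9", "192.168.100.50", "rdp", None, None),        # jump host, late
    ("2026-03-10T10:00:00", "10.20.0.9", "192.168.100.50", "rdp", None, None),        # jump host, normal
    ("2026-03-10T10:05:00", "10.10.5.23", "192.168.100.50", "rdp", None, None),       # not a jump host
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The value of the rules is entirely in the baseline: the inventory, the per-PLC write ranges and the per-outstation DNP3 codes have to be learned from a clean period of passive capture and then frozen, which is what the commercial platforms automate. Note that a single event can trip more than one rule (the RDP session from an IT address is both a new device and an unexpected remote-access source).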
Patch Management in OT Environments
TSA requires patch management policies for OT systems. The practical challenge is that OT patching differs fundamentally from IT patching:
- Patches for PLCs, RTUs, and SCADA software require vendor testing and certification before application
- Applying a patch may require a process shutdown, which has operational and safety implications
- Many legacy devices cannot be patched at all — the manufacturer no longer provides updates
A defensible OT patch management programme for TSA purposes should: maintain a current inventory of OT assets with firmware versions, track vendor security advisories for each asset, document compensating controls for unpatched systems, and apply patches during scheduled maintenance windows with appropriate change management.
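The inventory-to-advisory step in that programme is where most operators lose track, because firmware versions do not compare as strings and a device with no available fix still needs a recorded decision. The following is an added example (not code from the page, TSA or any vendor): it matches a firmware inventory against advisories and classifies each affected asset by whether a fix exists and, if not, whether a compensating control is on record. Vendors, products, versions and advisory identifiers are all constructed.

```python
"""Advisory-to-asset matching for an OT patch programme (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that 2.10.0 sorts after 2.8.3 (string comparison gets this wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class Asset:
    asset_id: str
    vendor: str
    product: str
    firmware: str
    compensating_controls: List[str] = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    affected_below: str          # every version strictly below this is affected
    fixed_in: Optional[str]      # None: vendor offers no fix (end of support)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return ((asset.vendor, asset.product) == (adv.vendor, adv.product)
            and parse_version(asset.firmware) < parse_version(adv.affected_below))


def classify(asset: Asset, adv: Advisory) -> str:
    if adv.fixed_in:
        return "PATCH_AVAILABLE"        # schedule in the next maintenance window
    if asset.compensating_controls:
        return "NO_FIX_MITIGATED"       # defensible, provided the controls are documented
    return "NO_FIX_UNMITIGATED"         # gap that needs a decision and a record


def assess(assets, advisories):
    """Return (asset_id, advisory_id, status) for every affected asset."""
    return [(a.asset_id, adv.advisory_id, classify(a, adv))
            for a in assets for adv in advisories if is_affected(a, adv)]


# Constructed inventory and advisories (hypothetical vendors and IDs).
ASSETS = [
    Asset("PLC-CS1", "ExampleAutomation", "X200", "2.7.0"),
    Asset("PLC-CS2", "ExampleAutomation", "X200", "2.10.0"),
    Asset("RTU-V7", "LegacyRTU", "R40", "1.2",
          compensating_controls=["isolated VLAN", "read-only Modbus proxy"]),
    Asset("RTU-V9", "LegacyRTU", "R40", "1.2"),
    Asset("HIST-1", "ExampleHist", "H5", "5.1.3"),
]
ADVISORIES = [
    Advisory("ADV-2026-001", "ExampleAutomation", "X200", affected_below="2.8.3", fixed_in="2.8.3"),
    Advisory("ADV-2026-002", "LegacyRTU", "R40", affected_below="1.3", fixed_in=None),
]

if __name__ == "__main__":
    for asset_id, advisory_id, status in assess(ASSETS, ADVISORIES):
        print(f"{asset_id:8} {advisory_id:13} {status}")
```

The three statuses map onto the programme elements in the paragraph above: PATCH_AVAILABLE feeds the maintenance-window schedule and change record, NO_FIX_MITIGATED is what the compensating-controls documentation has to back up, and NO_FIX_UNMITIGATED is the list an assessor will ask about first. PLC-CS2 illustrates why version parsing matters: as strings, "2.10.0" sorts below "2.8.3" and the asset would be wrongly reported as affected.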
Incident Reporting Requirements
TSA’s directives require reporting of cybersecurity incidents to CISA within 12 hours of identification. For pipeline operators, this includes:
- Unauthorised access to OT network or SCADA systems
- Discovery of malware on OT network
- Denial of service against OT systems
- Physical security events believed to be cybersecurity-related
The 12-hour clock starts at identification, not at confirmation, so it requires pre-positioned incident response capability. Operators that have struggled with the timeline have addressed it by pre-populating the reporting template with the static facts (operator identity, facility, coordinator contact details) so that only the incident specifics are filled in at the time, by keeping the cybersecurity coordinator the 2021 directive already requires reachable around the clock, and by agreeing in advance which indicators count as a reportable incident so that the decision to report is not being made for the first time under pressure.
Compliance Programme Maturity
The gap between nominal TSA compliance (having the required documents) and meaningful security capability (being able to detect and respond to a Volt Typhoon-level intrusion) is large for most operators. The directives set a floor, not a ceiling.
The operators that have meaningfully improved their security posture have invested beyond compliance in: continuous OT monitoring with 24/7 SOC coverage by OT-capable analysts, regular tabletop exercises that specifically test OT incident response, and red team engagements by teams with industrial control system expertise.
For operators still building programme maturity, the priority sequence is: segmentation first (eliminating direct IT/OT connectivity), then monitoring (passive OT visibility), then MFA and access controls, then patch management programme formalisation. That sequence addresses the highest-impact controls before the more operationally complex ones.