TSA Pipeline Security Guidelines and ADR

In April 2021, the Transportation Security Administration (TSA) updated its TSA Pipeline Security Guidelines. The Colonial Pipeline ransomware attack means more attention will be paid to the cybersecurity posture of the oil and natural gas (ONG) industry. Understanding the changes to the TSA Pipeline Security Guidelines shows how Attack, Detect, and Response (ADR) can enhance security.

What does Section 5 (Criticality) say?

Section 5 outlines a series of considerations that pipeline operators should take into account  when designating a pipeline critical facility. 

Risk considerations

The considerations include whether something is a pipeline critical facility:

  • Identify critical facilities on TSA-designated pipeline systems
  • Provides primary service to designated critical infrastructure 
  • Lacks systematic backup, leaving it as a “single point of failure”
  • Conduct operational assessments to identify facilities
  • Coordinate with internal company business functions to identify pipeline feeds to potentially critical infrastructure
  • Adjustments based on impact caused by service disruption
  • Additional, more stringent criteria based on operator determination


Additionally, pipeline operators need to consider the following documentation:

  • System redundancies, contingency plans, and available mitigations
  • Contracts for interruptible service that may indicate lack of criticality
  • Demonstration of continued operations without impact on deliverability

Outage impact

Finally, Section 5 includes a chart with specific criteria and guidance for designating pipeline critical facilities. However, the seventh criteria applies to all three. Under the heading, “significantly disrupt pipeline system operations for an extended period of time,” critical infrastructure needs to consider: 

  • Where loss or disruption lasting more than 7 days would significantly impact overall deliverability and system safety
  • Whether facility contains components not readily available to the operator
  • Whether the facility contains critical pipeline cyber assets
  • Whether operational control rooms lack a backup control room that continuously runs all hardware and software operating on the main site. 

What is a critical pipeline cyber asset?

This term dates back to the 2018 update. However, in light of recent attacks to critical infrastructure, defining critical cyber assets becomes more important. 

Under 7.2 “Pipeline Cyber Assets Classification,” pipeline cyber assets should be evaluated and classified as follows:

  • Critical: Operational Technology (OT) system can control operations on the pipeline
  • Non-critical: OT systems monitoring operations on the pipeline

For critical pipeline cyber assets, operators need to use enhanced security measures. 

What does enhanced security measures mean?

“Enhanced security measures'' require more than basic security controls. Organizations need a sense of what that looks like and its potential impact.

Section 7.3 lists baseline and enhanced security measures across five control families:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Within those five categories, the TSA outlines thirty baseline controls aligning with traditional enterprise IT security, as well as  twelve enhanced security measures across four control families:


  • Maintaining an accurate inventory and ability to detect unauthorized components
  • Network connection reviews and detailed endpoint inventory
  • Annual review and assessment of cybersecurity policies, plans, processes, and supporting procedures
  • Making threat intelligence available to responsible parties


  • Restricting physical access to control systems and control networks
  • Monitoring physical and remote access to assets
  • Account management mechanisms
  • Role-based security training around recognizing and reporting potential indicators of compromise 


  • Third-party security assessments


  • Conduct cybersecurity incident response exercises
  • Establish and maintain 24-hour cyber incident response
  • TSA notification

Attack, Detect, and Respond (ADR) for Enhanced Security

OT environments are different from enterprise IT environments. Enhanced security measures like conducting incident response exercises pose unique challenges to OT environments. 

However, conducting security assessments on critical infrastructure can be problematic. The goal of an incident response exercise or third-party assessment is to determine whether the OT environment can be undermined. Ransomware attacks against these fragile environments are successful because measuring risk and locating entryways is difficult. 

With ADR, critical pipeline operators can engage in threat modeling and incident response exercises without worrying that they will compromise availability. 

Safely test environments

With ADR, ONG and other organizations with OT environments can run emulations without worrying about system impact. An ADR solution is a user-mode program. This means that despite using real world TTPs, it lacks the necessary system privileges to be destructive. 

For example, a ransomware attack on a beachhead product, a human machine interface, could cause a system outage. These systems are highly interconnected. Compromising one beachhead product ultimately leads to a full system outage. ADR gives you a way to run threat models against these risky devices without causing a system-wide outage.

Functionally, an ADR solution that emulates a ransomware attack works like this:

  • Operator chooses a folder to encrypt.
  • With a properly configured security product, the encryption fails. 
  • The ADR solution informs the operator that the action failed. 
  • If the security product is not configured properly, the ADR solution encrypts the data. Then, it turns that encrypted file into a new file. This process leaves the original files intact. 

From the technical perspective, the program does this:

Fundamentally, this approach preserves the current  state, running the attack emulation in parallel to the system the organization is testing. By preserving the current state, even if the emulation would have an impact, the platform ensures continued system availability. 

Build real-world threat models

ADR allows security teams to build threat models based on tactics, techniques, and procedures (TTPs) found in the wild. Simulations give you a way to track a predefined attack path. This means that once you run them, they’ve mostly done their job. 

ADR emulations give you the ability to create unique paths. With these paths, you can track your controls’ effectiveness and your tools’ detection capabilities. This means that you can see how well your controls stand up against new methodologies.

Source: Defending Business Interest by Defending Against Ransomware Report - by SCYTHE

Validate controls and fine-tune security products

A foundational requirement underlying the TSA Pipeline Security Guidelines is ongoing risk monitoring and assessment. This process gives you a way to validate controls beyond the annual penetration test and third-party assessments. 

The ONG industry needs to continuously test controls and fine tune security products protecting critical pipeline facilities and critical cyber assets. Securing the enterprise IT environment offers one level of validation. Running these same threat modeling processes against OT environments gives you a way to secure the entire infrastructure. 

SCYTHE: ADR for Enhanced Security Measures

With SCYTHE, ONG organizations can meet security and compliance requirements by creating a holistic approach to risk management. With our platform, you can stand up a campaign in minutes, aligning it with real-world TTPs. This capability allows you to build threat intelligence into your continuous system testing and validation processes. 

Threat actors looking to disrupt critical infrastructure will continue to attack fragile or sensitive OT devices. As ONG organizations look to secure beachhead products, they need security solutions that give them control over and visibility into vulnerabilities. With SCYTHE’s ADR solution, they can validate their technologies and processes for enhanced security.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.