Following the Colonial Pipeline attack, the TSA issued a series of pipeline cybersecurity directives that are still in force — and still catching operators off guard at inspection time.
The TSA wants to see your OT asset inventory, firewall rules, network architecture, and traffic captures on demand. Industrial Defender makes all of it reportable from one platform, without requiring manual documentation sprints before every audit.
TSA renewed and revised its pipeline cybersecurity directive in July 2024. The core requirements — Cybersecurity Implementation Plan, Incident Response Plan, and annual Cybersecurity Assessment Plan — remain in force. The 2024 revision adds several compliance-relevant clarifications pipeline operators should be aware of:
MSSP liability is now explicit. If you've delegated any security measures to a Managed Security Service Provider, you retain sole compliance responsibility. TSA will hold the owner/operator accountable regardless of who's doing the work.
Authorized Representatives carry joint liability. Contractors or agents acting on your behalf — coordinating or executing CIP requirements — are now formally defined, and both parties are liable for non-compliance.
Assessment cadence clarified. At least one-third of your TSA-approved CIP must be assessed each year, with 100% coverage over any rolling three-year period. Annual CAP submissions and reports are due no later than 12 months from TSA's approval of the previous CAP.
"Operational disruption" redefined. The directive now ties disruption to "business critical functions" — your own determination of the capacity and capabilities needed to meet operational and supply chain obligations. This gives operators more definitional control but also more documentation responsibility.
The directive is still performance-based — not prescriptive. TSA continues to inspect against your approved CIP, not a fixed checklist. That means the depth and accuracy of your asset inventory, change records, and traffic snapshots are the actual evidence base at inspection time.
TSA may request to inspect or copy any of the following at any time. Industrial Defender surfaces each item directly on the intuitive platform.
Hardware and software inventory including SCADA systems, PLCs, RTUs, and HMIs — with firmware versions, OS, open ports, and PLC key switch positions captured actively, not inferred from network traffic.
Complete firewall ruleset collection from OT network perimeters, including rule-by-rule visibility and change history to demonstrate ongoing configuration management.
Network diagrams, switch and router configurations, architecture diagrams, publicly routable IP addresses, and VLAN documentation — maintained as a living record, not a one-time snapshot.
Documentation supporting your Cybersecurity Implementation Plan, Incident Response Plan, and Assessment Program — with audit trail evidence of actual implementation, not just written policy.
Endpoint and OT system logs collected automatically and stored with historical context. No manual log collection required at inspection time.
Passive network traffic analysis tells you what's communicating. It cannot tell you:
Industrial Defender actively communicates with your OT assets at the device level — the same way your engineering tools do — so you get the configuration data, firmware versions, firewall rules, and user accounts that passive-only tools miss entirely.
Deep asset data from every device