Executive Summary
A leading midstream pipeline operator with 20 distributed pipeline and compressor station sites faced an approaching TSA Security Directive compliance deadline. The operator's existing remote access infrastructure relied on legacy tools that provided broad network access, supported cached credentials on shared OT assets, and offered no mechanism for instant access revocation during a cybersecurity incident. Low-bandwidth conditions at remote pipeline locations compounded the problem, making existing solutions unreliable.
The operator deployed Xona across all 20 sites in just a few hours, not weeks, not months. SSO configuration eliminated credential caching on shared OT assets. Centralized management enabled instant provisioning, monitoring, and termination of remote sessions. The result is zero direct network connectivity: users interact with OT systems in real time, but their endpoints are never connected to the OT network. The operator achieved full TSA-SD-2E compliance and gained the ability to immediately disconnect remote access fleet-wide in the event of a cybersecurity incident.
The Challenge
On May 7, 2021, a ransomware attack on Colonial Pipeline forced the shutdown of 5,500 miles of pipeline carrying 45% of the East Coast's fuel supply. The attack, which entered through a compromised VPN credential, triggered fuel shortages and emergency declarations across multiple states. The current TSA-SD Pipeline-2021-02E directive requires pipeline operators to implement network segmentation between IT and OT systems, access control measures enforcing least-privilege principles, continuous monitoring, secure remote access with MFA, the ability to instantly disconnect remote access during cybersecurity incidents, and incident reporting within 24 hours.
The operator managed 20 distributed pipeline and compressor station sites across a geographically dispersed midstream network. Their existing infrastructure had critical gaps:
- TSA-SD-2E compliance deadline. Existing tools did not meet requirements for access governance, session monitoring, or instant revocation.
- Low-bandwidth environments. Many pipeline and compressor station sites are in rural or remote locations served by constrained network links. Sessions were slow, unreliable, and frequently dropped, driving technicians to create workarounds.
- Shared assets with cached credentials. OT assets at pipeline sites were shared among multiple operators and vendors. Credentials were cached locally, making individual accountability impossible.
- No instant-disable capability. Revoking a vendor's access required manual intervention across multiple systems and sites, a process that could take hours.
- Inconsistent access controls. Access policies varied from site to site with no centralized view of who was connected, to which assets, or what they were doing.
The Xona Solution
The platform deploys a gateway at each site that terminates OT protocols inside the trusted network. Users connect through a browser over HTTPS port 443 and receive only encrypted pixel streams, never a direct connection to the OT asset. This architecture eliminates lateral movement, prevents malware traversal from endpoints to OT systems, and satisfies TSA requirements for network segmentation.
The platform integrates with the operator's identity provider via SAML 2.0, enforcing single sign-on with MFA for every session. This eliminates the credential caching problem at its root: users must authenticate through the platform for every session, and credentials for OT assets are injected by the gateway without ever being exposed to the user.
The platform's PNG-based pixel streaming is engineered for constrained network conditions, delivering usable, interactive sessions over the low-bandwidth links typical of remote pipeline sites. The Kill Button terminates any individual session instantly. A Lockbox feature can disable all remote access to a specific site, logically or by physically disabling Ethernet ports on the gateway hardware, satisfying the TSA requirement for immediate disconnection.
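The three paragraphs above describe one pattern: a broker that authenticates the named user, checks least-privilege policy, injects the OT credential on the gateway side so it never reaches the user, records every session for audit, and can terminate a single session or lock down a whole site on demand. The following Python is an added illustration of that pattern written for this page; it is not Xona's code and makes no claim about how the product is built. All names (users, sites, assets, the vault and policy contents) are constructed sample values, the SSO assertion is a plain dictionary standing in for a validated SAML response, and the gateway-side login is modelled as private broker state rather than a real OT protocol connection.

```python
"""Model of a mediated OT remote-access broker (illustrative, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import secrets


@dataclass
class Session:
    """What the user-facing side sees: who, where, what, when. Never a credential."""
    session_id: str
    user: str
    site: str
    asset: str
    started_at: str
    ended_at: str | None = None
    end_reason: str | None = None


class AccessBroker:
    def __init__(self, vault: dict[str, str], policy: dict[str, set[tuple[str, str]]]):
        self._vault = vault                      # asset -> OT credential, gateway side only
        self._policy = policy                    # user -> allowed (site, asset) pairs
        self._locked_sites: set[str] = set()     # sites under "lockbox"
        self._sessions: dict[str, Session] = {}
        self._gateway_logins: dict[str, tuple[str, str]] = {}  # session_id -> (asset, cred)
        self.audit_log: list[dict] = []          # compliance evidence, exported on demand

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": self._now(), "event": event, **fields})

    def open_session(self, assertion: dict) -> Session:
        """assertion: constructed stand-in for a validated SSO response with an MFA flag."""
        user, site, asset = assertion["user"], assertion["site"], assertion["asset"]
        if not assertion.get("mfa"):
            self._log("denied", user=user, site=site, asset=asset, reason="mfa_missing")
            raise PermissionError("MFA required for every session")
        if site in self._locked_sites:
            self._log("denied", user=user, site=site, asset=asset, reason="site_locked")
            raise PermissionError(f"{site} is locked")
        if (site, asset) not in self._policy.get(user, set()):
            self._log("denied", user=user, site=site, asset=asset, reason="not_authorized")
            raise PermissionError(f"{user} may not reach {asset} at {site}")
        session_id = secrets.token_hex(8)
        # Credential injection: the broker pulls the OT password and uses it on the
        # gateway side. It is kept in private broker state here and is absent from
        # the Session object that represents what the user can observe.
        self._gateway_logins[session_id] = (asset, self._vault[asset])
        session = Session(session_id, user, site, asset, self._now())
        self._sessions[session_id] = session
        self._log("session_start", session_id=session_id, user=user, site=site, asset=asset)
        return session

    def kill_session(self, session_id: str, reason: str = "operator_kill") -> bool:
        """Kill button: end one session and drop its gateway-side login."""
        session = self._sessions.get(session_id)
        if session is None or session.ended_at is not None:
            return False
        session.ended_at, session.end_reason = self._now(), reason
        self._gateway_logins.pop(session_id, None)
        self._log("session_end", session_id=session_id, user=session.user,
                  site=session.site, asset=session.asset, reason=reason)
        return True

    def lock_site(self, site: str) -> int:
        """Lockbox: terminate every live session at a site and refuse new ones."""
        self._locked_sites.add(site)
        live = [s.session_id for s in self.active_sessions(site)]
        for sid in live:
            self.kill_session(sid, reason="site_lockbox")
        self._log("site_locked", site=site, sessions_terminated=len(live))
        return len(live)

    def unlock_site(self, site: str) -> None:
        self._locked_sites.discard(site)
        self._log("site_unlocked", site=site)

    def active_sessions(self, site: str | None = None) -> list[Session]:
        return [s for s in self._sessions.values()
                if s.ended_at is None and (site is None or s.site == site)]

    def evidence(self) -> list[dict]:
        return [dict(entry) for entry in self.audit_log]


# Constructed sample data; no real credentials or site names.
DEMO_VAULT = {"plc-01": "constructed-plc-password", "hmi-02": "constructed-hmi-password"}
DEMO_POLICY = {
    "alice@example.com": {("station-07", "plc-01")},
    "vendor.bob@example.com": {("station-07", "hmi-02"), ("station-12", "hmi-02")},
}


def build_demo_broker() -> AccessBroker:
    return AccessBroker(dict(DEMO_VAULT), {u: set(p) for u, p in DEMO_POLICY.items()})


def session_leaks_credential(session: Session, vault: dict[str, str]) -> bool:
    """Check that nothing the user receives contains any vault secret."""
    blob = repr(asdict(session))
    return any(secret in blob for secret in vault.values())


if __name__ == "__main__":
    broker = build_demo_broker()
    s = broker.open_session({"user": "alice@example.com", "mfa": True,
                             "site": "station-07", "asset": "plc-01"})
    print("credential visible to user:", session_leaks_credential(s, DEMO_VAULT))
    print("terminated by lockbox:", broker.lock_site("station-07"))
    for entry in broker.evidence():
        print(entry)
```

The check that matters for the shared-asset problem is `session_leaks_credential`: the only thing an operator or vendor ever receives is a session record tied to their own identity, so accountability on a shared HMI or PLC comes from the broker's log rather than from who last typed a cached password. `lock_site` is the fleet-wide disconnect in miniature: it ends live sessions and blocks new ones in one call, which is what an incident responder needs to be able to do without visiting each site.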
All 20 sites were deployed in just a few hours. The platform's overlay architecture requires only HTTPS port 443 outbound. Gateways were pre-configured and activated at each site without modifying existing network topology, firewall rules, or OT asset configurations. There was zero operational disruption: pipeline operations continued uninterrupted throughout the entire deployment.
The Results
The operator met all requirements of the TSA Security Directive including access control with least-privilege enforcement, MFA, continuous session monitoring, and the ability to immediately disconnect remote access during a cybersecurity incident. Compliance evidence including session recordings, access logs, and policy configurations is available on demand.
SSO-enforced authentication and credential injection mean OT asset passwords are managed by the gateway and never exposed to users. Even on shared devices accessed by multiple operators and vendors, every session is attributable to a named individual. During the operator's most recent incident response drill, the team demonstrated the ability to cut all remote access to a site in under 10 seconds.
"The centralized access management capabilities have been invaluable for Security Directive compliance requirements and protecting our critical infrastructure. We can quickly disconnect remote access in the event of a cybersecurity incident."
IT/OT Sr. Systems Administrator