Pipeline security EmberOT blog

Pipeline Security, Visibility, and Detection at the OT Edge

Jori VanAntwerp
CEO and Founder at EmberOT

For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.

How can you detect malicious or anomalous activity at the edge of your network, when your environment includes a pipeline or disparate facilities spanning thousands of miles?

Pipeline security has remained a major public and regulatory concern since the Colonial Pipeline ransomware incident brought the risks of limited OT visibility into the national spotlight. In the years since, the industry has made progress, but many pipeline operators still face the same core challenge: limited visibility into remote OT environments and too many blind spots at the edge. When organizations lack timely, usable data from those environments, a single operational or security decision can have outsized consequences.

The threat landscape has also continued to evolve. Ransomware remains a concern, but so do insecure remote access paths, actively exploited vulnerabilities, third-party and supply chain exposures, and opportunistic mass scanning of internet-exposed infrastructure. In many OT environments, organizations are still more likely to suffer operational disruption from indirect compromise, misconfiguration, or “splash damage” than from a highly tailored attack. For pipeline operators, that makes practical visibility and resilient detection just as important as perimeter defenses.

As a result, organizations are revisiting pipeline security strategies, hardening connectivity, reviewing remote operations, and implementing more scalable visibility and monitoring approaches. Regulations and directives have helped raise the baseline, but compliance alone does not guarantee meaningful risk reduction. The organizations improving their security posture most effectively are the ones turning requirements into operational insight.

This article provides an overview of modern pipeline visibility and pipeline security challenges, including the environmental and technical realities that make these systems difficult to monitor and defend. It also offers practical guidance on improving visibility and detection at the edge of your network, even when that “edge” is hundreds or thousands of miles from a control center or SOC.

Monitoring and Environmental Challenges

Pipelines run across large geographic distances, often through harsh environments with limited communications, constrained power, and little room for additional hardware. Operators are expected to maintain safety, reliability, and compliance while managing systems that may include aging infrastructure, modern remote connectivity, and an expanding mix of digital and operational technologies.

To meet environmental, safety, and operational demands, many organizations have continued deploying new applications that rely on improved WAN connectivity and remote data access. Leak detection, cathodic protection monitoring, video, audio, remote engineering support, and other operational technologies are increasingly interconnected across stations, terminals, and control centers. That interconnection improves efficiency, but it also expands the attack surface relevant to pipeline security.

The challenge is no longer simply collecting more data. It is integrating the right data sources and turning them into real-time or near-real-time visibility that operators and defenders can actually use. A pump station fault, for example, may generate an alert, but that alert alone may not explain whether the issue originated with a mechanical failure, communications loss, software issue, unauthorized access path, or some other upstream event. Without correlation across systems and locations, teams often know that something happened without understanding why it happened.

To gain a more complete picture, pipeline operators need data from multiple sources that can be normalized, correlated, and analyzed in context. That is a major reason why I founded EmberOT: to help industrial operators get actionable OT edge data in a vendor-agnostic way and use it within the workflows and tools they already rely on, whether that means local operations, a SOC, an MSSP, a SIEM, or another analysis platform.
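As an added illustration of the correlation described above (example code written for this article, not EmberOT's software), the following Python takes the pump station fault scenario and enriches it with same-site events from other feeds within a short window; the event schema, site names and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events from three feeds (SCADA alarms, WAN link
# monitoring, remote-access logs), already normalized to one schema.
# Field names and values are assumptions for this example only.
EVENTS = [
    {"ts": "2024-05-01T09:10:00", "site": "PS-07", "source": "wan",
     "kind": "link_down", "detail": "primary MPLS down, earlier outage"},
    {"ts": "2024-05-01T10:00:05", "site": "PS-07", "source": "wan",
     "kind": "link_down", "detail": "primary MPLS down, cellular backup"},
    {"ts": "2024-05-01T10:02:10", "site": "PS-07", "source": "remote_access",
     "kind": "session_start", "detail": "vendor VPN, user contractor01"},
    {"ts": "2024-05-01T10:03:00", "site": "PS-09", "source": "wan",
     "kind": "link_down", "detail": "different station"},
    {"ts": "2024-05-01T10:03:30", "site": "PS-07", "source": "scada",
     "kind": "pump_fault", "detail": "P-2 unexpected trip"},
]

def correlate(events, fault, window=timedelta(minutes=10)):
    """Events from the same site within `window` before the fault, grouped
    by source. Other sites and older events are dropped so the analyst
    only sees context that could plausibly explain this fault."""
    t_fault = datetime.fromisoformat(fault["ts"])
    related = {}
    for ev in events:
        if ev is fault or ev["site"] != fault["site"]:
            continue
        age = t_fault - datetime.fromisoformat(ev["ts"])
        if timedelta(0) <= age <= window:
            related.setdefault(ev["source"], []).append(ev)
    return related

def candidate_causes(related):
    """Turn correlated context into the questions to answer first: rule out
    an access-path issue, then a comms issue, before assuming a local fault."""
    causes = []
    if "remote_access" in related:
        causes.append("remote session preceded fault: verify it was authorized and what it changed")
    if "wan" in related:
        causes.append("communications loss preceded fault: check failover and stale telemetry")
    if not causes:
        causes.append("no upstream events: investigate local mechanical or software fault")
    return causes

def triage(events):
    """Pair every pump fault with its candidate causes."""
    return [(f, candidate_causes(correlate(events, f)))
            for f in events if f["kind"] == "pump_fault"]
```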

The Role of Regulation in Pipeline Security

Government directives and industry frameworks are still some of the first places organizations look when they need to strengthen pipeline security. After the 2021 pipeline disruptions, many requirements were issued quickly. Since then, the regulatory environment has matured, with TSA continuing to renew and refine its pipeline cybersecurity directives and the broader critical infrastructure community placing more emphasis on performance-based security outcomes rather than check-the-box compliance alone. TSA’s current pipeline directives remain active into 2026, and CISA has continued publishing OT-specific guidance focused on secure connectivity and practical security priorities.

Below is a list of some of the standards, frameworks, and guidance commonly referenced by organizations managing pipeline environments:

  • IEC 62443
  • NIST SP 800-53
  • NIST Cybersecurity Framework
  • ISO/IEC 27001
  • API 1164
  • TSA Pipeline Security Guidelines and Security Directives
  • CISA Cross-Sector Cybersecurity Performance Goals
  • NIS2, where applicable for organizations operating in or serving European jurisdictions

These frameworks help organizations establish a baseline for pipeline security, but they still depend heavily on good implementation. Segmentation, access control, asset identification, monitoring, incident response, and change management matter far more in practice than whether a document says they exist. Pipelines are especially challenging because many environments have a low tolerance for disruption, limited local staffing, and a growing number of connections to business systems, vendors, and remote users.

That combination creates a moving target. The technology stack keeps changing, the threat surface keeps expanding, and the workforce responsible for operating and securing these environments is often distributed and resource constrained. In that reality, visibility is foundational rather than optional.

Getting Back to Basics

There is no single regulation or product that can eliminate all risk. But for most operators, a strong pipeline security program still starts with the basics:

  • Segmentation – Separate networks and devices based on function, risk, and location.
  • Air-Gapped Networks – Separate networks based on geographic distance.
  • Physical Access Control – Limit physical access to only those who have been granted authorization. Consistently check your physical perimeter to ensure that controls are being maintained.
  • Controlled Remote Access – Secure and tightly govern remote connectivity into OT environments.
  • Asset Inventory – Maintain an accurate, continuously updated understanding of what is actually connected.
  • Log Management – Collect and review logs that can support both security investigations and operational troubleshooting.
  • Network Monitoring/IDS – Monitor network traffic for unusual behavior, unauthorized access, or deviations from expected device behavior.
  • Firewalling and Policy Enforcement – Restrict unnecessary communications and reduce exposure to known malicious infrastructure.
  • Vulnerability Management – Remain vigilant and aware of new vulnerabilities as they are reported. Understand the risk to your environment and patch vulnerabilities promptly (we know this can be tricky in ICS environments, but it’s still an important part of a robust security program).
  • Security Awareness and Role-Based Training – Ensure employees, engineers, and contractors understand how to handle access, data, and operational risk appropriately.

While ICS and pipeline environments offer unique challenges, it’s important to start with a foundation of the basic security elements listed above.

Technical Challenges to Increasing Visibility

Increasing visibility in support of pipeline security is rarely straightforward. Communications architectures often carry multiple traffic types across a mix of wired and wireless paths with primary and failover routing requirements. Operators may rely on Ethernet, MPLS, cellular, serial, radio, satellite, and other transport mechanisms depending on geography, cost, and availability.

These environments also have practical limits around power, space, cooling, ruggedization, and on-site support. In many cases, there is little tolerance for deploying large appliances or high-overhead tooling at remote facilities. At the same time, the network still needs to support deterministic operations, fast failover, path redundancy, quality-of-service requirements, and service-level expectations.

Another challenge is form factor. The equipment enclosures managing leak detection, valves, PLCs, RTUs, and other field assets are often small and resource constrained. Asset owners need visibility solutions that can operate in those environments without demanding bulky new hardware, major redesigns, or constant local maintenance.

That’s a major design consideration for EmberOT, and it’s why our approach centers on lightweight software-based sensors and flexible deployment options so operators can collect and curate useful OT data at the edge without introducing large hardware footprints or unnecessary complexity.

Mitigating Future Risks Through Improved Edge Visibility

A mature visibility program does more than support cyber defense. It also provides the metrics needed to improve performance management, configuration management, fault analysis, and overall operational reliability. For pipeline operators, that matters because many systems are expected to perform continuously, in real time, and with fewer maintenance windows than other industries.

Better edge visibility also helps organizations use capital and operating budgets more effectively. Instead of overspending on oversized tooling or flying blind between periodic site visits, teams can make more informed decisions based on what is actually happening in the environment. That is one of the clearest business outcomes of stronger pipeline security: fewer surprises, better prioritization, and a more resilient operation.

Network Visibility Improves Reliability

A reliable network is essential to the safe and efficient operation of pipeline systems. When communications fail, data is delayed, or operational blind spots persist, reliability suffers. And in critical infrastructure, reliability issues quickly become safety, service, and financial issues.

Greater visibility improves reliability because it helps teams detect issues earlier, understand dependencies more clearly, and respond with better context. In practice, stronger pipeline security supports reliability by reducing uncertainty: what is connected, what changed, what is talking to what, and what needs attention first.

Increased Visibility Drives Innovation

Visibility also enables innovation. When organizations can see how assets, traffic flows, and remote sites behave over time, they can build better metrics, improve workflows, and create smarter ways to manage operations.

For example, increased visibility makes it easier to identify traffic patterns, spot abnormal behavior, compare site baselines, and correlate events across network and operational layers. It also reduces the need to send personnel into the field just to answer basic diagnostic questions that could have been resolved remotely with better data (i.e., stop sending Tim or Tammy in a truck down to a facility when you can view data showing the anomalous activity remotely). Modern pipeline security is an enabler of operational maturity.

Visibility Provides Insight Into Operational Performance and Efficiency

Operational performance is one of the key measures of success for any pipeline business. High availability, scalability, and dependable performance do not happen by accident. They depend on regular monitoring, analysis, and informed decision-making.

By increasing visibility at the OT edge, organizations gain insight into how the entire operation is performing, not just isolated fragments of it. They can identify congestion, discover bottlenecks, detect hardware or communications issues earlier, and understand whether a problem is local, systemic, operational, or security-related. That broader context is one of the most valuable outcomes of investing in pipeline security and visibility together.

The Ultimate Goals: Safety & Reliability

Asset owners, operators, and analysts in critical infrastructure usually don’t pursue cybersecurity for its own sake… they want safety and reliability. While implementing foundational security basics, maintaining compliance with new regulations, and increasing visibility into the edge of your networks are all important, it all comes down to safety and reliability.

International pipeline operations are a critical dependency for many other organizations, and consumers and regulatory entities will continue to focus on the reliability and security of the industry.

Whether you choose to use a software solution like EmberOT or any other monitoring and detection platform, gaining visibility into the edge of your OT networks will help to reduce risk, improve uptime, strengthen response, and support safer, more reliable operations.

~Jori 🤘🔥