TSA Pipeline Cybersecurity Directives
Mandatory cybersecurity requirements for pipeline operators
// What is TSA Pipeline Security?
Following the Colonial Pipeline ransomware attack in May 2021, TSA issued mandatory cybersecurity directives for pipeline operators designated as critical to national security. These directives replaced decades of voluntary guidelines with enforceable requirements.
The directives require pipeline operators to implement specific cybersecurity measures, report incidents to CISA, designate a cybersecurity coordinator, and develop remediation plans for identified gaps. Unlike voluntary frameworks, non-compliance can result in civil penalties of up to approximately $15,000 per day.
TSA has progressively updated these requirements, with Security Directive 2021-02D (July 2023) providing performance-based requirements that allow operators flexibility in implementation while meeting security outcomes. The directives apply to owners and operators of pipelines that have been notified by TSA that they are critical.
// Inside the Regulation
TSA's pipeline security directives establish specific cybersecurity requirements across multiple security domains. Operators must implement these controls and maintain evidence of compliance.
Incident Reporting
SD Pipeline-2021-01: Mandatory reporting requirements for cybersecurity incidents.
CISA Reporting
Report cybersecurity incidents to CISA within 12 hours of identification.
Incident Types
Report unauthorized access, denial of service, malware, and other significant incidents.
Primary Contact
Designate a 24/7 primary and alternate cybersecurity coordinator for incident reporting.
Cybersecurity Implementation Plan
SD Pipeline-2021-02D: Comprehensive security measures owners/operators must implement.
Network Segmentation
Implement network segmentation policies ensuring OT systems can operate if IT systems are compromised.
Access Control
Implement access control measures preventing unauthorized access to critical cyber systems.
Continuous Monitoring
Build continuous monitoring and detection capabilities for cybersecurity threats.
Patch Management
Apply security patches and updates using a risk-based methodology, addressing critical vulnerabilities in a timely manner.
Password Policies
Implement password policies that meet complexity and change requirements, and require MFA for remote access.
Cybersecurity Assessment
SD Pipeline-2021-02D: Requirements for assessing and testing security controls.
Architecture Assessment
Assess current cybersecurity architecture to identify gaps and vulnerabilities.
Penetration Testing
Conduct penetration testing of IT and OT systems annually at minimum.
Third-Party Assessment
Conduct an independent third-party assessment of the cybersecurity implementation plan.
Incident Response
SD Pipeline-2021-02D: Requirements for responding to and recovering from incidents.
Response Plan
Develop and maintain a cybersecurity incident response plan specific to pipeline operations.
Annual Testing
Test incident response capabilities annually through tabletop or functional exercises.
Recovery Capabilities
Maintain capabilities to restore systems from known-good backups within established timeframes.
Note: TSA conducts inspections to verify compliance. Operators must maintain documentation evidencing implementation of required measures. TSA has authority to require additional measures based on threat intelligence or identified vulnerabilities.
// Who Must Comply
- Owners/operators of hazardous liquid pipelines designated critical
- Owners/operators of natural gas and gas transmission pipelines designated critical
- Pipeline facility operators notified by TSA of designation
- Operators of liquefied natural gas facilities with TSA notification
// Key Requirements
Incident Reporting
Report cybersecurity incidents to CISA within 12 hours with designated 24/7 coordinator
Network Segmentation
Implement segmentation ensuring OT can operate independently if IT is compromised
Access Control
Prevent unauthorized access with strong authentication and MFA for remote access
Continuous Monitoring
Build detection capabilities for cybersecurity threats and anomalies
Patch Management
Risk-based patching with timely remediation of critical vulnerabilities
Annual Assessment
Annual penetration testing and independent third-party security assessment
// Enforcement & Penalties
TSA has authority to impose civil penalties for non-compliance with security directives. Penalties can be significant and accumulate daily. Operators may also face enforcement actions affecting their ability to operate.
~$15,000 per day per violation
Examples:
- Daily accumulating penalties for failure to implement required controls
- Additional penalties for failure to report incidents within required timeframes
- Enforcement actions for repeated or willful non-compliance
- Operational restrictions for critical security gaps
// Cyber Insurance Impact
Pipeline cyber insurance policies now routinely ask about TSA directive compliance. Insurers may require evidence of compliance as a condition of coverage for pipeline operations. Non-compliance could void coverage or result in claim denials following an incident.
// How Breach Craft Helps
We help organizations achieve TSA Pipeline Security compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of TSA Pipeline Security.
Gap Assessment
Measure your security against industry standards.
Penetration Testing
Find the gaps before attackers do.
Vulnerability Assessment
Comprehensive security scanning and risk prioritization.
Tabletop Exercises
Practice your incident response.
Virtual CISO
Executive security leadership on demand.