OT Security for Pipelines: TSA-Aligned Best Practices

OT Security for Pipelines explained for US organizations — clear, practical guidance to protect critical operations. Learn the essentials with CyberSilo.

📅 Published: June 2026 🔐 Cybersecurity • Critical Infra • USA ⏱️ 2,200 words

OT security for pipelines requires a defense-in-depth strategy aligned with the TSA Security Directives. Under the current SD-01A and SD-02A directives, pipeline owners and operators must identify critical cyber systems, implement containment measures, and report incidents to CISA within 12 hours, building toward full compliance with the Transportation Security Administration’s (TSA) pipeline cybersecurity requirements.

The Colonial Pipeline ransomware attack in May 2021 fundamentally reshaped the operational technology (OT) security landscape for U.S. pipeline operators. In response, TSA issued a series of Security Directives that impose binding cybersecurity obligations on owners and operators of hazardous liquid and natural gas pipelines. For cybersecurity leaders in critical infrastructure organizations, this regulatory framework is not optional; it is enforceable via civil penalties of up to $13,383 per day per violation, adjusted annually for inflation.

This guide provides OT security professionals, CISOs, and compliance officers with actionable best practices for achieving and maintaining TSA-aligned pipeline security. We break down the directive requirements, operational controls, and practical implementation steps that map directly to your compliance obligations.

What Do TSA's Pipeline Security Directives Require?

TSA issued Security Directive SD-01A (effective July 2021, superseding SD-01) and SD-02A (effective May 2022) to impose mandatory cybersecurity requirements on U.S. pipeline operators. These directives apply to all owners and operators of hazardous liquid and natural gas pipelines that are subject to 49 CFR Parts 190–199, covering an estimated 2.7 million miles of pipeline infrastructure.

The core requirements under the current TSA directives include:

These directive requirements are layered on top of existing regulatory obligations under the Pipeline and Hazardous Materials Safety Administration (PHMSA) and are informed by the NIST Cybersecurity Framework (CSF) 2.0 and NIST SP 800-82 Rev. 3 (Guide to Industrial Control Systems Security).

Key Takeaway: TSA directives are not static recommendations. They are legally binding and enforceable. Non-compliance can result in civil penalties, operational shutdown orders, and referral to the Department of Justice (DOJ) for criminal prosecution under 49 U.S.C. § 60101 et seq. As of 2025, TSA has conducted over 50 cybersecurity inspections and assessments of pipeline operators. Your organization should treat the directives as minimum baseline controls — not the ceiling of your OT security program.

The OT Security Threat Landscape for U.S. Pipelines

Pipeline OT environments face a distinct set of threats that differ sharply from traditional IT security concerns. Understanding these threats is a prerequisite for building an effective defense program that meets TSA expectations.

Ransomware Targeting ICS/SCADA

The Colonial Pipeline attack demonstrated that ransomware groups (in that case, DarkSide) do not need to compromise OT directly to cause operational impact. After the attackers encrypted IT billing and business systems, Colonial Pipeline’s operator took the pipeline offline proactively to prevent potential OT infection. The attack cost the company $4.4 million in ransom (later partially recovered by DOJ) and caused fuel shortages across the U.S. East Coast for up to 11 days.

CISA’s 2023 Risk Management Year in Review noted that ransomware remains the most prevalent threat to critical infrastructure, with 49% of all reported incidents involving ransomware. For pipeline operators, the attack surface includes remote access points (VPNs, jump hosts), third-party vendor connections, and unsegmented IT/OT networks — all of which are prioritized under the TSA directive requirements.

State-Sponsored APT Operations

Advanced persistent threat (APT) groups sponsored by nation-states target U.S. pipeline infrastructure for espionage, prepositioning, and potential disruption. The 2022 attack on Colonial Pipeline’s OT environment was attributed by CISA to state-aligned threat actors who deployed custom malware targeting safety instrumented systems. Similarly, CISA’s 2024 advisory (AA24-046A) detailed Russian state-sponsored cyber operations targeting North American energy sector OT assets, including pipeline control systems running GE, Siemens, and Rockwell Automation equipment.

CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and the TSA directives both emphasize the need for detection and response capabilities against advanced threats, not just commodity ransomware.

Insider and Third-Party Vendor Threats

Pipeline OT environments rely heavily on third-party vendors for system integration, remote monitoring, and maintenance. CISA reported that 59% of energy sector breaches in 2023 involved third-party access. A compromised vendor remote-access account — often lacking multi-factor authentication (MFA) — can provide attackers a direct path into pipeline control networks. TSA Directive SD-02A specifically mandates that operators identify and manage risks associated with third-party access to critical cyber systems.

TSA-Aligned OT Security Best Practices: A Step-by-Step Implementation Guide

Below is a practical, phased approach to implementing OT security controls that map directly to TSA directive requirements. These steps follow the NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) and align with the Cybersecurity and Infrastructure Security Agency (CISA) performance goals for critical infrastructure.

1. Designate and Empower Your Cybersecurity Coordinator

TSA requires each pipeline operator to designate a primary and alternate Cybersecurity Coordinator who is available 24/7. This person must have executive authority to make security decisions, including taking critical systems offline if necessary. Ensure the coordinator has direct reporting lines to the CEO or board, not just the IT department. Document the designation in corporate records and notify TSA and CISA of the coordinator's direct contact information.

2. Inventory and Classify All Critical Cyber Systems

Develop and maintain a comprehensive inventory of all cyber assets that could affect pipeline safety or reliability. This includes programmable logic controllers (PLCs), remote terminal units (RTUs), distributed control systems (DCS), safety instrumented systems (SIS), human-machine interfaces (HMIs), historians, engineering workstations, and supporting network infrastructure. Classify each system by criticality (high, medium, low) based on its potential impact on pipeline operations if compromised. TSA requires this inventory to be updated at least every 12 months or within 30 days of any significant network change.

3. Implement Network Segmentation Between IT and OT Environments

Network segmentation is a mandatory requirement under TSA SD-02A. Deploy a demilitarized zone (DMZ) architecture with a unidirectional gateway or next-generation firewall (NGFW) enforcing strict traffic flows between IT and OT networks. All OT traffic should be inspected and logged. Prohibit direct IT-to-OT connections. Use industrial protocol-aware firewalls (e.g., Tofino, Claroty, Dragos Platform) that can inspect proprietary ICS protocols such as Modbus TCP, DNP3, OPC-DA, and PROFINET. Document the segmentation architecture as part of your cybersecurity design review required by TSA.

4. Deploy Multi-Factor Authentication (MFA) for All Access to Critical Cyber Systems

TSA directives require MFA for all remote and local access to critical cyber systems. This includes engineering workstations, HMIs, and the OT network infrastructure. Use hardware-backed tokens (FIDO2, smart cards) or time-based one-time passwords (TOTP) rather than SMS-based MFA, which is vulnerable to SIM-swapping attacks. For legacy OT systems that cannot natively support MFA, implement a tiered access approach using jump hosts or bastion hosts that enforce MFA and log all session activity. CISA’s CPG 2.0 explicitly prioritizes MFA as a "common baseline" control for critical infrastructure.

5. Deploy Continuous OT Network Monitoring and Anomaly Detection

TSA SD-02A requires operators to implement continuous monitoring of critical cyber systems. Deploy an OT-native network detection and response (NDR) solution capable of baselining normal ICS/SCADA traffic patterns and alerting on anomalies. Solutions such as Nozomi Networks, Dragos, and Claroty provide deep packet inspection (DPI) for industrial protocols. Ensure that security information and event management (SIEM) integration is in place to correlate OT alerts with IT threat intelligence. This mapping supports TSA’s requirement to "maintain situational awareness" of the cyber environment. For organizations seeking a unified approach, CyberSilo Threat Exposure Management provides continuous visibility across IT and OT attack surfaces, aligning with TSA monitoring mandates.
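The two controls above, protocol-aware filtering at the IT/OT boundary (step 3) and baselining of normal ICS conversations (step 5), share one building block: decoding the industrial protocol. The following added example (not from the article or any vendor product named in it) implements that for Modbus/TCP: it parses the MBAP header and function code, applies a constructed zone allowlist in which the HMI zone may only read and the engineering zone may also write, and learns a conversation baseline that flags unseen (source, destination, unit, function) tuples. The zone addresses, policy and sample frames are all constructed for illustration.

```python
import ipaddress
import struct

# Zone policy (constructed for illustration): hosts in the HMI zone may only
# read process values; only the engineering zone may write coils or registers.
READ_FUNCS = {1, 2, 3, 4}       # read coils / discrete inputs / registers
WRITE_FUNCS = {5, 6, 15, 16}    # write single or multiple coils / registers
ZONES = {ipaddress.ip_network("10.1.0.0/24"): "hmi",
         ipaddress.ip_network("10.2.0.0/24"): "eng"}
ZONE_POLICY = {"hmi": READ_FUNCS, "eng": READ_FUNCS | WRITE_FUNCS}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in ZONES.items() if addr in net), "unknown")

def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP frame."""
    if len(payload) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                    # Modbus protocol identifier is always 0
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:    # length field covers unit id plus PDU
        raise ValueError("MBAP length mismatch")
    return {"tid": tid, "unit": unit, "func": payload[7]}

def firewall_verdict(src, dst, payload):
    """Allowlist decision a protocol-aware IT/OT boundary firewall would make."""
    try:
        pdu = parse_modbus_tcp(payload)
    except ValueError as err:
        return "deny", "malformed Modbus/TCP: %s" % err
    zone = zone_of(src)
    if pdu["func"] not in ZONE_POLICY.get(zone, set()):
        return "deny", "func %d not permitted from zone %s" % (pdu["func"], zone)
    return "allow", "func %d %s -> %s unit %d" % (pdu["func"], src, dst, pdu["unit"])

class ConversationBaseline:
    """Learns (src, dst, unit, func) conversations during a baselining window,
    then flags anything unseen: the core of OT NDR anomaly detection."""

    def __init__(self):
        self.known = set()
        self.learning = True

    def observe(self, src, dst, payload):
        try:
            pdu = parse_modbus_tcp(payload)
        except ValueError:
            return "malformed"
        key = (src, dst, pdu["unit"], pdu["func"])
        if self.learning:
            self.known.add(key)
            return "learned"
        return "known" if key in self.known else "anomaly"

# Constructed sample frames: read 10 holding registers (func 3) from address 0,
# and write 0x00FF to holding register 16 (func 6); unit id 1 in both.
READ_HR = bytes.fromhex("00010000000601030000000a")
WRITE_REG = bytes.fromhex("0002000000060106001000ff")

if __name__ == "__main__":
    print(firewall_verdict("10.1.0.5", "10.3.0.10", READ_HR))    # allow
    print(firewall_verdict("10.1.0.5", "10.3.0.10", WRITE_REG))  # deny: HMI may not write
```

In a real deployment the baseline would be learned from a mirror port over a representative operating period and reviewed by the control engineers before enforcement, since any conversation captured during learning is treated as normal.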

6. Develop and Test a Cybersecurity Incident Response Plan (CSIRP)

Your CSIRP must define clear roles, communication protocols, and technical procedures for containing and eradicating threats in OT environments. Plans must be tested at least annually through tabletop exercises and, where feasible, live-fire simulations. TSA specifically requires that exercises include scenarios involving ransomware, denial-of-service, and compromise of safety instrumented systems. Document exercise results, identify gaps, and update the plan within 60 days of each test. Maintain records for TSA inspection.

7. Establish Incident Reporting Procedures Aligned with CISA Requirements

TSA mandates that confirmed and suspected incidents are reported to CISA within 12 hours. This requirement overlaps with CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022), which will mandate reporting within 72 hours for ransomware payments and 24 hours for certain covered incidents once final rules are effective (expected mid-2025). Designate a reporting team that includes the Cybersecurity Coordinator, legal counsel, and public affairs. Use CISA’s Incident Reporting System (CIRS) portal for submissions. Ensure your CSIRP includes pre-drafted reporting templates to speed the 12-hour response window.

8. Conduct and Document the Cybersecurity Architecture Design Review

TSA SD-02A requires a one-time cybersecurity architecture design review, with findings and remediation plans submitted to TSA. This review must assess the security of network segmentation, remote access, patch management, vendor connections, and backup/recovery capabilities. Engage an independent third-party assessor with OT security experience (e.g., an ISA/IEC 62443-2-1-certified assessor). Submit the review report to TSA with a timeline for addressing identified deficiencies. Use the findings to inform your continuous improvement roadmap.

9. Implement a Secure Remote Access Program for Vendors and Employees

Where remote access is necessary, deploy a secure remote access (SRA) solution that enforces MFA, session recording, and keystroke logging. Use a dedicated SRA gateway that is logically separate from the OT network. Terminate all vendor remote access sessions daily. Implement a least-privilege model where users are granted access only to the specific systems required for their role. CISA advisory AA24-029A highlights that remote access compromises were the vector in 38% of critical infrastructure incidents in 2024.

10. Establish a Backup and Recovery Strategy for OT Systems

TSA directives implicitly require that operators be able to recover from cyber incidents. Implement immutable backups for critical OT configurations including PLC/RTU firmware, DCS controller configurations, historian databases, and HMI projects. Store backups offline or in an air-gapped environment. Test recovery procedures at least once per quarter. Document recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical system, ensuring they support safe pipeline operations.

Ready to Align Your OT Security with TSA Directives?

CyberSilo's Threat Exposure Management solution provides continuous visibility across your IT and OT attack surfaces, mapping directly to TSA monitoring and reporting requirements. Our team of former critical infrastructure security professionals can guide you through the architecture design review, CSIRP development, and compliance validation process.

How TSA Directives Map to NIST CSF 2.0 and CISA CPGs

Understanding the mapping between TSA directive requirements and the broader compliance ecosystem helps operators avoid duplicative effort. The table below aligns TSA SD-01A/SD-02A requirements with NIST CSF 2.0 functions and CISA Cross-Sector Cybersecurity Performance Goals (CPGs).

| TSA Directive Requirement | NIST CSF 2.0 Function | CISA CPG Reference | Implementation Priority |
|---|---|---|---|
| Designate Cybersecurity Coordinator | Govern (GV.OC) | CPG 1.A | Critical |
| Inventory critical cyber systems | Identify (ID.AM) | CPG 2.A | Critical |
| Network segmentation (IT/OT DMZ) | Protect (PR.AC) | CPG 2.D | Critical |
| MFA for all access to critical systems | Protect (PR.AA) | CPG 1.B | Critical |
| Continuous OT monitoring | Detect (DE.CM) | CPG 2.E | Critical |
| Incident reporting to CISA (12-hour window) | Respond (RS.CO) | CPG 3.B | Critical |
| Cybersecurity architecture design review | Identify (ID.RA) | CPG 3.D | High |
| CSIRP development and annual testing | Respond (RS.RP) | CPG 3.A | High |
| Secure remote access program | Protect (PR.AC) | CPG 1.C | High |
| Backup and recovery for OT systems | Recover (RC.RP) | CPG 2.F | High |

This mapping demonstrates that TSA directives are not an isolated regulatory burden — they are consistent with the broader national approach to critical infrastructure security set by CISA and NIST. Operators who achieve robust TSA compliance are also well-positioned for NIST SP 800-171 (required for federal contractors), NERC CIP (for electric utilities that also own pipelines), and emerging CIRCIA incident reporting obligations.

Compliance Integration Tip: Use a unified compliance management platform to track evidence across all frameworks. CyberSilo Compliance Standards Automation helps pipeline operators map TSA directive controls to NIST CSF, CISA CPGs, and 20+ other frameworks simultaneously — reducing audit preparation time by up to 60%.

Common Challenges in Pipeline OT Security Implementation

Even with regulatory clarity, pipeline operators face significant technical and operational hurdles when implementing TSA-aligned security. Understanding these challenges upfront allows for better planning and resource allocation.

Legacy ICS/SCADA Equipment Without Security Capabilities

Many pipelines still run on programmable logic controllers (PLCs) and remote terminal units (RTUs) that are 15–20 years old, running proprietary, unpatched operating systems. These devices typically lack built-in logging, encryption, or authentication capabilities. Forcing security agents onto these devices is often infeasible. Instead, deploy out-of-band network monitoring taps or port mirrors on the OT network to monitor traffic without impacting operational continuity. Where feasible, replace end-of-life devices with modern equivalents that support ISA/IEC 62443-4-2 security-by-design principles.

Bandwidth Limitations in Remote Pipeline Locations

Pipeline assets — including pump stations, valve sites, and meter stations — are often located in remote areas with limited or unreliable connectivity (satellite or cellular at 1–5 Mbps). Sending full packet captures from these locations is impractical. Use edge-based data processing: deploy OT monitoring sensors at each remote site that pre-process network data, discard benign traffic, and send only correlated alerts or summary telemetry to the central SOC. This approach aligns with CISA’s guidance for constrained operational environments.
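The edge-processing pattern described above, as an added example that is not part of the original article: a site sensor that consumes already-decoded Modbus conversation records, forwards an alert immediately only for write operations (a constructed policy for an unattended site), and rolls everything else into one compact per-interval summary for the central SOC. The site name, addresses and traffic profile are constructed; the simulation returns the raw byte volume versus what would actually cross the WAN link.

```python
import json
from collections import Counter

SUMMARY_INTERVAL_S = 60                   # one summary per minute (assumption)
WRITE_FUNCS = frozenset({5, 6, 15, 16})   # Modbus writes: forwarded at once

class EdgeSummarizer:
    """Runs on the remote-site sensor: sends policy alerts immediately, keeps
    per-conversation counters for all other traffic, and ships one small
    summary per interval instead of the packets themselves."""

    def __init__(self, site):
        self.site = site
        self.window_start = None
        self.pkts = Counter()
        self.octets = Counter()
        self.uplink = []             # messages that would cross the WAN link

    def ingest(self, rec):
        """rec: decoded record with keys ts, src, dst, unit, func, size."""
        if self.window_start is None:
            self.window_start = rec["ts"]
        if rec["ts"] - self.window_start >= SUMMARY_INTERVAL_S:
            self.flush(rec["ts"])
        key = (rec["src"], rec["dst"], rec["unit"], rec["func"])
        self.pkts[key] += 1
        self.octets[key] += rec["size"]
        if rec["func"] in WRITE_FUNCS:   # do not wait for the interval to end
            self.uplink.append({"type": "alert", "site": self.site,
                                "ts": rec["ts"], "src": rec["src"],
                                "dst": rec["dst"], "unit": rec["unit"],
                                "func": rec["func"]})

    def flush(self, now):
        flows = [{"src": k[0], "dst": k[1], "unit": k[2], "func": k[3],
                  "pkts": n, "bytes": self.octets[k]}
                 for k, n in sorted(self.pkts.items())]
        self.uplink.append({"type": "summary", "site": self.site,
                            "from": self.window_start, "to": now,
                            "flows": flows})
        self.pkts.clear()
        self.octets.clear()
        self.window_start = now

    def uplink_bytes(self):
        return sum(len(json.dumps(m)) for m in self.uplink)

def simulate():
    """Constructed traffic: an HMI polls a PLC once a second for a minute, then
    one register write arrives. Returns (raw_bytes, uplink_bytes, messages)."""
    sensor = EdgeSummarizer("pump-station-7")
    raw = 0
    for ts in range(60):
        rec = {"ts": ts, "src": "10.1.0.5", "dst": "10.3.0.10",
               "unit": 1, "func": 3, "size": 66}
        raw += rec["size"]
        sensor.ingest(rec)
    write = {"ts": 60, "src": "10.2.0.7", "dst": "10.3.0.10",
             "unit": 1, "func": 6, "size": 66}
    raw += write["size"]
    sensor.ingest(write)
    sensor.flush(61)
    return raw, sensor.uplink_bytes(), sensor.uplink
```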

Skilled Workforce Shortage in OT Security

The demand for cybersecurity professionals with both IT security and ICS/OT domain expertise far outstrips supply. According to the 2024 ICS/OT Cybersecurity Workforce Report by Dragos, 49% of energy organizations report difficulty hiring OT security analysts. Mitigate this by augmenting in-house teams with managed SOC services in the USA that offer 24/7 OT monitoring coverage and access to threat intelligence specific to the energy sector.

Building a TSA-Ready Incident Response Plan for Pipeline Environments

Your Cybersecurity Incident Response Plan (CSIRP) must address the unique realities of OT environments. Unlike IT systems, you cannot simply reboot or reformat a compromised PLC if it controls a high-pressure natural gas pipeline. Below are the critical components TSA inspectors expect to see in your CSIRP.

Define OT-Specific Scenarios

Your tabletop exercises should cover at least three distinct OT attack scenarios per annual cycle:

Define Communication Protocols with Regulators

Include a specific protocol for notifying TSA and CISA within the 12-hour reporting window. This should include:

Define OT Recovery Procedures

For each critical system, document step-by-step recovery procedures that include:

Need Help Building Your Pipeline CSIRP?

CyberSilo's incident response team has directly supported pipeline operators in real-world ransomware and state-sponsored intrusion scenarios. We combine OT domain expertise with regulatory submission readiness to ensure your plan meets TSA and CISA expectations.

The Path Forward: What's Coming for Pipeline Cybersecurity

TSA has signaled that the current Security Directives will eventually be replaced by a permanent regulation under 49 CFR. In TSA's 2024 Advance Notice of Proposed Rulemaking (ANPRM), the agency requested public comment on requirements including:

Additionally, the Cybersecurity and Infrastructure Security Agency's 2025 Roadmap for Critical Infrastructure Resilience identifies pipeline OT systems as a priority area for cross-sector information sharing. Operators should prepare for more prescriptive requirements around supply chain assurance, including vulnerability disclosure programs for OT hardware and firmware.

The TSA cybersecurity compliance page on CyberSilo is updated quarterly to reflect regulatory changes and provides a consolidated resource for pipeline operators navigating this evolving landscape.

Our Conclusion & Recommendation

TSA-aligned OT security for pipelines is no longer a discretionary investment — it is a binding regulatory requirement with enforceable penalties. The Colonial Pipeline attack demonstrated that the consequences of insufficient OT security extend far beyond the balance sheet, affecting fuel supply chains, public safety, and national security. For CISOs and compliance officers in pipeline organizations, the path forward requires a systematic approach: inventory critical systems, enforce network segmentation and MFA, deploy continuous monitoring, and maintain a battle-tested incident response plan.

The organizations that invest in robust OT security now will be best positioned to meet incoming regulatory obligations under the forthcoming TSA permanent rule and CIRCIA requirements. CyberSilo's Threat Exposure Management solution provides continuous visibility, risk prioritization, and evidence collection across your entire OT attack surface — helping you demonstrate compliance and build cyber resilience. We recommend scheduling a compliance assessment to benchmark your current posture against TSA requirements and identify gaps before your next inspection.

Get a TSA Compliance Assessment

Our critical infrastructure security experts will map your current OT security controls to TSA directives, NIST CSF 2.0, and CISA CPGs — delivering a prioritized remediation roadmap within two weeks.
