OT security for pipelines requires a defense-in-depth strategy aligned with the TSA Security Directives. Under the current SD-01A and SD-02A directives, pipeline owners and operators must identify critical cyber systems, implement containment measures, and report incidents to CISA within 12 hours, building toward full compliance with the Transportation Security Administration's (TSA) pipeline cybersecurity requirements.
The Colonial Pipeline ransomware attack in May 2021 fundamentally reshaped the operational technology (OT) security landscape for U.S. pipeline operators. In response, TSA issued a series of Security Directives that impose binding cybersecurity obligations on owners and operators of hazardous liquid and natural gas pipelines. For cybersecurity leaders in critical infrastructure organizations, this regulatory framework is not optional; it is enforceable via civil penalties of up to $13,383 per day per violation, adjusted annually for inflation.
This guide provides OT security professionals, CISOs, and compliance officers with actionable best practices for achieving and maintaining TSA-aligned pipeline security. We break down the directive requirements, operational controls, and practical implementation steps that map directly to your compliance obligations.
What Do TSA's Pipeline Security Directives Require?
TSA issued Security Directive SD-01A (effective July 2021, superseding SD-01) and SD-02A (effective May 2022) to impose mandatory cybersecurity requirements on U.S. pipeline operators. These directives apply to all owners and operators of hazardous liquid and natural gas pipelines that are subject to 49 CFR Parts 190–199, covering an estimated 2.7 million miles of pipeline infrastructure.
The core requirements under the current TSA directives include:
- Designation of a Cybersecurity Coordinator — A single point of contact available to TSA and CISA 24/7 for cybersecurity incident coordination.
- Reporting of confirmed and suspected cybersecurity incidents — Any incident that impacts or could impact pipeline operations must be reported to CISA within 12 hours of confirmation. This includes ransomware, unauthorized access to OT systems, and denial-of-service attacks affecting ICS/SCADA environments.
- Identification and assessment of critical cyber systems — Operators must inventory all digital control systems, safety instrumented systems (SIS), and supporting IT networks that could affect pipeline safety or reliability.
- Implementation of containment measures — Network segmentation between IT and OT environments, application of access controls, and deployment of continuous monitoring capabilities are mandatory.
- Development and testing of a Cybersecurity Incident Response Plan (CSIRP) — Plans must be tested at least annually, with results documented and provided to TSA upon request.
- Conducting a cybersecurity architecture design review — A one-time review, with findings and remediation plans submitted to TSA.
These directive requirements are layered on top of existing regulatory obligations under the Pipeline and Hazardous Materials Safety Administration (PHMSA) and are informed by the NIST Cybersecurity Framework (CSF) 2.0 and NIST SP 800-82 Rev. 3 (Guide to Industrial Control Systems Security).
Key Takeaway: TSA directives are not static recommendations. They are legally binding and enforceable. Non-compliance can result in civil penalties, operational shutdown orders, and referral to the Department of Justice (DOJ) for criminal prosecution under 49 U.S.C. § 60101 et seq. As of 2025, TSA has conducted over 50 cybersecurity inspections and assessments of pipeline operators. Your organization should treat the directives as minimum baseline controls — not the ceiling of your OT security program.
The OT Security Threat Landscape for U.S. Pipelines
Pipeline OT environments face a distinct set of threats that differ sharply from traditional IT security concerns. Understanding these threats is a prerequisite for building an effective defense program that meets TSA expectations.
Ransomware Targeting ICS/SCADA
The Colonial Pipeline attack demonstrated that ransomware groups (in that case, DarkSide) do not need to compromise OT directly to cause operational impact. After the ransomware encrypted IT billing and business systems, Colonial Pipeline’s operator took the pipeline offline proactively to prevent potential OT infection. The attack cost the company $4.4 million in ransom (later partially recovered by DOJ) and caused fuel shortages across the U.S. East Coast for up to 11 days.
CISA’s 2023 Risk Management Year in Review noted that ransomware remains the most prevalent threat to critical infrastructure, with 49% of all reported incidents involving ransomware. For pipeline operators, the attack surface includes remote access points (VPNs, jump hosts), third-party vendor connections, and unsegmented IT/OT networks — all of which are prioritized under the TSA directive requirements.
State-Sponsored APT Operations
Advanced persistent threat (APT) groups sponsored by nation-states target U.S. pipeline infrastructure for espionage, prepositioning, and potential disruption. The 2022 attack on Colonial Pipeline’s OT environment was attributed by CISA to state-aligned threat actors who deployed custom malware targeting safety instrumented systems. Similarly, CISA’s 2024 advisory (AA24-046A) detailed Russian state-sponsored cyber operations targeting North American energy sector OT assets, including pipeline control systems running GE, Siemens, and Rockwell Automation equipment.
CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and the TSA directives both emphasize the need for detection and response capabilities against advanced threats, not just commodity ransomware.
Insider and Third-Party Vendor Threats
Pipeline OT environments rely heavily on third-party vendors for system integration, remote monitoring, and maintenance. CISA reported that 59% of energy sector breaches in 2023 involved third-party access. A compromised vendor remote-access account — often lacking multi-factor authentication (MFA) — can provide attackers a direct path into pipeline control networks. TSA Directive SD-02A specifically mandates that operators identify and manage risks associated with third-party access to critical cyber systems.
TSA-Aligned OT Security Best Practices: A Step-by-Step Implementation Guide
Below is a practical, phased approach to implementing OT security controls that map directly to TSA directive requirements. These steps follow the NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) and align with the Cybersecurity and Infrastructure Security Agency (CISA) performance goals for critical infrastructure.
Designate and Empower Your Cybersecurity Coordinator
TSA requires each pipeline operator to designate a primary and alternate Cybersecurity Coordinator who is available 24/7. This person must have executive authority to make security decisions, including taking critical systems offline if necessary. Ensure the coordinator has direct reporting lines to the CEO or board, not just the IT department. Document the designation in corporate records and notify TSA and CISA of the coordinator's direct contact information.
Inventory and Classify All Critical Cyber Systems
Develop and maintain a comprehensive inventory of all cyber assets that could affect pipeline safety or reliability. This includes programmable logic controllers (PLCs), remote terminal units (RTUs), distributed control systems (DCS), safety instrumented systems (SIS), human-machine interfaces (HMIs), historians, engineering workstations, and supporting network infrastructure. Classify each system by criticality (high, medium, low) based on its potential impact on pipeline operations if compromised. TSA requires this inventory to be updated at least every 12 months or within 30 days of any significant network change.
Implement Network Segmentation Between IT and OT Environments
Network segmentation is a mandatory requirement under TSA SD-02A. Deploy a demilitarized zone (DMZ) architecture with a unidirectional gateway or next-generation firewall (NGFW) enforcing strict traffic flows between IT and OT networks. All OT traffic should be inspected and logged. Prohibit direct IT-to-OT connections. Use industrial protocol-aware firewalls (e.g., Tofino, Claroty, Dragos Platform) that can inspect proprietary ICS protocols such as Modbus TCP, DNP3, OPC-DA, and PROFINET. Document the segmentation architecture as part of your cybersecurity design review required by TSA.
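The segmentation rule above (IT talks only to the DMZ, only the DMZ talks to OT, and only over the listed industrial protocols) can be checked mechanically against exported firewall or flow logs. The script below is an added example written for this article, not code from the page or from any of the vendors it names. The zone address ranges, the allow-list and the flow records are all constructed; in practice they would come from your segmentation design document and your NGFW's log export.

```python
"""Audit observed network flows against an IT / OT-DMZ / OT segmentation policy.

Added example, not from the original article or any vendor product. It assumes
three zones (IT, DMZ, OT) and the policy that IT may only reach the DMZ and only
the DMZ may reach OT, over explicitly listed protocols. All addresses and flow
records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone addressing; replace with the ranges from your design review.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Allow-list of (source zone, destination zone, destination port).
ALLOWED_FLOWS = {
    ("IT", "DMZ", 443),     # IT users to the DMZ historian / web front end
    ("DMZ", "OT", 502),     # DMZ data collector polling Modbus TCP
    ("DMZ", "OT", 20000),   # DMZ data collector polling DNP3
    ("OT", "OT", 502),      # SCADA master to PLCs inside OT
    ("OT", "OT", 20000),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def evaluate_flow(flow: Flow) -> str:
    """Return 'allow' or a 'deny: ...' string explaining the policy violation."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (src_zone, dst_zone):
        return f"deny: unclassified address ({flow.src} -> {flow.dst})"
    if src_zone == "IT" and dst_zone == "OT":
        return "deny: direct IT-to-OT connection bypasses the DMZ"
    if (src_zone, dst_zone, flow.dport) not in ALLOWED_FLOWS:
        return f"deny: {src_zone}->{dst_zone} port {flow.dport} not in allow-list"
    return "allow"


def audit(flows):
    """Return (flow, reason) pairs for every flow that violates the policy."""
    return [(f, r) for f in flows if (r := evaluate_flow(f)) != "allow"]


# Constructed sample flow records, as they might be exported from a firewall log.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 443),     # IT workstation -> DMZ: allowed
    Flow("10.20.0.10", "10.30.1.7", 502),      # DMZ collector -> PLC: allowed
    Flow("10.10.5.23", "10.30.1.7", 502),      # IT workstation -> PLC: violation
    Flow("10.20.0.10", "10.30.1.7", 22),       # SSH from DMZ into OT: not listed
    Flow("192.168.77.4", "10.30.1.7", 502),    # unclassified address into OT
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Running the audit periodically over the NGFW's accepted-connection log, rather than only over its deny log, is what catches a misconfigured rule that silently permits an IT-to-OT path.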
Deploy Multi-Factor Authentication (MFA) for All Access to Critical Cyber Systems
TSA directives require MFA for all remote and local access to critical cyber systems. This includes engineering workstations, HMIs, and the OT network infrastructure. Use hardware-backed tokens (FIDO2, smart cards) or time-based one-time passwords (TOTP) rather than SMS-based MFA, which is vulnerable to SIM-swapping attacks. For legacy OT systems that cannot natively support MFA, implement a tiered access approach using jump hosts or bastion hosts that enforce MFA and log all session activity. CISA’s CPG 2.0 explicitly prioritizes MFA as a "common baseline" control for critical infrastructure.
Deploy Continuous OT Network Monitoring and Anomaly Detection
TSA SD-02A requires operators to implement continuous monitoring of critical cyber systems. Deploy an OT-native network detection and response (NDR) solution capable of baselining normal ICS/SCADA traffic patterns and alerting on anomalies. Solutions such as Nozomi Networks, Dragos, and Claroty provide deep packet inspection (DPI) for industrial protocols. Ensure that security information and event management (SIEM) integration is in place to correlate OT alerts with IT threat intelligence. This integration supports TSA’s requirement to "maintain situational awareness" of the cyber environment. For organizations seeking a unified approach, CyberSilo Threat Exposure Management provides continuous visibility across IT and OT attack surfaces, aligning with TSA monitoring mandates.
Develop and Test a Cybersecurity Incident Response Plan (CSIRP)
Your CSIRP must define clear roles, communication protocols, and technical procedures for containing and eradicating threats in OT environments. Plans must be tested at least annually through tabletop exercises and, where feasible, live-fire simulations. TSA specifically requires that exercises include scenarios involving ransomware, denial-of-service, and compromise of safety instrumented systems. Document exercise results, identify gaps, and update the plan within 60 days of each test. Maintain records for TSA inspection.
Establish Incident Reporting Procedures Aligned with CISA Requirements
TSA mandates that confirmed and suspected incidents are reported to CISA within 12 hours. This requirement overlaps with CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022), which will mandate reporting within 72 hours for ransomware payments and 24 hours for certain covered incidents once final rules are effective (expected mid-2025). Designate a reporting team that includes the Cybersecurity Coordinator, legal counsel, and public affairs. Use CISA’s Incident Reporting System (CIRS) portal for submissions. Ensure your CSIRP includes pre-drafted reporting templates to speed the 12-hour response window.
Conduct and Document the Cybersecurity Architecture Design Review
TSA SD-02A requires a one-time cybersecurity architecture design review, with findings and remediation plans submitted to TSA. This review must assess the security of network segmentation, remote access, patch management, vendor connections, and backup/recovery capabilities. Engage an independent third-party assessor with OT security experience (e.g., an ISA/IEC 62443-2-1-certified assessor). Submit the review report to TSA with a timeline for addressing identified deficiencies. Use the findings to inform your continuous improvement roadmap.
Implement a Secure Remote Access Program for Vendors and Employees
Where remote access is necessary, deploy a secure remote access (SRA) solution that enforces MFA, session recording, and keystroke logging. Use a dedicated SRA gateway that is logically separate from the OT network. Terminate all vendor remote access sessions daily. Implement a least-privilege model where users are granted access only to the specific systems required for their role. CISA advisory AA24-029A highlights that remote access compromises were the vector in 38% of critical infrastructure incidents in 2024.
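The MFA and remote-access rules from the two sections above (hardware-backed or TOTP MFA rather than SMS, least-privilege mapping of roles to systems, and daily termination of vendor sessions) come together at the jump host's access decision. The following is an added example of that decision logic, written for this article; it is not code from the page or from any SRA product. The roles, system names, users and timestamps are constructed, and a real jump host would take them from its directory and session store.

```python
"""Access-decision logic for an OT jump host / bastion.

Added example, not code from the article or from any vendor's secure remote
access product. It applies three rules from the text: accept only FIDO2,
smart-card or TOTP MFA (never SMS), grant each role only its own systems,
and refuse vendor sessions older than 24 hours. All users, roles, system
names and timestamps below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCEPTED_MFA = {"fido2", "smartcard", "totp"}   # SMS deliberately excluded
VENDOR_SESSION_MAX = timedelta(hours=24)

# Constructed role -> reachable-system mapping (least privilege).
ROLE_SYSTEMS = {
    "control_engineer": {"PLC-PS01", "PLC-PS02", "EWS-01"},
    "vendor_dcs_support": {"DCS-CTRL-01"},
    "historian_admin": {"HIST-01"},
}


@dataclass
class Session:
    user: str
    role: str
    is_vendor: bool
    mfa_method: str
    started_at: datetime


def authorize(session: Session, target: str, now: datetime) -> tuple[bool, str]:
    """Decide whether `session` may open a connection to `target`; return (allowed, reason)."""
    if session.mfa_method not in ACCEPTED_MFA:
        return False, f"mfa method '{session.mfa_method}' not accepted"
    if target not in ROLE_SYSTEMS.get(session.role, set()):
        return False, f"role '{session.role}' is not permitted to reach {target}"
    if session.is_vendor and now - session.started_at > VENDOR_SESSION_MAX:
        return False, "vendor session exceeded 24h and must be re-established"
    return True, "ok"


def audit_entry(session: Session, target: str, now: datetime, decision: tuple[bool, str]) -> dict:
    """Every decision, allowed or denied, produces a log record for the SIEM."""
    allowed, reason = decision
    return {
        "ts": now.isoformat(),
        "user": session.user,
        "role": session.role,
        "vendor": session.is_vendor,
        "mfa": session.mfa_method,
        "target": target,
        "allowed": allowed,
        "reason": reason,
    }


# Constructed evaluation time and sample requests.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    (Session("alice", "control_engineer", False, "fido2", NOW - timedelta(hours=1)), "PLC-PS01"),
    (Session("bob", "control_engineer", False, "sms", NOW - timedelta(hours=1)), "PLC-PS01"),
    (Session("vendor-dcs", "vendor_dcs_support", True, "totp", NOW - timedelta(hours=30)), "DCS-CTRL-01"),
    (Session("vendor-dcs", "vendor_dcs_support", True, "totp", NOW - timedelta(hours=2)), "PLC-PS01"),
    (Session("vendor-dcs", "vendor_dcs_support", True, "totp", NOW - timedelta(hours=2)), "DCS-CTRL-01"),
]


def evaluate_all(now: datetime = NOW) -> list[tuple[bool, str]]:
    """Run every sample request through authorize(); returns the decisions in order."""
    return [authorize(s, t, now) for s, t in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (session, target), decision in zip(SAMPLE_REQUESTS, evaluate_all()):
        print(audit_entry(session, target, NOW, decision))
```

The checks are ordered so that the cheapest and most general rule (MFA method) runs first and the denial reason names the single failed rule, which keeps the SIEM record unambiguous when a vendor account fails several rules at once.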
Establish a Backup and Recovery Strategy for OT Systems
TSA directives implicitly require that operators be able to recover from cyber incidents. Implement immutable backups for critical OT configurations including PLC/RTU firmware, DCS controller configurations, historian databases, and HMI projects. Store backups offline or in an air-gapped environment. Test recovery procedures at least once per quarter. Document recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical system, ensuring they support safe pipeline operations.
Ready to Align Your OT Security with TSA Directives?
CyberSilo's Threat Exposure Management solution provides continuous visibility across your IT and OT attack surfaces, mapping directly to TSA monitoring and reporting requirements. Our team of former critical infrastructure security professionals can guide you through the architecture design review, CSIRP development, and compliance validation process.
How TSA Directives Map to NIST CSF 2.0 and CISA CPGs
Understanding the mapping between TSA directive requirements and the broader compliance ecosystem helps operators avoid duplicative effort. The table below aligns TSA SD-01A/SD-02A requirements with NIST CSF 2.0 functions and CISA Cross-Sector Cybersecurity Performance Goals (CPGs).
This mapping demonstrates that TSA directives are not an isolated regulatory burden — they are consistent with the broader national approach to critical infrastructure security set by CISA and NIST. Operators who achieve robust TSA compliance are also well-positioned for NIST SP 800-171 (required for federal contractors), NERC CIP (for electric utilities that also own pipelines), and emerging CIRCIA incident reporting obligations.
Compliance Integration Tip: Use a unified compliance management platform to track evidence across all frameworks. CyberSilo Compliance Standards Automation helps pipeline operators map TSA directive controls to NIST CSF, CISA CPGs, and 20+ other frameworks simultaneously — reducing audit preparation time by up to 60%.
Common Challenges in Pipeline OT Security Implementation
Even with regulatory clarity, pipeline operators face significant technical and operational hurdles when implementing TSA-aligned security. Understanding these challenges upfront allows for better planning and resource allocation.
Legacy ICS/SCADA Equipment Without Security Capabilities
Many pipelines still run on programmable logic controllers (PLCs) and remote terminal units (RTUs) that are 15–20 years old, running proprietary, unpatched operating systems. These devices typically lack built-in logging, encryption, or authentication capabilities. Forcing security agents onto these devices is often infeasible. Instead, deploy out-of-band network monitoring taps or port mirrors on the OT network to monitor traffic without impacting operational continuity. Where feasible, replace end-of-life devices with modern equivalents that support ISA/IEC 62443-4-2 security-by-design principles.
Bandwidth Limitations in Remote Pipeline Locations
Pipeline assets — including pump stations, valve sites, and meter stations — are often located in remote areas with limited or unreliable connectivity (satellite or cellular at 1–5 Mbps). Sending full packet captures from these locations is impractical. Use edge-based data processing: deploy OT monitoring sensors at each remote site that pre-process network data, discard benign traffic, and send only correlated alerts or summary telemetry to the central SOC. This approach aligns with CISA’s guidance for constrained operational environments.
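The two ideas above, baselining normal ICS traffic and alerting on deviations (the continuous monitoring section) and pre-processing at the edge so that only alerts and summary telemetry leave a bandwidth-constrained site (this section), can be shown in one small sensor model. The block below is an added example written for this article, not code from the page or from any of the NDR products it names. It assumes the sensor already receives parsed Modbus/TCP request metadata (client address, unit ID, function code) from a SPAN port; the learning window and the traffic records are constructed.

```python
"""Edge-sensor style Modbus/TCP baselining with alert-only forwarding.

Added example, not from the article or from any monitoring product named in
it. It assumes a sensor at a remote site sees parsed Modbus/TCP request
metadata from a SPAN port, learns a baseline of (client, unit, function)
triples during a learning window, and afterwards emits only alerts plus a
compact per-interval summary. All traffic records are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Modbus function codes that change controller state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class ModbusRequest:
    ts: int          # seconds since epoch (constructed)
    client: str      # requesting host
    unit_id: int     # Modbus unit identifier
    function: int    # Modbus function code


@dataclass
class EdgeSensor:
    site: str
    learning_until: int
    baseline: set = field(default_factory=set)       # (client, unit_id, function)
    known_clients: set = field(default_factory=set)

    def observe(self, req: ModbusRequest) -> list[str]:
        """Process one request; return zero or more alert strings."""
        key = (req.client, req.unit_id, req.function)
        if req.ts < self.learning_until:
            # Learning window: assume traffic is benign and record it.
            self.baseline.add(key)
            self.known_clients.add(req.client)
            return []
        alerts = []
        if req.client not in self.known_clients:
            alerts.append(f"{self.site}: new Modbus client {req.client} polling unit {req.unit_id}")
        if req.function in WRITE_FUNCTIONS and key not in self.baseline:
            alerts.append(f"{self.site}: unbaselined write FC{req.function} "
                          f"from {req.client} to unit {req.unit_id}")
        return alerts

    def summarize(self, requests: list[ModbusRequest]) -> dict:
        """Compact telemetry for the SOC: counts per function code and distinct clients."""
        return {
            "site": self.site,
            "requests": len(requests),
            "by_function": dict(Counter(r.function for r in requests)),
            "clients": sorted({r.client for r in requests}),
        }


def run_sensor(site: str, learning_until: int, requests: list[ModbusRequest]):
    """Feed time-ordered requests through the sensor; return (alerts, summary of post-learning traffic)."""
    sensor = EdgeSensor(site, learning_until)
    alerts = []
    for r in requests:
        alerts.extend(sensor.observe(r))
    post_learning = [r for r in requests if r.ts >= learning_until]
    return alerts, sensor.summarize(post_learning)


# Constructed traffic: SCADA master 10.30.1.10 polls (FC3) and writes a setpoint (FC6).
SAMPLE = [
    ModbusRequest(0, "10.30.1.10", 1, 3),
    ModbusRequest(5, "10.30.1.10", 1, 6),
    ModbusRequest(10, "10.30.1.10", 2, 3),
    # After the learning window: normal polls, then two anomalies.
    ModbusRequest(100, "10.30.1.10", 1, 3),
    ModbusRequest(105, "10.30.1.10", 1, 6),
    ModbusRequest(110, "10.30.1.10", 2, 16),   # multi-register write never seen in baseline
    ModbusRequest(120, "10.10.5.23", 1, 3),    # client from outside the known set
]

if __name__ == "__main__":
    alerts, summary = run_sensor("booster-station-7", learning_until=60, requests=SAMPLE)
    for a in alerts:
        print("ALERT", a)
    print("SUMMARY", summary)
```

On a 1–5 Mbps link the summary dictionary is a few hundred bytes per interval regardless of packet volume, which is the point of doing the baseline comparison at the site rather than shipping captures to the SOC.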
Skilled Workforce Shortage in OT Security
The demand for cybersecurity professionals with both IT security and ICS/OT domain expertise far outstrips supply. According to the 2024 ICS/OT Cybersecurity Workforce Report by Dragos, 49% of energy organizations report difficulty hiring OT security analysts. Mitigate this by augmenting in-house teams with managed SOC services in the USA that offer 24/7 OT monitoring coverage and access to threat intelligence specific to the energy sector.
Building a TSA-Ready Incident Response Plan for Pipeline Environments
Your Cybersecurity Incident Response Plan (CSIRP) must address the unique realities of OT environments. Unlike IT systems, you cannot simply reboot or reformat a compromised PLC if it controls a high-pressure natural gas pipeline. Below are the critical components TSA inspectors expect to see in your CSIRP.
Define OT-Specific Scenarios
Your tabletop exercises should cover at least three distinct OT attack scenarios per annual cycle:
- Scenario A: Ransomware in the IT/OT boundary — Attackers compromise an engineering workstation that has a persistent VPN connection to OT. The ransomware encrypts HMI project files. Exercise focuses on containment without shutting down the pipeline.
- Scenario B: Remote access compromise of a pump station — A third-party vendor’s credentials are stolen and used to access an RTU at a remote booster station. Exercise focuses on isolating the station and verifying integrity of control logic.
- Scenario C: Safety instrumented system (SIS) alert manipulation — Attackers modify SIS configuration to prevent emergency shutdown signals. Exercise focuses on manual override procedures and physical safety team coordination.
Define Communication Protocols with Regulators
Include a specific protocol for notifying TSA and CISA within the 12-hour reporting window. This should include:
- Primary and backup methods for reaching the CISA Central Watch Desk (telephone: 1-888-282-0870, web: CIRS portal).
- A pre-approved internal declaration authority (the Cybersecurity Coordinator or delegate) who can authorize reporting.
- Legal counsel review templates for public disclosure and SEC Form 8-K filing under the SEC Cyber Disclosure Rule (if publicly traded).
Define OT Recovery Procedures
For each critical system, document step-by-step recovery procedures that include:
- Identifying and verifying the integrity of known-good backup configurations.
- Defining the restore sequence (e.g., restore network switches before PLCs, restore DCS controllers before HMIs).
- Running post-restore validation tests (e.g., verify actuator response, pressure sensor accuracy).
- Documenting the "fail-safe" and "fail-steady" states for each controlled device.
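The first two recovery steps above, and the earlier backup section's call for immutable, tested backups of PLC/RTU, DCS and HMI configurations, can be supported with a hash manifest and a dependency-ordered restore plan. The block below is an added example written for this article, not the page's procedure or any backup product's code. It assumes each backup artifact is a file stored with a SHA-256 manifest written at backup time and kept offline with it; the file names, contents and the dependency map are constructed.

```python
"""Backup integrity manifest and dependency-ordered restore plan for OT configurations.

Added example, not the article's procedure or any vendor tool. It assumes
controller and HMI configuration backups are files stored next to a SHA-256
manifest written when the backup was taken, and that each system lists the
systems that must be restored before it. File names, contents and the
dependency map below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (backups can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a hash of every artifact; store the manifest offline alongside the backups."""
    manifest = {p.name: sha256_of(p) for p in sorted(backup_dir.iterdir())
                if p.is_file() and p.name != "manifest.json"}
    out = backup_dir / "manifest.json"
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backups(backup_dir: Path) -> Dict[str, str]:
    """Return {artifact: 'ok' | 'modified' | 'missing'} compared with the manifest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    result = {}
    for name, expected in manifest.items():
        p = backup_dir / name
        if not p.exists():
            result[name] = "missing"
        elif sha256_of(p) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def restore_order(deps: Dict[str, List[str]]) -> List[str]:
    """Topological order: each system appears after every system it depends on."""
    order, done, visiting = [], set(), set()

    def visit(node: str) -> None:
        if node in done:
            return
        if node in visiting:
            raise ValueError(f"dependency cycle at {node}")
        visiting.add(node)
        for dep in deps.get(node, []):
            visit(dep)
        visiting.remove(node)
        done.add(node)
        order.append(node)

    for node in sorted(deps):
        visit(node)
    return order


# Constructed dependency map: switches before PLCs, DCS controllers before HMIs.
RESTORE_DEPS = {
    "SW-OT-CORE": [],
    "PLC-PS01": ["SW-OT-CORE"],
    "DCS-CTRL-01": ["SW-OT-CORE"],
    "HMI-01": ["DCS-CTRL-01", "SW-OT-CORE"],
    "HIST-01": ["SW-OT-CORE"],
}


def demo() -> Dict[str, str]:
    """Create constructed backup files, write the manifest, tamper one file, then verify."""
    tmp = Path(tempfile.mkdtemp(prefix="ot-backup-"))
    (tmp / "PLC-PS01.l5x").write_bytes(b"<constructed PLC project>")
    (tmp / "DCS-CTRL-01.cfg").write_bytes(b"constructed DCS controller config")
    write_manifest(tmp)
    # Simulate post-backup modification of one artifact.
    (tmp / "DCS-CTRL-01.cfg").write_bytes(b"constructed DCS controller config CHANGED")
    return verify_backups(tmp)


if __name__ == "__main__":
    print("integrity:", demo())
    print("restore order:", restore_order(RESTORE_DEPS))
```

Verification has to run against the offline manifest copy, not one stored on the same share as the backups; a manifest an intruder can rewrite proves nothing. The cycle check in restore_order catches a dependency map that was edited into an unrecoverable loop before anyone relies on it during an incident.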
Need Help Building Your Pipeline CSIRP?
CyberSilo's incident response team has directly supported pipeline operators in real-world ransomware and state-sponsored intrusion scenarios. We combine OT domain expertise with regulatory submission readiness to ensure your plan meets TSA and CISA expectations.
The Path Forward: What's Coming for Pipeline Cybersecurity
TSA has signaled that the current Security Directives will eventually be replaced by a permanent regulation under 49 CFR. In TSA's 2024 Advance Notice of Proposed Rulemaking (ANPRM), the agency requested public comment on requirements including:
- Mandatory adoption of NIST SP 800-82 Rev. 3 as a baseline standard.
- Independent third-party assessment at least every 3 years.
- Supply chain risk management requirements for OT equipment procurement.
- Expanded reporting categories beyond "incidents" to include near-misses and precursor events.
- Potential alignment with CIRCIA's two-tier reporting structure (24-hour initial notice, 72-hour detailed report).
Additionally, the Cybersecurity and Infrastructure Security Agency's 2025 Roadmap for Critical Infrastructure Resilience identifies pipeline OT systems as a priority area for cross-sector information sharing. Operators should prepare for more prescriptive requirements around supply chain assurance, including vulnerability disclosure programs for OT hardware and firmware.
The TSA cybersecurity compliance page on CyberSilo is updated quarterly to reflect regulatory changes and provides a consolidated resource for pipeline operators navigating this evolving landscape.
Our Conclusion & Recommendation
TSA-aligned OT security for pipelines is no longer a discretionary investment — it is a binding regulatory requirement with enforceable penalties. The Colonial Pipeline attack demonstrated that the consequences of insufficient OT security extend far beyond the balance sheet, affecting fuel supply chains, public safety, and national security. For CISOs and compliance officers in pipeline organizations, the path forward requires a systematic approach: inventory critical systems, enforce network segmentation and MFA, deploy continuous monitoring, and maintain a battle-tested incident response plan.
The organizations that invest in robust OT security now will be best positioned to meet incoming regulatory obligations under the forthcoming TSA permanent rule and CIRCIA requirements. CyberSilo's Threat Exposure Management solution provides continuous visibility, risk prioritization, and evidence collection across your entire OT attack surface — helping you demonstrate compliance and build cyber resilience. We recommend scheduling a compliance assessment to benchmark your current posture against TSA requirements and identify gaps before your next inspection.
Get a TSA Compliance Assessment
Our critical infrastructure security experts will map your current OT security controls to TSA directives, NIST CSF 2.0, and CISA CPGs — delivering a prioritized remediation roadmap within two weeks.
