Pipeline operators in the United States must comply with the Transportation Security Administration (TSA) Security Directives, which mandate specific cybersecurity measures to protect critical oil and natural gas infrastructure from cyber threats. These directives require pipeline owners and operators to implement robust cybersecurity frameworks, report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and adopt a proactive threat exposure management approach. For US energy companies, non-compliance is not an option—it carries significant operational and financial risks.
What are the top cyber threats facing US pipeline operators?
The Colonial Pipeline ransomware attack in 2021 was a watershed moment, demonstrating that a single cyber incident could disrupt fuel supply across the entire Eastern Seaboard. Since then, the US pipeline sector has remained a high-value target for state-sponsored threat actors and ransomware groups. The primary threats include ransomware, which can halt operations; supply chain compromises targeting third-party OT vendors; and insider threats, whether malicious or accidental.
For US energy and utilities organizations, the attack surface is uniquely challenging. Operational Technology (OT) and Industrial Control Systems (ICS) that manage pipeline valves, pressure controls, and SCADA systems are often legacy infrastructure not built with modern cybersecurity in mind. This convergence of IT and OT creates vulnerabilities that adversaries are actively exploiting. According to CISA, the energy sector faces a higher frequency of ICS-specific attacks than any other critical infrastructure vertical, and IBM's 2023 Cost of a Data Breach report puts the average breach cost in the energy sector at $4.72 million per incident.
Key Takeaway for CISOs: The TSA Directives specifically call for network segmentation between IT and OT environments, continuous monitoring for anomalous activity, and the development of incident response plans that account for physical process disruption. Failing to address these areas can result in directive violations and mandatory CISA reporting.
Which TSA Security Directives apply to US pipeline cybersecurity?
The TSA has issued a series of Security Directives (SD) starting with SD-01 in 2021, followed by SD-02 and SD-03, which have made the initial emergency measures permanent and added new requirements. As of 2025, the key directive is the TSA Pipeline Cybersecurity Requirements, which mandates the following for all pipeline owners and operators that transport hazardous liquids and natural gas:
- Establish a Cybersecurity Coordinator: A primary point of contact available 24/7 to coordinate with TSA and CISA.
- Report Cybersecurity Incidents: Any confirmed or suspected incident affecting pipeline operations must be reported to CISA within 12 hours.
- Conduct a Cybersecurity Vulnerability Assessment: A detailed assessment of critical cyber systems, including IT and OT networks, must be performed and validated every 12 months.
- Implement Network Segmentation: Critical OT systems must be isolated from corporate IT networks and the internet.
- Deploy Multi-Factor Authentication (MFA): MFA is required for all remote access to pipeline control systems.
- Develop and Test Incident Response Plans: Plans must be reviewed annually and exercised at least every six months.
These requirements align closely with the NERC CIP standards for the bulk electric system, but they are specific to pipelines. For operators already compliant with NERC CIP, the TSA directives add a layer of incident reporting and continuous monitoring that often requires a dedicated threat exposure management solution.
Which TSA controls are the hardest for energy companies to implement?
While each directive carries its own challenges, our work with energy and utilities clients reveals three areas where most pipeline operators struggle:
1. Continuous Monitoring of OT/ICS Environments
The TSA directive requires "continuous monitoring" of critical cyber systems, but traditional IT security tools like standard antivirus or EDR agents cannot be deployed on legacy PLCs or RTUs. Pipeline operators need passive network monitoring tools that can parse proprietary OT protocols (like Modbus, DNP3, or OPC) without disrupting operations. Energy and utilities cybersecurity specialists know that agentless monitoring and network traffic analysis are the only viable approaches here.
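As an added illustration of passive, agentless monitoring (example code written for this guide's topic, not CyberSilo's product code), the following parses Modbus/TCP requests copied from a tap or SPAN port and flags state-changing function codes sent by hosts that are not approved to write. The addresses, the approved-writer list and the sample frames are constructed assumptions.

```python
import struct

# State-changing Modbus function codes (Modbus Application Protocol spec).
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
AUTHORIZED_WRITERS = {"10.20.0.5"}   # assumption: the approved HMI/SCADA master


def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP ADU; return None if it is not well-formed."""
    if len(payload) < 8:                       # 7-byte MBAP header + function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": payload[7], "data": payload[8:]}


def review_frames(frames):
    """frames: (src_ip, dst_ip, dst_port, tcp_payload) tuples from a tap or SPAN port."""
    alerts = []
    for src, dst, dport, payload in frames:
        if dport != 502:                       # responses echo the function code; skip them
            continue
        adu = parse_modbus_tcp(payload)
        if adu is None:
            alerts.append((src, dst, "malformed Modbus/TCP request"))
        elif adu["func"] in WRITE_FUNCS and src not in AUTHORIZED_WRITERS:
            alerts.append((src, dst, f"{WRITE_FUNCS[adu['func']]} from unapproved host"))
    return alerts


# Constructed sample capture (not real traffic).
SAMPLE = [
    ("10.20.0.5", "10.20.1.10", 502, bytes.fromhex("000100000006010600010064")),   # approved write
    ("10.20.0.77", "10.20.1.10", 502, bytes.fromhex("00020000000601030000000a")),  # read only
    ("10.20.0.77", "10.20.1.10", 502, bytes.fromhex("0003000000090110000100010200ff")),
    ("10.20.0.5", "10.20.1.10", 502, bytes.fromhex("000400010006010600010064")),   # bad protocol id
    ("10.20.1.10", "10.20.0.5", 49152, bytes.fromhex("000100000006010600010064")), # device response
]

if __name__ == "__main__":
    for alert in review_frames(SAMPLE):
        print(alert)
```

Because it only reads copied traffic, this kind of check adds no load to the PLCs or RTUs themselves.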
2. True IT/OT Network Segmentation
Many pipeline operators still rely on "air gaps" that are not truly air-gapped. The TSA directive demands demonstrable segmentation, which often requires deploying firewalls with deep packet inspection at OT boundaries, implementing jump hosts for remote access, and strictly controlling data diodes. This is a multi-year engineering effort for many mid-size operators.
3. Managing Third-Party Remote Access
Pipeline operators routinely rely on third-party vendors for SCADA maintenance, valve calibration, and software updates. Each vendor connection is a potential attack vector. The TSA directive requires MFA and session logging for all remote access, which demands a vendor access management program that many operators lack.
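One way to produce evidence for the segmentation and vendor-access points above, as an added example that is not from CyberSilo or the TSA text: it audits flow records for traffic entering the OT zone without passing the jump host, and vendor sessions that lack MFA, a session log, or a covering maintenance window. The zone plan, jump host address, vendor names, record fields and windows are all constructed assumptions.

```python
from datetime import datetime as dt
from ipaddress import ip_address, ip_network

# Constructed zone plan; every address, vendor name and window is hypothetical.
OT_ZONE = ip_network("10.20.0.0/16")
JUMP_HOST = ip_address("10.10.5.10")      # only non-OT host allowed to reach OT
WINDOWS = {"vendor-a": (dt(2025, 3, 1, 8), dt(2025, 3, 1, 12))}


def audit_flows(flows):
    """Flag flows that enter the OT zone from outside it without using the jump host."""
    findings = []
    for src, dst, dport in flows:
        s, d = ip_address(src), ip_address(dst)
        if d in OT_ZONE and s not in OT_ZONE and s != JUMP_HOST:
            findings.append(f"{src} -> {dst}:{dport} bypasses jump host")
    return findings


def audit_sessions(sessions):
    """Flag vendor sessions with no MFA, no session log, or no covering window."""
    findings = []
    for s in sessions:
        win = WINDOWS.get(s["vendor"])
        if not s["mfa"]:
            findings.append(f"{s['id']}: no MFA")
        if not s["logged"]:
            findings.append(f"{s['id']}: session not logged")
        if win is None or s["start"] < win[0] or s["end"] > win[1]:
            findings.append(f"{s['id']}: outside approved maintenance window")
    return findings


# Constructed sample records (inbound direction only is checked for flows).
FLOWS = [("10.10.5.10", "10.20.1.10", 3389),   # via jump host: allowed
         ("10.10.7.23", "10.20.1.10", 502),    # corporate host straight to a PLC
         ("10.20.0.5", "10.20.1.10", 502)]     # OT-internal traffic
SESSIONS = [
    {"id": "s1", "vendor": "vendor-a", "mfa": True, "logged": True,
     "start": dt(2025, 3, 1, 9), "end": dt(2025, 3, 1, 10)},
    {"id": "s2", "vendor": "vendor-a", "mfa": False, "logged": True,
     "start": dt(2025, 3, 1, 11), "end": dt(2025, 3, 1, 13)},
    {"id": "s3", "vendor": "vendor-b", "mfa": True, "logged": False,
     "start": dt(2025, 3, 2, 9), "end": dt(2025, 3, 2, 10)},
]

if __name__ == "__main__":
    print(audit_flows(FLOWS) + audit_sessions(SESSIONS))
```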
How does CyberSilo help pipeline operators meet TSA directives?
CyberSilo delivers a purpose-built Threat Exposure Management solution designed specifically for the operational realities of the US energy sector. Instead of a one-size-fits-all IT security tool, our platform provides an integrated approach to address the hardest TSA controls:
- OT-Aware Continuous Monitoring: Our platform ingests logs and network flow data from industrial control systems without requiring agents on legacy devices. It uses machine learning to establish baselines for normal pipeline operations and alerts on anomalies that indicate a cyber threat.
- Automated Vulnerability Assessment: We automate the TSA-required 12-month vulnerability assessment by continuously mapping your OT asset inventory against known CVEs (Common Vulnerabilities and Exposures) and providing a prioritized remediation plan.
- Incident Response Workflow: Our built-in SOAR (Security Orchestration, Automation, and Response) capabilities help you meet the 12-hour CISA reporting window by automating evidence collection and notification workflows.
- Third-Party Access Governance: We provide a vendor risk management module that enforces MFA, logs all sessions, and automatically revokes access when maintenance windows expire.
Executive Insight: "The TSA directives are not just an IT compliance exercise—they are an operational safety mandate. CyberSilo's threat exposure management approach allows our clients to see their OT/ICS risks in real-time and prioritize fixes that keep the product flowing." — CyberSilo Energy Sector Lead
Pipeline Cybersecurity TSA Compliance Checklist for US Operators
Use this checklist to quickly assess your posture against the core TSA directive requirements. This is not exhaustive but covers the most frequently cited findings from TSA inspections.
What about Canadian pipeline operators?
While this guide focuses on the US TSA directives, Canadian pipeline operators regulated by the Canada Energy Regulator (CER) face parallel requirements under Bill C-26 / CCSPA and the CCCS ITSG-33 framework. Canadian operators must also report cyber incidents to the Canadian Centre for Cyber Security and implement baseline controls that mirror many TSA requirements. For cross-border pipelines (e.g., Enbridge Mainline), compliance with both US and Canadian frameworks is mandatory. CyberSilo's platform supports dual-framework mapping, allowing operators to map a single control to both TSA and CCCS requirements.
Our Conclusion & Recommendation
US pipeline operators are operating under a strict regulatory microscope. The TSA directives are not going away—they are becoming the baseline for critical infrastructure protection. The organizations that succeed are moving beyond a "tick-box" compliance approach and investing in continuous threat exposure management that addresses the unique OT/ICS attack surface. CyberSilo's platform is specifically architected to help energy companies meet these mandates without disrupting pipeline operations.
For CISOs and compliance officers: start with a vulnerability assessment gap analysis against the TSA directive matrix. The results will show you exactly where to prioritize your budget and your team's efforts.
