Skip to main content
> TSA Pipeline Security

TSA Pipeline Cybersecurity Directives

Mandatory cybersecurity requirements for pipeline operators

Established: May 2021 (Security Directive Pipeline-2021-01) Last Updated: 2026 (SD-2021-01G / -02F; surface cyber NPRM pending) Scope: Hazardous Liquid and Natural Gas Pipeline Operators
Mandatory
Compliance

What do TSA pipeline cybersecurity directives require today?

TSA's pipeline cybersecurity directives are mandatory for owners and operators of hazardous liquid and natural gas pipelines designated critical to national security. The active directives are SD Pipeline-2021-02F (effective May 3, 2025) and SD Pipeline-2021-01G (effective January 16, 2026). Both require network segmentation between IT and OT systems, 12-hour incident reporting to CISA, continuous monitoring, risk-based patching, MFA for remote access, annual penetration testing, and independent third-party assessments. TSA also published a proposed rule in the Federal Register on November 7, 2024 (Docket TSA-2022-0001) to convert these directives into permanent regulations; public comments closed February 5, 2025, and the final rule has not yet been issued. Sources: tsa.gov pipeline security page; Federal Register 2024-24704.

// What is TSA Pipeline Security?

Following the Colonial Pipeline ransomware attack in May 2021, TSA issued mandatory cybersecurity directives for pipeline operators designated as critical to national security. These directives replaced decades of voluntary guidelines with enforceable requirements.

The directives require pipeline operators to implement specific cybersecurity measures, report incidents to CISA, designate a cybersecurity coordinator, and develop remediation plans for identified gaps. Unlike voluntary frameworks, non-compliance can result in civil penalties up to approximately $15,000 per day.

TSA has continued updating these requirements through successive reissuances. SD Pipeline-2021-02F (effective May 3, 2025) and SD Pipeline-2021-01G (effective January 16, 2026) carry forward and refine the performance-based cybersecurity requirements for hazardous liquid and natural gas operators respectively. In parallel, TSA published a Notice of Proposed Rulemaking titled 'Enhancing Surface Cyber Risk Management' (Federal Register Nov 7, 2024, Docket TSA-2022-0001) to convert the directives into permanent regulations; comments closed February 5, 2025, and the final rule has not yet been issued. The directives apply to owners and operators of pipelines that have been notified by TSA that they are critical.

// Inside the Regulation

TSA's pipeline security directives establish specific cybersecurity requirements across multiple security domains. Operators must implement these controls and maintain evidence of compliance.

1

Incident Reporting

SD Pipeline-2021-01

Mandatory reporting requirements for cybersecurity incidents.

CISA Reporting

Report cybersecurity incidents to CISA within 12 hours of identification.

Incident Types

Report unauthorized access, denial of service, malware, and other significant incidents.

Primary Contact

Designate a 24/7 primary and alternate cybersecurity coordinator for incident reporting.

2

Cybersecurity Implementation Plan

SD Pipeline-2021-02D

Required security measures owners/operators must implement.

Network Segmentation

Implement network segmentation policies ensuring OT systems can operate if IT systems are compromised.

Access Control

Implement access control measures preventing unauthorized access to critical cyber systems.

Continuous Monitoring

Build continuous monitoring and detection capabilities for cybersecurity threats.

Patch Management

Apply security patches and updates using risk-based methodology, addressing critical vulnerabilities timely.

Password Policies

Implement password policies meeting complexity and change requirements; MFA for remote access.

3

Cybersecurity Assessment

SD Pipeline-2021-02D

Requirements for assessing and testing security controls.

Architecture Assessment

Assess current cybersecurity architecture to identify gaps and vulnerabilities.

Penetration Testing

Conduct penetration testing of IT and OT systems annually at minimum.

Third-Party Assessment

Conduct independent third-party assessment of cybersecurity implementation plan.

4

Incident Response

SD Pipeline-2021-02D

Requirements for responding to and recovering from incidents.

Response Plan

Develop and maintain a cybersecurity incident response plan specific to pipeline operations.

Annual Testing

Test incident response capabilities annually through tabletop or functional exercises.

Recovery Capabilities

Maintain capabilities to restore systems from known-good backups within established timeframes.

Note: TSA conducts inspections to verify compliance. Operators must maintain documentation evidencing implementation of required measures. TSA has authority to require additional measures based on threat intelligence or identified vulnerabilities.

// Who Must Comply

  • 1 Owners/operators of hazardous liquid pipelines designated critical
  • 2 Owners/operators of natural gas and gas transmission pipelines designated critical
  • 3 Pipeline facility operators notified by TSA of designation
  • 4 Operators of liquefied natural gas facilities with TSA notification

// Key Requirements

Incident Reporting

Report cybersecurity incidents to CISA within 12 hours with designated 24/7 coordinator

Network Segmentation

Implement segmentation ensuring OT can operate independently if IT is compromised

Access Control

Prevent unauthorized access with strong authentication and MFA for remote access

Continuous Monitoring

Build detection capabilities for cybersecurity threats and anomalies

Patch Management

Risk-based patching with timely remediation of critical vulnerabilities

Annual Assessment

Annual penetration testing and independent third-party security assessment

// Enforcement & Penalties

TSA has authority to impose civil penalties for non-compliance with security directives. Penalties can be significant and accumulate daily. Operators may also face enforcement actions affecting their ability to operate.

Maximum Penalty

~$15,000 per day per violation

Examples:

  • Daily accumulating penalties for failure to implement required controls
  • Additional penalties for failure to report incidents within required timeframes
  • Enforcement actions for repeated or willful non-compliance
  • Operational restrictions for critical security gaps

// Cyber Insurance Impact

Pipeline cyber insurance policies now routinely ask about TSA directive compliance. Insurers may require evidence of compliance as a condition of coverage for pipeline operations. Non-compliance could void coverage or result in claim denials following an incident.

// Industries That Need TSA Pipeline Security

These industries commonly require TSA Pipeline Security compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873