TSA Pipeline Cybersecurity Directives
Mandatory cybersecurity requirements for pipeline operators
What do TSA pipeline cybersecurity directives require today?
TSA's pipeline cybersecurity directives are mandatory for owners and operators of hazardous liquid and natural gas pipelines designated critical to national security. The active directives are SD Pipeline-2021-02F (effective May 3, 2025) and SD Pipeline-2021-01G (effective January 16, 2026). Both require network segmentation between IT and OT systems, 12-hour incident reporting to CISA, continuous monitoring, risk-based patching, MFA for remote access, annual penetration testing, and independent third-party assessments. TSA also published a proposed rule in the Federal Register on November 7, 2024 (Docket TSA-2022-0001) to convert these directives into permanent regulations; public comments closed February 5, 2025, and the final rule has not yet been issued. Sources: tsa.gov pipeline security page; Federal Register 2024-24704.
// What is TSA Pipeline Security?
Following the Colonial Pipeline ransomware attack in May 2021, TSA issued mandatory cybersecurity directives for pipeline operators designated as critical to national security. These directives replaced decades of voluntary guidelines with enforceable requirements.
The directives require pipeline operators to implement specific cybersecurity measures, report incidents to CISA, designate a cybersecurity coordinator, and develop remediation plans for identified gaps. Unlike voluntary frameworks, non-compliance can result in civil penalties up to approximately $15,000 per day.
TSA has continued updating these requirements through successive reissuances. SD Pipeline-2021-02F (effective May 3, 2025) and SD Pipeline-2021-01G (effective January 16, 2026) carry forward and refine the performance-based cybersecurity requirements for hazardous liquid and natural gas operators respectively. In parallel, TSA published a Notice of Proposed Rulemaking titled 'Enhancing Surface Cyber Risk Management' (Federal Register Nov 7, 2024, Docket TSA-2022-0001) to convert the directives into permanent regulations; comments closed February 5, 2025, and the final rule has not yet been issued. The directives apply to owners and operators of pipelines that have been notified by TSA that they are critical.
// Inside the Regulation
TSA's pipeline security directives establish specific cybersecurity requirements across multiple security domains. Operators must implement these controls and maintain evidence of compliance.
Incident Reporting
SD Pipeline-2021-01Mandatory reporting requirements for cybersecurity incidents.
CISA Reporting
Report cybersecurity incidents to CISA within 12 hours of identification.
Incident Types
Report unauthorized access, denial of service, malware, and other significant incidents.
Primary Contact
Designate a 24/7 primary and alternate cybersecurity coordinator for incident reporting.
Cybersecurity Implementation Plan
SD Pipeline-2021-02DRequired security measures owners/operators must implement.
Network Segmentation
Implement network segmentation policies ensuring OT systems can operate if IT systems are compromised.
Access Control
Implement access control measures preventing unauthorized access to critical cyber systems.
Continuous Monitoring
Build continuous monitoring and detection capabilities for cybersecurity threats.
Patch Management
Apply security patches and updates using risk-based methodology, addressing critical vulnerabilities timely.
Password Policies
Implement password policies meeting complexity and change requirements; MFA for remote access.
Cybersecurity Assessment
SD Pipeline-2021-02DRequirements for assessing and testing security controls.
Architecture Assessment
Assess current cybersecurity architecture to identify gaps and vulnerabilities.
Penetration Testing
Conduct penetration testing of IT and OT systems annually at minimum.
Third-Party Assessment
Conduct independent third-party assessment of cybersecurity implementation plan.
Incident Response
SD Pipeline-2021-02DRequirements for responding to and recovering from incidents.
Response Plan
Develop and maintain a cybersecurity incident response plan specific to pipeline operations.
Annual Testing
Test incident response capabilities annually through tabletop or functional exercises.
Recovery Capabilities
Maintain capabilities to restore systems from known-good backups within established timeframes.
Note: TSA conducts inspections to verify compliance. Operators must maintain documentation evidencing implementation of required measures. TSA has authority to require additional measures based on threat intelligence or identified vulnerabilities.
// Who Must Comply
- 1 Owners/operators of hazardous liquid pipelines designated critical
- 2 Owners/operators of natural gas and gas transmission pipelines designated critical
- 3 Pipeline facility operators notified by TSA of designation
- 4 Operators of liquefied natural gas facilities with TSA notification
// Key Requirements
Incident Reporting
Report cybersecurity incidents to CISA within 12 hours with designated 24/7 coordinator
Network Segmentation
Implement segmentation ensuring OT can operate independently if IT is compromised
Access Control
Prevent unauthorized access with strong authentication and MFA for remote access
Continuous Monitoring
Build detection capabilities for cybersecurity threats and anomalies
Patch Management
Risk-based patching with timely remediation of critical vulnerabilities
Annual Assessment
Annual penetration testing and independent third-party security assessment
// Enforcement & Penalties
TSA has authority to impose civil penalties for non-compliance with security directives. Penalties can be significant and accumulate daily. Operators may also face enforcement actions affecting their ability to operate.
~$15,000 per day per violation
Examples:
- Daily accumulating penalties for failure to implement required controls
- Additional penalties for failure to report incidents within required timeframes
- Enforcement actions for repeated or willful non-compliance
- Operational restrictions for critical security gaps
// Cyber Insurance Impact
Pipeline cyber insurance policies now routinely ask about TSA directive compliance. Insurers may require evidence of compliance as a condition of coverage for pipeline operations. Non-compliance could void coverage or result in claim denials following an incident.
// How Breach Craft Helps
We help organizations achieve TSA Pipeline Security compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of TSA Pipeline Security.
Gap Assessment
Measure your security against industry standards.
Penetration Testing
Find the gaps before attackers do.
Vulnerability Assessment
Thorough security scanning and risk prioritization.
Tabletop Exercises
Practice your incident response.
Virtual CISO
Executive security leadership on demand.
// Industries That Need TSA Pipeline Security
These industries commonly require TSA Pipeline Security compliance as part of their regulatory obligations.
Guide last reviewed: June 15, 2026
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873