TSA Pipeline Security Directives
TSA pipeline security directives impose mandatory cybersecurity requirements on critical U.S. pipeline operators after the Colonial Pipeline attack. They require incident reporting, IT/OT segmentation, access controls, and TSA-approved implementation plans.
What the TSA Pipeline Security Directives Are
The Transportation Security Administration (TSA) issued a series of pipeline cybersecurity directives following the May 2021 Colonial Pipeline ransomware attack, which disrupted fuel supply across the U.S. East Coast. TSA has authority over pipeline security under the Aviation and Transportation Security Act, and the directives convert previously voluntary guidance into mandatory requirements for designated critical pipelines carrying hazardous liquids and natural gas.
The directives have been revised and reissued, moving from prescriptive controls toward a performance-based model in which owners must achieve specific security outcomes and submit cybersecurity implementation plans for TSA approval.
Who It Applies To
The directives apply to owners and operators of TSA-designated critical pipeline and liquefied natural gas facilities. TSA notifies covered entities directly. Smaller or non-critical pipelines may receive different or voluntary expectations, but designated operators must comply with the binding directives.
Key Requirements
- Designate a cybersecurity coordinator available to TSA and CISA 24/7.
- Report cybersecurity incidents to CISA within prescribed timeframes.
- Develop and maintain a TSA-approved Cybersecurity Implementation Plan.
- Segment IT and operational technology (OT) networks so a compromise in one cannot cascade.
- Enforce access control measures, including securing and monitoring privileged accounts.
- Implement continuous monitoring and detection to identify and respond to threats.
- Reduce the risk of unpatched systems through risk-based patching and mitigations.
- Conduct an annual cybersecurity assessment and submit results to TSA.
Penalties for Non-Compliance
TSA can impose civil penalties for violations of security directives, and persistent non-compliance can trigger enforcement actions and heightened oversight. Because pipelines are critical infrastructure, failures also attract scrutiny from CISA, the Department of Energy, and Congress, with significant reputational and operational consequences.
How to Comply
Name an empowered cybersecurity coordinator and ensure round-the-clock reachability. Build a Cybersecurity Implementation Plan that maps measures to the required security outcomes, with particular attention to IT/OT segmentation, identity and access management, and incident detection. Establish clear incident reporting workflows to CISA. Run annual assessments, track remediation, and keep documentation current, since TSA reviews and approves plans and verifies implementation. Treat OT resilience and recovery as first-class objectives, not afterthoughts.