TSA Pipeline Security Directives (2021–2022)
The post-Colonial Pipeline security directives from TSA that imposed mandatory cybersecurity measures on US critical pipeline operators for the first time.
In the immediate aftermath of the May 2021 Colonial Pipeline ransomware attack, which disrupted fuel supply to the US East Coast for six days, the Transportation Security Administration (TSA) issued Security Directive Pipeline-2021-01 (May 28, 2021) requiring all TSA-designated critical pipeline owners and operators to report cybersecurity incidents to CISA within 12 hours, designate a cybersecurity coordinator available 24/7, and review their current practices against TSA and CISA cybersecurity guidelines. Security Directive Pipeline-2021-02 (July 2021) escalated the requirements: operators must implement specific cybersecurity measures for critical systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review. SD-02C (2022) and its subsequent revisions replaced prescriptive controls with an outcome-based framework aligned to NIST CSF, IEC 62443, and ISA-99.
The architecture review requirements in SD-02 and its revisions demand rigorous OT/IT segmentation documentation. Operators must implement network segmentation controls that prevent IT network communications from directly accessing or traversing OT networks; access control measures that prevent unauthorized access to critical cyber systems; continuous monitoring and detection policies for OT environments; and patch management measures that reduce known vulnerabilities. For pipeline OT environments, "continuous monitoring" means deploying passive network monitoring tools (Claroty, Dragos, Nozomi Networks) that perform deep packet inspection of industrial protocols (Modbus, DNP3, EtherNet/IP, OPC-UA) without disrupting real-time control operations. Any active scanning or vulnerability assessment must be performed in a test environment or coordinated OT maintenance window.
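To make the passive-monitoring and segmentation requirements concrete, here is an added example (not the page's code and not any vendor's product) of the kind of check a passive sensor on a SPAN or TAP port performs: it decodes Modbus/TCP frames without ever sending traffic, flags requests that cross from the IT range into the OT range, and flags state-changing function codes, exception responses, and malformed frames. The IT and OT address ranges and the captured frames are constructed placeholders for illustration.

```python
"""Passive Modbus/TCP inspection of mirrored traffic (added example).

Not the page's code and not any vendor's product. The address ranges and
the sample frames below are constructed placeholders for illustration.
"""
import ipaddress
import struct

# MBAP header: transaction id (2), protocol id (2), length (2), unit id (1)
MBAP = struct.Struct(">HHHB")
MBAP_PROTOCOL_MODBUS = 0

# Function codes that change controller state versus read-only requests
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}

# Assumed segmentation boundary (placeholder ranges, not from the page)
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode one Modbus/TCP ADU. Raises ValueError on malformed input so a
    bad frame neither crashes the monitor nor is silently accepted."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(payload, 0)
    if pid != MBAP_PROTOCOL_MODBUS:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # MBAP length covers unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size")
    fc = payload[MBAP.size]
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc & 0x7F,      # high bit marks an exception response
        "exception": bool(fc & 0x80),
        "data": payload[MBAP.size + 1:],
    }


def _in_any(nets, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def inspect_frame(src_ip: str, dst_ip: str, payload: bytes) -> dict:
    """Classify one observed frame; 'findings' is empty for benign traffic."""
    rec = {"src": src_ip, "dst": dst_ip, "findings": []}
    try:
        rec.update(parse_modbus_tcp(payload))
    except ValueError as err:
        rec["findings"].append(f"malformed frame: {err}")
        return rec
    fc = rec["function_code"]
    if _in_any(IT_NETS, src_ip) and _in_any(OT_NETS, dst_ip):
        rec["findings"].append("IT-to-OT Modbus request crosses segmentation boundary")
    if fc in WRITE_FUNCTIONS:
        rec["findings"].append(f"state-changing request: {WRITE_FUNCTIONS[fc]} (fc {fc})")
    elif fc not in READ_FUNCTIONS:
        rec["findings"].append(f"uncommon function code {fc}")
    if rec["exception"] and rec["data"]:
        rec["findings"].append(f"exception code {rec['data'][0]} returned for fc {fc}")
    return rec


def inspect_capture(frames) -> list:
    """Run every (src, dst, payload) tuple through the inspector and return
    only records that produced findings, i.e. what an analyst would triage."""
    return [r for r in (inspect_frame(*f) for f in frames) if r["findings"]]


# Constructed sample capture as seen from a SPAN port (placeholder addresses)
SAMPLE_FRAMES = [
    # OT HMI reads 10 holding registers from a PLC: routine polling, no finding
    ("10.20.1.10", "10.20.1.50", bytes.fromhex("00010000000601030000000a")),
    # IT workstation writes register 0x0010 on the PLC: boundary crossing + write
    ("10.10.5.22", "10.20.1.50", bytes.fromhex("0002000000060106001000ff")),
    # PLC answers a read with exception code 2 (illegal data address)
    ("10.20.1.50", "10.20.1.10", bytes.fromhex("000400000003018302")),
    # Truncated frame: must be reported, not crash the sensor
    ("10.20.1.10", "10.20.1.50", bytes.fromhex("00030000")),
]

if __name__ == "__main__":
    for rec in inspect_capture(SAMPLE_FRAMES):
        print(f"{rec['src']} -> {rec['dst']}: " + "; ".join(rec["findings"]))
```

Because the inspector only reads mirrored bytes, it never alters timing on the control network, which is the property the directive's "continuous monitoring" outcome depends on; the IT-to-OT finding is also direct evidence for the segmentation documentation SD-02 asks operators to keep.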
The performance-based (outcome-based) approach of revised SD-02C is significant: TSA moved away from prescriptive control checklists toward requiring operators to demonstrate that they achieve specific security outcomes, with flexibility in implementation method. This aligns with CISA's Cross-Sector Cybersecurity Performance Goals (CPGs, October 2022) and the NIST CSF 2.0 framework. However, TSA retains authority to inspect compliance, and operators must maintain documentation sufficient to demonstrate that required outcomes are achieved. The 12-hour CISA incident reporting requirement under SD-01 is stricter than most other sector-specific reporting requirements and pre-dates CIRCIA's 72-hour reporting window, creating a dual-reporting obligation for pipeline operators also subject to CIRCIA.
We help pipeline operators design and document OT/IT segmentation architectures that satisfy TSA SD-02 outcome requirements, implement passive OT network monitoring without disrupting industrial process availability, and build 12-hour CISA incident notification workflows with automated evidence collection. We map client architectures to both TSA directives and NIST CSF 2.0 outcomes to create a unified compliance posture across regulatory obligations.