Pipeline Cybersecurity Directive Update — July 27, 2022
TSA Security Directive Pipeline-2021-02C shifts pipeline cybersecurity oversight to performance-based, risk-tested plans that document segmentation, monitoring, access governance, and recovery controls approved by TSA designees.
Executive briefing: On 27 July 2022 the Transportation Security Administration (TSA) issued Security Directive Pipeline-2021-02C, replacing prescriptive checklists with performance-based cybersecurity requirements for owners and operators of hazardous liquid and natural gas pipelines.[1][2] The directive requires operators to submit updated Cybersecurity Implementation Plans (CIPs) within 60 days, maintain TSA-approved assessment programmes, and demonstrate continuous protection of operational technology (OT) environments.
Performance objectives
- Network segmentation. Operators must separate OT from IT environments, restrict connections to operationally necessary pathways, and document segmentation designs for TSA review.[1]
- Access control. The directive mandates multifactor authentication for remote access, least-privilege access management, and monitoring of third-party connections.[1]
- Continuous monitoring. Operators must deploy network monitoring and detection capabilities, including logging of anomalous activity across OT assets, timely vulnerability management, and configuration baselines.[1]
- Incident response. CIPs must include incident response playbooks, 24-hour reporting to CISA for confirmed incidents, and annual exercises to validate coordination with TSA and federal partners.[1][2]
- Cybersecurity architecture design reviews. Operators must conduct annual self-assessments or third-party reviews to validate control effectiveness and incorporate lessons learned into remediation plans.[1]
Implementation plan updates
Within 60 days of the directive, operators must submit revised CIPs detailing how they meet each performance objective.[1] Plans should include network diagrams, asset inventories, control mappings, timelines, and metrics for measuring effectiveness. TSA will review and approve CIPs, with operators responsible for maintaining documentation and demonstrating progress during inspections.
Assessment programmes
The directive requires operators to establish Cybersecurity Assessment Programmes that describe how they will test controls annually, document findings, and report remediation status to TSA.[1] Assessment methods may include penetration testing, red teaming, tabletop exercises, and control self-assessments. Operators must maintain evidence of completed assessments and corrective actions.
Operational considerations
- Asset management. Maintain up-to-date inventories of OT assets, software versions, and network connections to support segmentation and monitoring requirements.
- Patch and configuration management. Develop procedures for assessing vulnerabilities, prioritising patches, and mitigating risks where patching is not feasible for safety reasons.[1]
- Vendor coordination. Align service-level agreements with TSA requirements, ensuring vendors support multifactor authentication, timely incident reporting, and security hardening of remote maintenance tools.
- Integration with PHMSA and state rules. Coordinate compliance efforts with pipeline safety regulations to avoid conflicting operational controls.
Controls and metrics
- Key risk indicators. Track the number of unsegmented connections, delayed patch cycles, and incidents reported to TSA/CISA.
- Key performance indicators. Measure network monitoring coverage, mean time to detect anomalous activity, and completion rate of annual exercises.
- Testing metrics. Document findings from penetration tests, vulnerability scans, and tabletop exercises; monitor remediation status and repeat testing.
- Evidence readiness. Automate log retention, change management records, and incident tickets to streamline TSA inspections.
Incident response and reporting
Operators must maintain incident response plans that cover detection, containment, eradication, and recovery, including coordination with CISA’s Pipeline Cybersecurity Initiative.[2] Plans should define triggers for notifying TSA/CISA within 24 hours, establish communication channels with sector-specific agencies, and include processes for sharing indicators of compromise with the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC).
Training and exercises
The directive requires annual exercises involving OT engineers, IT security teams, and executive leadership.[1] Operators should conduct both discussion-based tabletop exercises and operations-based drills to test remote access scenarios, ransomware response, and manual operations procedures. Training programmes must cover segmentation enforcement, monitoring tools, and reporting protocols.
Programme risks and mitigations
- Legacy OT constraints. Mitigation: deploy compensating controls such as network segmentation gateways, unidirectional gateways, and endpoint monitoring sensors tailored to OT systems.
- Resource limitations. Mitigation: prioritise high-impact assets, leverage managed detection services, and coordinate with sector partners for threat intelligence.
- Vendor dependencies. Mitigation: include cybersecurity requirements in contracts, require attestation of security controls, and audit vendor remote access.
- Documentation burden. Mitigation: centralise CIP documentation, use configuration management databases, and automate updates when network changes occur.
Forward look
TSA and CISA will continue to collaborate on pipeline cybersecurity, with TSA conducting inspections to verify implementation and CISA providing technical support.[1][2] Future directives may expand to other surface transportation modes or refine performance metrics. Operators should maintain ongoing dialogue with regulators, participate in sector resilience programmes, and align investments with TSA’s performance objectives.
Sources
- [1] TSA press release announcing updates to pipeline cybersecurity requirements.
- [2] CISA and TSA joint statement on strengthened pipeline cybersecurity requirements.
Documentation and evidence
- Runbooks. Maintain up-to-date playbooks for segmentation changes, patching, and incident response. TSA inspectors may request evidence of change approvals, testing results, and rollback plans.
- Metrics packages. Prepare monthly metrics summarising asset coverage, monitoring alerts, vulnerability remediation timelines, and exercise outcomes; share summaries with executive leadership.
- Third-party attestations. Collect security attestations from managed service providers and technology vendors supporting pipeline operations to demonstrate compliance with TSA objectives.
Coordination with government partners
Operators should establish clear points of contact with TSA, CISA, the Department of Energy, and state emergency management agencies.[2] Pre-arranged communication channels accelerate incident reporting and allow operators to access federal technical assistance when responding to cyber events.
Future-proofing the programme
Security Directive 2021-02C is part of TSA’s broader effort to modernise pipeline cybersecurity oversight. Operators should monitor additional guidance, including TSA’s forthcoming rulemaking and sector risk management plans, and align investments with zero-trust architectures, OT visibility, and supply-chain assurance.
Timeline management
Operators must track directive deadlines—initial CIP submission within 60 days, annual assessment cycles, and any remediation milestones agreed with TSA.[1] Programme managers should maintain Gantt charts or project plans to coordinate engineering tasks, procurement of monitoring tools, and training schedules.
Alignment with broader frameworks
Map TSA requirements to NIST Cybersecurity Framework categories, DOE’s Cybersecurity Capability Maturity Model, and industry standards (API 1164) to streamline compliance and avoid duplicate efforts.
Operators should also scrutinise supply-chain risks by inventorying OT software bills of materials, validating vendor patch processes, and monitoring third-party remote access for compromise indicators that could bypass segmentation controls.
Control validation and regulatory liaison
Once TSA approves the Cybersecurity Implementation Plan (CIP) and Cybersecurity Assessment Plan (CAP), operators should schedule semiannual performance tests that trace TSA's required control objectives end to end. Exercises should show, for example, how a role-based access review triggers revocation of dormant OT accounts within seven days, how network segmentation prevents lateral movement between enterprise IT and SCADA zones, and how the incident response plan meets the directive's 24-hour reporting obligation. Document the drill outputs—including packet captures, historian logs, and privileged access tickets—in a CIP evidence binder that sits alongside the annual Section 7 self-certification letter signed by the corporate officer accountable to TSA.
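The three drill outcomes named above (segmentation between enterprise IT and SCADA zones, revocation of dormant OT accounts within seven days, and the 24-hour reporting obligation) map directly onto the key risk indicators listed under "Controls and metrics", and each can be checked mechanically from exported evidence rather than by reading it by hand. The script below is an added example written for this page; it is not an operator's tooling and not anything TSA publishes. The zone ranges, allowlist, firewall export, account review rows and incident timestamps are constructed sample data, and the 90-day dormancy threshold is an assumption the directive text here does not state.

```python
"""Constructed evidence checks for three CIP drill outcomes (added example).

All input data is constructed sample data; the IT/OT ranges, the approved
crossings and the 90-day dormancy threshold are assumptions for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed zone boundaries for enterprise IT and the SCADA/OT network.
IT_ZONE = ip_network("10.10.0.0/16")
OT_ZONE = ip_network("10.200.0.0/16")

# Constructed allowlist of documented IT<->OT pathways: (src, dst, tcp_port).
APPROVED_CROSSINGS = {
    ("10.10.5.10/32", "10.200.1.0/24", 3389),  # assumed jump host to engineering workstations
    ("10.200.3.5/32", "10.10.8.20/32", 1433),  # assumed historian replication into IT
}

# Constructed firewall export: (src, dst, tcp_port, action).
FIREWALL_RULES = [
    ("10.10.5.10/32", "10.200.1.0/24", 3389, "permit"),  # documented crossing
    ("10.200.3.5/32", "10.10.8.20/32", 1433, "permit"),  # documented crossing
    ("10.10.0.0/16", "0.0.0.0/0", 443, "permit"),        # 'any' destination includes OT
    ("10.10.7.0/24", "10.200.4.0/24", 502, "deny"),      # denied, so not a live crossing
    ("10.10.9.9/32", "10.200.2.2/32", 22, "permit"),     # undocumented SSH into OT
    ("10.10.1.0/24", "10.10.2.0/24", 445, "permit"),     # IT-internal, not a crossing
]


def unsegmented_connections(rules, it_zone=IT_ZONE, ot_zone=OT_ZONE,
                            approved=APPROVED_CROSSINGS):
    """Return permit rules that cross between IT and OT outside the allowlist.

    overlaps() is used instead of equality so a broad 'any' rule (0.0.0.0/0)
    that merely contains the OT range is still counted as a crossing.
    """
    findings = []
    for src, dst, port, action in rules:
        if action != "permit":
            continue
        s, d = ip_network(src), ip_network(dst)
        crosses = ((s.overlaps(it_zone) and d.overlaps(ot_zone))
                   or (s.overlaps(ot_zone) and d.overlaps(it_zone)))
        if crosses and (src, dst, port) not in approved:
            findings.append((src, dst, port))
    return findings


DORMANCY_DAYS = 90                      # assumed threshold; the text states only the 7-day window
REVOCATION_WINDOW = timedelta(days=7)   # revocation deadline named in the drill description

# Constructed access-review output: (account, last_login, review_date, revoked_at or None).
ACCOUNT_REVIEW = [
    ("ot-eng-01", datetime(2022, 8, 1), datetime(2022, 9, 1), None),                     # active
    ("vendor-svc", datetime(2022, 4, 1), datetime(2022, 9, 1), datetime(2022, 9, 5)),    # revoked in time
    ("old-hmi", datetime(2022, 3, 15), datetime(2022, 9, 1), datetime(2022, 9, 12)),     # revoked late
    ("contractor2", datetime(2022, 1, 1), datetime(2022, 9, 1), None),                   # still enabled
]


def dormant_revocation_gaps(review, dormancy_days=DORMANCY_DAYS, window=REVOCATION_WINDOW):
    """Return dormant accounts that were not revoked within `window` of the review."""
    gaps = []
    for account, last_login, reviewed, revoked_at in review:
        if reviewed - last_login <= timedelta(days=dormancy_days):
            continue  # not dormant at review time
        if revoked_at is None or revoked_at - reviewed > window:
            gaps.append(account)
    return gaps


REPORTING_DEADLINE = timedelta(hours=24)  # the 24-hour obligation as stated on this page

# Constructed incident log: (incident_id, confirmed_at, reported_at or None).
INCIDENTS = [
    ("INC-0001", datetime(2022, 9, 10, 8, 0), datetime(2022, 9, 10, 20, 30)),  # 12.5 h, in time
    ("INC-0002", datetime(2022, 9, 12, 22, 0), datetime(2022, 9, 14, 1, 0)),   # 27 h, late
    ("INC-0003", datetime(2022, 9, 15, 6, 0), None),                           # never reported
]


def late_reports(incidents, deadline=REPORTING_DEADLINE, now=datetime(2022, 9, 20)):
    """Return incidents reported after `deadline`, or still unreported past it as of `now`."""
    late = []
    for inc_id, confirmed, reported in incidents:
        elapsed = (reported if reported is not None else now) - confirmed
        if elapsed > deadline:
            late.append(inc_id)
    return late


if __name__ == "__main__":
    # Summary in the shape a CIP evidence binder entry would record.
    print("Unsegmented IT<->OT crossings:", unsegmented_connections(FIREWALL_RULES))
    print("Dormant accounts outside 7-day revocation window:", dormant_revocation_gaps(ACCOUNT_REVIEW))
    print("Incidents missing the 24-hour deadline:", late_reports(INCIDENTS))
```

Run against a real firewall export, access-review export and incident ticket dump, the three functions give the counts the KRI list asks for (unsegmented connections, overdue revocations, late reports) and a per-item list to attach as drill evidence. The deny rule and the IT-internal rule are deliberately included so the check shows it only counts live crossings, and the `0.0.0.0/0` rule shows why an overlap test, not exact matching, is needed.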
Operators must also maintain a stakeholder map that covers TSA Surface Division personnel, the Transportation Security Operations Center (TSOC), the Cybersecurity and Infrastructure Security Agency (CISA), and sector risk management agencies. Quarterly calls should confirm points of contact, rehearse how to escalate a cybersecurity incident, and review implementation backlog items or exceptions granted under the directive. When suppliers deliver managed detection, remote support, or physical security services, require contract clauses that align with TSA's 36-hour notification requirement and mandate participation in joint testing events.
TSA expects measurable progress on vulnerability remediation, backup testing, and tabletop exercises. Use digital Gantt charts or compliance automation tools to show TSA inspectors the live status of every directive action item. Retain evidence of adverse findings from red teams or third-party assessors, the management response, and the schedule for retesting closed gaps. This disciplined operating rhythm demonstrates that the operator is not only compliant on paper but also resilient in the field, a key shift from the prescriptive approach of earlier TSA directives.