Pipeline Cybersecurity Directive Update — July 27, 2022
TSA’s revised pipeline cybersecurity directive requires operators to implement network segmentation, continuous monitoring, and annual assessment plans approved by the agency.
Executive briefing: On the Transportation Security Administration issued Security Directive Pipeline-2021-02C, replacing prescriptive control checklists with performance-based requirements. Owners and operators of hazardous liquid and natural gas pipelines must submit updated cybersecurity implementation plans within 60 days and maintain TSA-approved assessment programmes.
Key control expectations
- Network segmentation. Operators must separate operational technology environments from business IT networks and document access paths that remain.
- Continuous monitoring. The directive requires continuous monitoring for anomalies, timely patch management, and deployment of detection capabilities across OT assets.
- Incident response. Operators must maintain cyber incident response plans, conduct annual exercises, and notify CISA within 24 hours of confirmed incidents.
Implementation guidance
- Update the cybersecurity implementation plan with segmentation diagrams, monitoring tool coverage, and metrics that demonstrate ongoing effectiveness.
- Align vendor and managed service contracts with TSA requirements, including multi-factor authentication, remote access controls, and timely vulnerability remediation.
- Stage tabletop exercises with operations, IT, and executive teams to validate reporting chains and coordination with the Oil and Natural Gas ISAC.
Enablement moves
- Establish configuration baselines and asset inventories for control systems to prove compliance during TSA inspections.
- Automate evidence collection—log retention, change control, incident tickets—so annual self-assessments can be completed quickly.
- Coordinate with state regulators to harmonise TSA requirements with PHMSA safety rules and any state-level cyber mandates.
TSA has kept the directive in force, with the Transportation Security Oversight Board ratifying Pipeline-2021-02C in June 2023 and April 2024 to sustain inspection authority and require updated implementation plans.
Sources
- TSA — Updates Pipeline Cybersecurity Requirements
- CISA — Joint statement on strengthened pipeline cybersecurity
- Federal Register — Ratification of Security Directives (Pipeline-2021-02C)
- Federal Register — Continued ratification of Pipeline-2021-02C requirements
Zeph Tech helps pipeline operators implement TSA-aligned monitoring, response, and evidence programmes ready for agency validation.