The Colonial Pipeline Catalyst

The Transportation Security Administration's (TSA) cybersecurity Security Directives exist because the May 2021 Colonial Pipeline ransomware attack made the absence of mandatory OT security requirements untenable. Colonial Pipeline, which supplies approximately 45% of the fuel consumed on the U.S. East Coast, shut down 5,500 miles of pipeline for six days after a ransomware infection of its IT network. The operational technology was not known to be compromised; Colonial's operators could not determine the extent of the intrusion or trust the IT systems the business depended on, and chose to halt operations as a precaution. The resulting fuel shortages, panic buying, and declared states of emergency in four states demonstrated that OT security failures, including failures of the IT/OT boundary, produce physical-world consequences at a national scale.

Prior to Colonial Pipeline, TSA had issued only voluntary cybersecurity guidelines for pipeline operators. Within weeks of the incident, TSA issued the first emergency Security Directive mandating specific cybersecurity controls. Subsequent directives have been revised and expanded, and TSA has extended mandatory cybersecurity requirements to the surface transportation and aviation sectors. The TSA Security Directive program is the federal government's most direct example of converting voluntary guidance into mandatory regulation in response to a specific incident.

The Directives: Pipeline, Aviation, and Surface Transportation

Pipeline Security Directives (SD-01 and SD-02D)

TSA issued its first pipeline Security Directive (SD Pipeline-2021-01) in May 2021 as an emergency measure, requiring pipeline operators to report cybersecurity incidents to CISA within 12 hours and to designate a cybersecurity coordinator reachable 24/7. The substantive technical requirements came with SD Pipeline-2021-02, issued in July 2021 and revised several times since (02B, 02C, 02D); SD-02D is the operative version for critical pipeline owners and operators.

SD-02D mandates: network segmentation so that OT systems can continue to operate safely if the IT network is compromised; access control measures, including multi-factor authentication (or documented compensating controls where MFA is not feasible) for access to critical cyber systems; continuous monitoring and detection of anomalous activity on OT and IT networks; patch management for critical cyber systems, with documented mitigations where a patch cannot be applied; and a Cybersecurity Assessment Program with an annual assessment plan and periodic architecture design reviews. Covered entities must submit a Cybersecurity Implementation Plan (CIP) to TSA for approval and demonstrate ongoing compliance through that assessment program. The framework is performance-based: operators choose how to achieve the mandated outcomes, a design choice intended to accommodate the diversity of pipeline OT environments.

Aviation Security Directives

TSA first issued cybersecurity requirements for airport and aircraft operators in December 2021. These mirrored the initial pipeline directive: designation of a Cybersecurity Coordinator, incident reporting to CISA within 24 hours, a cybersecurity vulnerability assessment, and a Cybersecurity Incident Response Plan. Performance-based requirements comparable to SD-02 (segmentation, access control, continuous monitoring, patch management) were added by emergency amendment in March 2023. The aviation requirements cover airport operators (with a focus on operational technology in baggage handling, access control, and building management systems) and aircraft operators (the critical cyber systems supporting their operations). Implementation obligations under TSA's aviation cybersecurity program escalated through 2025.

Surface Transportation Security Directives

TSA extended mandatory cybersecurity requirements to passenger and freight rail operators in December 2021, covering Amtrak, Class I freight railroads, and higher-risk passenger rail and rail transit systems; performance-based requirements followed in October 2022. The surface transportation SDs require the same foundational controls as the pipeline directives: cybersecurity coordinator designation, incident reporting, network segmentation, access control, and continuous monitoring. Full implementation for surface transportation operators was mandated through 2027, with TSA requiring approved Cybersecurity Implementation Plans from higher-risk operators.

Zero Trust Architecture Requirements

The TSA Security Directives do not use the term "Zero Trust" explicitly, but their technical requirements are structurally aligned with Zero Trust architecture. Network segmentation between OT and IT networks, the foundational OT Zero Trust control, is a direct SD requirement across all transportation sectors. Multi-factor authentication (or compensating controls) for access to critical OT systems is required under the pipeline directives. Continuous monitoring of OT network traffic is required and maps to the Visibility and Analytics capability that cuts across every pillar of CISA's Zero Trust Maturity Model. Access control measures, together with the incident reporting and response plan requirements, cover the remaining core Zero Trust controls.

CISA, which receives the incident reports from TSA-regulated operators, publishes the Zero Trust Maturity Model and OT security guidance that operators can use as the technical backbone of their programs. Organizations subject to TSA directives that build their security programs around CISA's Zero Trust Maturity Model and IEC 62443 are well positioned to satisfy the performance-based SD requirements through their Implementation Plan submissions.

The Cybersecurity Implementation Plan Process

Covered pipeline operators are required to submit a Cybersecurity Implementation Plan to TSA for review and approval. The CIP must describe how the operator will achieve the outcomes required by the directive: not a prescribed technical architecture, but demonstrated controls mapped to the SD's performance requirements. TSA reviews CIPs in consultation with CISA and may request revisions before approval. Ongoing compliance is demonstrated through the operator's Cybersecurity Assessment Program, which may be carried out by an independent third-party assessor or by the operator's own qualified staff.

The CIP submission process is consequential: organizations that submit inadequate plans or fail to maintain controls demonstrated in their approved CIP face enforcement action. TSA has civil penalty authority and can refer persistent non-compliance to the Department of Justice. The first pipeline SD enforcement actions were initiated in 2023, establishing that TSA treats the directives as binding requirements rather than aspirational guidance.

Reporting Obligations

TSA Security Directives require covered operators to report cybersecurity incidents to CISA within 12 hours of identification for pipeline operators (24 hours for aviation and surface transportation). Reportable incidents include: unauthorized access to OT systems; discovery of malware on OT or IT systems; ransomware or extortion attempts regardless of impact to OT; and any incident that could affect the safe and efficient operation of the covered asset. The last two categories matter in practice: an incident confined to the IT network, as at Colonial Pipeline, is still reportable. The short window requires pre-built incident response procedures with CISA notification as an explicit, time-boxed step; improvising the report during an active incident, with the clock already running, is operationally unrealistic.
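The pre-built procedure described above can be partly codified: given when an incident was identified and which sector the operator is in, compute the hard deadline in UTC and the internal milestones that lead up to it, and decide whether the incident falls into a reportable category. The following is an added example, not text from any Security Directive or code from any operator. The reporting windows (12 hours pipeline, 24 hours aviation and surface transportation) and the reportable categories are taken as summarised on this page; the milestone schedule and the sample incident are constructed for illustration. Verify the windows, categories and any required report content against the directive text that applies to you.

```python
"""Reporting-window triage for an incident runbook at a TSA-regulated operator.

Added example, not part of any Security Directive or operator runbook.
Assumptions: the 12 h (pipeline) and 24 h (aviation, surface) windows and the
reportable-incident categories are as summarised on this page; the internal
milestone schedule below is an illustrative assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hours from identification to the CISA reporting deadline, per sector (as on this page).
REPORTING_WINDOW_HOURS = {"pipeline": 12, "aviation": 24, "surface": 24}

# Assumed internal milestones, as a fraction of the reporting window (not from the SDs).
MILESTONES = (
    (0.0, "notify Cybersecurity Coordinator, open incident ticket"),
    (0.5, "draft CISA report: what, when, which assets, OT impact, containment so far"),
    (0.75, "management sign-off on report"),
    (1.0, "submit report to CISA (hard deadline)"),
)


@dataclass(frozen=True)
class Incident:
    sector: str                 # "pipeline", "aviation" or "surface"
    identified_at: datetime     # timezone-aware time of identification
    unauthorized_ot_access: bool = False
    malware_found: bool = False            # on IT or OT systems
    ransomware_or_extortion: bool = False  # reportable even with no OT impact
    affects_safe_operation: bool = False   # could affect safe/efficient operation


def reportable_reasons(inc: Incident) -> list[str]:
    """Return the page's reportable-incident categories that this incident matches."""
    reasons = []
    if inc.unauthorized_ot_access:
        reasons.append("unauthorized access to OT systems")
    if inc.malware_found:
        reasons.append("malware discovered on OT or IT systems")
    if inc.ransomware_or_extortion:
        reasons.append("ransomware or extortion attempt (reportable regardless of OT impact)")
    if inc.affects_safe_operation:
        reasons.append("could affect safe and efficient operation of the covered asset")
    return reasons


def reporting_deadline(inc: Incident) -> datetime:
    """Deadline in UTC. Refuses naive timestamps: a missing UTC offset can silently
    shift a 12-hour deadline by several hours."""
    if inc.identified_at.tzinfo is None or inc.identified_at.utcoffset() is None:
        raise ValueError("identified_at must be timezone-aware")
    if inc.sector not in REPORTING_WINDOW_HOURS:
        raise ValueError(f"unknown sector {inc.sector!r}")
    window = timedelta(hours=REPORTING_WINDOW_HOURS[inc.sector])
    return (inc.identified_at + window).astimezone(timezone.utc)


def milestone_schedule(inc: Incident) -> list[tuple[datetime, str]]:
    """Absolute UTC times at which each internal milestone falls due."""
    start = inc.identified_at.astimezone(timezone.utc)
    window = timedelta(hours=REPORTING_WINDOW_HOURS[inc.sector])
    return [(start + window * frac, step) for frac, step in MILESTONES]


def triage(inc: Incident, now: datetime) -> dict:
    """Runbook summary: is it reportable, when is it due, which steps are already due."""
    reasons = reportable_reasons(inc)
    deadline = reporting_deadline(inc)
    now_utc = now.astimezone(timezone.utc)
    remaining = deadline - now_utc
    due_steps = [step for when, step in milestone_schedule(inc) if when <= now_utc]
    return {
        "reportable": bool(reasons),
        "reasons": reasons,
        "deadline_utc": deadline.isoformat(),
        "hours_remaining": round(remaining.total_seconds() / 3600, 2),
        "overdue": remaining < timedelta(0),
        "steps_due_now": due_steps,
    }


def demo() -> dict:
    """Constructed sample: a ransom note found on an IT file server at 14:30 local
    time (UTC-4) with no evidence of OT impact, triaged 6.5 hours later. It is still
    reportable under the page's categories, and the draft-report milestone is already due."""
    local = timezone(timedelta(hours=-4))
    sample = Incident(
        sector="pipeline",
        identified_at=datetime(2025, 6, 3, 14, 30, tzinfo=local),
        ransomware_or_extortion=True,
    )
    now = datetime(2025, 6, 3, 21, 0, tzinfo=local)
    return triage(sample, now)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks worth keeping from this are the refusal of naive timestamps (an identification time logged without an offset is the easiest way to miscalculate a 12-hour deadline) and the explicit ransomware flag that makes an IT-only incident reportable, which is exactly the Colonial Pipeline pattern.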