The Transportation Security Administration has issued multiple security directives for pipeline operators over the past few years, with emphasis on cybersecurity, physical security, and incident reporting. These directives are not suggestions—they're compliance obligations for operators of critical pipeline infrastructure. Yet many regional and smaller operators struggle to understand what they mean in practice and how to demonstrate compliance to TSA auditors.
TSA directives tend to be high-level: establish cybersecurity programs, implement access controls, conduct vulnerability assessments, report incidents. The details of how you implement these, what evidence you gather, and how you prove you're doing them are left to you. This flexibility is both a blessing and a curse. You can tailor solutions to your operation, but you must be rigorous about documentation. TSA auditors will ask for evidence. If you can't show it, you're non-compliant.
Current Directive Focus Areas
Recent TSA pipeline security directives emphasize cybersecurity assessments, supply chain risk, and incident reporting. You are expected to conduct a cybersecurity assessment of your control systems and report results to TSA. You are expected to assess the security practices of your vendors and contractors—consultants, integrators, software providers, anyone with access to your systems. You are expected to report cybersecurity incidents to TSA within defined timeframes. These requirements are absolute. You cannot opt out of them; you can only choose how thoroughly you implement them.
Physical security requirements include access controls to critical facilities, surveillance monitoring, and personnel security. These are more straightforward than cyber requirements, but they interact with cybersecurity in important ways. A critical control room without camera coverage is a vulnerability. A data center with biometric access but default passwords on the industrial firewall is a vulnerability. TSA expects you to think holistically about security, not to check boxes independently.
Building a TSA-Ready Program
- Conduct a proper cybersecurity assessment: This isn't a penetration test; it's a methodical review of your control systems, your network architecture, and your security practices against a known framework (NIST Cybersecurity Framework is often used). Document findings and remediation plans.
- Establish vendor security requirements: Create a matrix of your vendors and contractors. For each, document what systems they can access, what security practices you require, and how you verify compliance. Update this annually.
- Build incident response and reporting procedures: Define what constitutes a cybersecurity incident in your operation. Establish a process for internal reporting, analysis, and escalation. Document your obligation to report to TSA and your timeline for doing so. Test this process with a tabletop exercise at least once a year.
- Document everything: TSA auditors will want to see your assessment report, your vendor contracts and their security clauses, your incident response procedures, and evidence that you're following them. Keep organized files with dates, approvals, and updates.
Working with TSA
Build a relationship with your TSA regional office before you need it. Many operators find that proactive communication about their security programs prevents misunderstandings during formal audits. If you discover a gap or a vulnerability, reporting it to TSA and explaining your remediation plan is far better than waiting for an audit to find it.
TSA compliance for pipeline operators is an ongoing requirement, not a one-time project. We help pipeline operators understand their obligations, build assessment programs, and prepare for TSA engagement. Contact us to discuss TSA readiness for your operation.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.