TRANSPORTATION

TSA Directives Are Now Permanent Rules

TSA SD-02F (pipeline), SD 1580/82 (rail), and the March 2023 Emergency Amendment (aviation) share four requirements: network segmentation, remote access controls, continuous monitoring, and patch management. The TSA November 2024 NPRM proposes to codify all four as permanent regulation. Build the architecture that satisfies the directives today and survives the rulemaking tomorrow.
20 minutes per site. Deployment requires no changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path.

BAKER HUGHES

ALTAGAS

GE VERONA

ALUAR

MITSUBISHI

TSA SD-02F

TSA SD 1580/82

TSA EMERGENCY AMENDMENT

SOC 2 TYPE II

KUPPINGERCOLE LEADER 2025

  • 20 min: Deployment per Site
  • 4: TSA Pillars Covered
  • 3: Transportation Modes
  • $13,910/day: Aviation Civil Penalty

The Access Control Failure That Triggered Every TSA Directive

Colonial Pipeline lost operational control through a compromised VPN credential. One set of reused credentials. No multifactor authentication. No session isolation. The result: 5,500 miles of pipeline shut down, 17 states affected, and a national fuel shortage.

TSA responded with SD-02F for pipeline operators, SD 1580/82 for freight and passenger rail, and the March 2023 Emergency Amendment for airports and airlines. Every directive targets the same root cause: unsegmented, unmonitored, unrestricted remote access.

This was not a sophisticated cyberattack. It was an access control failure. The architecture every TSA directive is correcting is the one Colonial had in place.

How One Architecture Covers Three Directives

SD-02F, SD 1580/82, and the Emergency Amendment share the same four technical pillars. One CSG deployment covers all three.

One Architecture, Three Directives

Pipeline compressor stations, rail dispatch centers, and airport OT systems all require network segmentation, access controls with MFA, continuous monitoring, and patch management. One CSG deployment covers all three directives.

Result

Multi-mode operators satisfy every applicable TSA directive from a single architecture.

Protocol Isolation for Transportation OT

The CSG terminates Modbus, DNP3, and every SCADA-specific protocol at the gateway boundary. Zero protocol data crosses to the user side. Vendors see a browser interface.

Result

No lateral movement across thousands of miles of pipeline, rail wayside equipment, and airport ground systems.

Session Recording and Incident Reporting

TSA requires a 24-hour incident report. CSG gateways capture session recordings and real-time monitoring data. Xona Centralizer aggregates access logs and indexes recordings across every connected site to reconstruct what happened.

Result

24-hour incident documentation ready from day one, not assembled in a crisis.

Remote and Distributed Infrastructure

Pipeline compressor stations sit in remote locations with bandwidth measured in kilobits. Rail wayside equipment spans thousands of miles. The CSG operates locally at each site without a cloud dependency.

Result

No VPN exposure. No cloud dependency. No concessions on air-gap requirements.

20 minutes to deploy per site

Step 1: Install the CSG at the site. Register it with Centralizer. No changes to OT network topology or control system configurations.
Step 2: Grant vendors time-limited, asset-scoped access through MFA.
Step 3: SD-02F, SD 1580/82, and Emergency Amendment compliance from deployment.

Baker Hughes and AltaGas are confirmed deployments operating under TSA SD-02F pipeline security requirements. Baker Hughes standardized on Xona for third-party vendor access to remote pipeline OT infrastructure. AltaGas uses the platform to govern secure access across pipeline compressor stations and measurement facilities. These are not pilots.

Named "Leader in OT/ICS Secure Remote Access" by KuppingerCole Leadership Compass 2025. The SANS Institute 2025 OT cybersecurity survey ranked remote access vulnerabilities among the top attack vectors across critical infrastructure.

Who This Solves For

Pipeline/Rail Operations Manager

  • Reduce vendor access provisioning from days to minutes without opening persistent VPN tunnels into pipeline SCADA or rail dispatch systems
  • Deploy the same 20-minute architecture at compressor stations, rail dispatch centers, and maintenance facilities
  • Eliminate change control paperwork for firewall modifications every time a vendor needs maintenance access

OT/SCADA Engineer

  • Protocol isolation verified by Wireshark capture: zero Modbus, DNP3, or SCADA protocol packets on the vendor side
  • Session-level access replaces network-level VPN tunnels across geographically distributed infrastructure spanning thousands of miles
  • Air-gapped and bandwidth-constrained sites operate locally with no cloud dependency in the access path

CISO / Security Lead

  • TSA SD-02F, SD 1580/82, and Emergency Amendment audit coverage from a single architecture
  • SOC 2 Type II certified, KuppingerCole Leader in OT/ICS Secure Remote Access 2025
  • Every vendor session recorded, timestamped, user-attributed, and ready for 24-hour TSA incident reporting

Regulatory Compliance Officer

  • NPRM permanence readiness: the architecture satisfies the proposed permanent regulation without rework
  • 24-hour incident documentation from Centralizer session logs and user attribution in minutes, not days
  • SD-02F, SD 1580/82, SD-01G, and Emergency Amendment all covered by one platform

How Xona Compares

| Capability | Xona | Traditional VPN | Cloud ZTNA | Jump Server |
|---|---|---|---|---|
| Deployment Time | 20 minutes per zone | Days to weeks | Hours to days | Days to weeks |
| Network Changes | No OT topology changes. Firewall policies may need minor updates. | Firewall rules, VLANs | Cloud connector config | Network segmentation |
| Protocol Isolation | Full. OT protocols terminate at boundary. | None. Tunnel carries all traffic. | Partial. Cloud relay. | None. Direct session. |
| Session Recording | Every session. Timestamped. User-attributed. | IP-level logs only. | Varies. Often cloud-stored. | Screen recording add-on. |
| TSA SD-02F Coverage | All 4 pillars. Architecture-level. | Pillar 2 partial. No isolation. | Cloud dependency conflicts. | Manual audit assembly. |
| TSA SD 1580/82 Coverage | Same architecture as SD-02F. | Same gaps as SD-02F. | Same gaps as SD-02F. | Same gaps as SD-02F. |
| Air-Gap Support | On-premises. No cloud required. | Requires network path. | Requires cloud connectivity. | Requires network path. |
| Vendor Access Control | MFA, time-limited, asset-scoped. | Network-level access. | Identity-based, cloud-dependent. | Shared credentials common. |

TSA Compliance Mapping

Every TSA Transportation Security Directive builds on four pillars: network segmentation, access controls with MFA, continuous monitoring, and patch management. The CSG implements the access control and segmentation pillars directly. Centralizer provides the monitoring and documentation layer.

| Directive | Sector | Remote Access Requirement | Xona Architecture |
|---|---|---|---|
| TSA SD-02F | Pipeline operators | Pillar 2: MFA, least privilege, session logging, time-limited access | CSG = session isolation + MFA + Centralizer audit |
| TSA SD-01G | Pipeline (enhanced) | Same four pillars, enhanced CIP documentation | Same architecture, additional attestation documentation |
| TSA SD 1580/82-2022-01D | Freight railroad, passenger rail, transit | Four pillars; OT includes SCADA, DCS, ICS, PLCs, PACS | Same CSG deployment at rail dispatch, wayside OT |
| TSA Emergency Amendment (March 2023) | Airports (Part 139), airlines (Parts 121, 125, 129) | Four pillars; baggage, perimeter, access control, airfield OT | Same architecture; aviation OT deployment |

TSA SD-02F: Pipeline Operators

SD-02F is the current cybersecurity requirement for designated critical pipeline operators. Effective May 2025 through May 2026, with SD-01G (January 2026) adding enhanced documentation requirements in parallel. SD-02F requires vendor access to pipeline SCADA, compressor stations, and measurement and control systems to be explicitly authorized, time-limited, and logged. Each vendor access request requires explicit administrator approval before the session begins. Centralizer enforces the time window and asset scope. Access terminates automatically when the session window closes. No persistent vendor connection remains. A VPN that puts vendor laptops on your control system network does not meet the access control requirements of SD-02F. Supported protocols include Telnet, VNC, HTTP/HTTPS, Modbus, DNP3, and pipeline-specific SCADA protocols. No protocol upgrades or endpoint agents required.
 
No VPN exposure. No lateral movement. No access that outlasts the maintenance window.

TSA SD 1580/82: Rail Operators

Security Directive 1580/82-2022-01D covers freight railroads (1580 series) and passenger rail and transit operators (1582 series). OT systems are explicitly in scope: SCADA, distributed control systems, ICS, PLCs, and physical access control systems at rail facilities. Rail OT networks span geographically distributed infrastructure, with dispatch centers, wayside equipment, and maintenance facilities all connected to centralized control. The same CSG deployment that covers a pipeline compressor station covers a rail dispatch center. Same 20-minute deployment. Same session recording. Same access controls.

TSA Emergency Amendment: Aviation

On March 7, 2023, TSA issued an Emergency Amendment requiring cybersecurity measures from TSA-regulated airports (14 CFR Part 139) and aircraft operators (Parts 121, 125, 129, and CRAF). This is not a numbered Security Directive. The same four pillars apply to airport OT: baggage handling automation, perimeter control systems, access control systems for secure areas, and airfield ground lighting controls. Civil penalty for aviation: $13,910 per day per violation.

The TSA NPRM: November 2024

In November 2024, TSA published a Notice of Proposed Rulemaking to codify the Security Directives for pipeline, rail, and bus operators into permanent federal regulation. Operators who implement the architecture the directives require today are building for the permanent rule, not the annual renewal.

International Context: Saudi OTCC-1:2022 Control 3.3 applies to petrochemical and pipeline-adjacent operations with equivalent remote access requirements.


Technical Specifications

Protocols: Modbus, DNP3, Telnet, VNC, HTTP/HTTPS, SCADA-specific protocols
Architecture: CSG (Xona Secure Gateway) + Centralizer for multi-site governance
Deployment: On-premises, hybrid, air-gapped. No cloud dependency required.
Endpoints: Agentless. No software on OT endpoints.
Certifications: SOC 2 Type II, KuppingerCole Leader 2025
Communication: Outbound-only communication. No inbound ports opened. Role-based access control.

Frequently Asked Questions

We operate both pipeline and rail. Do we need separate solutions for each TSA directive?

No. SD-02F and SD 1580/82 share the same four technical requirements. Pipeline compressor stations and rail dispatch centers share the same CSG deployment model. One architecture. One vendor management process. One audit trail.

What does "Critical Cyber Systems" mean under TSA SD-02F?

SCADA, supervisory control systems, field measurement and control equipment, and emergency shutdown systems. Remote access to all of these must meet Pillar 2 requirements: MFA where technically feasible, least-privilege access, session logging, and time-limited access windows.

How does TSA SD-01G differ from SD-02F?

SD-01G (January 2026) adds enhanced documentation expectations for the Cybersecurity Implementation Plan and additional incident reporting requirements. The technical architecture requirements are the same four pillars. Building for SD-02F today also satisfies SD-01G.

Does the aviation Emergency Amendment apply to our airline's maintenance operations?

Yes. The March 2023 Emergency Amendment covers aircraft operators under Parts 121, 125, and 129. Airline maintenance operations involving remote access to aircraft ground support systems and hangar automation are in scope.

How does Centralizer support TSA incident reporting requirements?

Centralized governance across every connected site. Administrators see every session, enforce policy, and replay access recordings from one console. When TSA requires a 24-hour incident report, Centralizer provides the session logs, access timestamps, and user attribution needed to reconstruct what happened. The audit trail is automatic, not assembled after the fact.

What is the difference between the TSA Security Directives and the NPRM?

Security Directives are annual renewals issued under existing TSA authority. The November 2024 NPRM proposes to convert the directive requirements into permanent codified federal regulation through formal rulemaking. The technical requirements are the same. The legal durability is different. Building for the directive today builds for the permanent rule.

How does PHMSA 49 CFR Part 195 interact with TSA SD-02F for pipeline operators?

PHMSA 49 CFR Part 195 governs pipeline integrity management, including management of change (MOC) documentation for modifications to pipeline control systems. TSA SD-02F governs the cybersecurity architecture for remote access to those same systems. Operators subject to both must document vendor access in MOC records. Centralizer session logs and access attestations provide the audit trail for both TSA and PHMSA documentation requirements.

We are a multi-mode operator (pipeline and rail under the same parent). Can we standardize?

Yes. SD-02F (pipeline) and SD 1580/82 (rail) share the same four pillars and the same technical requirements. Centralizer provides centralized governance across both modes. One deployment model, one access policy framework, one audit trail. Multi-mode operators avoid maintaining parallel compliance architectures.

Stop Renewing Directive Compliance. Start Building the Architecture That Survives Rulemaking.

20-minute deployment per site

3 TSA modes covered

NPRM-ready architecture

The NPRM will make the Security Directives permanent. Operators who built for the directive requirements are already built for the rule. No OT topology changes. No parallel compliance projects.