Regulatory Toolkit

TSA Security Directives
Tabletop Exercise Toolkit

TSA's cybersecurity security directives for Pipeline (SD-02C), Aviation (SD-01D), and Surface Transportation operators mandate 24-hour CISA incident reporting, cybersecurity coordinator designation, contingency planning, and annual architecture reviews. Skyhigh maps every exercise to these requirements — across all three transportation sectors.

⚠️ TSA Security Directives are SSI (Sensitive Security Information) protected documents. This toolkit references publicly-disclosed requirements from TSA press releases and Congressional testimony. Consult your legal counsel and TSA for official compliance guidance.
3 Sectors: Pipeline · Aviation · Surface Transport
24 Hours: CISA Incident Reporting Window
2021–2023: TSA SD Series Issued
US Critical Transport: Sector Coverage

TSA Security Directives — Pipeline, Aviation & Surface Transport

TSA issued a series of cybersecurity security directives beginning in 2021 in response to the Colonial Pipeline ransomware incident. These directives establish mandatory cybersecurity requirements for US critical transportation infrastructure operators.

Pipeline Security Directives (SD-02C)
TSA Pipeline-2021-02C targets owners/operators of TSA-identified critical pipeline systems and LNG facilities. Key requirements include: designating a primary and alternate cybersecurity coordinator, reporting cybersecurity incidents to CISA within 24 hours, developing and implementing a cybersecurity incident response plan, conducting a cybersecurity architecture design review, and remediating specific vulnerabilities identified by TSA/CISA.
Aviation Security Directives (SD-01D)
TSA Aviation-2021-01D applies to airport operators and aircraft operators regulated under 49 CFR Parts 1542 and 1544. Requirements include cybersecurity coordinator designation, 24-hour CISA incident reporting, developing cybersecurity contingency plans for critical OT systems, and annual access control / architecture reviews. Like pipeline directives, aviation SD requirements are regularly updated and enhanced.
Surface Transportation (Rail/Transit)
TSA Surface-2021-01 covers higher-risk freight railroad, passenger railroad, and rail transit operators. Requirements align with the pipeline/aviation directives: incident reporting, coordinator designation, response plan, and architecture review. Tabletop exercises are the primary vehicle for testing whether your response plan actually works — before a real incident tests it for you.

Requirements Mapping

How Skyhigh tabletop exercises map to each requirement.

| Directive Requirement | What's Required | Skyhigh Coverage | Evidence Generated |
|---|---|---|---|
| Cybersecurity Coordinator | Designate primary + alternate 24/7 contact | Supporting | Exercises validate coordinator availability and escalation procedures |
| 24-Hour CISA Reporting | Report cybersecurity incidents to CISA within 24 hours | Core | Tabletops include notification timeline drills; 24h reporting process tested |
| Incident Response Plan | Develop and implement cybersecurity response plan | Core | Exercise validates IR plan effectiveness; AAR documents gaps and improvements |
| Architecture Design Review | Annual review of cybersecurity architecture | Direct | Exercises surface architecture gaps (segmentation, remote access, access control) |
| Network Segmentation | OT/IT network separation and access control | Direct | IT/OT lateral movement scenarios test segmentation effectiveness |
| Patch Management (OT) | Timely patching of critical vulnerabilities | Supporting | Patch delay scenarios surface vulnerability management gaps |
| Access Control Measures | Multi-factor authentication, privileged access | Direct | Remote access abuse and insider threat scenarios test access controls |
| Contingency/DR Planning | Maintain ops during/after cyber incident | Core | BCP/DR exercises test manual operations fallback and recovery procedures |

How Skyhigh Supports TSA Security Directive Compliance

Purpose-built features to satisfy TSA cybersecurity testing requirements and generate inspection-ready evidence packages.

Annual Exercise Requirement Evidence
TSA directives require documented cybersecurity training and testing activities. Skyhigh generates a dated exercise record — including scenario, participants, findings, and remediation commitments — that demonstrates your cybersecurity testing program is active and improving. Export PDF evidence packages for TSA/CISA inspection readiness.
Dated Record · PDF Export · TSA-Ready · Inspection Evidence
24-Hour CISA Notification Drills
TSA's 24-hour CISA reporting requirement demands that staff know exactly what to do the moment an incident is detected. Skyhigh exercises embed CISA notification decision points into every scenario — teams practice the detection → classification → CISA reporting → coordinator escalation chain under realistic pressure.
24h Reporting · CISA Notification · Coordinator Drill · Decision Points
OT/IT Segmentation Gap Analysis
TSA directives specifically require network architecture reviews and OT/IT separation. Skyhigh's ICS-specific scenario library (SCADA compromise, pipeline SCADA attack, control room isolation) surfaces segmentation gaps, remote access vulnerabilities, and access control weaknesses — giving you a prioritized remediation list before your TSA architecture review.
OT/IT Gaps · SCADA Scenarios · Architecture Review · Segmentation Analysis

TSA Directives — Scenario Library

Exercises designed to generate compliance evidence in a single session.

PIPELINE · RANSOMWARE
Natural Gas Pipeline SCADA Ransomware Attack
Ransomware encrypts IT systems and begins lateral movement toward pipeline SCADA/HMI systems. Teams practice OT isolation, 24-hour CISA notification, operator fallback to manual control, and coordinating with TSA/CISA incident response.
SD-02C · 24h CISA · OT Isolation
AVIATION · SCADA
Airport SCADA System Compromise
Adversary compromises airport physical access control systems and begins pivoting toward airfield lighting and runway management systems. Tests aviation coordinator notification, CISA reporting, airport operations contingency, and TSA SD-01D incident criteria.
SD-01D · CISA Report · Contingency Plan
PIPELINE · PHYSICAL
Fuel Storage Terminal Cyber-Physical Attack
Coordinated cyber-physical attack targeting fuel terminal OT systems — manipulating tank gauging and emergency shutdown systems. Tests detection capabilities, safety system integrity verification, and emergency response coordination with CISA and local authorities.
SD-02C · Cyber-Physical · ESD Response
PIPELINE · IT/OT
Control Room IT/OT Lateral Movement
Attacker gains initial access via phishing of a pipeline corporate user and begins lateral movement toward the control room network. Tests network segmentation effectiveness, OT monitoring alerts, IR plan activation, and 24-hour CISA reporting obligation.
SD-02C · Segmentation · IR Plan
RAIL · DISRUPTION
Freight Rail OT System Operational Disruption
Coordinated attack on positive train control (PTC) systems forces emergency service suspension across a freight rail corridor. Tests TSA Surface SD notification, CISA reporting, FRA coordination, and railroad contingency plan activation.
Surface SD · PTC · Contingency
PIPELINE · INSIDER
Control Room Insider Threat — Rogue Operator
A disgruntled control room operator begins making unauthorized changes to SCADA set-points. Tests insider threat detection capabilities, access revocation procedures, safety system integrity verification, and post-incident coordinator reporting obligations.
SD-02C · Insider Threat · Access Control

Evidence Artifacts Generated

Every exercise produces documented artifacts for regulatory submissions.

TSA Exercise Record
Dated exercise completion log with participants, scope, and findings — TSA/CISA inspection-ready documentation
24h CISA Notification Drill Log
Decision point documentation from notification timeline exercise — demonstrates coordinator readiness
Architecture Gap Report
OT/IT segmentation gap findings from exercise — input for annual TSA architecture design review
IR Plan Validation Evidence
Gaps and improvements identified in IR plan — demonstrates active plan maintenance and testing

Explore the Full Regulatory Toolkit Library

Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Start Building Your TSA Security Directive Exercise Program

TSA directives require a documented, tested cybersecurity response plan. Launch your first exercise today — free to start.
