TSA's cybersecurity Security Directives — the pipeline SD Pipeline-2021-02 series, the freight & passenger rail directives (1580/1582), and aviation — require designated owner/operators to implement a Cybersecurity Implementation Plan, a Cybersecurity Assessment Plan, and a Cybersecurity Incident Response Plan (CIRP) that must be exercised, plus reporting of cybersecurity incidents to CISA. CyberICS delivers the CIRP exercises, AI-generated After Action Reports, and audit-ready evidence — turning a recurring TSA obligation into demonstrable readiness across pipeline, rail, and aviation surface transportation.
TSA's cybersecurity Security Directives bind the owner/operators of higher-risk surface transportation systems — and the requirements run consistently across modes: identify critical cyber systems, plan and assess, and stand up and exercise a Cybersecurity Incident Response Plan.
Owner/operators of TSA-designated critical pipeline systems and facilities must implement the cybersecurity Security Directive program — a Cybersecurity Implementation Plan, a Cybersecurity Assessment Plan, and a Cybersecurity Incident Response Plan that is exercised — and report cybersecurity incidents to CISA.
Higher-risk freight railroads, public transportation and passenger rail agencies, and TSA-regulated airport and aircraft operators carry parallel cybersecurity Security Directive duties — identify critical cyber systems, segment networks, and exercise an incident response plan in their working language.
The cybersecurity Security Directives require designated owner/operators to exercise their Cybersecurity Incident Response Plan and to conduct periodic assessments — not just write a plan once. A standing CyberICS exercise program turns the annual CIRP exercise into a repeatable, evidence-generating cycle across pipeline, freight rail, passenger rail, and aviation — in your team's working language.
The cybersecurity Security Directives name specific planning, assessment, response, and reporting duties. Tabletop exercises directly satisfy the incident-response-plan exercise and reporting requirements, and generate evidence for several more.
| Reference | Requirement | Requirement Summary | CyberICS Capability | Coverage |
|---|---|---|---|---|
| CIRP | Cybersecurity Incident Response Plan | Develop and maintain a Cybersecurity Incident Response Plan addressing detection, response, and recovery for critical cyber systems | Live Session mode executes the CIRP end-to-end; the AI AAR documents detection, containment, eradication, and recovery against the plan's procedures | Core |
| CIRP · Exercise | Annual CIRP exercise requirement | The Cybersecurity Incident Response Plan must be exercised periodically (at least annually) to validate it works in practice | A standing exercise program is the CIRP-exercise system-of-record — recurring, timestamped sessions with participation logs and AARs retained as evidence | Core |
| CAP | Cybersecurity Assessment Plan | Develop and submit a Cybersecurity Assessment Plan and conduct ongoing assessments of cybersecurity measures' effectiveness | Exercise AARs and Gap Analysis feed the assessment with prioritized, dated findings; exercise history evidences ongoing assessment activity | Supporting |
| Report to CISA | Reporting cybersecurity incidents to CISA | Report cybersecurity incidents to CISA within the directive's timeline (24 hours), with required content and a designated point of contact | The CISA incident-reporting drill rehearses the who / what / 24-hour timeline of the report under realistic pressure | Core |
| Critical Systems | Critical-cyber-system identification | Identify and document the Critical Cyber Systems (OT and IT) whose compromise could disrupt safe and continuous operation | Scenario context drives owner/operators to name the critical OT/IT systems in play; AARs surface gaps in the identification | Partial |
| Segmentation | Network segmentation (IT/OT) | Implement network segmentation policies and controls to isolate OT systems if the IT network is compromised, and vice versa | IT→OT pivot scenarios exercise segmentation response and containment decisions; AARs flag segmentation weaknesses surfaced in play | Partial |
| Access Control | Access control policies | Implement access control measures to secure and prevent unauthorized access to Critical Cyber Systems | Credential-abuse and privilege-escalation scenarios exercise access-control response; AARs flag access-management gaps | Supporting |
| Detection | Continuous monitoring & detection | Implement continuous monitoring and detection policies to detect cybersecurity threats and anomalies affecting operations | Scenarios begin from realistic detection signals and exercise the triage and escalation path; AARs document monitoring/detection gaps | Partial |
| Recovery | Recovery & resilience | Ensure the CIRP provides for timely recovery and continuity of operations following a cybersecurity incident | Exercises run through containment to recovery and continuity decisions; AARs capture recovery-time and resilience gaps | Supporting |
Three core capabilities work together to deliver, document, and evidence the Cybersecurity Incident Response Plan exercise, assessment, and CISA reporting requirements.
Live Session mode runs real-time, multi-participant incident-response exercises. Every step, response, and host action is timestamped — producing the auditable CIRP-exercise record the cybersecurity Security Directives require owner/operators to retain.
Immediately after each exercise, CyberICS generates a structured AAR documenting the response, gaps, and SD requirement references — the artifact a Cybersecurity Coordinator files as proof the CIRP was exercised and what it found.
The Compliance Dashboard assembles an SD evidence package — CIRP exercise records, CISA reporting drills, assessment input, and a remediation timeline — so a Cybersecurity Coordinator can demonstrate the exercised plan with the file already built.
Six high-fidelity transportation scenarios — pipeline, freight rail, passenger rail, and aviation OT incidents — ready to run as a CIRP exercise with AI facilitator briefing included.
Ransomware reaches the enterprise network and forces a precautionary shutdown of pipeline SCADA. Exercises CIRP detection, the IT/OT containment decision, and the 24-hour report to CISA under time pressure.
An intruder gains access to OT at a remote compressor station and manipulates control logic, threatening safe operation. Tests CIRP response across the IT/OT boundary and critical-system identification.
A higher-risk freight railroad detects manipulation of dispatch and signaling OT, risking train movement safety. Exercises the CIRP, network segmentation response, and the CISA report.
A public transportation agency loses confidence in its traction-power and SCADA control systems mid-service. Exercises CIRP-driven service-continuity decisions and incident reporting to CISA.
An airport operator's baggage handling and building OT systems are disrupted by a cyber intrusion, threatening operations. Exercises the CIRP, critical-system identification, and CISA reporting.
A compromise of the corporate IT network attempts to pivot into transportation OT. Exercises the segmentation controls, the IT/OT isolation decision, and the CIRP escalation the Security Directives require.
Plus 300+ additional ICS/OT and enterprise scenarios spanning the transportation modes TSA regulates. Browse the full library →
Every CyberICS exercise generates four categories of evidence supporting the CIRP exercise, CISA reporting, and assessment requirements of the cybersecurity Security Directives.
Per-participant participation and completion roster for each annual Cybersecurity Incident Response Plan exercise — the retained record the SDs require.
Timestamped log of a CISA reporting drill — who decided what, and how fast — demonstrating readiness to report within the 24-hour timeline.
Gap and remediation findings from each exercise that feed the Cybersecurity Assessment Plan with dated, prioritized corrective actions.
Structured AAR mapping response actions and gaps to SD requirements — the artifact proving the CIRP was exercised and what it surfaced.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial — no credit card required. Or speak with our transportation security team about a standing CIRP exercise program for your pipeline, rail, or aviation operation.
Also explore: NIST SP 800-82 Toolkit · CISA CPG Toolkit · IEC 62443 Toolkit