For safeguarding critical infrastructure, stronger governance alone isn’t a magic bullet

In November 2024, the Transportation Security Administration published a notice of proposed rulemaking about potentially mandating cyber risk management and reporting requirements for surface transportation owners and operators. The proposed rule calls for certain pipeline, passenger and freight rail operators and rail system companies with high-risk profiles to develop comprehensive cyber risk management programs. Pipeline, rail and certain bus transportation or transit systems would be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, and the sectors would report any physical security risk concerns to TSA.

The proposed mandates follow years of work to strengthen cybersecurity oversight of industrial control system (ICS) and operational technology (OT) environments, work that accelerated after the 2020 SolarWinds SUNBURST attacks and the 2021 Colonial Pipeline breach. However, today’s threats extend far beyond traditional ransomware. Modern attack frameworks like Pipedream demonstrate adversaries’ growing capability to not just encrypt data, but…
