In November 2024, the Transportation Security Administration published a notice of proposed rulemaking about potentially mandating cyber risk management and reporting requirements for surface transportation owners and operators. The proposed rule calls for certain pipeline, passenger and freight rail operators and rail system companies with high-risk profiles to develop comprehensive cyber risk management programs. Pipeline, rail and certain bus transportation or transit systems would be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, and the sectors would report any physical security risk concerns to TSA.
The proposed mandates follow years of work to strengthen cybersecurity oversight on industrial control system (ICS) and operational technology (OT) environments, which were accelerated after the 2020 SolarWinds SUNBURST attacks and the 2021 Colonial Pipeline breach. However, today’s threats extend far beyond traditional ransomware. Modern attack frameworks like Pipedream demonstrate adversaries’ growing capability to not just encrypt data, but potentially destroy physical infrastructure. These threats are increasingly scalable and capable of targeting multiple regions and system types simultaneously, raising the stakes for ICS/OT security.
While the TSA’s new requirements would establish a crucial governance framework, stricter compliance alone isn’t enough to secure U.S. critical infrastructure from accelerating threats. Alongside meeting regulatory requirements, it is crucial for organizations to align their cyber defense strategies with the unique intricacies of industrial security environments, starting with the five critical controls for effective ICS/OT security.
Five critical controls to ICS/OT security
The five critical controls that every industrial control system environment should implement serve as both tactical defense measures and strategic enablers of compliance. But their implementation requires careful consideration of operational realities and safety implications.
The foundation begins with ICS-specific incident response protocols that acknowledge the unique challenges of operational technology environments. Traditional IT incident response plans, focused primarily on data protection and system restoration, fall dangerously short in ICS environments where safety and operational continuity are paramount. When an incident occurs, engineering teams must lead the response with security teams in support — not the other way around. This requires regular testing through realistic tabletop exercises that reflect actual operational scenarios and sector-specific threats.
A defensible network architecture forms the second critical pillar, going far beyond simple network segmentation. Organizations need to design their ICS networks to support effective visibility of control system traffic, robust log collection and thorough asset identification. The architecture must include industrial DMZs and strict enforcement mechanisms for process communication integrity and reliability. This isn’t just about keeping threats out; it’s about enabling rapid detection and response when incidents occur while maintaining operational stability.
Network visibility and monitoring capabilities represent the third essential control, but this requires specialized tools that understand industrial protocols and can interpret system-to-system interactions without disrupting sensitive operations. According to SANS research, mature organizations consistently rank ICS network visibility as their most crucial security capability. This monitoring must be continuous and protocol-aware, allowing engineering and security teams to quickly identify potential risks to control, viewing and operational safety systems.
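To make "protocol-aware" concrete, here is an added example (not code from the article, SANS, or any vendor tool) of the kind of check a passive ICS monitor performs: it decodes the MBAP header and function code of Modbus/TCP requests and compares write operations against an engineering-supplied baseline of which hosts may write to which units and register windows. The host addresses, unit IDs, register window and the byte frames are all constructed for this example; the function codes are the standard Modbus ones.

```python
"""Protocol-aware monitoring over constructed Modbus/TCP frames (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Standard Modbus function codes. Writes change process state; reads do not.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hypothetical engineering baseline (constructed): (source host, unit id) -> register
# window that source is expected to write. Anything else is worth a look.
WRITE_BASELINE = {
    ("10.10.1.5", 1): range(0, 100),   # HMI writes setpoints 0-99 on PLC unit 1
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    start_addr: Optional[int]
    count: Optional[int]


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus the PDU fields needed for policy checks."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame length")
    func = payload[7]
    start = count = None
    if func in (1, 2, 3, 4, 15, 16) and len(payload) >= 12:
        start, count = struct.unpack(">HH", payload[8:12])   # start address, quantity
    elif func in (5, 6) and len(payload) >= 12:
        start = struct.unpack(">H", payload[8:10])[0]        # single address
        count = 1
    return ModbusRequest(src, dst, tid, unit, func, start, count)


def evaluate(req: ModbusRequest) -> list:
    """Return findings for one request; an empty list means it matches the baseline."""
    findings = []
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        allowed = WRITE_BASELINE.get((req.src, req.unit_id))
        if allowed is None:
            findings.append(f"{name} from {req.src} to unit {req.unit_id}: "
                            "no write baseline for this source")
        elif req.start_addr is not None:
            last = req.start_addr + req.count - 1
            if req.start_addr not in allowed or last not in allowed:
                findings.append(f"{name} from {req.src}: registers "
                                f"{req.start_addr}-{last} outside expected window")
    elif req.function not in READ_FUNCTIONS:
        findings.append(f"function code {req.function} from {req.src} "
                        "not in read/write allow-list")
    return findings


def monitor(traffic) -> list:
    """traffic: iterable of (src, dst, payload). Returns all findings, malformed frames included."""
    alerts = []
    for src, dst, payload in traffic:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            alerts.append(f"malformed frame from {src}: {exc}")
            continue
        alerts.extend(evaluate(req))
    return alerts


# --- Constructed sample frames (helpers build valid Modbus/TCP encodings) ---
def _mbap(tid, unit, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_holding(tid, unit, start, count):
    return _mbap(tid, unit, struct.pack(">BHH", 3, start, count))

def write_single(tid, unit, addr, value):
    return _mbap(tid, unit, struct.pack(">BHH", 6, addr, value))

def write_multiple(tid, unit, start, values):
    pdu = struct.pack(">BHHB", 16, start, len(values), 2 * len(values))
    return _mbap(tid, unit, pdu + b"".join(struct.pack(">H", v) for v in values))

def diagnostics(tid, unit):
    return _mbap(tid, unit, struct.pack(">BHH", 8, 0, 0))

PLC = "10.10.2.20"
SAMPLE_TRAFFIC = [
    ("10.10.1.5", PLC, read_holding(1, 1, 0, 10)),          # HMI read: fine
    ("10.10.1.5", PLC, write_single(2, 1, 42, 1500)),       # HMI setpoint write: fine
    ("10.10.5.77", PLC, write_multiple(3, 1, 200, [0, 0])), # unbaselined host writes
    ("10.10.1.5", PLC, write_multiple(4, 1, 95, [1] * 10)), # HMI writes past its window
    ("10.10.1.5", PLC, diagnostics(5, 1)),                  # unexpected function code
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRAFFIC):
        print(alert)
```

The point of the baseline is that it comes from the engineers who know what the HMI is supposed to do, not from the security team guessing; a deployable version would read the baseline from the asset inventory and run on a SPAN/TAP feed rather than on constructed frames.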
Remote access security serves as the fourth critical control, becoming increasingly important as organizations balance operational needs with security requirements. This goes beyond implementing multi-factor authentication — organizations must inventory all remote access pathways and allowed destinations, establish secure jump host platforms, and ensure all remote connections are monitored through properly architected network segments. The focus must remain on enabling necessary operational access while maintaining strict control over who can access what and when.
The fifth control, risk-based vulnerability management, requires a deep understanding of both security controls and ICS-specific risks. Unlike IT environments where patching can often be automated, ICS vulnerability management must prioritize operational safety and continuity. Teams need to carefully evaluate which vulnerabilities provide unique access or control capabilities to adversaries, implement patches during scheduled maintenance windows, and develop engineering-informed mitigations when immediate patching isn’t feasible.
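The triage logic described above can be written down so it is applied consistently. The following is an added example (not the author's or SANS's method) of a hypothetical ranking and scheduling scheme: vulnerabilities that give an adversary control or a new foothold are ranked first, validated patches are booked into the next maintenance window with spare capacity, and anything without a validated patch is assigned its engineering-supplied compensating mitigation. The vulnerability records, identifiers, window dates and capacity are all constructed placeholders.

```python
"""Risk-based vulnerability triage for ICS assets (added example, hypothetical scheme)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IcsVuln:
    vuln_id: str            # placeholder identifier, constructed for this example
    asset: str
    grants_control: bool    # exploitation lets an adversary change process state
    grants_access: bool     # exploitation yields a new foothold (e.g. from the DMZ)
    exposure: str           # "remote", "dmz" or "control": nearest zone an attacker needs
    patch_validated: bool   # vendor patch exists and passed a test-bench validation
    mitigation: str         # engineering-informed compensating control, "" if none yet


# Hypothetical ordering: closer to remote access ranks higher.
EXPOSURE_RANK = {"remote": 3, "dmz": 2, "control": 1}


def risk_rank(v: IcsVuln) -> tuple:
    """Rank by the capability the flaw hands an adversary, then by exposure."""
    return (v.grants_control, v.grants_access, EXPOSURE_RANK.get(v.exposure, 0))


def plan(vulns, windows, capacity) -> dict:
    """Map each vuln_id to an action. windows: ordered maintenance dates; capacity: patches per window."""
    slots = {w: 0 for w in windows}
    actions = {}
    for v in sorted(vulns, key=risk_rank, reverse=True):
        if not (v.grants_control or v.grants_access):
            actions[v.vuln_id] = ("defer: no unique access or control capability; "
                                  "keep under monitoring")
            continue
        if v.patch_validated:
            window = next((w for w in windows if slots[w] < capacity), None)
            if window is None:
                actions[v.vuln_id] = ("no window capacity; mitigate now: "
                                      f"{v.mitigation or 'engineering mitigation required'}")
                continue
            slots[window] += 1
            action = f"patch in maintenance window {window}"
            # Exposed assets get the compensating control while waiting for the window.
            if v.exposure in ("remote", "dmz") and v.mitigation:
                action += f"; apply mitigation now: {v.mitigation}"
            actions[v.vuln_id] = action
        elif v.mitigation:
            actions[v.vuln_id] = (f"mitigate now: {v.mitigation}; "
                                  "patch once vendor fix is validated")
        else:
            actions[v.vuln_id] = "engineering mitigation required; no validated patch"
    return actions


# Constructed sample inventory and maintenance calendar.
SAMPLE_VULNS = [
    IcsVuln("VULN-A", "PLC-01 firmware", True, True, "dmz", True,
            "restrict writes at industrial DMZ firewall"),
    IcsVuln("VULN-B", "historian", False, True, "remote", True, ""),
    IcsVuln("VULN-C", "HMI-02", True, False, "control", False,
            "disable unused service"),
    IcsVuln("VULN-D", "engineering workstation", False, False, "control", True, ""),
    IcsVuln("VULN-E", "PLC-03 firmware", True, False, "control", True, ""),
]
WINDOWS = ["2025-03-15", "2025-06-14"]   # placeholder dates
CAPACITY = 2                             # patches per window the team can validate

if __name__ == "__main__":
    for vuln_id, action in plan(SAMPLE_VULNS, WINDOWS, CAPACITY).items():
        print(f"{vuln_id}: {action}")
```

Because the sort is stable and `grants_control` outranks exposure, the two control-capable PLC/HMI findings are handled before the remotely exposed historian, which is what the passage argues for: capability to the adversary first, convenience of patching second.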
IT vs. OT: Navigating implementation challenges and opportunities
Potential transitions to mandatory security requirements present organizations with significant practical hurdles that go beyond simply checking compliance boxes. Companies must secure additional budgets for specialized security capabilities while also developing the human expertise needed to effectively deploy and maintain these systems. This isn’t as simple as transferring IT security professionals into OT roles; the environments demand fundamentally different skill sets and approaches.
According to SANS ICS research, organizations struggle most with the specialized nature of ICS/OT security. These environments differ fundamentally from traditional IT, with unique mission priorities, risk profiles, and potentially catastrophic consequences for security failures. Success requires defenders who understand both cybersecurity principles and operational technology environments — a rare combination that can’t be developed overnight.
However, these challenges also present strategic opportunities for organizations to modernize their security programs and build more resilient operations. By embracing the distinctions between IT and ICS/OT environments, companies can develop security programs that truly support their operational mission rather than hinder it. Forward-thinking organizations are positioning their security teams as enablers of engineering tasks and key drivers of robust, organization-wide safety culture.
The most successful implementations occur when security teams work alongside engineering staff, learning the intricacies of industrial processes and safety requirements firsthand. SANS recommends having IT practitioners physically work with and shadow engineers in ICS environments for 2-3 months before attempting to implement security controls. This investment in cross-functional understanding pays dividends when designing and implementing security measures that protect operations without disrupting them.
Fostering a safer future
The TSA’s potential move to mandatory requirements represents a necessary evolution in critical infrastructure protection, even if some argue it should have come sooner. The success of these measures will depend not just on compliance with regulatory requirements, but on organizations’ ability to implement practical security controls that address real-world threats while supporting operational excellence.
As threats become more sophisticated and consequential, the security of our critical infrastructure depends on getting this right. Organizations must move beyond viewing ICS security as a regulatory burden and recognize it as a fundamental business requirement. After all, in organizations that operate industrial control systems, ICS is the business. The safety, reliability and security of these systems directly impact not just individual companies, but the communities and nations they serve.
The path forward requires a balanced approach that acknowledges both the unique challenges of ICS environments and the critical importance of protecting them. By implementing the five critical controls within a framework that prioritizes safety and operational continuity, organizations can build resilient systems capable of withstanding modern threats while maintaining the efficient operation that society depends on.
Dean Parsons is a certified SANS ICS instructor and ICS protector for critical infrastructure at the SANS Institute.
© 2025 Federal News Network. All rights reserved.