For more than a decade, governments and industry leaders have worked to strengthen cybersecurity across critical infrastructure. Energy, utilities, healthcare, and financial services have rightly received significant attention. But the transportation sector has lagged behind, even as it becomes more digital, more connected, and more exposed.
This gap is no longer sustainable.
Transportation systems are critical infrastructure in the truest sense of the term. Their disruption doesn’t just affect data or revenue, it can impact public safety, emergency response, and economic stability. A cyberattack on transit systems and the subsequent evacuation and response efforts, can very quickly lead to a danger to life. The risk is real, and it’s growing.
Many of these systems rely heavily on wireless connectivity. Many run on legacy technology that was never designed to be secured. And unlike power plants or factories, much of this infrastructure is literally in motion.
From a cybersecurity perspective, this creates a unique risk profile, one that doesn’t map cleanly to traditional IT security models. It also explains why attacks against transit systems have increased in both frequency and severity in recent years. Attackers are drawn to complexity, blind spots, and environments where uptime pressures make patching and remediation difficult.
The Progression From Incidents To Exposures
What I find most encouraging about NIST’s draft framework is not just that it exists, but how it reframes the problem.
The framework aligns with NIST Cybersecurity Framework 2.0, while acknowledging a critical reality: cybersecurity and physical safety are now inseparable in modern transportation systems. Federal agencies like the Federal Transit Administration have already moved in this direction by requiring rail operators to certify that they have processes in place to identify and reduce cyber risk as part of their safety programs.
This reflects a broader shift we’re seeing across critical infrastructure: away from purely reactive security and toward proactive exposure management.
Reactive security asks:
“Is there someone in the house?”
Proactive security asks the more powerful question:
“Which windows are open, and which ones matter most?”
Why We Still Need To Talk About Visibility
The lack of complete visibility across OT, IoT, and unmanaged assets is still a huge issue. These blind spots are where attackers operate. They exploit unknown devices, unpatched systems, weak configurations, and trust relationships that were never designed for today’s threat landscape.
The proposed NIST framework reinforces the importance of starting with visibility and prioritization, particularly for systems that, if disrupted, could threaten passenger safety or service continuity. Signaling, communications, dispatching, and control systems must come first.
This isn’t about starting from square one with your security, it’s about understanding which assets are most critical and which exposures are most exploitable through situational awareness- it is not enough to know the make and model number.
The Foundation For What Comes Next
NIST’s draft Transit Cybersecurity Framework doesn’t promise instant fixes or dramatic breakthroughs. And that’s exactly why it matters.
It provides a practical formula for managing cyber risk in systems that millions of people depend on every day. These systems are unique in the way they operate and can’t afford to fail. It reinforces the idea that proactive, exposure-driven security is no longer optional for critical infrastructure.
At Armis, we see this shift happening across every sector we support. Organizations that succeed are the ones that focus on continuous visibility, intelligent prioritization, early warning, and collaboration, not just alerts after damage is done.
Share this Article
Get Updates
Sign up to receive the latest from Armis