Dive Brief:

• Transit agencies in the United States are "ill prepared" for a cyberattack and are not doing enough to address the cybersecurity challenges they face, according to new research from the Mineta Transportation Institute (MTI) at San Jose State University.
• MTI researchers surveyed 90 transit agency technology leaders and found that while over 80% of agencies say they feel prepared for a threat, only 60% have a cybersecurity program in place and 43% say their plan is insufficient. The U.S. Department of Homeland Security (DHS) designates transportation as one of 16 critical infrastructure sectors that, if disrupted, would have a debilitating effect on national security.
• The report recommends a "collaborative effort" from the federal government, transit agencies, associations and other organizations to bolster public transportation's cybersecurity efforts. Researchers called for the Federal Transit Administration (FTA) to require minimum cybersecurity standards before an agency can receive federal funding, and that funds be allocated to the development of preparedness plans.

Dive Insight:

Cyberattacks on local governments have increased in frequency and intensity in recent years, with transit agencies suffering similar attacks.

The report notes that San Francisco's Bay Area Rapid Transit (BART) system was breached in 2017 when it installed more than 1,000 pieces of hardware that turned out to be spyware. And Scott Belcher, principal investigator on the report and an MTI research associate, noted in an interview that the Southeastern Pennsylvania Transportation Authority (SEPTA) in Philadelphia recently suffered an attack that resulted in disrupted communications, including with riders.

Many agencies struggle with financial deficits that have been exacerbated by the coronavirus pandemic (COVID-19). Belcher said a lack of funding means transit systems typically only invest in cybersecurity after an attack, rather than preemptively, or rely on a visionary leader to push a strategy forward.

MTI notes that more than half of surveyed agencies do not keep a log of their systems for longer than a year, which is seen as one of the most basic elements of cybersecurity preparedness. This lack of a plan can speak to a culture at some agencies that does not see the threat as serious enough, Belcher said.

"You've got some IT person in there who has a malware software package on their computers, and he or she thinks that they're prepared for cybersecurity," Belcher said. "They can't even spell cybersecurity if that's their perception of what being prepared for a cybersecurity attack is. I think, honestly, many of the transit agencies have that level of sophistication."

Belcher also warned that vulnerabilities will increase as agencies become more reliant on technology, especially contactless payment options, mobile apps and mobility-as-a-service (MaaS) offerings that look to unify transportation options on one platform. Those vulnerabilities can also be seen in more technologically-driven infrastructure, especially as agencies move toward more connected vehicles.

"There's an ironic twist here," Belcher said. "The less technically sophisticated you are, the less at risk you are because the fewer connections to the outside world and vulnerabilities you have. The more sophisticated you become, the more you access the internet, cellular or Wi-Fi, the more you do mobile payments, anything in which you open access to your network, you become more vulnerable."

And while the report acknowledged that financial help from the federal government may be unlikely, the transportation sector will need a unified effort to get these cybersecurity concerns under control and have more robust plans in place.

"The resources and knowledge are available; what is lacking is the focus at all levels," the report reads. "Mitigating this threat and reducing its impact requires concerted, coordinated effort among policy makers, industry representatives and public transit leadership."