- 73% have access to information to help implement a cybersecurity preparedness program
- 47% reported auditing their cybersecurity program at least once a year
- More than 50% don’t keep a log for longer than a year — one of the most basic cybersecurity preparedness requirements
- 36% don’t have a cyber disaster recovery plan
- 67% don’t have a cyber crisis communications plan
As a result, public transit agencies look to modernize their infrastructure to stay competitive in the industry, which exposes them to a growing list of attack vectors:
- Larger sets of data to manage and secure
- Wider distributed network access points
- Longer supply chains to rely on
According to the U.S. Department of Homeland Security, the Transportation System Sector, including public transit, is critical infrastructure.
This puts public transit agencies on par with organizations in the defense sector, the energy sector, and the public health sector. But public transit hasn’t received the attention it should when it comes to cybersecurity.
Cybersecurity breaches are on the rise in the transit industry, in the form of ransomware attacks, private data breaches, and hardware that can contain malware.
Public transit agencies need to increase their cybersecurity awareness to reap the benefits of innovation while limiting their exposure to these risks.
The importance of trusted partners
Interconnectivity is at the core of innovation in technology. This means standalone closed systems are a thing of the past, and cybersecurity is no longer exclusively a software issue.
More devices and virtual services mean that transit agencies need more help from partners and suppliers.
In recent years, governments around the world have made efforts to block untrustworthy suppliers from taking part in critical infrastructure projects. This is because of concerns over some manufacturers providing hardware with preloaded malware.
When it comes to cyber threats, an overwhelming 40% of all breaches are traced back to the supply chain.
That’s why transit agencies must find trusted partners that follow cybersecurity best practices for both their hardware and software.
The future of the public transit industry
We can expect regulators to put more effort towards protecting public transit as critical infrastructure. In the energy sector, the North American Electric Reliability Corporation (NERC) already responded by enforcing CIP-13, the supply chain risk management standard that requires power utilities to implement a supply chain risk management program.
How long until regulators step in to mitigate risk to other critical infrastructure?
As a proactive step in the meantime, transit agencies can vet each vendor’s cybersecurity readiness.