Skip to main content

Cybersecurity risks in the transit industry

The transit industry is growing fast thanks to new technology and innovation. But these changes come with a higher number of threats, including ransomware attacks and private data breaches, among others. 
For transit agencies to take advantage of new trends and ensure the safety of employees and customers, they need to be treated as critical infrastructure.

Learn more about how Genetec approaches cybersecurity

A key finding in a recent study by Mineta Transportation Institute (MTI) showed that over 80% of public transit agencies felt prepared for a cybersecurity threat, even though only 60% have a cybersecurity strategy in place.
Other interesting findings show that:

- 73% have access to information to help implement a cybersecurity preparedness program

- 47% reported auditing their cybersecurity program at least once a year

- More than 50% don’t keep a log for longer than a year — one of the most basic cybersecurity preparedness requirements

- 36% don’t have a cyber disaster recovery plan

- 67% don’t have a cyber crisis communications plan

Cyber threats pose major risks to the transit industry
Increasing risk factors and impacts
Commuters expect to have information at their fingertips to help them make commuting decisions. Cities want to cater to these trends to become the next smart city.

As a result, public transit agencies look to modernize their infrastructure to stay competitive in the industry, exposing them to a growing list of attack vectors:

- Larger sets of data to manage and secure

- Wider distributed network access points

- Longer supply chains to rely on

These risks are not limited to operational data – everything and anything digitized is a target, including sensitive financial data and personal employee information.
The risks even extend to command and control systems that, if breached, could bring transportation to a standstill.
Transit is critical infrastructure

According to the U.S. Department of Homeland Security, the Transportation System Sector, including public transit, is critical infrastructure.

This sets public transit agencies on par with organizations in the defense sector, the energy sector, and the public health sector. But it hasn’t received the attention it should when it comes to cybersecurity. 

Cybersecurity breaches are on the rise in the transit industry, in the form of ransomware attacks, private data breaches, and hardware that can have malware.

Public transit agencies need to increase their cybersecurity awareness to reap the benefits of innovation while limiting their exposure to these risks.

The importance of trusted partners

Interconnectivity is at the core of innovation in technology. This means standalone closed systems are a thing of the past, and cybersecurity is no longer exclusively a software issue.

More devices and virtual services mean that transit agencies need more help from partners and suppliers. 

In recent years, governments around the world have made efforts to block untrustworthy suppliers from taking part in critical infrastructure projects. This is because of concerns over some manufacturers providing hardware with preloaded malware.

When it comes to cyber threats, an overwhelming 40% of all breaches are traced back to the supply chain.

That’s why transit agencies must find trusted partners that follow cybersecurity best practices for both their hardware and software.

The future of the public transit industry 

We can expect regulators to put more effort towards protecting public transit as critical infrastructure. In the energy sector, the North American Electric Reliability Corporation (NERC) already responded by enforcing CIP-13, the supply chain risk management standard that requires power utilities to implement a supply chain risk management program.

How long until regulators step in to mitigate risk to other critical infrastructure?

As a proactive step in the meantime, transit agencies can vet each vendor’s cybersecurity readiness.

Want to learn more about how Genetec approaches cybersecurity?