Safety & Security: Think Mass Transit is Ready for Cybersecurity Breaches? Time to Think Again.

Dec. 21, 2021
The more connected companies and systems become, the greater the risk of a security breach.

According to a study by the University of Maryland, a cyber-attack happens every 39 seconds, and these attacks are often preventable when the correct measures are in place. As mass transit systems become more IP-enabled and connected to the internet, these attacks are on the rise.

Transportation relates to more than just moving people. With COVID-19, transportation services were increasingly relied upon to deliver everything from food and medicine to other vital services. COVID-19 also forced companies to pivot to remote work and a culture of working from anywhere. This transition required remote worker access to critical company computing systems via Virtual Private Networks (VPNs) and internet of things (IoT) portals, which opened up an array of gateways for hacking incidents to occur.

Recent Transportation Cyber-Attacks and Lessons Learned

At the heart of any functioning transportation system is reliable access to fuel. The recent cyberattack on the Colonial Pipeline, one of the largest private fuel pipeline operators in the United States and the supplier of approximately 45 percent of the fuel on the East Coast, highlighted the problem. A compromised network password led to a ransomware attack and a shutdown of the pipeline, creating fuel shortages that greatly impacted East Coast transportation operations.

The attackers targeted the business side of the pipeline operations, making it clear that their motivation was money. However, had they targeted the operations side of the business, the crisis could have stretched beyond a single week. While a third-party security organization was hired to determine the source of the breach, the company did pay $5 million to the attackers to restore its systems.

Following the Colonial Pipeline incident, the Department of Homeland Security (DHS) issued new cybersecurity standards, but some of these standards will take time and money to implement, which Colonial says it is doing.

The Colonial Pipeline hack is just one of many recent incidents impacting the North American transportation system. The San Francisco Municipal Transportation Agency suffered a ransomware attack on 2,000 computers. Toronto suffered a similar attack on its subway system, directly impacting control operations. And Martha’s Vineyard ferry service endured a ransomware attack in June of 2021.

The largest takeaway from these attacks? Mass transit systems responsible for transporting 34 million passengers a day are targets for increased cyberattacks and offer hackers and other bad actors a potential gold mine of opportunity.

Prevention and New Guidelines

One of the issues for transportation organizations is a lack of funding and internal/external staffing resources required for deploying a robust cybersecurity plan and defense against unwanted cyberattacks. While transportation network systems are becoming increasingly IP connected, they often use over-the-counter virus and cybersecurity software and firewalls that don’t offer the security protection they need.

As a result, the Cybersecurity and Infrastructure Security Agency (CISA) has instituted new rules: all pipeline operators need to have a Cybersecurity Coordinator who can be reached 24/7 in the event of any incident. In June of 2021, all pipeline operators had to report to CISA and the Transportation Security Administration (TSA) on the current state and protection of their systems and what their plans were for correcting any deficiencies.

By October, the TSA also went beyond mandates for pipelines and implemented guidelines for all the major rail systems, including Amtrak and larger transit and subway systems like those in New York, Washington, D.C., and even Chicago. Regulations include requirements to have a cybersecurity response contact, to report all breaches to CISA and to have an incident recovery plan.

Some feel that these regulations don’t go far enough. Bad actors continue to develop more sophisticated ways to attack vulnerable systems, and they include not only nation-states who intend to threaten national confidence and security, but criminal hackers and cybercriminals who are more motivated by money and ransom than the actual disruption of transportation systems.

It is important that private companies, cities, states and regulators at the highest federal levels all understand the threat to various systems, and the ways those threats can be mitigated. These areas include:

  • Rail systems - responsible for transportation of people, food, medication and other vital goods and supplies.
  • Mass transit - the systems responsible for transporting millions of passengers every day. 
  • Maritime and Ports - vital for our freight, logistics, and consumer goods transport.
  • Aviation - responsible for moving hundreds of millions of people daily along with an increasing amount of goods and freight. Also, increasingly vulnerable to attack as noted by recent cyber incidents involving Delta and Southwest Airlines. 
  • Ground Freight, Logistics and other Fleet Operations - increasingly “going digital” with everything from manifests to driver logs, load routing and more. 

What’s the solution here? For each aspect of transportation that could potentially be impacted, a comprehensive cybersecurity plan must be developed and implemented.

The Impact of the Private Cybersecurity Sector on Mass Transit

Fortunately for mass transit and transportation companies of all sizes, there is no need to reinvent the cybersecurity wheel. Other highly regulated industries such as healthcare and financial services are already taking steps to develop more comprehensive cybersecurity measures that can be applied for the benefit of the transportation industry:

  • Assess the organization using industry-standard frameworks to baseline the current state of maturity. Identify gaps, vulnerabilities and threats to quantify organizational risk.
  • Establish goals and milestones as part of an overall plan.
  • Formalize policies, standards, roles and responsibilities in case of an attack.
  • Assess and track risk until remediated.
  • Fully implement and enforce processes and new procedures.
  • Engage third-party expertise to identify and fill any talent or skill gaps.

With new directives and policies in place and evolving as the need arises, it makes sense for many mass transit systems to find a trusted third-party partner. It’s simpler and in many cases less costly than developing and hiring for a cybersecurity department from the ground up. Just be sure the company you work with is familiar with the unique challenges of mass transit system cybersecurity and has the agility to pivot as both threats and security systems evolve.

Think your transportation system is prepared for a cybersecurity breach? It’s time to think again, but not to stop there. It’s time to be proactive before you’re forced into a costly reaction.


Jason Stokes is chief information security officer (CISO) and vice president, Security Services at Secuvant, LLC.

Chris Barker is a Secuvant Executive Board Member, Transportation and smart cities advisor.
