New research asks: ‘How Prepared Is Transit for a Cyber Attack?’

Oct. 8, 2020
Only 60 percent of transit agencies have a cybersecurity preparedness plan, which leaves them ill prepared for a cyberattack.

Research performed by the Mineta Transportation Institute (MTI) to assess the readiness of transit agencies to understand, mitigate and respond to the growing threat of cybersecurity found there is a gap between their actual level of preparedness and what they believe their preparedness to be.  

Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness surveyed 90 transit agency technology leaders and found more than 80 percent of agencies reported feeling prepared for a cybersecurity threat, yet only 60 percent have a cybersecurity program in place.

Despite the U.S. Department of Homeland Security designating the Transportation System Sector as one of 16 critical infrastructure sectors whose disruption would have a debilitating effect on our nation’s security, the report found that most transit agencies, which fall within this sector, do not have many of the basic policies or personnel in place to respond to a cyber incident.

Other key findings include:

  • While 73 percent of respondents feel they have access to information to help implement a cybersecurity preparedness program, only 60 percent have a cybersecurity response plan in place and 43 percent do not find their plan sufficient;
  • 47 percent of agencies reported auditing their cybersecurity program at least once a year;
  • More than 50 percent of agencies do not keep a log for longer than a year– one of the most basic cybersecurity preparedness requirements;
  • 36 percent do not have a cyber disaster recovery plan; and
  • 67 percent do not have a cyber crisis communications plan.

“Fortunately, there is an abundance of information and tools, such as the Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance and accompanying workbook, available to public transit agencies to support a cybersecurity program,” said the report’s Principal Investigator Scott Belcher.

He goes on to describe how agencies that have become aware of the imminent threat have taken action to protect themselves from cyberattacks, including seeking technical leadership from outside the transit industry and contracting out the management of personally identifiable information (PII).

For the majority of transit agencies, resources for cybersecurity will remain scarce and, thus, there needs to be a collaborative effort from the federal government, the industry and agency leadership to establish, maintain and refine cybersecurity programs. The research team emphasizes that the Federal Transit Administration should require transit organizations to adopt and implement minimum cybersecurity standards prior to receiving federal funding.

The team also recommends federal funds be allocated for the development of comprehensive cybersecurity preparedness plans and their implementation. The report recommends industry trade associations should continue to develop, refine and improve existing cybersecurity guidance to enable transit agencies to adequately prepare for the inevitable cyber disruption and maintain a ready approach in the event of an attack.