The Mineta Transportation Institute (MTI) has released its latest research on how transit agencies and their vendors can step up their cybersecurity protection.
MTI says transit agencies are highly dependent on the services of vendors to help deliver and maintain critical technologies linked to everything they do. The vendor’s cybersecurity posture (the strength of their controls and protocols)—whether immature or advanced—is shared with their clients, and this leaves transit agencies of all sizes vulnerable to cyber incidents.
The new research, “Aligning the Transit Industry and Their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges,” demonstrates that the U.S. transit industry and its vendor community can broaden their relationships and focus on cybersecurity–both parties need to create a secure environment that can benefit from and augment the other.
The authors’ findings focus on three key areas: cyber literacy and procurement practices, the lifecycle of technology vis-à-vis transit hardware and the importance of embracing risk as a road to resiliency.
Key findings include:
- Transit agencies need to use the procurement process as an opportunity to articulate their cyber needs because the presence of such requirements in requests for proposals (RFPs) is a key driver of investment for vendors.
- Transit agencies must also understand their own risks and be able to communicate these risks in technical terms.
- The hardware and software lifecycles in public transit are out of sync, creating a situation in which vehicles and other hardware designed to last for 15 years or more are being supported by or carrying software that stopped receiving security updates, which creates serious vulnerabilities.
“There are several steps that transit agencies and their stakeholders can take to strengthen their collective cybersecurity posture,” explain the study’s authors. “For example, vendors for critical systems should make available a security lead to assist the agency in the management of the agency’s risk. Meanwhile, transit agencies should integrate their cyber risk management program with their existing physical security risk management organization and infrastructure, creating a holistic Enterprise Risk Management program. They should also elevate security within the organization by appointing a Chief Security Officer.”
Measures taken to protect transit security require executive focus and investment across the transit ecosystem. MTI says transit agencies, vendors, associations, the Department of Homeland Security and U.S. Department of Transportation, as well as the Federal Transit Administration can cooperate and collaborate to invest in risk management to ensure the safety, efficiency and reliability of the nation’s critical infrastructure.
