MTI research shows transit agencies still lacking in cybersecurity preparedness
The Mineta Transportation Institute’s (MTI) latest research report shows transit agencies’ cybersecurity preparedness has not markedly improved since MTI published its initial report in 2020. The updated report, Does the Transit Industry Understand the Risks of Cybersecurity and are the Risks Being Appropriately Prioritized, builds upon the institute’s report, Is the Transit Industry Prepared for the Cyber Revolution, released four years ago. Both reports revealed the transit industry is ill-prepared for cybersecurity threats and attacks.
Based on online surveys from 78 agencies, interviews with transit professionals and a review of relevant literature, the study revealed three major findings:
- There is a lack of organizational knowledge about cybersecurity. Many executives do not appreciate the risks their organizations face, and if they do, many leaders do not know what their teams are doing to address these risks.
- Many agencies lack important documented policies and procedures across a broad spectrum of requirements that are considered essential by most cybersecurity professionals.
- Small agencies lag far behind. For the best practices discussed in the report, a larger proportion of the larger agencies adhered to them than of the smaller agencies.
The authors’ recommendations include:
- Agencies should develop an individualized cybersecurity plan and update it yearly.
- Agencies should conduct a cybersecurity assessment at least annually and address the shortcomings identified in that assessment in a timely manner.
- Agencies should ensure that they have documented cybersecurity policies and procedures in place and that the organization is following them.
- Transit agencies should have at least one person on staff who holds a cybersecurity certificate and is qualified to oversee the cybersecurity program and/or vendors.
“The increasing sophistication of cybercriminals, in combination with a greater reliance on technology within the transit industry, puts the industry at higher risk than in 2020,” explain the study’s authors. “Agencies are not conducting regular cybersecurity assessments or putting basic policies and procedures in place to minimize the likelihood of a cybersecurity breach and to recover from the harm when one occurs.”
Ultimately, the researchers say, only with a coordinated effort can this threat and its impact be mitigated and the nation’s critical systems be protected.