Cyber Attackers are Coming for Transit Agencies, Here's How to Strengthen Your Security Posture
The demand from riders for convenient, reliable and efficient public transit systems has prompted transit agencies to implement new and innovative technologies as a catalyst for smart cities. Transit systems have continually implemented more and more technology, especially during the height of the pandemic, with riders pushing for contactless, mobile-based fare collection and modernized systems. It is believed these technologies have helped transit agencies rebound from low ridership. According to the American Public Transportation Association, in September 2022, ridership had rebounded to more than 70 percent of pre-pandemic levels.
However, with this smart city boom and the rapid development and implementation of new technology in existing transit systems and operations, a vast amount of data is collected. Whenever sensitive data is collected and stored, there is an increased cybersecurity risk. The Mineta Transportation Institute reported in 2022, “weekly ransomware attacks on transit systems were up 186 percent since June 2020.” Since the transit sector has proven to be a target for malicious threat actors, it is vital for agencies to understand the risks and how best to protect their organization, employees and customers from cyberattacks.
A Recent Increase in Cyberattacks
Earlier this year, Washington Metropolitan Area Transit Authority’s (WMATA) cloud-based computer network was breached from a personal computer in Russia. It was later discovered this cyberattack was initiated by a former IT employee contracted by WMATA. The WMATA Inspector General’s Office found the authority’s increased reliance on technology had created long-standing security issues and increased vulnerabilities that could have included threats to train safety for a system that more than 600,000 people rely on every day.
More recently, the U.S. Department of Transportation reported a data breach in May that affected administrative systems processing employee transportation benefits. This breach exposed 237,000 current and former employees’ personal information. While an investigation into this breach is underway, the transportation benefit system has been frozen.
Given recent events, it’s clear why cybersecurity has become increasingly top of mind in today’s transit landscape. The risk of a cyberattack is real, and it can be extremely damaging. From leaks of riders' personal information, such as payment details and Social Security numbers, to the disruption of a transit system's operations and widespread outages, the negative impact is severe. It can damage an agency’s reputation, create doubt among customers and have long-term effects.
While technology can bring cybersecurity risks, it’s also incredibly beneficial and necessary for agencies to implement to meet customer demands, stay competitive and provide the best rider experience. Being proactive, following best practices and having plans in place in case of a threat are all ways to utilize innovative technologies while improving your cybersecurity posture.
Strategies that agencies can follow to mitigate cybersecurity risks
The Transportation Security Administration requires freight railroads, passenger rail and rail transit owners and operators to “designate a cybersecurity coordinator, report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours and develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption.” Developing an incident response plan that details what your agency should do before, during and after a cyberattack is critical. In addition to developing a plan, conducting tabletop exercises will help ensure the plan is ready and will be successful. Finding an agency to help conduct these exercises brings additional challenges.
To be more proactive when it comes to cybersecurity efforts, larger transit agencies are hiring Chief Security Officers and Chief Information Security Officers. While creating these positions is one of the best ways to strengthen an agency's security posture, they also come with large salaries that some agencies cannot afford. If this is the case, the agency's incident response plan (IRP) is a good place to focus efforts. Cyber insurance is another way to be proactive and protect your organization against losses.
Another best practice for public transportation agencies is separating their information technology and operational technology networks to limit the attack surface and the potential number of affected entities in the event of a breach. Using a virtual local area network and network segmentation is crucial.
Agencies should also consider focusing cybersecurity efforts on vendor partnerships. Before diving into a partnership, agencies need to remember that vendors might have varying levels of cybersecurity compliance and, at the end of the day, it’s the agency's responsibility to protect the data of customers. Agencies should ensure vendors are compliant with the latest cybersecurity standards like the Payment Card Industry Data Security Standard and System and Organization Controls (SOC 2). It is up to transit agencies to do their due diligence in assessing their security vulnerabilities with third-party vendors to protect the integrity of their systems. To determine vulnerabilities ahead of time and address them before an issue arises, using tools like multi-factor authentication and network scanners is a must.
In a time where technology plays an increasingly important role in public transit, prioritizing cybersecurity is critical. Through adopting proactive measures and prioritizing cybersecurity efforts, transit agencies can lower the risk of a cyberattack, improve their resilience and ultimately protect their riders.
------
David Avery has been with South Central Transit Authority (SCTA) for 10 years and serves as director of IT overseeing infrastructure of Red Rose Transit Authority and Berks Area Regional Transportation Authority.
Additional resources
- The Cybersecurity Assessment Tool for Transit (CATT) helps public transit agencies formalize and develop their cybersecurity program.
- The American Public Transportation Association has compiled many resources, available on the association’s website. These include informational videos from the FTC, recommended practices, toolkits, reports, trainings and much more.
David Avery
Prior to SCTA, Dave worked for global supply chain provider SuperValu for 10 years, where he served as a senior technical analyst over the robotic facilities for the Eastern Region. Before SuperValu, he was a Microsoft consultant and partnered with local IT companies to serve private industry within Pennsylvania.