These are some of the findings in a new report by the Mineta Transportation Institute at San Jose State University in California titled Aligning the Transit Industry and Their Vendors in the Face of Increasing Cyber Risk.
“Many of the big agencies have created a CISO-like position, and have stepped up,” said Scott Belcher, a professor at San Jose State and one of the authors of the report, adding transit agencies have access to funding streams from the Transportation Security Administration (TSA) to help harden systems against cyber attacks.
“Most agencies rely on their IT departments and assume that penetration testing is enough,” said Belcher. “It is an awkward dance.”
For starters, transit agencies should be writing cybersecurity expectations into the RFPs they release when calling for technology solutions or upgrades. They should also elevate cybersecurity into an “enterprise risk management strategy,” where risk management is an integral part of all agency functions and operations, the report advises.
Public transit is seeing an uptick in illicit cyber activity. Weekly ransomware attacks on transit were up 186 percent since June 2020, according to the report. And as the industry morphs into a more holistic transportation service, integrating with micromobility, exploring the use of autonomous vehicles and upgrading systems to contactless ticketing, onboard Wi-Fi and other improvements — which riders say they appreciate and expect — the entry points for outside interference keep growing.
Houston METRO, a vast transit network that includes more than 1,200 buses and 22 miles of light rail in one of the country’s largest and most sprawling metro regions, has had a CISO on staff for several years.
“As reliance on technology increases and more cyber attacks occur for transit agencies, Houston METRO will continue to invest in cybersecurity to reduce risk,” said Nick Jones, METRO’s chief information security officer, in an email. Like other transit agencies, METRO was careful to disclose little in the area of cybersecurity, in part, to guard against would-be bad actors.
Buses and trains continue to be upgraded with features often seen as passenger amenities. In 2010, only 1 percent of buses included onboard Wi-Fi. By 2020, it was 41 percent, according to the Mineta report. Vehicle location technology is now on at least 90 percent of buses. In 2010, only 60 percent included this GPS technology. Five percent of buses today include pedestrian detection technology. In 2010, none of them did.
Transit agencies spent some $43.1 billion with private-sector companies in 2019, 7.5 percent more than was spent in 2018, according to the report. And more spending is expected in the next five years as transit agencies take on significant modernization efforts, funded by the Infrastructure Investment and Jobs Act, which will send some $66 billion to public transit.
All of this technology generally comes to transit in the form of the contracts agencies make with private-sector vendors. And those vendors, said Belcher, tend to have a firmer understanding of cybersecurity risks than their public-sector transit partners.
“The more entry points, the greater the vulnerability,” said Belcher. “Criminals are looking to get access to operational data, personal data and financial data. Each of those data sets gives them leverage.”
These are today’s concerns. Tomorrow and beyond, the dangers could get even more pronounced.
“Going forward we will also have to be concerned about criminals taking control of vehicles and putting passengers at risk,” Belcher warned.
Aside from taking a holistic approach to security, led by a CISO who oversees the deployment of cybersecurity policies and protocols and has a hand in writing RFPs to ensure these reflect the agency’s cybersecurity requirements, transit officials are also advised to stay on top of the basics like software updates, since neglecting these creates easy entry points.
Houston METRO addresses cybersecurity in agreements with private-sector vendors, said Jones.
“Technology provider vendors must include cybersecurity language in their contract or sign METRO’s cybersecurity addendum,” Jones explained.
The lack of cybersecurity planning and concern is not limited to certain agencies, experts say. Large agencies can be “just as unsophisticated as the smaller agencies,” said Belcher.
“In some cases, smaller agencies have an advantage in that they have not implemented as much technology, and do not have as much vulnerability,” Belcher explained.
The act of infiltrating transit systems is often the work of bots, Belcher noted, adding, they “don’t care if it is a large or small organization. There are plenty of examples of small agencies ‘with nothing’ that have been hacked.”
Cybersecurity Preparedness Among U.S. Transit Agencies
- Do not have Incident Response Plan — 42 percent
- Lacking a Disaster Recovery Plan — 36 percent
- No Continuity of Operations Plan — 53 percent
- Lacking a Continuity of Business Plan — 58 percent
- No Crisis Communication Plan — 67 percent