The study, conducted by researchers from the Mineta Transportation Institute at San Jose State University in California, also found that more than 70 percent of agencies responding to the survey claim they have not experienced “many (or any) cybersecurity incidents.”
“I think we were surprised at the lack of recognition for how vulnerable the transit agencies are,” said Scott Belcher, one of the authors of the study, speaking to Government Technology earlier this year.
“There really were a large percentage of agencies that we surveyed that did not believe they had experienced an attack.
“We went in with the expectation that transit would probably be behind the curve in terms of their cybersecurity preparedness. I guess we were a little surprised at how unprepared it was, or how unsecured it was,” he added.
The unpreparedness in the cybersecurity space was also found across the board, with large agencies just as likely to have security gaps as the smaller agencies, said Brandon Thomas, another author of the report, “Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness.”
The similarity between large and small agencies is hard to explain, given that more resources — including training, planning tools and experts from the Department of Homeland Security — are typically available to larger organizations.
The gaps in security raise added concerns as transit agencies become more technologically advanced, deploying digital products to aid in operations, ticketing and trip-planning, as well as offering ridership perks like onboard Wi-Fi.
“Now you have experiments and pilots on the ground with connected vehicles, autonomous vehicles, so there’s this whole new wave of emerging technology,” said Thomas, adding that emerging technologies expand the risk “more than just data.”
One of the first changes that needs to happen is a cultural shift within the transit industry to recognize the importance of cybersecurity, along with putting public policy in place to ensure security and even adding personnel with expertise in cybersecurity.
“And so finding those people that can give you the combination of technology, plus process, plus, plus, plus of what it takes to be prepared. Really, to be honest, you’re not going to find those folks in the transit space,” said Thomas. “You’re not looking for someone who’s got 15 years doing cybersecurity in transit.”
The ideal candidate may be from an area as seemingly unrelated as finance, but is able to bring over expertise that can lead that sort of organizational shift that puts cybersecurity at the forefront, he explains.
“I think what we’ve found is that, interestingly, the ones that were the most impressive were the ones that hired cybersecurity professionals from other industries,” said Belcher, “and brought their expertise and brought best practices to the transit agency. And that really made a difference.”
In 2017, Sacramento Regional Transit (SacRT) in California grabbed headlines when bad actors launched a ransomware attack on the agency. The attack affected servers related to managing internal operations. No data was stolen in the attack, and transit officials noted the agency’s mobile ticketing app is on a separate and unaffected cloud-based system. However, the attack was disruptive, prompting SacRT to take down its webpage, and as a precaution, the agency temporarily disabled its system for processing credit card transactions.
Since then, SacRT has put in a range of tech and security improvements to safeguard against future attacks, said Jessica Gonzalez, a spokeswoman for SacRT.
“We implemented Carbon Black, a cloud-based system that provides endpoint protection, and we implemented Barracuda Cloud protection as a first level spam filtering for our email systems,” said Gonzalez.
The agency also hired Sandy Bobek, the former chief information officer of the San Diego Metropolitan Transit System, to serve as assistant vice president of technology, innovation and performance monitoring. The agency also hired a senior manager of IT projects and cybersecurity.
Given the many agreements and partnerships agencies increasingly establish with private-sector vendors, they should write cybersecurity protection language into the contracts as early in the process as possible.
Belcher argues that this effort will require a “cultural change within the transit organizations” to ensure that all third-party vendors are adequately prepared to protect not only the organization, but the customers that organization serves as well.