Report: Transit industry unprepared for more cybersecurity threats

The transit industry is unprepared for increased cybersecurity threats and attacks, according to a new report released by the Mineta Transportation Institution (MTI), a research center at San Jose State University.

MTI first released a report in 2020 that found the industry was not prepared for cyberthreats and attacks and recommended policy changes. The updated report released yesterday shows no significant improvement in preparedness.

Based on online survey results from 78 agencies, interviews with transit professionals and a literature review, the authors of the latest reported noted three major findings: There is a lack of knowledge about cyber security; many agencies do not have policies and procedures that address cybersecurity; and smaller agencies reported using fewer cybersecurity precautions than larger agencies.

“The increasing sophistication of cybercriminals, in combination with a greater reliance on technology within the transit industry, puts the industry at higher risk than in 2020,” the authors wrote. “Agencies are not conducting regular cybersecurity assessments or putting basic policies and procedures in place to minimize the likelihood of a cybersecurity breach and to recover from the harm when one occurs.”

The report recommended that transit agencies should:

• develop an annual updated and individualized cybersecurity plan;
• conduct a cybersecurity assessment annually and address the shortcomings;
• ensure they have cybersecurity policies and procedures in place; and 
• have at least one person on staff with a cybersecurity certificate to oversee the cybersecurity program.