Photo: Bar Vardi | Dreamstime.com

Public transit agencies face increasing risk of cyberattacks

17 August 2022

by Sarah Wray

US public transit agencies should appoint a Chief Security Officer and use procurement processes to raise cybersecurity standards, according to a new report.

The research from Mineta Transportation Institute at San Jose State University found that requirements in requests for proposals (RFPs) are a key driver of investment for vendors.

The report, titled Aligning the Transit Industry and Their Vendors in the Face of Increasing Cyber Risk, warns that the hardware and software lifecycles in public transit are “out of sync,” creating a situation where vehicles and other hardware designed to last for 15 years or more are being supported by software that stopped receiving security updates, leading to “serious vulnerabilities.”

Transit agencies are also urged to better understand their own risks and ensure they have the ability to communicate them in technical terms, particularly as vendors often provide connected services such as passenger counting, video surveillance, fare management, vehicle location tracking, data storage, and credit card processing. The growing use of first and last-mile services and connected and automated vehicles also increases digital interactions.

The need for transport CSOs

“There are several steps that transit agencies and their stakeholders can take to strengthen their collective cybersecurity posture,” said Scott Belcher, a professor at San Jose State University and one of the authors of the report. “For example, vendors for critical systems should make available a security lead to assist the agency in the management of the agency’s risk.

“Meanwhile, transit agencies should integrate their cyber risk management program with their existing physical security risk management organisation and infrastructure, creating a holistic Enterprise Risk Management programme. They should also elevate security within the organisation by appointing a Chief Security Officer (CSO).”

Some big agencies have created such a role but many transit organisations still rely on their IT departments and penetration testing.

Growing threats

The Bay Area Rapid Transit system, Southeast Pennsylvania Transportation Authority, Vancouver’s Translink, New York’s Metropolitan Transportation Authority, Dallas Area Rapid Transit, Ann Arbor Area Transportation Authority, and the Santa Clara Valley Transportation Authority are just some of those that have dealt with data breaches or ransomware attacks in the past few years.

According to Check Point Research, the global transit industry has experienced a 186 percent year-over-year increase in weekly ransomware attacks since June 2020.

“It is increasingly difficult to name a transit provider that has not faced a data breach or other disruptive cyber incident,” the report says. “In some cases, transit agencies report clean cyber bills of health only because they are unaware of system breaches.”

Planning for the worst

The researchers found that most agencies do not have many of the basic policies and procedures in place to respond in the event of a cyber breach – with 42 percent lacking an incident response plan. Similarly, 36 percent have no disaster recovery plan and 53 percent don’t have a continuity in operations plan. Two-thirds have no documented crisis communications strategy.

“A transit agency that provides essential transportation services to communities in need of economic assistance seems an unlikely target for a ransomware attack,” the authors say. “Unfortunately, most cybercriminals do not discriminate based on an organisation’s size, stature, or the nature of the services they provide. They pursue access.”

  • Reuters Automotive
https://cities-today.com/wp-content/uploads/2023/11/Dawn-crop.png

Technology inclusion goes beyond internet access in LA

  • Reuters Automotive