
Cybersecurity and Transit: What Transit Agencies Need to Know About Cyber Risk

Between June 2020 and June 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. As such, it is even more imperative that transit operators treat cybersecurity with the same seriousness as physical operational security.

by Scott Belcher, Terri Belcher, and Brandon Thomas
October 4, 2021
Recent events have demonstrated the need to be proactive when it comes to cybersecurity.

Credit: Getty Images/gorodenkoff


Cyberattacks are occurring at an alarming rate across the U.S. and throughout the world. Ransomware attacks have targeted every industry, businesses of all sizes, government agencies, and individuals — no one is immune. In 2020, the FBI received more than 791,790 complaints to its Internet Crime Complaint Center about suspected internet crime, an increase of more than 300,000 cases from 2019. Many cyber experts fear that this reported number is far smaller than the number of actual attacks, as numerous ransomware attacks go unreported and/or are not discovered for weeks or months.

Recent events have demonstrated the need to be proactive when it comes to cybersecurity. Major attacks, such as SolarWinds, the Colonial Pipeline, JBS Foods, and Acer, have caused significant interruption and cost to the global economy. The transit industry has experienced several high-profile attacks as well. Cyberattacks have involved the Metropolitan Transportation Authority (MTA) in New York City, the Martha’s Vineyard Ferry in Massachusetts, and the Southeastern Pennsylvania Transportation Authority (SEPTA) in Philadelphia. Between June 2020 and June 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks.

Cybercrime in Transit

Cybersecurity is defined as the practice of protecting systems, networks, and programs from digital attacks. These are the processes, infrastructure, systems, and personnel that are fundamental to a business’s operation. One year ago, the authors looked into the risks that cybersecurity posed to the transit industry in a study for the Mineta Transportation Institute (MTI) at San Jose State University (SJSU), “Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness.” During the research, which began in the fall of 2019 and continued during the COVID-19 pandemic, the team spoke with dozens of transit operators and surveyed hundreds of transit agencies across the U.S. What the team learned is that the transit industry, like other industries, is working to protect itself but is still ill-prepared for the cyber revolution. Unfortunately, because of the sophisticated nature of cyber criminals and their ability to constantly evolve, improve, and penetrate even the most well-protected organizations, it has been a struggle for many transit operators — particularly the small to mid-size agencies — to keep up.

Members of the research team have produced a couple of follow-up whitepapers for MTI and are working on a third report that examines the role of an agency’s supply chain in its cyber preparedness. The group’s most recent published work focused on the Biden Administration’s efforts to enforce more stringent “Buy America” provisions on the supply chain. This paper, “Will the Biden Administration’s ‘Made in America’ Executive Order Present Significant New Cybersecurity Obligations for Transit Operators?,” highlights the concerns about hostile nations’ attempts to digitally infiltrate U.S. infrastructure and technology and urges transit operators to familiarize themselves with the origin of their suppliers, Executive Order restrictions on suppliers from certain countries, and exemptions to these restrictions.

COVID’s Impact on Cybercrime

The COVID pandemic has exacerbated the escalation in cyberattacks by forcing organizations across the nation to meet new, urgent technology requirements to support remote work. Access to email is no longer the basic need; critical systems must be remotely accessible as well. In many cases, connections among systems had to be quickly stood up and made available. In meeting these requirements, many organizations turned to cloud computing, among other technologies, to quickly augment existing tools to support remote work. The security of these connections took a back seat to ensuring the systems remained accessible in a remote work environment.

As such, it is even more imperative that transit operators treat cybersecurity with the same seriousness as physical operational security — something that is core to the organizational mission, planned for, budgeted for, and addressed on a daily basis. Increasingly, cyber risk is encroaching on existing operational security programs, as more agencies leverage software and other digital tools to enhance their traditional security programs. Security is no longer limited to physical operations.

Tips to Stay Vigilant

Research has shown that while most transit agencies engage in at least some cybersecurity practices, few have the dedicated resources necessary to effectively manage their cyber risk. As agencies transition from a physical operation that historically has been segmented from the internet to one that is becoming digitally dependent and interconnected, they must prioritize cybersecurity within their entire risk portfolio.

The need to develop and maintain mature enterprise risk management systems to mitigate threats to people, operations, and data is neither new nor unique to the transit industry. Part of running any business is taking steps to protect critical assets. The added challenge organizations face today, however, is the increasing role of digital technologies in all areas of business operations. The resulting need is to have robust cyber risk management practices in place — in addition to traditional non-cyber-related protections — to ensure the continued protection of critical assets.

So where do we go from here? Here are a few steps that you should be taking.

1. Identify a cybersecurity leader within your organization

This is not the information security tech in IT; this person should be on the leadership team and have direct access to every department. They must have the authority and mandate to work across the organization, beyond technology to also include governance and policy, as well as the culture of security that drives the organization.

2. Assess your current state (and your tolerance for risk)

Only from this baseline can progress be made. Assessments should occur on a regular cadence to understand if and how your cyber risk is maturing.

3. Engage your resources

The American Public Transportation Association, Cyber and Infrastructure Security Agency, and others have resources at the ready to assist you in maturing your cyber risk program. Your vendors, too, are likely doing a lot in this realm already — dig in and understand what they are doing well and identify areas where they can better support you.

Transit agencies face several new challenges and demands every day and are in a time of unparalleled change. Nevertheless, the Biden Administration has already shown great interest in increasing resources (and requirements) for public transit agencies to mature their cybersecurity programs. Get ahead of the curve, as the best time to invest in a cyber risk program is before an incident. The second-best time to invest in cyber preparedness is now.
