Cybersecurity and Transit: What Transit Agencies Need to Know About Cyber Risk

Cyberattacks are occurring at an alarming rate across the U.S. and throughout the world. Ransomware attacks have targeted every industry, businesses of all sizes, government agencies, and individuals — no one is immune. In 2020, the FBI received more than 791,790 complaints to its Internet Crime Complaint Center about suspected internet crime, an increase of more than 300,000 cases from 2019. Many cyber experts fear that this reported number is far smaller than the number of actual attacks, as numerous ransomware attacks go unreported and/or are not discovered for weeks or months. Cyberattacks are occurring

Recent events have demonstrated the need to be proactive when it comes to cybersecurity. Major attacks, such as SolarWinds, the Colonial Pipeline, JBS Foods, and Acer, have caused significant interruption and cost to the global economy. The transit industry has experienced several high-profile attacks as well. Cyberattacks have involved the Metropolitan Transportation Authority (MTA) in New York City, the Martha’s Vineyard Ferry in Massachusetts, and the Southeastern Pennsylvania Transportation Authority (SEPTA) in Philadelphia. Between June 2020 and June 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks.

Cybercrime in Transit

Cybersecurity is defined as the practice of protecting systems, networks, and programs from digital attacks. These are the processes, infrastructure, systems, and personnel that are fundamental to a business’s operation. One year ago, the authors looked into the risks that cybersecurity posed to the transit industry in a study for the Mineta Transportation Institute (MTI) at San Jose State University (SJSU), “Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness.” During the research, which began in the fall of 2019 and continued during the COVID-19 pandemic, the team spoke with dozens of transit operators and surveyed hundreds of transit agencies across the U.S. What the team learned is that the transit industry, like other industries, is working to protect itself but is still ill prepared for the cyber revolution. Unfortunately, because of the sophisticated nature of cyber criminals and their ability to constantly evolve, improve, and penetrate even the most well protected organizations, it has been a struggle for many transit operators — particularly the small to mid-size agencies — to keep up.

Members of the research team have produced a couple of follow-up whitepapers for MTI and is working on a third report that examines the role of an agency’s supply chain in their cyber preparedness. The group’s most recent published work focused on the Biden Administration’s efforts to enforce more stringent “Buy America” provisions on the supply chain. This paper, “Will the Biden Administration’s ‘Made in America’ Executive Order Present Significant New Cybersecurity Obligations for Transit Operators?,” highlights the concerns about hostile nations’ attempts to digitally infiltrate U.S. infrastructure and technology and urged transit operators to familiarize themselves with the origin of their suppliers, Executive Order restrictions on suppliers from certain countries, and exemptions to these restrictions.

COVID’s Impact on Cybercrime

The COVID pandemic has exacerbated the escalation in cyberattacks by forcing organizations across the nation to meet new, urgent technology requirements to support remote work. Access to email is no longer the basic need; critical systems must be remotely accessible as well. In many cases, connections among systems had to be quickly stood up and made available. In meeting these requirements, many organizations turned to cloud computing, among other technologies, to quickly augment existing tools to support remote work. The security of these connections took a back seat to ensuring the systems remained accessible in a remote work environment.

As such, it is even more imperative that transit operators treat cybersecurity with the same seriousness as physical operational security — something that is core to the organizational mission, planned for, budgeted for, and addressed on a daily basis. Increasingly, cyber risk is encroaching on existing operational security programs, as more agencies leverage software and other digital tools to enhance their traditional security programs. Security is no longer limited to physical operations.

Tip to Stay Vigilant

Research has shown that while most transit agencies engage in at least some cybersecurity practices, few have the dedicated resources necessary to effectively manage their cyber risk. As agencies transition from a physical operation that historically has been segmented from the internet to one that is becoming digitally dependent and interconnected, they must prioritize cybersecurity within their entire risk portfolio.

The need to develop and maintain mature enterprise risk management systems to mitigate threats to people, operations, and data is neither new nor unique to the transit industry. Part of running any business is taking steps to protect critical assets. The added challenge organizations face today, however, is the increasing role of digital technologies in all areas of business operations. The resulting need is to have robust cyber risk management practices in place — in addition to traditional non-cyber-related protections — to ensure the continued protection of critical assets.

So where do we go from here? Here are a few steps that you should be taking.

1. Identify a cybersecurity leader within your organization

This is not the information security tech in IT; this person should be on the leadership team and have direct access to every department. They must have the authority and mandate to work across the organization, beyond technology to also include governance and policy, as well as the culture of security that drives the organization.

2. Assess your current state (and your tolerance for risk)

Only from this baseline can progress be made. Assessments should occur on a regular cadence to understand if and how your cyber risk is maturing.

3. Engage your resources

The American Public Transportation Association, Cyber and Infrastructure Security Agency and others have resources at the ready to assist you in maturing your cyber risk program. Your vendors too are likely doing a lot in this realm already — dig in and understand what they are doing well and identify areas where they can better support you.

Transit agencies face several new challenges and demands every day and are in a time of unparalleled change. Nevertheless, the Biden Administration has already shown great interest in increasing resources (and requirements) for public transit agencies to mature their cybersecurity programs. Get ahead of the curve, as the best time to invest in a cyber risk program is before an incident. The second-best time to invest in cyber preparedness is now.