Despite rising threats and increased reliance on digital systems, America’s transit agencies are still struggling to catch up with basic cybersecurity practices, according to a new report from the Mineta Transportation Institute (MTI).

In its follow-up to a 2020 study that highlighted the sector’s lack of preparedness, MTI’s new report — “Does the Transit Industry Understand the Risks of Cybersecurity and Are the Risks Being Appropriately Prioritized?” — paints a sobering picture: progress has been slow, uneven, and insufficient to meet the escalating risks posed by cybercriminals.

Minimal Progress Despite Mounting Threats

Drawing on surveys from 78 agencies, in-depth interviews with transit professionals, and a comprehensive literature review, the study identifies three core challenges still hampering cybersecurity across the industry:

• Widespread Leadership Disconnect: Many transit executives remain unaware of their organizations' specific cybersecurity risks. Even among those who recognize the danger, there’s often little understanding of the measures being taken — or not taken — by their teams.

• Missing or Incomplete Cyber Policies: Many agencies lack formal documentation of cybersecurity policies and procedures. These gaps leave them vulnerable to threats and unprepared for incident response.

• Small Agencies Falling Further Behind: While larger agencies have made some strides, smaller transit operators are lagging significantly. Adopting best practices — such as assessments, policy development, and staff training — is far less common at smaller organizations.

“The increasing sophistication of cybercriminals, in combination with a greater reliance on technology within the transit industry, puts the industry at higher risk than in 2020,” the report’s authors caution.

Recommendations for Closing the Gap

To reverse course, MTI outlines a clear set of action steps:

• Develop and regularly update a customized cybersecurity plan.

• Conduct annual cybersecurity assessments and act promptly on the findings.

• Establish and follow documented cybersecurity policies and procedures.

• Ensure at least one staff member holds a cybersecurity certification and is qualified to oversee internal systems and third-party vendors.

Without these foundational elements in place, agencies remain vulnerable to data breaches, service disruptions, and safety hazards tied to digital infrastructure failures.

A Call for Industry-Wide Coordination

The report makes it clear that cybersecurity is not just a technical concern — it’s a leadership, staffing, and strategic issue. Solving it requires a coordinated, industry-wide response.

As public transit's digital footprint continues to grow — from fare systems and vehicle telemetry to scheduling and customer service platforms — the consequences of inaction become more severe.

“Agencies are not conducting regular cybersecurity assessments or putting basic policies and procedures in place to minimize the likelihood of a cybersecurity breach and to recover from the harm when one occurs,” the report states.