New Mineta Transportation Institute (MTI) research, "Aligning the Transit Industry and Their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges," demonstrates that the U.S. transit industry and its vendor community have the opportunity to broaden their relationships and focus on cybersecurity. Both parties need to create a secure environment that can benefit from and augment the other.

The authors’ findings focus on three key areas: cyber literacy and procurement practices, the lifecycle of technology vis-à-vis transit hardware, and the importance of embracing risk as a road to resiliency.

Key findings include:

• Transit agencies need to use the procurement process as an opportunity to articulate their cyber needs because the presence of such requirements in requests for proposals (RFPs) is a key driver of investment for vendors.

• Transit agencies must also understand their own risks and have the ability to communicate these risks in technical terms.

• The hardware and software lifecycles in public transit are out of sync, creating a situation in which vehicles and other hardware designed to last for 15 years or more are being supported by or carrying software that stopped receiving security updates, which creates serious vulnerabilities. 

“There are several steps that transit agencies and their stakeholders can take to strengthen their collective cybersecurity posture,” explained the study’s authors. “For example, vendors for critical systems should make available a security lead to assist the agency in the management of the agency’s risk. Meanwhile, transit agencies should integrate their cyber risk management program with their existing physical security risk management organization and infrastructure, creating a holistic Enterprise Risk Management program. They should also elevate security within the organization by appointing a Chief Security Officer (CSO).”