According to a new report by the Mineta Transportation Institute at San Jose State University in California, transit agencies need to place security and technical expertise in the ranks of management, often in the form of a chief information security officer (CISO).
“Many of the big agencies have created a CISO-like position, and have stepped up,” said Scott Belcher, a professor at San Jose State and one of the authors of the report. He added that transit agencies have access to funding streams from the Transportation Security Administration (TSA) to help harden systems against cyber attacks.
“Most agencies rely on their IT departments and assume that penetration testing is enough,” said Belcher. “It is an awkward dance.”
The report advises that transit agencies should be writing cybersecurity expectations into the requests for proposals (RFPs) they release when calling for technology solutions or upgrades. It also advises agencies to elevate cybersecurity into an “enterprise risk management strategy,” where risk management is an integral part of all agency functions and operations.
Public transit is seeing a rise in cyber threats. Weekly ransomware attacks on transit were up 186 percent since June 2020, according to the report. As the industry is integrating with micromobility, exploring the use of autonomous vehicles, upgrading systems to contactless ticketing, onboard Wi-Fi, and other improvements, the entry points for outside interference keep growing.
Buses and trains continue to be upgraded with features often seen as amenities. In 2010, only 1 percent of buses included onboard Wi-Fi. By 2020, it was 41 percent, according to the report. Vehicle location technology is now on at least 90 percent of buses. In 2010, only 60 percent included this GPS technology. Five percent of buses today include pedestrian detection technology.
Transit agencies spent some $43.1 billion with private-sector companies in 2019, 7.5 percent more than was spent in 2018, according to the report. And more spending is expected in the next five years as transit agencies take on significant modernization efforts, funded by the bipartisan Infrastructure Investment and Jobs Act (IIJA), which will send some $66 billion to public transit.
All of this technology generally comes to transit in the form of the contracts agencies make with private-sector vendors. And those vendors, said Belcher, tend to have a firmer understanding of cybersecurity risks than their public-sector transit partners.
“The more entry points, the greater the vulnerability,” said Belcher. “Criminals are looking to get access to operational data, personal data and financial data. Each of those data sets gives them leverage.”
“Going forward we will also have to be concerned about criminals taking control of vehicles and putting passengers at risk,” Belcher warned.
The lack of cybersecurity planning and concern is not limited to certain agencies, say experts. Large agencies can be “just as unsophisticated as the smaller agencies,” noted Belcher.
“In some cases, smaller agencies have an advantage in that they have not implemented as much technology, and do not have as much vulnerability,” Belcher added.
The act of infiltrating transit systems is often the work of bots, Belcher said, adding that they “don’t care if it is a large or small organization. There are plenty of examples of small agencies ‘with nothing’ that have been hacked.”
---------------------------------------------
Source: Mineta Transportation Institute