Mineta Transportation Institute Says Cybersecurity In Transit Is Still Not On Track

Courtesy of Wabtec

SAN JOSÉ, Calif. –– The Mineta Transportation Institute, an organization based at San Jose State University, which says its mission is to "create a connected world through research, education, and workforce development," has released an update to its 2020 report on cybersecurity at transit agencies.

The general conclusion of the update is that “transit agencies are at greater risk of cybersecurity threats and ill-prepared, especially smaller [transit] agencies.”

The 2020 report, entitled Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness concluded that “the transit industry was ill-prepared for cybersecurity threats and attacks”. The Institute goes on to say that “after four years and the development of new cybersecurity requirements and resources,” it has released an updated report, Does the Transit Industry Understand the Risks of Cybersecurity and are the Risks Being Appropriately Prioritized?, and reports there has not been a marked improvement in cybersecurity awareness.

The Institute surveyed 78 agencies online, conducted interviews with transit professionals, and reviewed the relevant literature. The researchers came away with three significant conclusions:

• “There is a lack of organizational knowledge about cybersecurity. Many executives do not appreciate the risks their organizations face, and if they do, many leaders do not know what their teams are doing to address these risks. 
• Many agencies lack important documented policies and procedures across a broad spectrum of requirements that are considered essential by most cybersecurity professionals. 
• Small agencies lag far behind. For the best practices discussed in the report, a bigger proportion of the larger agencies adhered than did smaller agencies.”

As a result of these conclusions, the authors of the report recommend:

• “Agencies should develop a yearly updated individualized cybersecurity plan. 
• Agencies should conduct a cybersecurity assessment at least annually and address the shortcomings identified in that assessment in a timely manner.
• Agencies should ensure that they have documented cybersecurity policies and procedures in place and that the organization is following them.
• Transit agencies should have at least one person on staff with a cybersecurity certificate qualified to oversee the cybersecurity program and/or vendors.”

The study’s authors say that “The increasing sophistication of cybercriminals, in combination with a greater reliance on technology within the transit industry, puts the industry at higher risk than in 2020. Agencies are not conducting regular cybersecurity assessments or putting basic policies and procedures in place to minimize the likelihood of a cybersecurity breach and to recover from the harm when one occurs.”

You can read and download both reports using the links above.