Researchers at the Mineta Transportation Institute urged transit agencies to have a unified risk management strategy and called on regulators to provide more guidance.
Transit agencies are unprepared for hacks and ransomware attacks and must think more strategically to deal with cyber threats, according to a report published late last month.
Researchers at the Mineta Transportation Institute at San Jose State University found that the entire industry needs a “twenty-first century security upgrade” as it cannot currently cope with the myriad cyber threats it faces.
Hardware and software life cycles are often “out of sync” at agencies, meaning that physical infrastructure is sometimes supported by software that is obsolete and not receiving security updates from vendors. This means it is increasingly vulnerable to attack, researchers said.
Researchers interviewed transit officials responsible for technology or information security, and they called on agencies to make better use of the procurement process to clarify their cyber needs, including by making sure that agency staff understand cybersecurity and that security practices and protocols are integrated into the procurement process.
The report urged transit officials to better appreciate the difference between risk and security when evaluating their cyber needs, as having that understanding is “foundational.”
“Security is a state of being which organizations take steps to protect themselves—essentially creating an environment free from or resilient against harm,” the report stated. “Risk, on the other hand, is something that organizations would do well to accept as a constant chance or probability of exposure to hazards.”
To better prepare themselves for cyber threats, researchers recommended that transit agencies form an enterprise risk management strategy that incorporates the management of every element of risk they face daily, including cyber risk.
The report also called for regulators to expand their guidance on cybersecurity for critical infrastructure, including public transportation, and for transit groups such as the American Public Transportation Association to develop their own standards. The report noted that the Transportation Security Administration already addressed cybersecurity for rail last December and recommended that other transportation modes follow that same guidance.
Researchers also urged vendors who contract with public transit agencies to conduct security audits of their products, share information and best practices with relevant groups and have a staff member available to advise the agency’s cybersecurity staff on risk management.