New research from the Mineta Transportation Institute (MTI) has found that public transit agencies are highly dependent on vendors when it comes to maintaining critical technologies, which leaves transit agencies vulnerable to cyber incidents.
While vendors have varying cybersecurity postures, the research found, whatever those postures are will be shared with their clients, like transit agencies. MTI’s new report, Aligning the Transit Industry and Their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges, highlights how the transit industry and its vendor community can broaden their relationships and focus on cybersecurity together in order to create a more secure cyber environment.
The report focused on cyber literacy and procurement practices, the lifecycle of technology vis-à-vis transit hardware, and the importance of embracing risk as a road to resiliency.
Among the findings in the report, researchers found that transit agencies need to use the procurement process as an opportunity to explain their cyber needs to vendors. Additionally, the report found that transit agencies must understand their own risks and have the ability to communicate them in technical terms, and that they must understand that the lifecycles of hardware and software in public transit are out of sync, which creates a situation where vehicle designed to last 15 years or more are being supported by software that stopped receiving security updates creating vulnerabilities.
“There are several steps that transit agencies and their stakeholders can take to strengthen their collective cybersecurity posture,” the study’s authors explained. “For example, vendors for critical systems should make available a security lead to assist the agency in the management of the agency’s risk. Meanwhile, transit agencies should integrate their cyber risk management program with their existing physical security risk management organization and infrastructure, creating a holistic Enterprise Risk Management program. They should also elevate security within the organization by appointing a Chief Security Officer (CSO).”
Researchers said the measures that need to be taken to protect transit security require investment and cooperation across the transit ecosystem.