Transit Agencies Have Many Cybersecurity Gaps
According to the survey, only 60 percent of respondents actually have a cybersecurity preparedness program, and 43 percent reported they do not believe they have the resources necessary for cybersecurity preparedness. Under half of respondents, 47 percent, said they audit their cybersecurity programs at least once per year.
The survey also found that 42 percent of transit agencies don’t have an incident response plan; of those that have one, over half have not had a drill in over a year. The survey also found that 36 percent of agencies do not have a disaster recovery plan, 53 percent do not have a continuity in operations plan, 58 percent do not have a business continuity plan and 67 percent do not have a crisis communications plan.
“Transit agencies have failed to adopt basic plans that would be necessary in the event of an incident,” the report notes. “Agencies need to plan for incident response in parallel to taking steps to lessen its probability.”
The lack of agencies with a documented incident response plan and the lack of agencies conducting drills within the last year suggests that, according to the report, “to the extent that an agency knows that an incident has occurred, confusion and challenges in communication, among other issues, may hinder response effectiveness for the agency.”
Furthermore, 51 percent of agencies that responded do not retain their log data for a year or more, which the report notes is “one of the most basic requirements for cybersecurity preparedness.” Twelve percent of agencies surveyed do not retain their logs at all.