Nov 10 2020

How Transit Agencies Can Enhance Their Cybersecurity

A recent survey found that transit agencies do not have an accurate sense of their cybersecurity preparedness, and staff needs more IT security skills and training.

In early October, the Southeastern Pennsylvania Transportation Authority was still recovering from an August malware attack. The attack, according to The Philadelphia Inquirer, forced the transit agency to halt employee email access as well as sharing real-time travel information with riders.

Such a cyberattack is something that transit agencies should be concerned about but are likely ill-prepared to respond to, according to a recent survey of transit officials. According to a survey released in September by the Mineta Transportation Institute at San Jose State University, which surveyed 90 transit agency technology leaders, 81 percent of agencies that responded said they are prepared to manage and defend against cybersecurity threats.

However, the survey reveals that such confidence may be misplaced. According to the survey, many transit agency IT leaders are actually unprepared to respond to cyberattacks and are not taking basic cybersecurity measures, and transit agency staff do not have enough cybersecurity training. The report on the survey makes several policy recommendations to enhance transit agency cybersecurity, including the creation of minimum cybersecurity standards for transit agencies, the creation of cybersecurity response plans by agencies and more training for staff.

“Fortunately, there is an abundance of information and tools, such as the Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance and accompanying workbook, available to public transit agencies to support a cybersecurity program,” the report’s principal investigator, Scott Belcher, a transportation consultant and former president of the Intelligent Transportation Society of America, said in a statement.

“The problem may be that cybersecurity is not yet widely seen as a critical issue among public transit leadership,” the report notes. “The incidents that have happened have not spurred the action one would expect. Both reporting and accountability of them are murky given the current regulatory environment. There is an exponentially expanding gap between the cybersecurity preparedness that should exist and the growing exposure to threats from increased reliance on technology and the opportunity for access by malicious actors.”

Transit Agencies Have Many Cybersecurity Gaps

According to the survey, only 60 percent of respondents actually have a cybersecurity preparedness program, and 43 percent reported they do not believe they have the resources necessary for cybersecurity preparedness. Under half of respondents, 47 percent, said they audit their cybersecurity programs at least once per year.

The survey also found that 42 percent of transit agencies don’t have an incident response plan; of those that have one, over half have not had a drill in over a year. The survey also found that 36 percent of agencies do not have a disaster recovery plan, 53 percent do not have a continuity in operations plan, 58 percent do not have a business continuity plan and 67 percent do not have a crisis communications plan.

“Transit agencies have failed to adopt basic plans that would be necessary in the event of an incident,” the report notes. “Agencies need to plan for incident response in parallel to taking steps to lessen its probability.”

The lack of agencies with a documented incident response plan and the lack of agencies conducting drills within the last year suggests that, according to the report, “to the extent that an agency knows that an incident has occurred, confusion and challenges in communication, among other issues, may hinder response effectiveness for the agency.”

Furthermore, 51 percent of agencies that responded do not retain their log data for a year or more, which the report notes is “one of the most basic requirements for cybersecurity preparedness.” Twelve percent of agencies surveyed do not retain their logs at all.

42%

The percentage of transit agencies don’t have an incident response plan

Source: "Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness," September 2020

“Log maintenance is a complicated issue, and every organization should have a formal log maintenance plan that speaks to each type of log being captured, how it is retained, for how long, and how it is disposed of,” the report notes. “Beyond mere retention of a log, the failure to analyze that log data is the primary reason intrusions go undetected for months or years after they have occurred. The evidence of the intrusion may sit languishing in unexamined log files.”

In terms of training, only 41 percent of agencies provide at least annual cybersecurity training for staff. Only 38 of the 90 survey respondents have certified cybersecurity specialists on staff, according to the report, “and there is no consensus within the industry on which certification to require among potential new hires.”

EXPLORE: What are the cybersecurity benefits of centralizing logs?

Recommendations for Boosting Transit Agency Cybersecurity

The report recommends several ways transit agencies’ cybersecurity could be improved. The report notes the Department of Homeland Security and the U.S Department of Transportation should, working with input from the American Public Transportation Association (APTA) and other industry organizations, “promulgate a set of minimum cybersecurity standards and cybersecurity assessment tools and determine how they should best be developed, managed, and implemented.”

DHS and U.S. DOT should “provide technical guidance to transit agencies on the collection, retention, and assessment of system logs.”

The report also notes that DHS and the Federal Transit Administration should create an “attestation program,” in which transit agency CEOs would be required to attest that their agency has met those minimum cybersecurity standards before getting federal funds.

Congress should also increase funding to DHS and U.S. DOT so they can develop and promulgate the minimum cybersecurity standards, and so transit agencies can meet them.

In terms of transit agencies themselves, the report recommends that APTA, working with other stakeholders, “should develop a clearinghouse for cybersecurity best practices, in particular for small and medium transit operations.”

Transit agencies should develop individualized cybersecurity plans that take advantage of the best practices. Further, the report recommends that APTA, working with other stakeholders, should create minimum guidelines for cybersecurity audits.

Transit operators should also “conduct a periodic cybersecurity audit and address the shortcomings identified in that audit in a timely manner,” the report notes.

Training is also critical, the report notes. APTA, working with other stakeholders, should “continue to develop cybersecurity training modules and certificates” and “take advantage of the guidance developed by” the Transportation Systems Sector, cybersecurity advisers at DHS and others.

Transit operators should “ensure that every employee receives the appropriate level of cybersecurity training at least annually.”

LEARN MORE: How do wireless gateways and cloud tools help transit agencies keep buses and trains on track?

jimfeng/Getty Images