Research from the Mineta Transportation Institute (MTI) has found that US transit agencies are not properly prepared for the potential havoc wreaked by hackers.
The report - Policy Recommendation to Enhance Surface Transit Cyber Preparedness – surveyed 90 transit agency technology leaders.
It uncovered a mismatch between approaches and attitudes: although 80% of agencies said they felt prepared, just 60% of those questioned actually have a cybersecurity preparedness plan.
This suggests complacency and a lack of readiness to face problems: MTI says most transit agencies “do not have many of the basic policies or personnel in place to respond to a cyber incident”.
This is particularly significant because the US Department of Homeland Security – which part-funds MTI - has designated the transportation as one of 16 critical infrastructure sectors whose disruption would have a debilitating effect on the country’s security.
MTI, based at San Jose State University, points out that resources to combat hack attacks are ‘scarce’ for transit agencies, which means “there needs to be a collaborative effort from the federal government, the industry, and agency leadership to establish, maintain and refine cybersecurity programmes”.
Researchers insist, however, that transit operators must adopt and implement minimum cybersecurity standards before receiving cash from the Federal Transit Administration (FTA).
The report found that more than half of agencies ignore “one of the most basic cybersecurity preparedness requirements” by failing to keep a log for longer than 12 months.
In addition, 36% do not have a cyber disaster recovery plan and 67% do not have a cyber crisis communications plan.
Help is at hand. The report’s principal investigator, Scott Belcher, says: “Fortunately, there is an abundance of information and tools, such as the Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance and accompanying workbook, available to public transit agencies to support a cybersecurity programme.”