Ensuring that the Transit Industry and Their Vendors are Aligned to Face the Increasing Cybersecurity Challenges. Recommendations for Quickly Identifying and Addressing Challenges

Cyber-attacks are inevitable. Fortunately, agencies and their vendor partners can take action to help protect themselves from attacks and to prepare for any breaches that do occur, thus ensuring the critical transportation systems of our nation continue running smoothly and safely.

The U.S. Department of Homeland Security (DHS) designated the Transportation System Sector as one of 16 critical infrastructure sectors, whose disruption would have a debilitating effect on our nation’s security. And yet, ransomware, data breaches, business email compromise and other cyber threats are on the rise throughout the country. In parallel, there is an enormous amount of data flowing among vehicles, systems and vendors employed throughout the public transit industry, making the transit industry especially vulnerable to cyber-attack.

The intent of this study is to help public transit agencies understand the cybersecurity risks posed by the role some of their vendors play in their systems, and align the interests of the vendors with those of the agency to better understand, mitigate, and respond to cybersecurity threats. This study will review the state of best practices in supply chain cybersecurity among other industries; review the state of cybersecurity best practices in supply chain management among public transit agencies; outline modern cybersecurity operations among public transit vendors; further assess U.S. policy on cybersecurity in public transportation and potential changes from the new Administration and in response to SolarWinds; and provide operational recommendations for public transit operators and their supply chain of vendors to enhance their cyber risk management.

University: 

Mineta Consortium for Transportation Mobility
San José State University

Principal Investigator: 

Scott Belcher

PI Contact Information: 

Scott Belcher, JD, MPP scottfbelcher@gmail.com

Funding Source(s) and Amounts Provided (by each agency or organization): 

U.S. Department of Transportation, Office of the Assistant Secretary for Research and Technology - $81,548

Total Project Cost: 

81,548

Agency ID or Contract Number: 

69A3551747127

Dates: 

March 2021 to December 2021

Impacts/Benefits of Implementation: 

The study will make a series of recommendations for both transit operators and their vendors on how they can refine their contracts to ensure that the vendors have a clear expectation of how they can best support the transit operator in preventing and responding to a cyber-attack. The recommendations will also provide examples of how vendors can mature their cybersecurity practices.

Project Number: 

2113