Cyber Strength: Aligning Transit Agencies & Vendors in the Face of Increasing Cyber Risk

U.S. public transit agencies are highly dependent on the services of vendors to help deliver and maintain critical technologies linked to everything they do. The vendor’s cybersecurity posture (the strength of their controls and protocols)—whether immature or advanced—is shared with their clients, and this leaves transit agencies of all sizes vulnerable to cyber incidents. New Mineta Transportation Institute (MTI) research, Aligning the Transit Industry and Their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges, demonstrates that the U.S. transit industry and its vendor community have the opportunity to broaden their relationships and focus on cybersecurity–both parties need to create a secure environment that can benefit from and augment the other.

The authors’ findings focus on three key areas: cyber literacy and procurement practices, the lifecycle of technology vis-à-vis transit hardware, and the importance of embracing risk as a road to resiliency. Key findings include:

• Transit agencies need to use the procurement process as an opportunity to articulate their cyber needs because the presence of such requirements in requests for proposals (RFPs) is a key driver of investment for vendors.
• Transit agencies must also understand their own risks and have the ability to communicate these risks in technical terms.
• The hardware and software lifecycles in public transit are out of sync, creating a situation in which vehicles and other hardware designed to last for 15 years or more are being supported by or carrying software that stopped receiving security updates, which creates serious vulnerabilities.

“There are several steps that transit agencies and their stakeholders can take to strengthen their collective cybersecurity posture,” explain the study’s authors. “For example, vendors for critical systems should make available a security lead to assist the agency in the management of the agency’s risk. Meanwhile, transit agencies should integrate their cyber risk management program with their existing physical security risk management organization and infrastructure, creating a holistic Enterprise Risk Management program. They should also elevate security within the organization by appointing a Chief Security Officer (CSO).”

Measures taken to protect transit security require executive focus and investment across the transit ecosystem. Transit agencies, vendors, associations, the Department of Homeland Security (DHS) and U.S. Department of Transportation (U.S. DOT), as well as the Federal Transit Administration (FTA) can cooperate and collaborate to invest in risk management to ensure the safety, efficiency, and reliability of our nation’s critical infrastructure.

ABOUT THE MINETA TRANSPORTATION INSTITUTE

At the Mineta Transportation Institute (MTI) at San Jose State University (SJSU) our mission is to increase mobility for all by improving the safety, efficiency, accessibility, and convenience of our nations’ transportation system. Through research, education, workforce development and technology transfer, we help create a connected world. Founded in 1991, MTI is funded through the US Departments of Transportation and Homeland Security, the California Department of Transportation, and public and private grants, including those made available by the Road Repair and Accountability Act of 2017 (SB1). MTI is affiliated with SJSU’s Lucas College and Graduate School of Business.

ABOUT THE AUTHORS
Scott Belcher, JD, MPP is an MTI Research Associate and the President and CEO of SFB Consulting, LLC. Kathryn Seckman, MA is the Executive Director of Strategy and Analysis at Grayline Group. Terri Belcher is a writer and analyst who has worked in Washington, D.C. for 30 years. Brandon Thomas, MBA is a Partner at Grayline Group. Homayun Yaqub, MA brings 25+ years of security and risk management experience, as a Global Security Strategist at Forcepoint and has lead risk and security initiatives at JPMorgan Chase.

Media Contact: