California Transit Association

Transit California

Transit Cybersecurity

Mineta Transportation Institute Report Flags Industry Vulnerability, Suggests Solutions

By Jacob Herson
Managing Editor
Transit California 

A July 2022 report from the Mineta Transportation Institute at San José State University warned the transit industry of increasing cybersecurity threats. The recent integration of new technologies to improve service has also introduced new vulnerabilities. “Unfortunately, many U.S. public transit agencies are not prepared for these risks,” says the report. “Transit agencies of all sizes have found themselves subject to cyber incidents, most notably ransomware attacks that resemble those experienced by larger, more prominent companies and critical infrastructure providers.”

Several California agencies know this all too well. San Francisco Municipal Transportation Agency (SFMTA) was the victim of a 2016 ransomware attack in which the perpetrators demanded $73,000 worth of Bitcoin. The agency reported at the time: “On Friday, Nov. 25 we became aware of a potential security issue with our computer systems, including email. The malware used encrypted some systems mainly affecting office computers, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports — no data was accessed from any of our servers.”

Sacramento Regional Transit District (SacRT) was hit a year later in 2017. “It was simply a ransom attack where they were going to delete files if we didn’t pay via bitcoin of $7,000,” SacRT spokesperson Wendy Williams said at the time. “It didn’t really affect service; it may have affected people’s ability to pay,” SacRT Deputy General Manager Mark Lonergan said at the time. “We’ve had malware attacks and viruses get into the system before; this was our first cyber attack.”

In April 2021, it was Santa Clara Valley Transportation Authority’s (VTA) turn. The breach did not affect service but interrupted the agency’s systems for communicating with riders. Scott Belcher, a Research Associate at Mineta Transportation Institute and one of the authors of this year’s report, said at the time that the VTA breach likely occurred as a result of an email or phishing scheme.

Belcher told Transit California, “The largest current risks to transit agencies are from criminal organizations looking to access customer, operational, or employee data through phishing or ransomware attacks. Once a criminal gets into a network, they encrypt the data and demand a ransom payment from the agency. Of the agencies we’ve spoken with, most were attacked via malicious links in emails. The transit agencies we spoke to that suffered a significant attack range from the very largest to the smallest.”

Belcher explained, “Cybersecurity used to be something that only larger organizations had to worry about. Now every organization is at risk, regardless of size. What changed? The cyber criminals have become franchise operations using modern technology that does not distinguish among organizations based on size or resources. Moreover, as agencies continue to modernize and become more connected, they create new threat vectors.”

While many transit agencies across the U.S. are not adequately prepared for cyber attacks according to Mineta research, Belcher said many of the larger agencies have made significant investments in this area while many of the smaller and mid-size operators have not. “Many small to mid-sized agencies lack the resources and sophistication to address their cybersecurity limitations and most simply did not see themselves as likely cybersecurity targets,” said Belcher.

What Should Agencies Do?

Belcher said that first, agencies must understand that cybersecurity will be an ongoing and constant threat. “Transit agencies cannot secure their organization against cyber attacks, rather they must factor cyber risk into their overall enterprise risk management activities,” he said. “As such, they must identify their risks, prioritize them, and address those that will provide the greatest protection within their available resources. Moreover, cybersecurity must become front of mind for everybody in the organization from the receptionist to the Board Chair.”

Second, as part of what he calls “good cybersecurity hygiene,” Belcher said agencies need to identify an executive in charge of cybersecurity. “While not all agencies have the resources to have a Chief Information Security Officer, all agencies should identify an individual at an executive level that has broad responsibility for cybersecurity and can cross organization boundaries to implement necessary changes (e.g., security, IT, HR, legal),” he said. “Cyber hygiene also means having basic written policies in place to address such topics as security management, document retention, password protection, two-factor authentication, differentiated access, and breach response. Agencies need to regularly train and test against these policies, and they should participate in appropriate local and regional information sharing organizations.”

Third, Belcher said transit agencies should adopt the Transportation Security Administration (TSA) recommended practices for surface transportation agencies. These include:

  1. Designate a cybersecurity coordinator;
  2. Report cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours;
  3. Develop and implement a cybersecurity incident response plan; 
  4. Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

“These recommendations are already required of certain critical infrastructure segments such as pipeline, rail (including transit rail), and maritime operations and will likely soon become required of all surface transportation operations,” said Belcher.

He went on to point out that “cyber assessment tools, training, and other useful information is currently available from the TSA, the Department of Transportation, the National Institute of Standards and Technology (NIST), transportation trade associations, and private vendors. In fact, the Federal Transit Administration (FTA) will soon be releasing a free, open source, non-technical cybersecurity assessment tool for small to mid-sized transit agencies based on the NIST Cyber Resilience Review (CRR).” FTA currently provides these resources.

Belcher pointed out that some FTA grant programs can support cybersecurity activities, including FTA’s Urbanized Area Formula Program, the Formula Grants for Rural Areas Program, and State of Good Repair Program. “Larger agencies that qualify can take advantage of the Department of Homeland Security’s Transit Security Grant Program, which provides competitive grants to transit agencies for security-related projects,” he said. “A good place to start is the FTA’s cybersecurity webpage.”

The major focus of the July report is the need for agencies to align with their vendors. An agency is only as secure as its vendors are. “If a vendor is cyber mature, they are passing that protection on to their customers,” said Belcher. “Unfortunately, the reverse can also be true.” Sometimes, however, vendors could provide greater levels of cyber security if agencies specified these requirements in the procurement process. “Through the procurement process, transit agencies can seek additional protection,” said Belcher. “Transit agencies should also engage their legal and IT departments in the procurement process to make sure they are seeking appropriate and consistent cybersecurity protection in the procurement process and are using the vendor’s response to cybersecurity requirements as a differentiator in the selection process.”

One of the issues highlighted by the report is the difference in lifecycles between hardware and software. “An agency, for example, may purchase several new buses for their fleet with the intent that those buses will have a lifecycle of at least 15 years,” says the report. “Traditionally, with good mechanics, the safety of the vehicle could be maintained for a long period of time. Today, the technology built into buses — everything from video cameras to location tracking — requires updates aligned to advances in technology and the ever-evolving list of threats that could undermine the security of their operations. The software and firmware used to manage and operate these devices, however, require updates on a timeline counted in months, not decades.

“The result of misaligned lifecycles between hardware and software is that transit agencies are increasingly finding themselves the owners of technology for which vendors no longer provide security updates.” This leaves agencies vulnerable to cyber threats.

The solution is to address this problem in procurement. “When technology advances at a rate that far outpaces public sector budget cycles and costly hardware investments, as the industry is experiencing today, changes need to be made to the agency-vendor contract terms and the expectations of both parties,” says the report. “The authors heard in multiple interviews that vendors want to provide the best possible service to their transit customers, but the expectation to maintain software and firmware on anything other than a technology-driven timeline needs to be built into the contract such that the business can take steps to ensure they allocate the time and resources to do so.”

This changes the cost, however, and “transit agencies, therefore, need to explicitly cite the need for this level of ongoing service in their RFPs so that vendors can compete based on the actual required scope of work. It is equally important for agencies to incorporate the cost-of-service contracts into their budgets and capital planning.”

Finally, Belcher recommended cybersecurity insurance as something to consider: “Today, obtaining and maintaining cybersecurity insurance itself can often require a cybersecurity assessment, a cybersecurity response plan, and progress reports. These newer requirements can force an agency to take action that they might not have taken otherwise. Moreover, if covered by cybersecurity insurance, the insurance can provide legal support to the agency so that it understands its reporting obligations and can advise the transit agency during the negotiations.”

Unfortunately, cyber attacks are an experience that more transit agencies will face as time goes on, and with agencies struggling financially due to decreased farebox revenue and the costs of meeting zero-emission vehicle mandates, the resources to address this threat can seem nonexistent. Agencies must at least adopt the necessary mindset with regard to cybersecurity and identify the most critical actions relative to their resources. The state and federal governments must meanwhile expand the support they provide.