Transit agencies unprepared for cyberattacks, study finds

Recent SEPTA attack illustrates vulnerabilities, risks
Trains Industry Newsletter
Get a weekly roundup of the industry news you need.
By signing up you may also receive occasional reader surveys and special offers from Trains magazine. View our privacy policy.
A Denver RTD R Line light rail train arrives at the Peoria station, where light rail connects to the commuter-rail A Line to Denver International Airport. A new report says most transit systems are vulnerable to cyberattacks.
TRAINS: David Lassen

Most transit agencies are unprepared for a major cyberattack, according to a study soon to be released by the Mineta Transportation Institute. Just three in five agencies have a cybersecurity preparedness program, 42% do not have an incident response plan and 36% have no disaster recovery plan. 

The data comes from a survey of transit operators serving more than a third of the U.S. population. “From our perspective, the transit industry is ill prepared for malicious cyberattacks and other types of cyber-related threats,” says Scott Belcher, one of the study’s authors, speaking at a transit industry conference.

Agencies lack basic policies and procedures, with two-thirds absent a crisis communications plan and 58% missing a business continuity plan. Just 38% include cybersecurity requirements in their contracts with outside vendors.

“It's not until many transit organizations have a serious incursion that they get religion,” says Belcher.

More than half the agencies in the Mineta study fail to keep their computer system’s log data for more than year, and 12% don’t retain their logs at all. The logs are essential. Belcher explains, “If you suffer a cyberattack, then you need your log data to be able to rebuild what you've lost and to be able to put your operation back in in order as quickly as possible.”

The Southeastern Pennsylvania Transportation Authority suffered a malware attack Aug. 10, causing the agency to shut down email, payroll, and other internet-based functions. Real-time service data for customers was cut off for at least two weeks.

Agencies lack the funding, staff, and training needed to protect their systems. “Transit organizations have been struggling for a long time in terms of resources,” Belcher says. “They are overextended, and they have many unfunded mandates and many competing priorities, and cybersecurity is just one of them.”

Michael Woodson, chief information security officer at the Massachusetts Bay Transportation Authority, believes it’s important to engage the agency’s board of directors. “Our business model has to change, our budget model has to be changed, and we have to redirect and reallocate resources,” he says.

A Chicago Transit Authority Purple Line train passes through the city's Lincoln Park neighborhood. Older transit systems are less vulnerable to cyberattacks, one expert says, because they generally are not as reliant on current technology.
TRAINS: David Lassen

Larger, newer transit agencies are even more at risk. Many have partnered with outside vendors to enable cashless payments or real-time data for service alerts and delays. Others have integrated with third-party mobile apps such as Uber or Via.

“Ironically, the older and less sophisticated transit organizations are less vulnerable from a cyber perspective because they're really not taking advantage of technology in the way that a more sophisticated transit organization is,” says Belcher.

But, he adds, “Smaller agencies and mid-size agencies don't have the opportunity to wait. You are going to get hacked, you are getting hacked, and you need to be able to be ready.”

He credits the American Public Transportation Association and federal efforts to provide guidance on cybersecurity risks but notes there are many conflicting and inconsistent guidelines. The Mineta study recommends that the Federal Transit Administration set minimum cybersecurity standards and require transit agencies to meet these standards before receiving federal grants. It also calls on Congress to provide increased funding to help agencies comply with these criteria.

Financing a strong cybersecurity effort could become increasingly difficult as transit agencies, slammed with the loss of farebox revenue and other income, struggle just to maintain service in the current crisis. The New York Metropolitan Transportation Authority, Boston’s MBTA, Bay Area Rapid Transit and others are threatening substantial cuts without additional federal relief.

Woodson warns, however, that cybersecurity “can't be an afterthought.”



Leave a Comment
Want to leave a comment?
Only registered members of are allowed to leave comments. Registration is FREE and only takes a couple minutes.

Login or Register now.
Please keep your feedback on-topic and respectful. Trains staffers reserve the right to edit or delete any comments.


The Genesee & Wyoming 

Newsletter Sign-Up

By signing up you may also receive occasional reader surveys and special offers from Trains magazine.Please view our privacy policy
Subscribe Up To 58% off the newsstand price!
Subscribe To Trains Mag Today