MTI study, led by Scott Belcher, finds US transit agencies are vulnerable to cyberattack

A new Mineta Transportation Institute (MTI) survey, led by transportation consultant and former ITS America president and CEO Scott Belcher, has found that over 80% of transit agencies report feeling prepared for a cybersecurity threat, yet only 60% have a cybersecurity program in place, according to its latest survey of 90 transit agency technology leaders in the USA
Despite the US Department of Homeland Security designating the Transportation System Sector one of 16 critical infrastructure sectors whose disruption would have a debilitating effect on our nation’s security, the report – Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness – found that many transit agencies do not have many of the basic policies or personnel in place to respond to a cyber incident. 

Other key findings include that, while 73% of respondents feel they have access to information to help implement a cybersecurity preparedness program, only 60% have a cybersecurity response plan in place and 43% do not find their plan sufficient.

While 47% of agencies reported auditing their cybersecurity program at least once a year, over half do not keep a log for longer than a year– one of the most basic cybersecurity preparedness requirements. Furthermore 36% do not have a cyber disaster recovery plan; and 67% do not have a cyber crisis communications plan.

“Fortunately, there is an abundance of information and tools, such as the Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance and accompanying workbook, available to public transit agencies to support a cybersecurity program,” says the report principal investigator Scott Belcher.
He goes on to describe how agencies that have become aware of the imminent threat have taken action to protect themselves from cyber attacks, including seeking technical leadership from outside the transit industry and contracting out the management of personally identifiable information (PII).  
For the majority of transit agencies, resources for cybersecurity will remain scarce and thus there needs to be a collaborative effort from the federal government, the industry, and agency leadership to establish, maintain, and refine cybersecurity programs. The research team emphasises that the Federal Transit Administration (FTA) should require transit organisations to adopt and implement minimum cybersecurity standards prior to receiving federal funding.

 The team also recommends federal funds be allocated for the development of  comprehensive cybersecurity preparedness plans and their implementation. Industry trade associations should continue to develop, refine, and improve existing cybersecurity guidance to enable transit agencies to adequately prepare for the inevitable cyber disruption and maintain a ready approach in the event of an attack.

Share this story:

About Author


Tom has edited Traffic Technology International (TTi) magazine and its Traffic Technology Today website since May 2014. During his time at the title, he has interviewed some of the top transportation chiefs at public agencies around the world as well as CEOs of leading multinationals and ground-breaking start-ups. Tom's earlier career saw him working on some the UK's leading consumer magazine titles. He has a law degree from the London School of Economics (LSE).