An Assessment of Cybersecurity at Public Transportation Agencies
The increased focus on cybersecurity threats and attacks requires the transit industry to address the critical vulnerabilities of connected vehicles throughout the lifecycle of new and existing technologies. Many transit agencies are unaware of the full capabilities of the operational technology (OT) installed by the original equipment manufacturers, and built-in features can present a cyber risk as an avenue of attack for a motivated threat actor. OT vehicle systems rarely undergo cyber testing to identify critical vulnerabilities before deployment. With threat actors aggressively targeting critical infrastructure and the public transit sector, vulnerabilities in OT vehicle systems are unrecognized, untested, and unmitigated. In recent years, cyberattacks on vehicle OT systems have increased, resulting in service disruptions, safety and security concerns, and reputational risk.
Incident response (IR) is a key process in a healthy cybersecurity program. IR policies and processes must be aligned with compliance frameworks, federal security directives, and cyber best practices. However, there is a need for guidance on structuring and formalizing an effective IR process, along with its associated policies. Establishing consistent and standard IR processes is critical in identifying trends within the transit agency and across the greater transit community. Identifying key metrics and reporting supports the transit agency’s compliance with regulatory mandates and captures trends to better understand gaps in policy, procedure, or technology. An important aspect of an IR plan involves each transit agency establishing clear criteria for categorizing events and incidents, and the associated reporting timelines and response activities based on severity or impact.
The response actions for an event versus an incident vary greatly, including how and when that information is reported to governing bodies such as the Transportation Security Administration (TSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), or Information Sharing and Analysis Centers (ISAC). Currently, there are no standardized event and incident categories within the transit community, which can result in overreporting and underreporting. Overreporting events can cause undue stress on a transit agency’s IR team and skew the metrics collected for future improvements to the IR process. Underreporting incidents affects the ability to meet the requirements of federal directives and could result in decreased IR support from external parties. Each scenario leads to increased costs of incident investigation, root cause analysis, and remediation of the impacts of a cyberattack.
Research is needed to assess the vulnerability of transit agencies to cyberattacks and how agencies respond to cyberattacks. The objective of this research is to develop a comprehensive toolkit of actionable practices and strategies to help transit agencies prevent cyberattacks and effectively respond to cyber incidents. This research shall examine (1) cybersecurity threat and attack vulnerability of connected vehicles and (2) cybersecurity incident and event categorization of connected vehicles. The key audiences for this project are state departments of transportation and U.S. public transportation providers in urbanized areas of all sizes, rural areas, and Tribal communities.
- Supplemental Notes: Contract to a Performing Organization has not yet been awarded.
Language
- English
Project
- Status: Proposed
- Funding: $400,000
- Contract Numbers: Project A-52
- Sponsor Organizations:
  Transit Cooperative Research Program
  Transportation Research Board
  500 Fifth Street, NW
  Washington, DC 20001
  Federal Transit Administration
  1200 New Jersey Avenue, SE
  Washington, DC United States 20590
- Project Managers: Schoby, Jamaal
- Start Date: 20250501
- Expected Completion Date: 0
- Actual Completion Date: 0
Subject/Index Terms
- TRT Terms: Automation; Best practices; Computer security; Fleet management; Information technology; Monitoring; Public transit; Risk management
- Subject Areas: Data and Information Technology; Planning and Forecasting; Public Transportation; Security and Emergencies
Filing Info
- Accession Number: 01901964
- Record Type: Research project
- Source Agency: Transportation Research Board
- Contract Numbers: Project A-52
- Files: TRB, RIP
- Created Date: Dec 11 2023 9:38PM