Does the Transit Industry Understand the Risks of Cybersecurity and are the Risks Being Appropriately Prioritized?

Authors

Scott F. Belcher, Mineta Transportation Institute
Terri Belcher, Mineta Transportation Institute
James Grimes, Mineta Transportation Institute
Lusa Holmstrom, Mineta Transportation Institute
Andy Souders, Mineta Transportation Institute

Description

The intent of this study is to assess the readiness, resourcing, and capabilities of public transit agencies to detect, identify, be protected from, respond to, and recover from cybersecurity vulnerabilities and threats. This study is an update of the 2020 Mineta Transportation Institute (MTI) study, “Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness.” In the previous study, the authors found that the transit industry was ill-prepared for cybersecurity attacks. Unfortunately, after four years and the development of new, and often free, resources, the situation has not markedly improved. In fact, this survey, which included a larger number of small rural transit agencies, shows that they lag far behind their larger peers. The increasing sophistication of cybercriminals, in combination with a greater reliance on technology within the transit industry, puts the industry at greater risk than in 2020. This study reviews and updates the state of best cybersecurity practices in public surface transit; outlines U.S. public surface transit operators’ cybersecurity operations and the resources available to them; reviews U.S. policy on cybersecurity in public surface transportation; and provides policy recommendations that address gaps or identify issues for Congress, the Executive Branch, public surface transit agencies, and their associations and other supporting organizations. Research methods include an online survey and oral interviews with public surface transit agencies in the United States as well as oral interviews with members of the Executive Branch (e.g., the U.S. Department of Transportation, the U.S. Department of Homeland Security), as well as research of literature published in periodicals. There is an exponentially expanding gap between the cybersecurity preparedness that should exist and the growing threats from increased reliance on technology and the opportunities by malicious actors. This research provides information that can be used to help close that gap.

Publication Date

5-1-2025

Publication Type

Report

Topic

Planning and Policy, Security and Counterterrorism

Digital Object Identifier

10.31979/mti.2025.2405

MTI Project

2405

Mineta Transportation Institute URL

https://transweb.sjsu.edu/research/2405-Transit-Industry-Cybersecurity-Risks

Keywords

Cybersecurity, enterprise risk management, policy, security, transit

Disciplines

Cybersecurity | Transportation

Recommended Citation

Scott F. Belcher, Terri Belcher, James Grimes, Lusa Holmstrom, and Andy Souders. "Does the Transit Industry Understand the Risks of Cybersecurity and are the Risks Being Appropriately Prioritized?" Mineta Transportation Institute (2025). https://doi.org/10.31979/mti.2025.2405