American public transport agencies depend heavily on vendors to help deliver and maintain the critical technologies linked to everything they do, so a vendor’s cybersecurity controls and protocols can leave transit agencies of all sizes vulnerable to cyber incidents.
New research seen by Highways News, called “Aligning the Transit Industry and Their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges”, demonstrates that the US transit industry and its vendor community have the opportunity to broaden their relationships and focus on cybersecurity. Both parties need to create a secure environment that can benefit from and augment the other.
The authors, led by Intelligent Transport Systems expert Scott Belcher, group their findings into three key areas: cyber literacy and procurement practices, the lifecycle of technology vis-à-vis transit hardware, and the importance of embracing risk as a road to resiliency.
Key findings include:
● Transit agencies need to use the procurement process as an opportunity to articulate their cyber needs because the presence of such requirements in requests for proposals (RFPs) is a key driver of investment for vendors.
● Transit agencies must also understand their own risks and have the ability to communicate these risks in technical terms.
● The hardware and software lifecycles in public transit are out of sync: vehicles and other hardware designed to last for 15 years or more are being supported by or carrying software that has stopped receiving security updates, which creates serious vulnerabilities.
“There are several steps that transit agencies and their stakeholders can take to strengthen their collective cybersecurity posture,” explain the study’s authors. “For example, vendors for critical systems should make available a security lead to assist the agency in the management of the agency’s risk. Meanwhile, transit agencies should integrate their cyber risk management program with their existing physical security risk management organisation and infrastructure, creating a holistic Enterprise Risk Management program. They should also elevate security within the organisation by appointing a Chief Security Officer (CSO).”
Measures taken to protect transit security require executive focus and investment across the transit ecosystem. Transit agencies, vendors, associations, the Department of Homeland Security (DHS) and the U.S. Department of Transportation (U.S. DOT), as well as the Federal Transit Administration (FTA), can cooperate and collaborate to invest in risk management to ensure the safety, efficiency, and reliability of our nation’s critical infrastructure.
You can read the report here.