A major report by one of the world’s leading experts in Intelligent Transport Systems has found significant problems with cyber security in America’s transport system.
Scott Belcher’s Transit Industry Cyber Preparedness study describes how a huge flaw in security at the San Francisco Bay Area Rapid Transit system meant that “intentionally planted spyware” had been planted by “foreign nation hostile to American interests” into hardware switches on its network which could have had “swift and severe” consequences.
In his research, Belcher – a former President of ITS America – discovered that two-fifths of transit agencies had no cyber security policy at all, and only just over a third had revised theirs within a year. Less than 40% of agencies even have standard clauses in their vendor contracts related to
Other worrying examples of cyber failings include hackers attacking the transit system in California’s Capital in a ransomware attack, and attacking a lorry and school bus taking control of the vehicles’ operations.
Belcher recommends developing cybersecurity standards and guidance for transit operators; requiring them to attest to compliance with standards for funding, providing funding to develop standards and tools and ensure transit operators are resourced to implement the new requirements and to ensure operators make their cybersecurity readiness more robust.
“Fortunately, there is an abundance of information and tools available to public transit agencies to support a cybersecurity programme,” Belcher explained. He described how agencies that have become aware of the imminent threat have taken action to protect themselves from cyber attacks, including seeking technical leadership from outside the transit industry and contracting out the management of personally identifiable information.
Although this report looks at events in the USA, given that country’s world-leading position on connectivity, its failings should be a warning to organisations in the UK that they need to review and possibly strengthen their cyber security.