Cybersecurity Management: Driving Improved Resiliency in Public Transit and Beyond

In July 2022, I along with several members of the Grayline team co-authored a research report published by the Mineta Transportation Institute at San José State University entitled, “Aligning the Transit Industry and their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges.” The study set out to assess the state of play regarding cybersecurity practices between public transit agencies and the myriad of suppliers servicing these agencies.

Previous research and first-hand experience told us that the majority of U.S. public transit agencies are in need of significant improvements to their information technology risk management practices and, more specifically, to their cybersecurity practices. The big question, however, was how the suppliers—many of whom are large, seemingly sophisticated, multinational companies—were handling the issue of cybersecurity. Do they have cyber expectations of their clients? Are they mindful of their own security posture? If so, are they imparting any of this experience and wisdom on their clients? Are the agencies requiring any cyber best practices of their suppliers? If so, what does this look like coming from an industry that is known to be behind the curve in cybersecurity? With no shortage of questions, we approached the delicate task of asking global suppliers to U.S. transit agencies to allow us to peek behind the curtain of their own operations and their interactions with their agency clients. 

For those of you who have either conducted interviews or are familiar with the details of cyber risk management, you’ll understand the tightrope we faced. Most companies do not care to share the details of their own cybersecurity practices or the risks they have faced in protecting their own digital assets and that of their customers. As commonplace as ransomware attacks and data breaches have become, cyber can still be a taboo topic—evidenced by the number of lawyers who joined our interviews on behalf of the transit supplier companies they represent. For our research team, however, we focused less on probing about the sophistication of the supplier companies—though there was plenty of that—and more on an assessment of the transit industry’s cyber practices from the supplier perspective. 

A read of our report will give you the highlights of the many hours of discussions and debates we had with the vendors who graciously gave of their time, expertise, and experience. The overall takeaway from the research process (covered in much greater detail in the report) is that transit agencies need to improve their own cyber acumen to  drive their vendors to make the investments needed to institute cyber best practices. Transit agencies are best positioned to influence this through their procurement process. Improved cyber literacy for transit agencies is a gateway to two additional key findings—the need to address the disconnect between technology lifecycles and transit hardware (e.g., buses and trains) and the need to incorporate cyber risk management into pre-existing safety management efforts (known outside the transit industry as enterprise risk management).

Thank you to Karen Philbrick and the Mineta Transportation team for sponsoring this research. We are excited to leverage this research beyond the public transit industry as we assist our clients as they seek to improve their cyber risk management practices.