MTI Report: Transit Systems Need Cybersecurity Improvements

A new report from the Mineta Transportation Institute says U.S. transit agencies need to improve their data management and data privacy practices as they are being targeted more frequently by cyberattacks.

[Above photo by the Metropolitan Transportation Authority]

That report – entitled Personal Data Protection as a Driver for Improved Cybersecurity Practices in U.S. Public Transit – explores how the increase in cyberattacks against public transit agencies underscores the importance of, and the agencies' increasing responsibility for, protecting any personal data they collect, retain, or distribute from their ridership.

“Ultimately, transit agencies will be held to account just as any other business will be – regardless of industry – for the security of the data they collect, process, and leverage for service delivery or other purposes,” the report noted.

“A failure to protect personal data in the process not only has a direct impact on the data owner, but it can also have a material impact on an agency’s operations, finances, compliance status, and reputation,” it said.

Some of the data security issues discussed in the report include:

  • The use of and debates surrounding facial recognition software.
  • The issues arising from the shift in fare payment systems from tokens and tickets to digital wallets and contactless credit cards, which potentially exposes Personally Identifiable Information to breaches.
  • The security challenges of “open-loop” systems, which are mobile payment systems that allow users to pay for goods and services at multiple vendors using a single digital wallet or credit/debit card.

“There are 17 countries with comprehensive national data protection laws in place – [but] the United States is not among them,” emphasized Scott Belcher, the report’s principal author, in a statement.

“As more countries enact laws governing the data of their residents, U.S. entities are going to face an increasingly complex process of navigating extra-territorial and data export requirements,” he added.

Belcher noted in the report that he expects more federal and state guidance – “if not laws” – to pass in the coming years. “Addressing these issues now means taking steps toward protecting personal data and building more robust cybersecurity practices,” he said.

Belcher also testified at a House of Representatives Transportation & Infrastructure Committee hearing in November 2021 that sought to identify cybersecurity challenges facing the nation’s critical infrastructure and transportation systems, along with possible solutions.

He noted in his written testimony that “as digital technologies continue to be woven into the operations of even the most conventional public transit agency, any system, process, or function dedicated to reducing physical risk likely includes an array of digital vulnerabilities that need to be managed in concert with current security operations.”

He added that there “needs to be a collaborative effort between the federal government, the industry, and transit agency leadership to establish, maintain, refine, and support cybersecurity programs.”

The reason is that transportation infrastructure is becoming a more attractive target for “nefarious actors” seeking local, regional, and national disruptions, be it for personal or political gain.

“The avenues to exploit this vital infrastructure will continue to evolve along with the technology that enables the industry’s core operations and goals,” Belcher said. “As these technologies are further embedded in operations, new vulnerabilities will arise. Accounting for the risk today will foster greater resiliency and preparedness in the years to come.”
