Only 60 per cent of U.S. transit agencies have cyber-attack preparedness plans

New research conducted by the Mineta Transportation Institute (MTI) has revealed that while 80 per cent of U.S. transit agencies say they feel “prepared” for a cyber-attack, only 60 per cent actually have a cyber-security plan in place.

The researchers surveyed 90 transit agency technology leaders to produce the results.

The U.S. Department of Homeland Security designates the Transportation System Sector as one of 16 critical infrastructure sectors whose disruption would have a debilitating effect on U.S. national security. The report based on the survey’s findings found that most transit agencies, which fall within this sector, do not have many of the basic policies or personnel in place to respond to a cyber incident.

Among the key findings are that 36 per cent of those surveyed do not have a cyber-disaster recovery plan, and 67 per cent do not have a cyber-crisis communications plan.

Meanwhile, 73 per cent of respondents said they feel they have access to information to help implement a cyber-security preparedness programme, but of the 60 per cent that currently have a response plan in place, 43 per cent do not find their plan sufficient.

Of those surveyed, 47 per cent of agencies reported auditing their cyber-security programme at least once a year, however, over 50 per cent of agencies do not keep a log for longer than a year – a measure that the report describes one of the most basic cyber-security preparedness requirements.

Scott Belcher, the Principal Investigator on the report, titled Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness, said that “there is an abundance of information and tools, such as the Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance and accompanying workbook, available to public transit agencies to support a cybersecurity programme.” Belcher also explained that agencies that have become aware of the imminent threat have taken action to protect themselves from cyber attacks, including seeking technical leadership from outside the transit industry and contracting out the management of personally identifiable information (PII).

The MTI research team has emphasised that the Federal Transit Administration (FTA) should require transit organisations to adopt and implement minimum cyber-security standards prior to receiving federal funding. They also recommend federal funds be allocated for the development of  comprehensive cyber-security preparedness plans and their implementation.