As industries navigate the evolving threat landscape, the need for comprehensive cybersecurity strategies has grown substantially, especially in the transportation industry. We’ve seen numerous cyberattacks in the transportation field resulting in personal data being stolen from companies such as Ferrari, Toyota and Tesla. According to a 2023 report from Upstream, data breaches account for 37% of automotive cybersecurity incidents, and backend server attacks make up 40% of attacks.
Leaders in the transportation industry must respond to these trends by conducting internal evaluations of existing cybersecurity strategies to ensure preparedness and speedy recovery times in the case of a breach. The number of clients purchasing cyber insurance continues to grow, and the cost of U.S. cyber insurance has risen steadily, by an average of 11% year-over-year in just the first quarter of 2023, according to a report from insurance broker Marsh.
The federal government has also encouraged cybersecurity efforts, as seen with the Federal Transit Administration’s release of the Cybersecurity Resilience Assessment Tool to Enhance Public Confidence in Transit (CATT), which was developed to assist transit agencies in assessing cyber preparedness and resilience.
Today, tech has become a crucial factor in operational security across industries, not just a support function. As emerging technologies are deployed across the transportation industry, the increase in functionality promises some real benefits, but poses additional security risks for users. Keep in mind, these security risks within transportation go beyond ransomware attacks on car companies and transit agencies: threats have made their way into personal vehicles. According to a 2023 Mozilla Foundation report reviewing the privacy policies of the top 25 car companies, 84% of companies researched share or sell consumer data, and 76% say they can sell personal data. As it turns out, any personal vehicle now presents itself as a looming threat to data privacy.
Even more concerning: the data collected by automakers is deeply personal, identifying race, immigration status, weight, health and even genetic information. This data also includes how fast the person drives, what music they play and where they drive, posing a huge risk for personal security and privacy. Car companies gather this data through sensors, microphones, cameras and phones or devices connected to the vehicle via car apps, websites, dealerships and vehicle telematics. They can even collect data through third-party sources like Google Maps or Sirius XM and sell it to third parties. Out of the 25 companies researched by Mozilla, just two brands, Renault and Dacia, are owned by the same parent company and are only available in Europe, which has protections under the General Data Protection Regulation (GDPR) privacy law that says all drivers have the right to have personal data deleted.
The transportation industry must recognize that the focus of cyber protection has shifted to the implementation of cohesive, end-to-end security protocols aimed at establishing a strong IT infrastructure, operational efficiency, quick recovery times, and encrypted data security. For both car companies and public transit agencies, safeguarding the personal information of users in their systems needs to be a top priority.
As personal vehicles implement emerging technologies like smartphone features, there has been a similar trend in transit agencies adopting new fare collection methods that utilize tap-to-pay and mobile applications on riders' personal devices. In turn, this also puts those relying on public transit at risk of having their data stolen or mishandled. However, an important difference compared to car companies is that transit agencies are much more likely to handle sensitive data responsibly since they are held accountable by state or federal government programs that enforce a base standard of cybersecurity protocols.
Unfortunately, because we live in a world where just about every aspect of personal and professional life has been connected to technology, there’s a constant looming risk of cyberattacks. From an organizational perspective, transit agencies should consider the following suggestions as efforts to mitigate cybersecurity threats:
- Clearly communicate privacy policies to users.
- Prioritize secure data management.
- Offer multi-faceted fare collection options.
- Implement service planning programs that protect personal privacy.
Upholding good cyber hygiene can help transit agencies reassure customers that their personal information has been properly handled and protected. In addition, implementing and upholding a strong cybersecurity policy protects collected data, and serves as an investment in continuity of operations, ensuring data protection and minimizing vulnerabilities in the case of a data breach.
Transit agencies should communicate privacy policies clearly to customers, make resources easily accessible and ensure that the data management practices in place are transparent and easy to understand. By taking these steps, agencies will safeguard sensitive data and gain the trust of riders, making them feel secure and confident to integrate public transit into their daily journeys.
Konrad Fellmann, vice president of IT infrastructure and CISO, Cubic Corporation