Public Transit Agencies Continue to Lag in Cybersecurity Prep


Transit agencies continue to fall behind in cybersecurity training, staffing and policy development, according to a new report, placing these organizations at increasing risk as threats rise and take on more sophisticated forms.

“The most interesting thing, after doing this work for the last four years, especially in the smaller and more midsize agencies, is that they don’t have the basic written policies and procedures that you would expect,” Scott Belcher, a research associate with the Mineta Transportation Institute (MTI) at San Jose State University in California, said.

Belcher was one of the authors of a recent report, “Does the Transit Industry Understand the Risks of Cybersecurity and are the Risks Being Appropriately Prioritized?” The May 2025 study is an update on a similar 2020 MTI study.


The 2025 study surveyed 78 transit agencies in the United States, serving more than 72 million people. About a third of respondents, or 26, are considered rural. Large agencies with considerable staff and funding tended to be the most prepared for cybersecurity threats, the research found, with strategies and policies to reduce vulnerabilities and respond appropriately when an attack occurs. However, the report found smaller to midsize agencies often lack the staffing, expertise and executive leadership to prioritize cybersecurity and make it an agencywide priority.

A year ago, the Oahu Transit Service (OTS) in Hawaii experienced a cyber attack impacting users’ personal data, the transit system’s bus service and TheHandi-Van, the city’s paratransit service. It was the second attack in three years, and affected card readers, phone service, GPS technology, communications and payment services. The attackers demanded a ransom, which the transit provider did not pay. Returning to normal operations took weeks, according to the report.

Since then, OTS has taken “a multi-layered approach” to cybersecurity, with modernized hardware, software, and user security protocols and procedures, said Travis Ota, an information specialist with the Department of Transportation Services in the consolidated city-county of Honolulu.

“In addition, OTS established an IT team dedicated to security activities,” Ota said via email. “These enhancements aim to reduce OTS’ threat surface and align with evolving best practices in cyber defense.”

Even as transit systems have been slow to adopt cybersecurity safeguards, they have continued to move forward with technology deployments in the form of digital payment systems and trip-planning, and technology to improve operations like GPS tracking or “mobility-as-a-service” tech, all offering possible entry points to malicious actors.

“Each of those are new vulnerability points,” Belcher said. “And then you overlay on top of that cybersecurity as a service and AI, and the threat level just keeps increasing as the criminals get more sophisticated.”

The first step to cyber-readiness is conducting a cybersecurity assessment, he said, which can be a dispiriting endeavor because it points out where an agency falls short on policy and protocol.

“The worst thing you do with these assessments is, you do it and everything is red,” Belcher said. “And that’s incredibly discouraging, and you can’t tell your boss, and nothing happens.”

In 2022, Belcher and other experts from MTI formed the cyber-consulting company Cybrbase, which offers cyber-readiness assistance to transit agencies. Its assessment can be taken online, and is designed to offer the kinds of tools and training needed to stand up the basics of a cybersecurity plan.

In an ongoing state pilot around Cybrbase’s offering, the Illinois Department of Transportation brought together six local transit agencies — all of them either rural or smaller operations — for a self-examination using the Cybrbase assessment tool and further consultation. The agencies got to know each other, and came to the collective understanding they are far from alone in their cybersecurity needs and shortfalls.

“This is an environment where you find out, everybody is in the same boat you are. And then you can talk about your own experiences, and share that,” said Belcher, indicating the project runs until the end of the year.

The agencies’ work includes two assessments, and development of basic policies and procedures. The first assessment is followed by a workshop to cover the top policies the cohort needs. After six months, they do a second assessment, to show progress.

“They’ll see their first assessment as, not too bad. But they see a lot of stuff they can still do without spending a ton of money. They can do those over the next six months. And then when you do the second assessment in six months they’re going to see continued improvement,” Belcher said.

Chief information security officers can now be found in about two-thirds of the 50 largest transit systems. These agencies are moving toward an appreciation for the cross-cultural application of cybersecurity, where cybersecurity is not only a concern for IT, Belcher said, but is a focus across the organization.

“And that’s what we’ve always preached, that this is an enterprise security issue,” he said. “And it’s got to be prioritized within your overall enterprise security vulnerabilities.”


