The National Academies

TCRP Synthesis J-07/Topic SA-50 [Active (Synthesis)]

Cyber Security in Transit Systems
[ TCRP J-07 (Synthesis of Information Related to Transit Practices) ]

Project Data
Funds: $45,000
Authorization to Begin Work: 5/24/2019 -- estimated
Staff Responsibility: Mariela Garcia-Colberg
Research Agency: Geographic Paradigm Computing, Inc.
Principal Investigator: David Fletcher
Fiscal Year: 2019

Final Scope

The report is intended for transit executives and senior management. The consultant shall draft survey questions and correlate the output in a form conducive to management decision making. The synthesis will gather information regarding the maturity of current cyber security programs in the following functions:


· Protect, Shield, Defend, and Prevent -- Measure the organization’s staff, policies, processes, practices, and technologies that protect, shield, and defend the enterprise from cyber threats, and prevent the occurrence and recurrence of cybersecurity incidents commensurate with the organization’s risk tolerance.

· Monitor, Detect, and Hunt -- Measure the organization’s staff, policies, processes, practices, and technologies which monitor ongoing operations and actively hunt for and detect adversaries, and report instances of suspicious and unauthorized events as expeditiously as possible.

· Respond, Recover, and Sustain -- When a cybersecurity incident occurs, measure the organization’s staff, policies, processes, practices, and technologies that are deployed to return assets to normal operations as soon as possible. Assets include technologies, information, people, facilities, and supply chains.

· Govern, Manage, Comply, Educate, and Manage Risk -- Measure the organization’s leadership, staff, policies, processes, practices, and technologies which provide ongoing oversight, management, performance measurement, and course correction of all cybersecurity activities. This function includes ensuring compliance with all external and internal requirements and mitigating risk commensurate with the organization’s risk tolerance.


The contractor shall explore and evaluate the extent of a holistic implementation of cyber security practice across both the IT and OT environments, and identify whether there is a single security program or multiple security programs within the organization. The contractor must use or create a system that anonymizes this data and categorizes it into four tiers. Further, the contractor shall identify:

· Organization staff levels (FTE/contractor) dedicated to the cyber security function

· Associated budget dedicated to the cyber security function in three focus areas:

  o personnel costs

  o training and awareness

  o non-personnel costs

· Outsourced functions (e.g., managed SOC; not a component of staff levels but captured in the budget) dedicated to the cyber security function

· Organization demographics and ridership which enable meaningful comparison of cyber security programs

· Cyber security program categories for use in a prioritization matrix for transit agencies



Information will be gathered through a literature review and a survey of qualifying transit organizations. The synthesis will emphasize four case examples that are representative of transit system cyber security programs for each of the tiers. These should highlight innovative approaches, successes, challenges, and lessons learned. Gaps in information and future research needs will also be identified.

Information Sources:

Allen, et al. Structuring the Chief Information Security Officer, Carnegie Mellon University, September 2015. https://resources.sei.cmu.edu/asset_files/TechnicalNote/2015_004_001_446198.pdf

‘Top Management Challenges for fiscal year 2017’- by Dept. of Transportation Nov 15, 2016

‘Cyber Attack on CDOT’ by Tamara Chuang published in Denver Post April 5, 2018

‘Ransomware Strikes launched a cyber-cleansing program at transportation’ by Joseph Marks, Senior Correspondent published in ‘Nextgov’, Sept 7, 2018

‘Security Concepts and Mechanisms’ – an article at IBM Knowledge Center https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009730_.htm

A Cisco Press chapter ‘Developing Network Security Strategies’ by Priscilla Oppenheimer, Oct 4, 2010

‘3 emerging innovations in technology that will impact cyber security’- an article published on The State of Security March 25, 2018

‘Single photon generation will boost cyber security’- published on 22 March, 2016 https://optics.org/news/7/3/32

‘Cyber jacked’ published in Today’s Trucking on Jan 16, 2018 and posted by Jim Park

‘How a group of engineers hacked a 113-year-old subway system’s signs’ by Ankita Rao on Aug 3, 2017

Factsheet published on U.S. Dept. of Transportation’s ITS policy and knowledge transfer https://www.its.dot.gov/factsheets/pdf/cybersecurity_factsheet.pdf

‘Hacks on a plane’- by Kevin Kelleher, a Fortune article published on June 8, 2018

‘Top Management Challenges for fiscal year 2019’- by Dept. of Transportation Nov 15, 2018.

TRB Staff

Mariela Garcia-Colberg

Phone: 202/334-2361

Email: mgarciacolberg@nas.edu


Meeting Dates

First Panel: September 13, 2019

Teleconference with Contractor: October 17, 2019

Second Panel: May 14, 2020


Topic Panel

Sandra Bobek, San Diego Metropolitan Transit System

Alesia Cain, Hampton Roads Transit

Jasdeep Gill, British Columbia Rapid Transit Company

Mark Hartong, Johns Hopkins University Applied Physics Laboratory

Kyle Malo, WMATA

Stephanie M. Murphy, Tidal Basin Government Consulting, LLC

Jeffrey Nichols, Port Authority of Allegheny County (PA)

Sarah VanWormer, City of Battle Creek

Brian Jackson, Federal Transit Administration

Polly L. Hanson, APTA

Sheila Moore, Transportation Research Board
