National Academies Press: OpenBook

Cybersecurity in Transit Systems (2022)

Chapter: Summary

Suggested Citation:"Summary." National Academies of Sciences, Engineering, and Medicine. 2022. Cybersecurity in Transit Systems. Washington, DC: The National Academies Press. doi: 10.17226/26475.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

The purpose of TCRP Synthesis 158: Cybersecurity in Transit Systems is to identify and document emerging cybersecurity trends related to teleworking/remote worker offices, contactless customer services, real-time information services, transit-on-demand services, and cyber resilience affecting transit agencies now and in the near future as a consequence of the digital acceleration stimulated by the global pandemic of 2020–2021.

The objectives of TCRP Synthesis 158 are to

• Explore and evaluate the extent of a holistic implementation of emerging cybersecurity practice across both information technology (IT) and operational technology (OT) environments, focusing on
    – Cyber resilience, including cyber insurance;
    – Third-party cyber-risk management, including cyber supply chain risk;
    – Cybersecurity of location-agnostic access (e.g., remote work/teleworking/“work-from-home”);
    – Zero-trust computing architectures supporting contactless customer applications, including real-time and on-demand information and services; and
    – Cybersecurity governance and workforce.
• Highlight innovative approaches, successes, challenges, and lessons learned in these areas.
• Identify knowledge gaps and future research needs for the cybersecurity and resilience challenges identified in this synthesis.

The material contained in this report was gathered over the period 2020–2021 from a variety of published material, including contemporary news reports; TRB research reports; recent government reports and publications, industry standards, and other guidance; recent industry (i.e., cyber, transportation, and transit) surveys; and material directly supplied by various agencies and organizations.

The overriding finding of this research is that the acceleration of the digital transformation in the transit industry leaves many organizations having difficulty absorbing, responding to, and adapting to the simultaneous introduction of new technologies, new workplace norms, and new customer expectations. The convergence of these three disruptors introduces new cyber vulnerabilities that are now being exploited by a wide variety of threat actors, including geopolitical adversaries, criminals, hacktivists, and insiders. The inevitable consequence of this situation is that pre-pandemic cybersecurity approaches and skill sets are no longer adequate to effectively minimize vulnerability, defend against ever-more effective attacks, and rapidly recover and restore agency services and internal operations. As a result, many agencies are increasingly reliant on third-party providers of cyber goods and services, creating even greater vulnerability.

Next-generation cybersecurity approaches addressing these additional vulnerabilities are being introduced in other industries and infrastructure sectors and are being promoted by federal regulators and the cyber insurance industry. However, public sector agencies report that a lack of funding, the complexity of their existing environments, and a lack of expertise about next-generation approaches are substantial inhibitors to the implementation of these approaches.

The knowledge gaps identified during the course of the research have to do with this lack of expertise concerning the next-generation approaches. Given the increasing reliance on third-party relationships by transit agencies, there is an urgent need for procurement guidance across the entire spectrum of cybersecurity goods and services. This guidance encompasses vetting third- and fourth-party suppliers and their digital products. This broad need also includes the need for actionable information about cyber insurance should things go wrong.

The second major knowledge gap identified by public agencies is the gap in employee knowledge and skill sets. Agencies do not have employees with the requisite cybersecurity skills and are increasingly unable to recruit, on-board, and retain them for a variety of reasons. This dilemma can be resolved using either of two strategies: outsource the task(s) or upskill the workforce. Outsourcing leads to the procurement knowledge gaps just discussed while upskilling identifies a new set of gaps.

Research needs for addressing the cybersecurity skill gap include developing transit-specific guidance on new paradigms such as Zero-Trust Architectures, on managing the new workplace and the next-generation employee, and on incorporating cybersecurity into all aspects of the agency’s emergency and incident planning and response programs, including training programs.


The COVID-19 pandemic is having a profound effect on every infrastructure sector in North America, including transit systems, and on the information technology and operational technology systems that are embedded in their ongoing operations.

The TRB Transit Cooperative Research Program's TCRP Synthesis 158: Cybersecurity in Transit Systems identifies and documents emerging cybersecurity trends related to teleworking/remote worker offices, contactless customer services, real-time information services, transit-on-demand services, and cyber resilience affecting transit agencies now and in the near future as a consequence of the digital acceleration stimulated by the global pandemic of 2020–2021.
