APTA Announces Updated Cybersecurity Course for Executives

The most common cybersecurity incidents encountered by transit systems involve email compromise, data breaches, ransomware, counterfeit hardware, and supply chain risks.

The updated course was supported by APTA’s Business Members Board of Governors Committee, which is chaired by Ray Melleady, executive vice president, USSC Group. “Cybersecurity in public transit isn’t a destination; it’s a journey we must actively pursue every day,” Melleady said. “By staying ahead of threats, we don’t just prevent disruptions; we build a resilient foundation for the smart cities of tomorrow.”

APTA’s Business Members Cybersecurity Committee co-chair and Mineta Transportation Institute (MTI) Research Associate Scott Belcher said, “Agencies need to address cybersecurity from the top down, making it a part of the agency’s overall enterprise risk management strategy and not pushing it to the back burner. Resources like the new APTA course are a great starting point for public transit leaders, especially at smaller agencies.”

In 2020, MTI published a report titled Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness, which called attention to the industry’s lack of preparedness for the coming cybersecurity revolution.

In 2024, MTI revisited its original study and found that while progress was being made by larger agencies, cybersecurity is still not a priority among many rural, small, and mid-size transit systems.

APTA recommends that public transit agencies begin with a NIST-based cybersecurity assessment or with FTA’s Cybersecurity Assessment Tool for Transit (CAAT), which is a National Institute of Standards and Technology (NIST)-based Cyber Resilience Review self-assessment tool.

Other APTA resources, such as the Operational Technology Cybersecurity Maturity Framework (OT-CMF) Overview, and a cybersecurity resource page, can be found here.

APTA has updated its Cybersecurity Fundamentals for Executives
course to reflect federal
government requirements and new resources. The 90-minute course provides actual
cybersecurity scenarios that could threaten public transit agencies. The most common cybersecurity incidents
encountered by transit systems involve email compromise, data breaches,
ransomware, counterfeit hardware, and supply chain risks. The updated course was supported by APTA’s Business Members
Board of Governors Committee, which is chaired by Ray Melleady, executive vice
president, USSC Group. “Cybersecurity
in public transit isn’t a destination; it’s a journey we must actively pursue
every day,” Melleady said. “By staying ahead of threats, we don’t just prevent
disruptions; we build a resilient foundation for the smart cities of tomorrow.” APTA’s Business Members Cybersecurity
Committee co-chair and Mineta Transportation Institute (MTI) Research Associate
Scott Belcher said, “Agencies need to address cybersecurity from the top down,
making it a part of the agency’s overall enterprise risk management strategy
and not pushing it to the back burner. Resources like the new APTA course are a
great starting point for public transit leaders, especially at smaller
agencies.” In 2020, MTI published a report titled Is the Transit
Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance
Surface Transit Cyber Preparedness, which called attention to the industry’s
lack of preparedness for the coming cybersecurity revolution. In 2024, MTI revisited its original study
and found that while progress was being made by larger agencies, cybersecurity
is still not a priority among many rural, small, and mid-size transit systems. APTA recommends that public transit
agencies begin with a NIST-based cybersecurity assessment or with FTA’s
Cybersecurity Assessment Tool for Transit (CAAT), which is a National Institute
of Standards and Technology (NIST)-based Cyber Resilience Review
self-assessment tool. Other APTA resources, such as the
Operational Technology Cybersecurity Maturity Framework (OT-CMF) Overview, and
a cybersecurity resource page, can be found here.