Evolving Role of the Transit CISO: Securing Safety in the Age of Cyber-Physical Threats
By Rafi Khan | 12/15/2025
Chief Information Security Officer
NJ TRANSIT

Public transportation agencies face an unprecedented challenge: cybersecurity threats that can directly impact passenger safety. As transit systems become more digitized and interconnected, the role of the Chief Information Security Officer has evolved from protecting data to safeguarding lives.
Why Cybersecurity Is Now a Safety Issue
A transit agency’s safety mission extends beyond brakes and signals. Modern threats target the digital systems that control train movements, manage power distribution, and coordinate emergency response. A ransomware attack can halt service. A compromised signaling system can create collision risks. An intrusion into operational technology can disable safety-critical functions.
The consequences are real: Ransomware attacks in December 2024 disrupted Pittsburgh Regional Transit’s rail schedules and Maryland’s bus tracking. Hartsfield-Jackson Atlanta International Airport suffered a DDoS attack in March 2025, temporarily disrupting online services. These attacks affected operational logistics and public service, and exposed vulnerabilities in transit infrastructure nationwide.
Federal Mandates Drive Action
TSA recognized this convergence of cyber and physical risk when it issued Security Directive 1582-2022-01D for passenger rail and transit systems, and SD 1580-2022-01D for freight rail operators, building on earlier directives from 2021.
These directives require:
- Designation of a primary cybersecurity coordinator with direct authority
- Network segmentation between IT and operational technology (OT) systems
- Continuous monitoring and real-time threat detection
- Annual cybersecurity assessments and vulnerability testing
- Formal incident response and recovery planning
For transit agencies, compliance is not optional; it is mandatory and assessed annually. More importantly, these requirements reflect a fundamental shift: cybersecurity is now recognized as essential to transportation safety.
The IT-OT Convergence Challenge

Transit agencies operate at the intersection of two distinct technical environments. Information technology systems manage business functions, employee data, and customer services. Operational technology controls trains, signals, power distribution, and communication systems. Historically, these systems operated independently. Today, they’re interconnected.
A credential compromised in an IT system—a phishing email, a weak VPN password—can provide access to OT networks that control train movements or manage power substations. The 2015 Ukraine power grid attack demonstrated this pathway: attackers entered through IT systems and migrated to industrial controls, leaving hundreds of thousands without power.
Transit CISOs must now bridge engineering and information security disciplines. We must understand SCADA protocols and Active Directory architecture. We must speak the language of both the boardroom and the signal maintainer.
A Practical Roadmap for Transit Cybersecurity
Based on implementing these requirements in a complex transit environment, here are five actions every agency should prioritize:
1. Establish Formal Cybersecurity Leadership
Designate a primary cybersecurity coordinator as required by TSA directives—not as a collateral duty but as a dedicated senior leadership role with:
- Direct reporting to executive leadership
- Authority to coordinate across IT and operations divisions
- Accountability for annual compliance and assessment outcomes
This individual must have the organizational standing to make risk-based decisions that affect operations.
2. Document and Validate IT-OT Boundaries
Conduct structured assessments to identify all systems, interfaces, and data flows between IT and OT environments. This means:
- Site visits to substations, maintenance facilities, and control centers
- Interviews with engineering staff who manage legacy systems
- Documentation of vendor remote access points and shared services
- Validation that network segmentation matches architectural diagrams
Paper documentation often diverges from operational reality. Physical verification is essential.
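One way to check the last item in that list against observed traffic, as an added example that is not from the original article: it compares flow records with the IT-OT conduits the architecture diagram documents. The zone subnets, rules, flow records, and function names are all constructed for illustration.

```python
import ipaddress

# Constructed zone map standing in for the documented architecture.
ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "OT": ipaddress.ip_network("10.50.0.0/16")}

# Constructed list of documented cross-boundary conduits: (src, dst, proto, dst port)
DOCUMENTED = [
    ("10.10.20.5/32", "10.50.1.10/32", "tcp", 443),   # historian replication
    ("10.10.30.0/24", "10.50.2.20/32", "tcp", 3389),  # vendor jump host
]

# Constructed flow records, as exported from a firewall or flow collector.
FLOWS = [
    ("10.10.20.5", "10.50.1.10", "tcp", 443),
    ("10.10.44.17", "10.50.3.8", "tcp", 502),   # workstation speaking Modbus/TCP to OT
    ("10.10.20.5", "10.10.20.9", "tcp", 445),   # IT-internal, not a boundary crossing
    ("10.50.1.10", "10.10.99.3", "udp", 53),    # OT host reaching into IT
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "UNKNOWN")

def matches(flow, rule):
    src, dst, proto, port = flow
    r_src, r_dst, r_proto, r_port = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
            and (proto, port) == (r_proto, r_port))

def audit(flows, documented):
    """Return (undocumented cross-zone flows, documented rules never observed)."""
    undocumented, seen = [], set()
    for flow in flows:
        if zone_of(flow[0]) == zone_of(flow[1]):
            continue  # same zone: segmentation boundary not crossed
        hits = {i for i, rule in enumerate(documented) if matches(flow, rule)}
        if hits:
            seen |= hits
        else:
            undocumented.append(flow)  # diagram and reality disagree
    unused = [r for i, r in enumerate(documented) if i not in seen]
    return undocumented, unused

if __name__ == "__main__":
    gaps, stale = audit(FLOWS, DOCUMENTED)
    print("Undocumented boundary crossings:", gaps)
    print("Documented conduits with no observed traffic:", stale)
```

Undocumented crossings are candidates for the site visit and interview steps above; documented conduits with no traffic may be stale rules or simply quiet during the capture window.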
3. Implement Unified Security Monitoring
Deploy centralized logging and security information and event management (SIEM) capabilities that cover both IT and OT systems. Effective monitoring requires:
- Log aggregation from servers, network devices, and industrial control systems
- Correlation rules tuned to transit-specific threat scenarios
- Alert procedures that connect security teams to operations staff
- Regular testing to ensure detection capabilities function as designed
Visibility is the foundation of defense. Without comprehensive logging, threats remain invisible until they cause operational impact.
4. Assess Third-Party Cybersecurity Risk
Transit agencies rely on numerous vendors for system integration, maintenance, and support. Many have privileged access to critical systems. Implement vendor risk management that includes:
- Pre-contract security assessments for new vendors
- Multi-factor authentication requirements for remote access
- Regular compliance reviews and security questionnaires
- Contractual language that establishes cybersecurity responsibilities
A vendor with weak security practices represents a pathway into your environment.
5. Formalize Change Control for Cyber-Physical Systems
Establish a Change Control Board with representatives from IT, operations, engineering, and cybersecurity to review:
- Network architecture modifications
- New system implementations that cross IT-OT boundaries
- Software updates to safety-critical systems
- Emergency changes that bypass normal review processes
Undocumented or poorly coordinated changes are among the most common sources of security incidents in transit environments.

The Path Forward
The transit CISO role has fundamentally changed. We are no longer solely focused on protecting data—we are responsible for safeguarding the systems that ensure passenger safety and operational continuity.
This requires alignment with federal cybersecurity mandates, adoption of industry frameworks including NIST and IEC 62443, and, most critically, integration of cybersecurity into every operational decision.
As cyber threats continue to evolve in sophistication and scale, transit agencies must move beyond reactive security. We must anticipate threats, coordinate across technical and operational teams, and build resilience into our infrastructure.
Transit CISOs are now safety stewards, system architects, and strategic leaders. In an environment where a cybersecurity incident can halt service, endanger passengers, or compromise critical infrastructure, our responsibility has never been clearer: protect the mission, secure the systems, and ensure the safe movement of millions of people who depend on public transportation every day.