The Changing Face of Digital Risk in Transit: Building Cyber Resilience in the Modern Transportation Era
By Marvin Muhumuza | 6/2/2026
Director, Cybersecurity Risk Management
Washington Metropolitan Area Transit Authority
Washington, DC

Cyber Risk Is Now Service Risk
When digital systems fail, passengers experience delayed trains, unavailable fare systems, disrupted communications, inaccurate arrival information, or reduced operational visibility. Riders may never see a cybersecurity dashboard, but they immediately notice when service reliability is affected.
Modern transit systems rely on interconnected digital environments spanning both traditional information technology (IT) and operational technology (OT). Signaling systems, Positive Train Control (PTC), dispatch centers, fare collection platforms, passenger information systems, vehicle telemetry, and cloud-based applications all contribute to delivering reliable service. As these systems become more connected, transit agencies are inheriting a new category of operational exposure: cyber-physical risk.
The industry’s challenge today is not only protecting technology. It is building resilient operations that can continue delivering safe and reliable service during digital disruption.
The Digital Transit Transformation
Transit systems across the United States and Europe are rapidly modernizing through digital technologies designed to improve customer experience and operational efficiency. Riders increasingly expect real-time information, contactless payments, mobile ticketing, and seamless trip planning.
Washington Metropolitan Area Transit Authority’s (WMATA/Metro’s) “Tap. Ride. Go.” system allows customers to pay fares using contactless credit cards or mobile wallets directly at faregates and buses. New York City Transit’s OMNY platform similarly enables riders to use phones, wearable devices, or credit cards instead of traditional fare cards. Across Europe, Transport for London helped pioneer large-scale contactless fare integration.
These innovations have improved convenience and modernized service delivery. However, they also reinforce an important reality: transit operations are increasingly dependent on interconnected digital ecosystems involving cloud platforms, telecommunications providers, software vendors, mobile applications, and real-time operational data.
The traditional cybersecurity model focused heavily on protecting systems and preventing incidents. Today’s operating environment requires something broader: understanding operational impact, managing risk, maintaining continuity, and recovering quickly. This is the foundation of digital cyber resilience.
Why the Transit Threat Model Has Changed
Several trends are reshaping digital risk across transportation.
The first is the convergence of OT and traditional IT. Systems that were once isolated, such as signaling, PTC, fleet management, dispatch, and rail operations, now exchange information with enterprise systems, analytics platforms, cloud services, and vendor-managed technologies. While this improves operational efficiency and visibility, it also expands the attack surface.
The second trend is the rapid growth of customer-facing digital services. Mobile ticketing, account-based fare systems, and contactless payments create more connected experiences for passengers while increasing reliance on telecommunications providers, identity systems, and third-party vendors.

Electrification is also changing operational dependency. Transit agencies deploying battery-electric bus fleets increasingly rely on digitally managed charging systems and energy-management platforms. A cyber disruption affecting charging infrastructure could directly impact fleet readiness and operational continuity.
Remote vendor access continues to be another major concern. Transit agencies increasingly rely on outside vendors for software updates, diagnostics, monitoring, and operational support. While this improves efficiency, it also creates indirect entry points into agency environments. In 2022, a cyberattack affecting a third-party IT provider disrupted software used by Danish rail operators, resulting in temporary service interruptions. The incident reinforced a critical lesson: agencies must manage not only their own cybersecurity posture, but also the resilience of their supplier ecosystem.
Artificial intelligence is adding another dimension to the threat environment. Federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and National Security Agency (NSA), have warned organizations about AI-enabled phishing, impersonation attacks, and increasingly sophisticated social engineering. Michael Echols, in AI Chaos: The War for Control of Smart Systems, argues that organizations must adopt structured governance approaches to AI rather than reacting to threats after disruption occurs. For transit agencies, the lesson is practical: governance frameworks are needed to define how AI-enabled technologies are introduced, monitored, and managed within operational environments.
Finally, many transit agencies continue operating legacy infrastructure designed decades before modern cybersecurity threats existed. Long asset lifecycles, budget limitations, and operational complexity make modernization difficult, reinforcing why resilience, and not perfection, must become the strategic objective.
Recent Incidents Reveal the Real Risk
Recent transportation cyber incidents demonstrate how operational disruption can emerge in many forms.
In 2023, Bay Area Rapid Transit was reportedly affected by a ransomware-related incident involving leaked data. In 2024, Pittsburgh Regional Transit experienced a ransomware incident that temporarily affected portions of rail service and later involved notifications regarding compromised personal information. Transport for London also experienced a cyber incident affecting portions of its digital services environment.
One of the most widely cited transportation examples remains the impact of the WannaCry ransomware outbreak on Deutsche Bahn in 2017, where passenger information displays were disrupted while core rail operations continued.
The lesson across all of these incidents is clear: cyber incidents are no longer only technology problems. They are operational events affecting service delivery, communications, public confidence, and recovery management. That is why resilience is becoming the defining concept for transit cybersecurity.
Regulation Is Moving From Guidance to Expectations
Governments and regulators increasingly recognize transportation as critical infrastructure requiring stronger cybersecurity governance.
In the United States, the Transportation Security Administration (TSA) introduced cybersecurity directives for certain rail and public transportation operators requiring measures such as:
- Designating a 24/7 cybersecurity coordinator
- Reporting incidents to CISA
- Conducting vulnerability assessments
- Developing cyber incident response plans
The broader goal behind TSA’s approach is operational resilience. Regulators understand that disruptions affecting transportation systems can quickly impact public safety, economic activity, and public trust.
For smaller transit agencies, resilience does not always require massive cybersecurity budgets. Practical starting points include:
- Identifying systems critical to operations
- Strengthening remote-access controls
- Implementing multi-factor authentication
- Conducting tabletop exercises
- Separating operational systems from enterprise networks
- Maintaining offline backups
- Reviewing vendor-access procedures
- Establishing clear incident-response roles
Europe is also influencing global transportation cybersecurity practices through regulation. The European Union’s Cyber Resilience Act, which entered into force in December 2024, focuses on secure product development, vulnerability handling, lifecycle support, and accountability for digital products.
This matters for U.S. transit agencies because many transportation vendors operate globally. Increasingly, cybersecurity expectations are becoming part of procurement, contract management, and supplier governance.
Questions Transit Agencies Should Ask Vendors
- How is remote access secured and monitored?
- What are the vendor’s incident-notification timelines?
- Are software updates and security patches contractually defined?
- Is a Software Bill of Materials (SBOM) available?
- What is the product end-of-support lifecycle?
- Does the vendor maintain a formal vulnerability disclosure process?
- Can the agency audit cybersecurity controls or request independent assessments?
- Are cybersecurity exercises or recovery testing included in support agreements?
- How are third-party subcontractors governed and monitored?
- What operational continuity procedures exist during a cyber incident?
Building a Resilient Transit Future
Perfect cybersecurity does not exist. Transit agencies operate complex ecosystems that include legacy infrastructure, cloud services, electrified fleets, customer-facing applications, remote vendors, and long operational asset lifecycles.
The objective is not to eliminate every threat. The objective is to be a resilient service. The agencies that lead the future of public transportation will be those that integrate cyber resilience into operations, procurement, governance, modernization planning, vendor management, and executive decision-making.
In the digital age, protecting transit systems means protecting the ability to move people safely, reliably, and confidently under pressure. Increasingly, that is what resilience means.