
Why OT Cybersecurity Must Be Transit’s Next Priority: Takeaways from MTI's 2025 Report

Charlotte Muller
Sales Director - North America
A new report from the Mineta Transportation Institute (MTI) offers a timely and thoughtful analysis of cybersecurity across the U.S. transit industry. Here's how Cylus can help.

A new report from the Mineta Transportation Institute (MTI) offers a timely and thoughtful analysis of cybersecurity across the U.S. transit industry. As digital systems continue to shape modern mobility, the report highlights key areas where transit agencies, particularly smaller ones, can make meaningful progress in securing their networks.

Identifying the Gaps

Among the report’s findings is the persistent challenge smaller agencies face in addressing cybersecurity risk. Limited resources, competing priorities, and a perceived focus on information technology (IT) over operational technology (OT) can delay essential improvements. This is especially important in the transit space, where OT systems, like SCADA, signaling, and train communications, are foundational to safe and reliable service.

Another insight from the MTI study is the ongoing divide between IT and OT cybersecurity strategies. These systems are often managed separately, despite being increasingly interconnected. Without clear frameworks and consistent funding, it’s difficult to ensure security across the entire operational landscape.

Why OT Cybersecurity Matters

While cybersecurity priorities vary across transit systems, OT has become an area that demands greater attention. As systems like signaling, SCADA, and onboard networks become increasingly connected, often bridging the gap between legacy infrastructure and modern digital platforms, the need for dedicated protection alongside IT efforts is more pressing than ever.

Focusing on OT isn’t about raising red flags or creating panic; it’s about enabling visibility, building resilience, and ensuring operational continuity. When OT systems are compromised, the consequences are immediate and operational, affecting service delivery, safety, and continuity. Without proper safeguards, even small gaps in OT security can create a ripple effect that is difficult to isolate and recover from.

Addressing cybersecurity at the OT level strengthens the entire transit network. It empowers agencies to detect anomalies early, respond faster to incidents, and maintain uninterrupted service. It also aligns with emerging regulatory expectations and supports a more unified cybersecurity strategy across IT and OT environments.

Practical Cybersecurity Recommendations (MTI 2025 report evidence):

  • Annual cybersecurity assessments (incl. OT systems): The MTI report emphasizes the need for regular (ideally annual) cyber risk reviews. It notes that “general best practices recommended by CISA suggest that regular, ideally yearly, risk and vulnerability assessments (RVAs) are essential in managing cyber risks across critical infrastructure sectors” (Section 5.1, p.65). While TSA recommends agencies complete cyber vulnerability assessments, the report points out that there is currently no mandate for most transit agencies to do so on a set schedule. The MTI report emphasizes that transit agencies should proactively conduct comprehensive yearly cybersecurity assessments covering all IT and OT assets.

  • Regular tabletop exercises: MTI highlights that incident response plans should be practiced at least yearly. In Section 5.7, it explains that “conducting these exercises at least annually is crucial to account for evolving best practices, organizational changes, employee turnover, and the need for continuous training” (p.80–81). The report notes that tabletop simulations build readiness and that, as of the survey, fewer than 40% of agencies had run a cybersecurity tabletop exercise in the past year, reinforcing the recommendation for annual tabletop drills to improve preparedness.

  • Network segmentation for OT systems: MTI calls for strict separation of operational networks. It recommends architecting segmented IT/OT networks to contain threats, noting: “Network Segmentation of IT and OT Environments – Architect and implement strict segmentation protocols within and between IT and OT networks to contain threats, prevent lateral movement, and safeguard critical operational assets” (p.5). This direct guidance confirms the importance of isolating sensitive operational technology systems from corporate IT, limiting the blast radius of cyber attacks.

  • TSA directives and regulatory trends: The MTI study references new TSA cybersecurity directives as an emerging driver of transit security compliance. Notably, it cites TSA’s October 2024 security directive (SD 1582-21-01C) for public transit, which requires designated transit operators to “report cyber incidents to CISA within 24 hours; develop an incident response plan to reduce the risk of operational disruption should their IT and/or OT systems be affected by a cybersecurity incident; [and] conduct a cybersecurity vulnerability assessment using the form provided by TSA” (p.53). The inclusion of these TSA mandates in the report underscores a regulatory trend: basic cyber practices (incident reporting, IR planning, assessments, etc.) are increasingly being required for transit agencies, not just recommended.

  • CISA guidance and frameworks: Throughout the report, MTI points transit agencies toward CISA’s cybersecurity frameworks and tools. For example, it highlights the “Cyber Resilience Review (CRR) developed by CISA and based on the NIST Cybersecurity Framework,” a free self-assessment tool for transit agencies (Section 5.1, p.65). The report also discusses CISA’s 2022 Cross-Sector Cybersecurity Performance Goals, quoting CISA Director Jen Easterly that these goals provide “an approachable common set of IT and OT cybersecurity protections… aimed at addressing some of the most common and impactful cyber risks” (p.50–51). By referencing NIST/CISA frameworks, free DHS tools, and CISA’s best-practice advisories, the MTI report supports aligning transit cybersecurity programs with CISA guidance and industry-standard frameworks.

How Cylus Can Support

Cylus helps transit agencies implement many practices outlined in the MTI report and TSA directives, providing tools specifically designed to secure rail-focused OT networks. From enabling continuous visibility and monitoring to supporting segmentation strategies and incident response planning, the CylusOne platform is built for the unique demands of rail systems.

Whether you’re just starting to assess OT risks or looking to align with TSA and CISA guidance, Cylus works with agencies of all sizes to close critical gaps without disrupting operations.

We’re here to help you take the next step, wherever you are in your cybersecurity journey. Let’s talk.

Sources: Mineta Transportation Institute – “Does the Transit Industry Understand the Risks of Cybersecurity and Are the Risks Being Appropriately Prioritized?” (April 2025)

Originally published June 4, 2025; updated June 4, 2025.
