
Cyber Resilience: Protecting Riders & Revenue

Joffrey Lauthier
November 02, 2025


The cybersecurity threat landscape around ticketing systems
Complying with the TSA Security Directives and your Public Transportation Agency Safety Plan
Security-by-design and the procurement of AFC systems

Transit Ticketing & Fare Collection in the US 2025, Global Mass Transit
November 5, 2025 - San Francisco, California


Transcript

  1. Transit Ticketing & Fare Collection in the US | Joffrey Lauthier | San Francisco | November 5, 2025
     Cyber Resilience: Protecting Riders & Revenue
  2. Transit ticketing incidents

     RANSOMWARE, SEPT. 2025: bus and rail operations disrupted; paratransit booking channel down; rider data exposed
     RANSOMWARE, JUNE 2024: rider website down; card readers down; rider data exposed
     PRIVACY BREACH, AUG. 2023: design flaw exposed rider history on OMNY website; stalking risk even without account authentication
     HACK DEMO, AUG. 2023: DEF CON demo rewriting MBTA RFID fare cards to add value and ride privileges

     Transit Ticketing & Fare Collection in the US 2025 – Cyber Resilience that Protects Riders and Revenue
  3. Transport cybersecurity threats

     Prime threats to the transport sector — January 2021 to October 2022
     Source: The European Union Agency for Cybersecurity, ENISA Threat Landscape: Transport Sector, March 2023

     OT Incidents With Physical Consequences — 2010 to 2024
     Source: Waterfall Security + ICS STRIVE, 2025 OT Cyber Threat Report
     "Making up 37% of all attacks, the transportation industry was the single biggest vertical impacted by OT cyber attacks with physical consequences in 2024."
  4. Global cyber threats to the transport sector, 2021-22

     (Chart: threat actors vs. motivation)
     Source: The European Union Agency for Cybersecurity, ENISA Threat Landscape: Transport Sector, March 2023
  5. California hosting high-profile events

     1. Super Bowl LX, Santa Clara, February 2026, Levi's Stadium
     2. FIFA World Cup Bay Area, July 2026, Levi's Stadium
     3. FIFA World Cup Los Angeles, July 2026, SoFi Stadium
     4. LA28 Olympic & Paralympic Games, Summer 2028, 40+ venues in the Los Angeles area
  6. The cybersecurity challenge: interconnected systems

     (Diagram of interconnected systems; node labels as shown on the slide:)
     Transit Agency Data Hubs; System Integration; Analytics; Communications; P3 Agreements; Connected Services; Apps and Services; Mobility Services; Transit; Multimodal Services; Bike Sharing; Car Sharing; Dynamic Car Pooling; Interactive Kiosk; Smart Payments; Wi-Fi; Trip Planning; Rewards and Incentives; Real-Time Information; Connected Traveler; Automated Vehicles; Dynamic Parking; Traffic Management; TNCs; Microtransit; Car Companies; Taxis
     From DART presentation, October 2024, Cybersecurity Awareness for Transit Agencies Webinar, Federal Transit Administration Office of Transit Safety and Oversight
  7. Attack surface: operational vs. IT systems

     Dimension                        | Fare Collection                         | Communications (vehicles and stations) | Train Control | Traction Power and SCADA | Enterprise IT
     Exposure to public and Internet  | Very high (apps, web, APIs, validators) | High (PA/CIS, Wi-Fi)                   | Low           | Low                      | High
     Third-party dependencies         | High                                    | Medium                                 | Medium        | Medium                   | Very high
     Legacy and heterogeneity risk    | High                                    | High                                   | Medium        | Medium                   | Low
     Operational disruption potential | High (rider friction)                   | Medium                                 | Very high     | Very high                | Low
     Immediate safety impact          | Medium (crowded gates, fare disputes)   | Medium (emergency messages)            | High          | High                     | Low
     Data sensitivity                 | High (PII, travel history, payment)     | Medium (CCTV)                          | Low           | Low                      | High
  8. Fare collection systems cybersecurity risks

     1. Mobile and e-ticket: static or predictable QR codes; weak authentication in apps and APIs; clock tampering to extend/replay tickets
     2. Open-loop payments: PCI DSS scope mismanagement exposing payment details; point-of-sale malware
     3. Closed-loop fare media: cloneable RFID and magnetic stripes; weak cryptography for closed-loop, value-on-card systems
     4. Edge devices: unpatched operating systems for TVMs, gates, validators, infotainment; complex supply chain of third-party software components; communication with central servers
     5. Back office and cloud: weak segmentation allowing pivot into fare systems; misconfigured cloud storage, third-party integrations, and APIs exposing data; weak administrative access to portals; over-collection and retention of travel histories and personally identifiable info
     6. Business logic: fare-product logic flaws enabling fraud and threatening revenue integrity
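The mobile and e-ticket risks listed above (static or predictable QR codes, weak authentication, clock tampering to extend or replay tickets) are what a signed, time-bounded, single-use ticket token is meant to close off. The code below is an added example, not code from the presentation or from any agency's AFC system; the issuer key, ticket ids and timestamps are constructed, and the validator trusts its own clock rather than anything on the rider's phone.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by issuer and validators (assumption; a real
# deployment would keep this in an HSM or a per-validator key store).
ISSUER_KEY = b"constructed-demo-key-not-for-production"


def issue_ticket(ticket_id: str, issued_at: int, valid_for_s: int, key: bytes = ISSUER_KEY) -> str:
    """Return a QR-ready token: base64url(JSON payload) '.' base64url(HMAC-SHA256 tag).

    The unique ticket id and the issuer-fixed expiry are covered by the tag, so the
    token cannot be extended or altered by editing it on the phone."""
    payload = json.dumps(
        {"tid": ticket_id, "iat": issued_at, "exp": issued_at + valid_for_s},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


class Validator:
    """Gate/validator-side check; `seen` is the replay register of accepted ticket ids."""

    def __init__(self, key: bytes = ISSUER_KEY) -> None:
        self.key = key
        self.seen: set[str] = set()

    def validate(self, token: str, now: int) -> str:
        """Return "OK" or a rejection reason. `now` is the validator's own trusted
        (e.g. NTP-synced) clock, never a timestamp taken from the presented device."""
        try:
            p64, t64 = token.split(".")
            payload = base64.urlsafe_b64decode(p64)
            tag = base64.urlsafe_b64decode(t64)
        except ValueError:
            return "MALFORMED"
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "BAD_SIGNATURE"  # forged, or payload edited (e.g. expiry extended)
        fields = json.loads(payload)
        if now < fields["iat"] or now >= fields["exp"]:
            return "EXPIRED"  # device clock tampering cannot change this outcome
        if fields["tid"] in self.seen:
            return "REPLAYED"  # same token presented twice (e.g. a shared screenshot)
        self.seen.add(fields["tid"])
        return "OK"
```

In a fleet of validators the replay register would be shared (or reconciled against the back office) so a token accepted at one gate is rejected at every other.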
  9. AFC cyberattacks – impacts on public security

     1. Crowds: crowding at stations and platforms; emergency egress obstruction risk
     2. Disorder: breakdown of fare enforcement; frontline conflicts at gates and vehicles
     3. Security presence: operational distraction (incident management load); revenue loss (reduced security presence)
     4. Rider & staff privacy: trip history exposure (stalking, doxxing); breach of personal information
     5. Public trust: visible outage across agencies; loss of service availability
  10. Cyber insurance – improving underwriting terms

     MINIMUM CONTROLS: MFA, EDR, backups, patches, incident response plan, email/web protections, awareness trainings
     PCI DSS COMPLIANCE: card processing in app, website, POS, TVMs, gates, validators
     TSA SECURITY DIRECTIVE 1582: define, monitor, test Critical Cyber Systems (CCS)
     IT / OT SEGMENTATION: segmentation and allow-listing between corporate IT and fare collection system
     THIRD-PARTY GOVERNANCE: contractual security obligations for fare system integrators, service providers, and payment gateways
  11. Regulations, standards, and guidelines

     Transportation Security Administration
       TSA Security Directive 1582: cybersecurity requirements for passenger railroads and rail transit systems – cybersecurity coordinator; report cyber incidents; cybersecurity incident response plan; protect critical cyber systems; assess cyber defenses
     Federal Transit Administration
       Public Transportation Agency Safety Plan (PTASP): Safety Management System
       National Transit Database (NTD): upcoming, more detailed reporting of cybersecurity events
     Federal frameworks
       NIST Cybersecurity Framework: reference model for cyber risk governance
       CISA Cross-Sector Cybersecurity Performance Goals (CPG): minimum baseline safeguards applicable to critical infrastructure
     State privacy laws
       California CCPA/CPRA: data privacy obligations for rider accounts, trip history, and PII in California
       Other states: data privacy and breach notification laws
     Payment security
       PCI DSS: storing, processing, transmitting cardholder data
       EMVCo specifications: contact and contactless acceptance of open-loop payment cards
       ISO/IEC 14443: closed-loop proximity card standard and EMV contactless taps
     APTA guidance
       APTA Cybersecurity Considerations for Public Transit: governance, planning, incident response, and training
       APTA SS-CCS series: Control & Communications Security guidance for public transit operational systems
  12. TSA SD 1582 Critical Cyber System determination

     Any IT/OT system or data whose compromise could result in operational disruption:
     AFC back office: outage breaks boarding decisions at gates/validators; prevents hotlisting
     Communication networks: loss or compromise isolates field devices
     Integration with station systems: affects station crowd control/egress pathways and VMS gating modes
     Faregates, validators: outage or tampering forces fail-closed modes and creates unsafe crowding
     Mobile ticket validation: loss or manipulation blocks mobile boarding and inspection at scale
     TVMs and kiosks: outage or compromise blocks fare media issuance at major events
     Payment gateways: failure forces widespread free-ride or blocks validation, impacting throughput
     Inspector handhelds: prevents on-board validation and revenue protection
  13. Fare collection systems procurement and contracts

     Lifecycle: RFP -> Contract -> Design -> Build -> Test & commission -> Install -> Operate & maintain
     Security by design: no longer optional, regulators and funders expect it; payments compliance demands it; real-world outages show the cost of not doing it; addressing security earlier in the lifecycle reduces total cost
     Technical support: bundle supply with 10-20 year service level agreements; evaluate total cost of ownership before committing to a vendor; vendor incentivized to maintain system availability; patches, spare parts, upgrade path
  14. Bespoke system vs. shared ticketing platform

     1. Bespoke design-build: tailored systems built specifically for the agency; more control on rules and functionalities; the more customized, the more the agency bears the cost of obsolescence management; higher cost of maintaining the cybersecurity posture
     2. Shared platform: ascendant, multi-tenant, Fare Collection-as-a-Service model; cost savings of 40% to 70% compared to bespoke; obsolescence management cost amortized over multiple agencies; continuous software upgrades; gradual upgrade path for hardware
     Source: Total Cost of Ownership Analysis: Shared Platforms vs Bespoke Design-Build Fare Collection Systems, Consult Hyperion, May 2022
  15. AFC cyber incident response

     1. Safety first: decide gate/validator posture, fail-open vs. fail-closed; enable temporary free-ride mode if needed; freeze automations (pause hotlist pushes, fare rule changes, and device updates); disable remote support access; communicate with riders; restore operations
     2. Payment risk: isolate affected network segments and subsystems; isolate the Cardholder Data Environment; freeze batch settlement if data integrity is uncertain; alert vendors and partners
     3. Regulatory: preserve logs/artifacts, start chain of custody; notify TSA / CISA; coordinate with FBI; breach notification

     CISA Shares Lessons Learned from an Incident Response Engagement, Cybersecurity Advisory AA25-266A – September 23, 2025:
     "The agency did not test or exercise their incident response plan, nor did their IRP enable them to promptly engage third parties and grant third parties access to necessary resources."
  16. Thank you
     Joffrey Lauthier, Head of Rail North America, [email protected]
     FIFTH CONFERENCE ON TRANSIT TICKETING & FARE COLLECTION IN THE US 2025