
Cyber Resilience: Protecting Riders & Revenue

Joffrey Lauthier
November 05, 2025

Cyber Resilience: Protecting Riders & Revenue

The cybersecurity threat landscape around ticketing systems
Complying with the TSA Security Directives and your Public Transportation Agency Safety Plan
Security-by-design and the procurement of AFC systems

Transit Ticketing & Fare Collection in the US 2025, Global Mass Transit
November 5, 2025 - San Francisco, California


Transcript

  1. Cyber Resilience: Protecting Riders & Revenue
     Transit Ticketing & Fare Collection in the US | Joffrey Lauthier | San Francisco | November 5, 2025
  2. Transit ticketing incidents
     RANSOMWARE, SEPT. 2025: Bus and rail operations disrupted; paratransit booking channel down; rider data exposed
     RANSOMWARE, JUNE 2024: Rider website down; card readers down; rider data exposed
     PRIVACY BREACH, AUG. 2023: Design flaw exposed rider history on the OMNY website; stalking risk even without account authentication
     HACK DEMO, AUG. 2023: DEF CON demo rewriting MBTA RFID fare cards to add value and ride privileges
     Transit Ticketing & Fare Collection in the US 2025 – Cyber Resilience that Protects Riders and Revenue
  3. Transport cybersecurity threats
     Prime threats to the transport sector, January 2021 to October 2022 (ENISA Threat Landscape: Transport Sector, March 2023, The European Union Agency for Cybersecurity)
     OT Incidents With Physical Consequences, 2010 to 2024 (Waterfall Security + ICS STRIVE, 2025 OT Cyber Threat Report)
     "Making up 37% of all attacks, the transportation industry was the single biggest vertical impacted by OT cyber attacks with physical consequences in 2024."
  4. THREAT ACTORS / MOTIVATION: Global cyber threats to the transport sector, 2021-22
     Source: The European Union Agency for Cybersecurity, ENISA Threat Landscape: Transport Sector, March 2023
  5. California hosting high-profile events
     1 SUPER BOWL LX, SANTA CLARA: February 2026, Levi's Stadium
     2 FIFA WORLD CUP BAY AREA: July 2026, Levi's Stadium
     3 FIFA WORLD CUP LOS ANGELES: July 2026, SoFi Stadium
     4 LA28 OLYMPIC & PARALYMPIC GAMES: Summer 2028, 40+ venues in the Los Angeles area
  6. The cybersecurity challenge: interconnected systems
     From DART presentation, October 2024, Cybersecurity Awareness for Transit Agencies Webinar, Federal Transit Administration Office of Transit Safety and Oversight
     Diagram labels: Transit Agency Data Hubs; System Integration; Analytics; Communications; P3 Agreements; Connected Services; Apps and Services; Mobility Services; Transit Multimodal Services; Bike Sharing; Car Sharing; Dynamic Car Pooling; Interactive Kiosk; Smart Payments; Wi-Fi; Trip Planning; Rewards and Incentives; Real-Time Information; Connected Traveler; Automated Vehicles; Dynamic Parking; Traffic Management; TNCs; Microtransit; Car Companies; Taxis
  7. Attack surface: operational vs. IT systems
     Columns: Fare Collection | Communications (vehicles and stations) | Train Control | Traction Power and SCADA | Enterprise IT
     Exposure to public and Internet: Very high (apps, web, APIs, validators) | High (PA/CIS, Wi-Fi) | Low | Low | High
     Third-party dependencies: High | Medium | Medium | Medium | Very high
     Legacy and heterogeneity risk: High | High | Medium | Medium | Low
     Operational disruption potential: High (rider friction) | Medium | Very high | Very high | Low
     Immediate safety impact: Medium (crowded gates, fare disputes) | Medium (emergency messages) | High | High | Low
     Data sensitivity: High (PII, travel history, payment) | Medium (CCTV) | Low | Low | High
  8. Fare collection systems cybersecurity risks
     1 MOBILE AND E-TICKET: Static or predictable QR codes; weak authentication in apps and APIs; clock tampering to extend/replay tickets
     2 OPEN-LOOP PAYMENTS: PCI DSS scope mismanagement exposing payment details; point-of-sale malware
     3 CLOSED-LOOP FARE MEDIA: Cloneable RFID and magnetic stripes; weak cryptography for closed-loop, value-on-card systems
     4 EDGE DEVICES: Unpatched operating systems for TVMs, gates, validators, infotainment; complex supply chain of third-party software components; communication with central servers
     5 BACK OFFICE AND CLOUD: Weak segmentation allowing pivot into fare systems; misconfigured cloud storage, third-party integrations, and APIs exposing data; weak administrative access to portals
     6 BUSINESS LOGIC: Over-collection and retention of travel histories and personally identifiable information; fare-product logic flaws enabling fraud and threatening revenue integrity
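As an added example (not from the deck or its author), here is the mitigation pattern for the mobile/e-ticket risks above: a signed, time-bound, single-use ticket token that a gate or validator checks against its own clock and its own replay store, so a static or predictable QR code cannot be reused and an edited expiry fails the integrity check. The key, rider, product and time values are constructed for the demonstration.

```python
# Added example (not from the deck): a signed, time-bound, single-use mobile
# ticket token, as a mitigation for the slide-8 risks of static or predictable
# QR codes and clock tampering to extend or replay tickets. The validator
# trusts only its own clock and replay store. Key and values are constructed.
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-demo-key-not-for-production"

def _encode(body: dict) -> str:
    raw = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()

def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_ticket(key: bytes, rider: str, product: str, nbf: int, exp: int) -> str:
    """QR payload = base64url(JSON) + '.' + HMAC-SHA256 tag. The random ticket
    id (jti) makes each code unpredictable and keys the single-use check."""
    body = {"jti": secrets.token_hex(8), "rider": rider, "product": product, "nbf": nbf, "exp": exp}
    payload = _encode(body)
    return f"{payload}.{_mac(key, payload)}"

def tamper_expiry(token: str, new_exp: int) -> str:
    """Ticket re-encoded with a new expiry but the old tag (an edited QR)."""
    payload, _, tag = token.rpartition(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["exp"] = new_exp
    return f"{_encode(body)}.{tag}"

class Validator:
    """Gate/validator-side checks: integrity, validity window, single use."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # replay store; shared across devices in practice

    def check(self, token: str, now: int) -> tuple:
        payload, _, tag = token.rpartition(".")
        if not hmac.compare_digest(tag, _mac(self.key, payload)):
            return False, "bad signature"  # forged or edited fields
        body = json.loads(base64.urlsafe_b64decode(payload))
        # 'now' is the validator's own trusted clock, never the phone's.
        if now < body["nbf"]:
            return False, "not yet valid"
        if now > body["exp"]:
            return False, "expired"
        if body["jti"] in self.seen:
            return False, "replay"  # already scanned at a gate
        self.seen.add(body["jti"])
        return True, "ok"
```

In a deployed system the replay store must be shared (or synchronised) across validators and the validity window kept short, otherwise a token scanned at one gate can still be presented at another.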
  9. AFC cyberattacks – impacts on public security
     1 CROWDS: Crowding at stations and platforms; emergency egress obstruction risk
     2 DISORDER: Breakdown of fare enforcement; frontline conflicts at gates and vehicles
     3 SECURITY PRESENCE: Operational distraction – incident management load; revenue loss – reduced security presence
     4 RIDER & STAFF PRIVACY: Trip history exposure – stalking, doxxing; breach of personal information
     5 PUBLIC TRUST: Visible outage across agencies; loss of service availability
  10. Cyber insurance – improving underwriting terms
     MINIMUM CONTROLS: MFA, EDR, backups, patches, incident response plan, email/web protections, awareness training
     PCI DSS COMPLIANCE: Card processing in app, website, POS, TVMs, gates, validators
     TSA SECURITY DIRECTIVE 1582: Define, monitor, test Critical Cyber Systems (CCS)
     IT / OT SEGMENTATION: Segmentation and allow-listing between corporate IT and the fare collection system
     THIRD-PARTY GOVERNANCE: Contractual security obligations for fare system integrators, service providers, and payment gateways
  11. Regulations, standards, and guidelines
     Transportation Security Administration: TSA Security Directive 1582 – cybersecurity requirements for passenger railroads and rail transit systems: cybersecurity coordinator; report cyber incidents; cybersecurity incident response plan; protect critical cyber systems; assess cyber defenses
     Federal Transit Administration: Public Transportation Agency Safety Plan (PTASP) – Safety Management System; National Transit Database (NTD) – upcoming: more detailed reporting of cybersecurity events
     Federal frameworks: NIST Cybersecurity Framework – reference model for cyber risk governance; CISA Cross-Sector Cybersecurity Performance Goals (CPG) – minimum baseline safeguards applicable to critical infrastructure
     State privacy laws: California CCPA/CPRA – data privacy obligations for rider accounts, trip history, and PII in California; other states – data privacy and breach notification laws
     Payment security: PCI DSS – storing, processing, transmitting cardholder data; EMVCo specifications – contact and contactless acceptance of open-loop payment cards; ISO/IEC 14443 – closed-loop proximity card standard and EMV contactless taps
     APTA guidance: APTA Cybersecurity Considerations for Public Transit – governance, planning, incident response, and training; APTA SS-CCS series – Control & Communications Security guidance for public transit operational systems
  12. TSA SD 1582 Critical Cyber System determination
     Any IT/OT system or data whose compromise could result in operational disruption
     AFC BACK OFFICE: Outage breaks boarding decisions at gates/validators; prevents hotlisting
     COMMUNICATION NETWORKS: Loss or compromise isolates field devices
     INTEGRATION WITH STATION SYSTEMS: Affects station crowd control/egress pathways and VMS gating modes
     FAREGATES, VALIDATORS: Outage or tampering forces fail-closed modes and creates unsafe crowding
     MOBILE TICKET VALIDATION: Loss or manipulation blocks mobile boarding and inspection at scale
     TVMS AND KIOSKS: Outage or compromise blocks fare media issuance at major events
     PAYMENT GATEWAYS: Failure forces widespread free-ride or blocks validation, impacting throughput
     INSPECTOR HANDHELDS: Loss prevents on-board validation and revenue protection
  13. Fare collection systems procurement and contracts
     Lifecycle: RFP – CONTRACT – DESIGN – BUILD – INSTALL – TEST & COMMISSION – OPERATE & MAINTAIN
     SECURITY BY DESIGN: No longer optional: regulators and funders expect it; payments compliance demands it; real-world outages show the cost of not doing it; addressing security earlier in the lifecycle reduces total cost
     TECHNICAL SUPPORT: Bundle supply with 10-20 year service level agreements; evaluate total cost of ownership before committing to a vendor; vendor incentivized to maintain system availability; patches, spare parts, upgrade path
  14. Bespoke system vs. shared ticketing platform
     1 BESPOKE DESIGN-BUILD: Tailored systems built specifically for the agency; more control over rules and functionality; the more customized, the more the agency bears the cost of obsolescence management; higher cost of maintaining the cybersecurity posture
     2 SHARED PLATFORM: Ascendant, multi-tenant, Fare Collection-as-a-Service model; cost savings of 40% to 70% compared to bespoke; obsolescence management cost amortized across multiple agencies; continuous software upgrades; gradual upgrade path for hardware
     Source: Total Cost of Ownership Analysis: Shared Platforms vs Bespoke Design-Build Fare Collection Systems, Consult Hyperion, May 2022
  15. AFC cyber incident response
     1 SAFETY FIRST: Decide gate/validator posture: fail-open vs. fail-closed; enable temporary free-ride mode if needed; freeze automations: pause hotlist pushes, fare rule changes, and device updates; disable remote support access; communicate with riders; restore operations
     2 PAYMENT RISK: Isolate affected network segments and subsystems; isolate the Cardholder Data Environment; freeze batch settlement if data integrity is uncertain; alert vendors and partners
     3 REGULATORY: Preserve logs/artifacts and start chain of custody; notify TSA / CISA; coordinate with FBI; breach notification
     "The agency did not test or exercise their incident response plan, nor did their IRP enable them to promptly engage third parties and grant third parties access to necessary resources." – CISA Shares Lessons Learned from an Incident Response Engagement, Cybersecurity Advisory AA25-266A, September 23, 2025
  16. Thank you
     FIFTH CONFERENCE ON TRANSIT TICKETING & FARE COLLECTION IN THE US 2025
     Joffrey Lauthier, Head of Rail North America, [email protected]