
When People Are the Cargo

Aug 06, 2025


What Differentiates Public Transport From Other OT Technology

An Attack on Public Transport Is an Attack on the Public

When a cyberattack hits any sector of critical infrastructure, it can directly impact the public by rendering water undrinkable, shutting off the electricity, and otherwise disrupting people’s lives. But when it comes to public transit, the stakes are even higher: cybersecurity here isn’t just about keeping operations running, it’s about protecting people in motion.

When an attack happens in this sphere, it happens while people are physically present and vulnerable. In real time. In a tunnel. On a platform. That makes these attacks more visible, more chaotic, and potentially more dangerous. Threat actors aren’t just disrupting a service people use from a distance; they’re directly endangering lives in transit.

That’s the fundamental difference. Cybersecurity for freight railroads focuses on cargo and the cost of disruption. Although it’s expensive, cargo transport can be halted for a time while an attack is remediated. But in public transport, the “cargo” is people, and their lives can’t be paused when a server goes down. People still need to get to their destinations.

So, a cyberattack that disables ticket machines or shuts down scheduling systems doesn’t just “disrupt service.” It disrupts lives. It puts people in danger. It breaks public trust. People discover these attacks in real time, as they happen, and remember them. Transit’s high visibility, taxpayer funding, and role as a civic responsibility pull these incidents out of the IT/OT niche and into the limelight.


Public Transit Systems Are Uniquely Vulnerable

Almost every modern major city around the world has some kind of public transport system. Some combination of buses, subways, and light rail keeps people moving from place to place.

But even the most modern public transit systems weren’t designed with cybersecurity as a primary concern. They were built for efficiency, ease of use, and near-constant uptime. There are several factors that make these systems particularly exposed:


1. Always-on, Always-connected

Public transit runs on complex networks made up of many systems, each controlling a different part of a rider’s journey. All of them need to be protected, and the public generally has very little tolerance for delays or outages. Such systems include:

  • Downloadable apps that provide information about schedules and ticketing
  • Fare collection systems
  • Public Wi-Fi and station services
  • Scheduling and dispatch systems
  • Onboard GPS that tracks vehicle location and helps route around traffic
  • Employee login and validation systems

The result is often a messy mix of IT and OT systems, some brand-new and modern, some legacy and hard to upgrade. As the TXOne Annual OT/ICS Cybersecurity Report 2024 notes, 85% of OT environments don’t patch regularly, and transit is no exception. Patch delays can leave known vulnerabilities exposed for months.


2. Built for Access, Not Restriction

You can’t air-gap a city bus. The whole purpose of public transit is that it is widely open and accessible. Literally anyone can walk into a station and use a ticketing machine kiosk. That openness makes the system available to all, but it also makes it vulnerable.

There’s no such thing as a “trusted user” in a subway station. And there’s no easy way to implement MFA on a ticketing system. That means things like ticket machines, public Wi-Fi, and even intercom systems can be easily exploited, especially when they’re running on old hardware or haven’t been patched in years.


3. Chronic Budget Pressure

Public transit is expensive; it is often one of the largest line items in a city’s budget. Most transit agencies have to walk a fine line between political reality, public need, and union demands. Upgrading cyber defenses or adding IT staff costs money, and there’s usually not enough of it to go around. Budgets tend to go toward salaries, keeping the system running, and just trying to stay ahead of breakdowns.

That means cybersecurity often gets left out. Not because no one cares, but because it’s easier to defer when no one is advocating for it. Deferred maintenance, legacy infrastructure, and limited staff are the norm. According to TXOne’s report, only 25% of organizations have full asset visibility across their OT systems. Without full asset visibility, defenses will remain porous.


Recent Cyberattacks on Public Transit

There have been a number of high-profile attacks on public transit systems in recent years, affecting millions of riders.

In London, a 2024 cyberattack took down Transport for London’s real-time service information, leaving riders in the dark and scrambling to reroute. The confusion rippled across buses, trains, and tube lines.

A 2025 Russian cyberattack on Ukraine’s national rail system forced train reroutes during a civilian evacuation. Without automated controls, moving civilians to a safer location became slower and riskier, compounding the stress and displacement of an already traumatized population.

Honolulu, Hawaii was hit by a ransomware attack against its Oahu Transit Services less than a year after its much-delayed Skyline rail project was finally launched. Card readers and transit vans were disrupted by the attack. While Skyline itself wasn’t directly impacted, the timing of the attack added to public frustration and led to widespread media coverage and criticism of the system’s overall resilience.

In Seattle, a 2024 attack brought down the airport link’s ticketing system during peak hours. With no way to pay or board, riders were stranded and service ground to a halt.

On the other side of the globe, in Auckland, New Zealand in 2023, the Medusa ransomware gang claimed credit for a ransomware attack against its public transit’s ticketing and customer service systems. The city allowed riders to travel for free if they couldn’t add money to their transit cards, a decision which kept people moving but racked up millions in lost revenue for the city.

In all these instances, these aren’t just outages; they’re civic breakdowns. And the harm falls unevenly. Wealthy commuters can call a rideshare or find an alternate means of travel. Lower-income and more vulnerable populations often can’t.

When that trust breaks, when systems meant to serve the public fail under stress, the consequences are lasting. Riders may stop relying on transit. Ironically, public funding may shrink if the public thinks the money isn’t being well spent. And worst of all, agencies may fall into fear-driven decision-making rather than proactive planning.


The Cyber Risks Unique to Public Transit

Public transit systems don’t just have one attack surface. They have many. Every rider touchpoint is a potential entry point. And attackers are noticing.

  • Physical Access: Open stations, publicly accessible vehicles, and crowded spaces make physical tampering easier.
  • Authentication Gaps: Systems are designed for anonymous use. There’s no login required to swipe a card or use a kiosk and definitely no opportunity for MFA.
  • Multiple Endpoints: A large city can have literally dozens of stations, each with multiple devices, making upkeep and maintenance challenging.
  • Limited Cyber Budgets: Funding is stretched across operations, with little left to dedicate to cybersecurity.
  • Low Redundancy: Backup systems are rare, and outages can take down core services.
  • High Visibility: Failures are public and immediately reported on, tweeted about, and felt citywide.

In 2024, ransomware groups like RansomHub increasingly targeted SCADA systems in OT environments. TXOne’s report notes a rise in malware strains like FrostyGoop and IOCONTROL, explicitly built for ICS targets. When even elevators and intercoms can be exploited, the urgency for protection increases.


Human-Centric Cyber Defense

What does defense look like when infrastructure is open-access by design, budgets are tight, and the “cargo” is the general public? The focus shouldn’t just be on protecting systems. It has to be about keeping people moving, even when things go wrong.

1. Design for Resilience, Not Just Prevention

As with all OT cybersecurity, prevention is ideal. But in public transit systems, response matters even more. Your security plan must still be able to protect and assist the public, even during an attack.

  • Build in fail-safe modes for ticketing and scheduling systems.

TXOne’s EdgeIPS series are inline appliances placed at chokepoints in the network to inspect traffic and communications, so that only expected protocols and commands get through. Most importantly, they have hardware bypass: if the security appliance itself fails, traffic keeps flowing. That supports continuity for critical fare collection and scheduling systems.
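A fail-safe mode for ticketing is a design decision rather than a product feature, so here is a concrete illustration of one: a fare gate that degrades gracefully when its back end is unreachable. This is an added example written for this post, not TXOne code or any agency’s actual fare logic. The fare amount, the per-card offline cap, the cache staleness window, and the three-tier policy (charge online; charge from a cached balance while offline and queue the charge; otherwise admit and log) are all assumptions, and the back-end interface is a stand-in.

```python
"""Fail-safe fare gate: keep riders moving when the ticketing back end is down.

Illustrative example, not agency or vendor code. Assumed policy:
  ONLINE     back end reachable: charge the card, deny if the balance is insufficient
  DEGRADED   back end down, trusted cached balance: charge offline, queue for settlement
  FAIL_OPEN  back end down, no trusted balance: admit and log (a lost fare beats a stranded rider)
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any

FARE = 2.75              # assumed flat fare
OFFLINE_CAP = 3          # max offline charges per card per outage (bounds exposure)
STALE_AFTER = 24 * 3600  # a cached balance older than this (seconds) is not trusted


class BackendDown(Exception):
    """Raised by the back end when it cannot be reached."""


class Mode(Enum):
    ONLINE = "online"
    DEGRADED = "degraded"
    FAIL_OPEN = "fail-open"


@dataclass
class Decision:
    admit: bool
    mode: Mode
    reason: str


@dataclass
class Gate:
    # Stand-in back end: charge(card_id, amount) -> remaining balance, or None if insufficient,
    # raising BackendDown when unreachable.
    backend: Any
    cache: dict = field(default_factory=dict)         # card_id -> (balance, fetched_at)
    offline_taps: dict = field(default_factory=dict)  # card_id -> charges taken offline
    pending: list = field(default_factory=list)       # (card_id, amount) awaiting settlement
    audit: list = field(default_factory=list)         # (card_id, time, event) for later review

    def tap(self, card_id: str, now: float) -> Decision:
        try:
            remaining = self.backend.charge(card_id, FARE)
        except BackendDown:
            return self._offline_tap(card_id, now)
        if remaining is None:
            return Decision(False, Mode.ONLINE, "insufficient balance")
        self.cache[card_id] = (remaining, now)   # refresh the trusted balance
        self.offline_taps.pop(card_id, None)     # the outage is over for this card
        return Decision(True, Mode.ONLINE, "charged")

    def _offline_tap(self, card_id: str, now: float) -> Decision:
        cached = self.cache.get(card_id)
        if cached is None or now - cached[1] > STALE_AFTER:
            self.audit.append((card_id, now, "fail-open admit"))
            return Decision(True, Mode.FAIL_OPEN, "no trusted balance; admitted, fare uncollected")
        balance, _ = cached
        taps = self.offline_taps.get(card_id, 0)
        if taps < OFFLINE_CAP and balance - taps * FARE >= FARE:
            self.offline_taps[card_id] = taps + 1
            self.pending.append((card_id, FARE))
            return Decision(True, Mode.DEGRADED, "charged offline; queued for settlement")
        # Cap reached or cached balance exhausted: still admit, but record it for review.
        self.audit.append((card_id, now, "degraded admit, fare uncollected"))
        return Decision(True, Mode.DEGRADED, "admitted; fare uncollected")

    def settle(self, now: float) -> int:
        """Replay queued offline charges once the back end is back. Returns the number settled."""
        settled = 0
        while self.pending:
            card_id, amount = self.pending[0]
            try:
                remaining = self.backend.charge(card_id, amount)
            except BackendDown:
                break                      # still down; keep the queue intact
            self.pending.pop(0)
            settled += 1
            if remaining is None:
                # Balance was spent elsewhere during the outage: revenue loss, recorded
                self.audit.append((card_id, now, "settlement failed, insufficient balance"))
        return settled
```

The cap bounds how much revenue a single card can accumulate in unsettled charges while the back end is down, and the audit list is what finance and security review afterwards. Admitting riders rather than turning them away is the same trade-off Auckland made in 2023: lost fares over lost mobility.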


  • Create manual overrides for safety-critical OT assets.

  • Use virtual patching where live updates are too risky.

For endpoints that can’t be patched, such as Windows XP and other legacy assets, EdgeIPS devices can shield the unpatched asset with intrusion prevention and exploit filtering: if an exploit is sent toward the endpoint, it is blocked in transit. This strategy, often called “virtual patching,” keeps critical operations protected even without traditional software updates.


2. Prioritize Fast Recovery

Fast recovery isn’t a luxury, it’s a public service. Agencies need response plans tailored to OT disruption:

  • Isolate affected zones

TXOne’s EdgeIPS goes beyond segmenting networks by IP or port. It inspects industrial traffic to understand who is talking to whom, which OT protocol is in use (e.g., Modbus or S7), and which specific commands are being sent. This lets administrators and operators divide the network into enforceable zones that block malicious behavior at the command level. Combined with EdgeOne, which provides centralized control of all EdgeIPS devices, it becomes simple to contain incidents, keep unaffected segments operational, and recover quickly.
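As an added illustration of what command-level zone enforcement and the virtual patching described under “Design for Resilience” look like at the packet level, the following Python filter parses Modbus/TCP frames, rejects frames whose MBAP header is inconsistent before they can reach a legacy controller, and applies a per-zone allowlist of function codes. This is example code written for this post, not TXOne code and not how EdgeIPS is implemented; the host-to-zone map, the zone policy, and the sample frames are constructed for the example.

```python
"""Command-level zone enforcement for Modbus/TCP (illustrative, not product code)."""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification)
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

READ_ONLY = {READ_COILS, READ_HOLDING_REGISTERS}
READ_WRITE = READ_ONLY | {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}

# Hypothetical hosts and zones (assumed for this example)
ZONE_OF_HOST = {
    "10.1.0.5": "engineering",   # engineering workstation
    "10.2.0.10": "scada-hmi",    # operator HMI in the control room
    "10.9.0.7": "corporate-it",  # ticketing back office
}

# Function codes each zone may send towards the platform-door / signal PLCs.
# A zone that is missing here (or "unknown") gets an empty set: default deny.
POLICY = {
    "engineering": READ_WRITE,
    "scada-hmi": READ_ONLY | {WRITE_SINGLE_COIL},  # operators may toggle an output
    "corporate-it": set(),                          # IT never talks Modbus to OT
}


@dataclass
class Verdict:
    allow: bool
    reason: str


def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code, data), or None if malformed.

    MBAP header: transaction id (2 bytes), protocol id (2, must be 0),
    length (2, counts unit id + PDU), unit id (1); the PDU follows.
    """
    if len(frame) < 8:
        return None
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length > 254 or length != len(frame) - 6:
        return None
    return tid, unit_id, frame[7], frame[8:]


def filter_frame(src_ip: str, frame: bytes) -> Verdict:
    """Inline decision for one client-to-server Modbus/TCP frame."""
    parsed = parse_mbap(frame)
    if parsed is None:
        # Virtual-patching angle: a frame whose declared length disagrees with the
        # bytes on the wire is dropped here, so the controller's parser never sees it.
        return Verdict(False, "malformed MBAP header")
    _, unit_id, fc, _ = parsed
    zone = ZONE_OF_HOST.get(src_ip, "unknown")
    if fc not in POLICY.get(zone, set()):
        return Verdict(False, f"zone {zone} may not send function code 0x{fc:02x}")
    return Verdict(True, f"zone {zone} fc 0x{fc:02x} to unit {unit_id}")


def build_frame(tid: int, unit_id: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    # Constructed sample traffic: a read from the HMI, a write from IT, a write from engineering
    samples = [
        ("10.2.0.10", build_frame(1, 1, READ_HOLDING_REGISTERS, b"\x00\x00\x00\x0a")),
        ("10.9.0.7", build_frame(2, 1, WRITE_SINGLE_COIL, b"\x00\x01\xff\x00")),
        ("10.1.0.5", build_frame(3, 1, WRITE_MULTIPLE_REGISTERS, b"\x00\x00\x00\x01\x02\x00\x00")),
    ]
    for ip, frame in samples:
        v = filter_frame(ip, frame)
        print("ALLOW" if v.allow else "DROP ", ip, v.reason)
```

The policy is keyed on what a zone is allowed to do, not on which IP or port it uses, which is the difference between a firewall rule and command-level segmentation: the HMI zone can read and flip a coil but cannot rewrite register blocks, and the ticketing back office cannot speak Modbus to OT at all.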


  • Alert riders and staff immediately

While SageOne doesn’t send public alerts, it gives operators a centralized, real-time view of threats across all TXOne platforms. This faster situational awareness enables quicker decisions—like rerouting service or triggering public communications through existing channels. These tools can also link up with alerting or dispatch platforms, so that when a threat is detected, the right people are immediately notified, and the system can quickly respond.


  • Reroute or reassign service

During an attack, transit operations may need to shift control to a backup dispatch center or redirect communications between zones. EdgeFire, a next-generation industrial firewall, is designed for exactly these scenarios. It can establish secure VPN tunnels—for example, between headquarters and bus depots—and supports IPSec, NAT, and VLAN trunking to protect rerouted traffic. This gives operators control over distributed assets without exposing the broader network.


  • Communicate transparently with the public

With ElementOne, agencies can quickly generate consolidated reports of scan results, asset status, and vulnerabilities. This makes it easier to brief leadership, inform regulators, and maintain trust with the public.

Resilience means having not just Plan A, but Plan B, Plan C, and Plan D ready.


3. Protect the Most Vulnerable First

Cybersecurity decisions must factor in equity:

  • What happens if riders can’t access digital payment?
  • Who is affected most if elevators stop working?
  • How can agencies maintain ADA compliance under cyber duress?

While no single cybersecurity product can solve equity challenges, some solutions can at least keep accessibility-critical systems available. Older kiosks, ticketing machines, or elevator controllers that often rely on unpatchable Windows systems can be protected by Stellar Legacy Mode. The spread of malware during system updates can be curbed with the Portable Inspector, whose USB form factor offers a plug-and-play way to scan endpoints like station kiosks or engineering laptops before or after they’re accessed. As for removable media such as USB drives brought in by staff or vendors, Safe Port provides an inspection station that verifies that only clean files are granted entry. In this way, agencies can protect the infrastructure that vulnerable riders rely on.


Cyber Resilience Is a Public Good

When cities invest in transit cybersecurity, they’re not just defending networks. They’re defending dignity, mobility, and access. Security can’t be an add-on. It must be baked into transit design, funding models, and public policy. Because every public system is only as strong as the public’s ability to trust it.


TXOne Networks
