CybrIQ for government · State & Local · Transit & transportation
Transit & surface transportation

Signaling networks, fare collection, station BAS, and the connected-bus telemetry gateway — the visibility TSA Security Directives now expect.

Since the 2021 ransomware incidents in surface transportation, TSA has issued Security Directives covering passenger rail, freight rail, and rail-related transit. APTA's cybersecurity guidance has hardened in parallel. The recurring expectation: a current inventory of critical cyber systems and a documented assessment of what's connected to them. CybrIQ produces that inventory across signaling systems, fare-collection terminals, station building automation, vehicle telemetry gateways, and the IT side that intersects with all of them.

What's regulated and who's asking

  • TSA Security Directive 1580/82-2022-01 (Higher-Risk Freight Railroads). Critical cyber system inventory, cybersecurity coordinator, reporting cybersecurity incidents to CISA.
  • TSA SD 1580-21-01A and 1582-21-01A (Surface Transportation). Cybersecurity vulnerability assessment, cybersecurity incident response plan.
  • TSA SD Pipeline-2021-02D (and related pipeline SDs). Where transit agencies interconnect with pipeline operators, the inventory expectation crosses boundaries.
  • APTA Cybersecurity Considerations for Public Transit. Identify-Protect-Detect-Respond-Recover framing, modeled on NIST CSF.
  • FTA cybersecurity programs. Federal Transit Administration grant programs increasingly require cyber posture evidence.
  • State DOT cybersecurity policies. Many state DOTs have cyber requirements that flow down to transit authorities, port authorities, and toll authorities.
  • ITS / V2X / connected-vehicle infrastructure. Roadside units (RSUs), DSRC/C-V2X equipment, traffic-signal controllers, and signal-cabinet PLCs all carry asset-inventory expectations under USDOT and state DOT programs.

Why the device-inventory question is hard for a transit agency

  • Signaling networks are operational and brittle. Block signaling, train-control systems (CBTC, PTC), and interlocking PLCs cannot accept active scanning or agent installation.
  • Fare-collection terminals span jurisdictions. A regional transit system may operate gates and fareboxes across dozens of stations operated by different agencies. The inventory of what's on each segment is rarely consolidated.
  • Station infrastructure is messy. HVAC, lighting controls, public-address systems, dynamic-information displays, CCTV — most of it on flat or lightly-segmented networks.
  • Vehicle telemetry gateways are exposed. Buses, light-rail vehicles, and rail consists carry cellular gateways for telemetry, schedule update, and passenger Wi-Fi. The inventory of which gateways are on which network is often vendor-supplied and out of date.
  • Vendor and contractor presence. Signal-system vendors, fare-system integrators, station-finish contractors — all plug equipment in routinely.

CybrIQ identification approach on operational-technology and signaling networks

Signaling-system PLCs, HMI workstations, RTUs, IEDs, fare-system controllers, and vendor-supplied OEM gear are connected through managed switches. CybrIQ's External Scan Engine (ESE) reads switch-side signals (link negotiation, MAC OUI, LLDP, port statistics, VLAN context) through SNMP with read-only credentials. The signaling segment itself is never actively scanned or probed, and no agents are installed on operational devices, PLCs, HMIs, RTUs, fare terminals, or vehicle-telemetry gateways. Traffic between the ESE and the main instance uses SSL and stays internal to the customer network.

Output: per-device inventory, relabel-resistant identification, unauthorized-device events, signed audit trail with SHA-256.

What never enters the signaling or operational segments: SPAN ports, mirror ports, inline taps, packet capture, DPI, agents on operational devices, vendor cloud connectivity from the OT side.

How CybrIQ identifies devices on a transit network

  • Switch-side, read-only signals. Identification from managed switches via SNMP with read-only credentials. No active scanning of OT segments. No agents on PLCs, RTUs, vehicle-telemetry gateways, or fare terminals.
  • Transportation-OT reference library. The Device DNA library identifies signaling and traffic-control PLC families, fare-system vendor hardware classes, vehicle telemetry gateway classes, RSU / DSRC / C-V2X equipment, and station BAS controllers.
  • Cross-segment visibility. One deployment covers signaling, fare, station, IT, and ITS roadside-unit segments — provided the segments share managed-switch infrastructure CybrIQ can read against.
  • Unauthorized-device detection. Vendor laptop on a signaling-vendor maintenance VLAN that should have been disconnected. A wireless bridge installed during a station-finish project. A USB-to-Ethernet adapter on a fare terminal.
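
An illustration of the switch-side, read-only approach and the unauthorized-device detection described above, added here as an example and not CybrIQ's code. It parses a constructed BRIDGE-MIB forwarding-table walk of the kind a read-only SNMP poll of a managed switch returns, compares it with an approved baseline, and hash-chains the resulting events with SHA-256; the walk data, the `BASELINE` mapping, and all function names are assumptions.

```python
import hashlib, json, re

# Constructed `snmpwalk -On` output for BRIDGE-MIB dot1dTpFdbPort:
# .1.3.6.1.2.1.17.4.3.1.2.<MAC as six decimal octets> = learned bridge port.
WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.28.6.17.34.51 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.128.244.170.187.204 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.2.66.172.1.2.3 = INTEGER: 7
"""
# Hypothetical approved baseline for this switch: MAC -> expected bridge port.
BASELINE = {"00:1c:06:11:22:33": 3, "00:80:f4:aa:bb:cc": 4}
FDB = re.compile(r"^\.1\.3\.6\.1\.2\.1\.17\.4\.3\.1\.2\.((?:\d+\.){5}\d+) = INTEGER: (\d+)$")

def parse_fdb(walk):
    """Return {mac: bridge_port}; lines for other OIDs or errors are skipped."""
    table = {}
    for line in walk.splitlines():
        m = FDB.match(line.strip())
        if m:
            octets = [int(o) for o in m.group(1).split(".")]
            table[":".join(f"{o:02x}" for o in octets)] = int(m.group(2))
    return table

def diff_events(fdb, baseline):
    """Flag MACs absent from the baseline or learned on an unexpected port."""
    events = []
    for mac, port in sorted(fdb.items()):
        if mac not in baseline:
            kind = "unknown_device"
        elif baseline[mac] != port:
            kind = "moved_port"
        else:
            continue
        # Bit 0x02 of the first octet marks a locally administered (non-burned-in) MAC.
        events.append({"mac": mac, "port": port, "event": kind,
                       "locally_administered": bool(int(mac[:2], 16) & 0x02)})
    return events

def chain(events, prev="0" * 64):
    """Hash-chain records (a stand-in for signing): editing one changes all later digests."""
    out = []
    for e in events:
        digest = hashlib.sha256((prev + json.dumps(e, sort_keys=True)).encode()).hexdigest()
        out.append({**e, "prev": prev, "sha256": digest})
        prev = digest
    return out
```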

Reporting alignment

  • TSA SD critical cyber system inventory. Per-segment device inventory with class, vendor, model. Updated as systems change.
  • TSA cybersecurity vulnerability assessment. The inventory is the input layer; the assessment is conducted against it.
  • TSA cybersecurity incident reporting. Device-level audit trail for the reportable-incident timeline.
  • APTA framing for board / oversight reporting. The Identify function output, in language the agency's board reads.
  • FTA grant-reporting alignment. Pre- and post-investment device-visibility numbers for grant-period evaluation.

Recent incident context

  • NY MTA (Apr 2021). APT exploitation in agency systems disclosed publicly. Triggered hardening across major US transit agencies.
  • SF Bay Area transit, Denver RTD, other US agencies (2022-2024). Ransomware and unauthorized-access incidents at fare and operations systems. Each raised the floor of carrier and oversight expectation.
  • Volt Typhoon advisories (CISA AA24-038A and related). Specifically named US transportation infrastructure as targeted for pre-positioning on edge devices. The relevance for transit IT: every connected edge device is now an inventory question.

Schedule a transit briefing

30 minutes. We walk CybrIQ against your specific signaling, fare, station, and vehicle-telemetry topology, your active TSA SD obligations, and your APTA-aligned reporting cycle.
