Closing the OT Cybersecurity Readiness Gap in Transit

Shaked Kafzan
May 12, 2025

The 2025 Mineta Institute report delivers a sobering conclusion: the U.S. transit sector, especially small and mid-sized operators, is falling dangerously short on cybersecurity readiness. Despite years of warnings, free federal guidance, and escalating threats, basic protections are still lacking. For the rail sector, this isn’t just a technical oversight; it’s a threat to operational continuity and passenger safety. At Cervello, we view this gap as a critical call to action.

What the Report Reveals

The MTI’s April 2025 report, titled “Does the Transit Industry Understand the Risks of Cybersecurity and are the Risks Being Appropriately Prioritized?”, shows:

  • 57% of transit agencies lack a documented cybersecurity incident response plan.
  • Over one-third have never conducted a cybersecurity assessment.
  • More than half do not include cybersecurity clauses in vendor contracts.
  • 60% do not have a single employee with a cybersecurity certification.

These findings confirm that cybersecurity weaknesses are systemic and not limited to underfunded operators. They also point to a dangerous underestimation of Operational Technology (OT) threats across the sector.

Why It Matters for Rail OT

While the report addresses surface transit broadly, its insights are particularly urgent for rail operators. The convergence of IT and OT in rail introduces unique vulnerabilities:

Strategic Deficiencies:

  • Lack of regular cybersecurity assessments
  • Absence of disaster recovery or incident response planning
  • Limited or non-existent staff training or internal policies

OT-Specific Risks:

  • SCADA and signaling systems are vulnerable to remote access
  • Poor network segmentation between IT and OT
  • Increased exposure via connected onboard systems and legacy infrastructure

In rail, a breach isn’t just a digital event; it can mean delayed services, disabled communications, or compromised passenger safety.

Key Takeaways for Transit Operators

  1. Cybersecurity is no longer optional. Rail agencies must treat it as an enterprise risk management issue, not just an IT concern.
  2. OT-specific threats demand OT-specific solutions. General IT security tools won’t protect rolling stock or interlocking systems.
  3. Cyber resilience must be built in. Plans must include backups, tabletop exercises, and recovery protocols.
  4. Vendors are a critical risk vector. Supply chain and contract oversight must be elevated.

  5. Small agencies face outsized risks. Limited resources and staff make them prime targets.

Cervello’s Role

Cervello is uniquely positioned to lead this charge. Our platform is purpose-built for the rail OT environment and designed to address the specific risks identified in the MTI report.

We deliver:

  • Continuous asset discovery to identify all connected devices
  • Rail-specific anomaly detection that understands signaling, SCADA, and rolling stock behavior
  • Real-time incident response tools to accelerate containment and recovery
  • Automated compliance support for TSA directives and NIST CSF 2.0
  • Scalability for both major railways and smaller regional networks

Whether you’re a national infrastructure operator or a rural transit agency, Cervello helps protect the systems that keep passengers moving and infrastructure safe.

Call to Action

The MTI report makes one thing clear: inaction is no longer viable.

To learn how Cervello can help your agency close cybersecurity gaps, meet evolving compliance requirements, and ensure operational resilience, contact us or schedule a demo today.

Let’s secure the future of rail. Together.