Over the past few decades, technology has revolutionized transit, empowering agency staff with new tools to efficiently manage operations and connect with riders.

But a rise in IT incidents poses new transit technology challenges for agencies large and small.

Cyber attacks are increasing at a record pace, with a recent report citing a 186% increase in ransomware attacks on the transit industry in recent years. Consequently, transit agencies that experience cyber attacks or receive regulatory pressure often take cybersecurity as a top consideration as they evaluate their technology stacks.

However, many transit agencies remain underprepared to prevent a cybersecurity incident from happening to them.

In the face of these threats, a new generation of cloud-native transit technology offers unique capabilities for reliability, resiliency, and confidence in data security for agencies large and small. Swiftly has responded to these challenges by investing in our own cybersecurity, and we recently achieved SOC 2 Type II compliance, one of the most stringent security certifications available.

As the leader of software development here at Swiftly, I’d like to share guidance for agencies evaluating cybersecurity risk and detail the ways technology is evolving to counter these threats.

The impact of cyber attacks

Cyber attacks today often target vulnerable or exposed software infrastructure. Attack patterns, tools, and vulnerabilities evolve over time, and what is secure today may not be secure tomorrow. This evolving threat landscape presents an ongoing challenge for IT and security professionals responsible for securing their agency’s software.

Cyber attacks come in many forms, with direct impacts on transit agencies:

Breach of personal or sensitive data

• Ransomware incidents are on the rise, and data loss can impact operations and erode trust with employees and riders.

Loss of access to critical tools

• ‍It is typical to respond to a security incident by isolating a breached network to prevent the proliferation of an attack. Transit agencies that have been breached can lose access to mission-critical tools necessary to run operations effectively, respond to customer service calls, provide real-time passenger information, and more. For example, Swiftly has worked with more than five agencies that have lost access to their CAD/AVL systems temporarily or permanently due to cyber attacks.

High cost to recover

• ‍Between recovery tools and interrupted operations, the price tag of a data breach can reach astronomical sums. According to IBM research, the average cost of responding to a data breach was $4.45 million in 2023.

As an example, the Kansas City Area Transportation Authority (KCATA) suffered a ransomware attack earlier this year. The attack impacted critical systems, resulting in data loss, phone outages, and the unavailability of important staff tools.

"Our cyber attack was awful,” shares Patrick Blankenship, KCATA's Lead Scheduling Analyst. “We were without a network for almost two weeks. We also lost many capabilities, most notably our ability to run run-time reports. It’s been almost three months and we still do not have run-time data from our CAD/AVL system."

Fortunately, KCATA was able to retain key information, along with supplemental data and reports, through Swiftly’s transit data platform. Cloud-native tools like Swiftly offer new levels of resiliency that can help agencies weather the storm of cyber attacks.

“Without Swiftly and their resilient platform we would be scheduling blind,” says Blankenship.

Five focus areas to prevent and mitigate cyber attacks 

There are five key areas of focus for any agency to reduce the risk of cyber-attacks:

1. Security

• ‍Creating and configuring systems to be secure by design and including proper incident detection mechanisms

2. Privacy

• ‍Limiting access to data and systems

3. Availability

• ‍Designing systems to be resilient to failure and recoverable in the event of an incident‍‍

4. Training

• ‍Making employees aware of common social engineering scams (e.g., phishing)

5. Preparation

• ‍Ensuring your organization is living out its information security processes, has practiced responding to cybersecurity attacks, and remains up-to-date

These best practices apply equally to transit agencies and their vendors. Swiftly has aligned many of our own cybersecurity investments with these categories, detailed in a later section.

It’s also important for transit agencies to exchange information among their peers and learn from past industry cyber attacks. Honolulu’s TheBus has suffered multiple cyber attacks, and Deputy Director Jon Nouchi shared cybersecurity advice for other agencies based on his agency’s experiences:

“It's ultimately important to be connected with experts in network security and have them contracted at your side for constant and ongoing threat assessment.

"Updated software is key, but don't neglect basic networking hardware which can often age in place and grow more vulnerable over time.

"Consider what is at stake: your riders' confidence in any data you might store including personal and financial information; employee data and records; archived contracts, documents, and email; and real-time passenger information.

"Recovery from a cyber attack is stressful and tricky. Remember to notify all federal, state, and local partners, not only in law enforcement, but in transportation as well. Keep your passengers well-informed through social and traditional media, but proceed cautiously with revealing too much information if threatened with demands and conditions from hackers domestically or from other countries.

"During our last cyber attack, our customers were amazing. They wanted to know how soon they could utilize digital payments again and pay to ride, but they really needed real-time bus arrivals and locations back as soon as possible. Swiftly provided us with great solutions to restore confidence in our service delivery through the real-time information our passengers expect and deserve.”

Securing by design with cloud-native best practices

When evaluating critical transit data tools, agencies can go a step further by ensuring they build their technology portfolio on top of modern, cloud-native infrastructure.

Swiftly’s system has been designed from the ground up around the unique capabilities of cloud environments.

This design offers numerous advantages over traditional on-premise tools:

• Swiftly does not require software or hardware to be installed on-premise at an agency.
• Swiftly’s product is built with cloud-native redundancy, ensuring systems are automatically resilient to failure. Swiftly leverages multiple sources of AVL, meaning Swiftly products can continue to function even if an agency’s CAD/AVL system suffers an outage.
• Swiftly leverages cloud best practices for configuring firewalls and other network-level settings proactively. Swiftly can respond in real-time to identify and leverage these settings to isolate a suspected breach.

The result is a robust, secure platform with near zero downtime. In addition to KCATA’s cyber attack, there have been numerous instances where Swiftly’s data and systems remained available through AVL outages.

Swiftly’s path to SOC 2 compliance

A security certification offers an independent, rigorously defined roadmap for organizations to benchmark their own capabilities. The System and Organization Control (SOC) 2 compliance framework addresses all the main areas of information security.

These five pillars of SOC 2 are designed to ensure organizations have proper governance, practices, and tangible security features implemented to remain secure in an evolving threat landscape.

As we considered how best to ensure the substantive security of Swiftly products and data, we ultimately decided to achieve SOC 2 compliance. Through the successful process of achieving SOC 2 compliance, our engineering teams have taken on several large initiatives over the past year.

Securing the development process

Vulnerabilities can exist in third-party libraries, application design, or the code itself. We implemented code scanners to detect vulnerabilities in each of those areas. Our system is scanned regularly to detect newfound vulnerabilities in existing parts of our system, and each code change we make is scanned before being deployed to production. Building security into the development process enables us to frequently deliver new features and functionality with the right information at our fingertips to avoid injecting vulnerabilities into the codebase.

Securing our data infrastructure

Swiftly manages many databases storing different types of data for various customers. We migrated all databases to a secure-by-design architecture, including universal encryption at rest, network-level private access requiring multiple levels of credentials for a human to access data, and robust backup capabilities.

Verifying our security

Swiftly brought in a third party to conduct a penetration test of our product. Essentially, hackers explored our web applications to seek attack vectors and ensure our product is secure in reality.

To conclude the process, Swiftly completed the SOC 2 Type II audit and successfully achieved SOC 2 Type II compliance. We are proud of this result and excited that the more than 180 transit agencies we work with will benefit from our investments in cybersecurity.

Constantly updating security against evolving threats

Finally, one of the unique capabilities of cloud-native technology is that software updates can be deployed to customers over the internet, without downtime and in a matter of hours—not weeks or months. Along with new features, Swiftly leverages these cloud-native software principles and in-house tools to transparently roll out security updates to our product and infrastructure without downtime.

As a result, even in an evolving threat landscape, agencies using Swiftly can have confidence in the security of their transit data.

Interested to learn more about the Swiftly's platform and the benefits of cloud-native transit technology? Reach out today!