The Why & How Of Cybersecurity In The Transit Industry

The Why & How Of Cybersecurity In The Transit Industry

Cybersecurity is a growing concern for companies of all sizes. 2021 will remain in history as the year when hacks became bigger, bolder and much more damaging, and even regular people could feel the fallout from these events. While creating hack-proof software is probably impossible, it’s more than feasible to ensure that your company’s data is adequately protected. Today, we’ll take a look at the importance of cybersecurity in the transit industry and how transit professionals can sleep better at night knowing their agency’s data is safe.

2021: the year hacks got ugly

While cyberattacks are nothing new, 2021 saw a few very important hacks that sent ripples across a variety of institutions and companies – and their customers.

First, there was the SolarWinds hack which was actually a much broader hack that began sometime in 2020 and affected 12 federal agencies and a host of Fortune 500 companies. Then, the Colonial Pipeline breach happened and it seems to be the most important one so far. Its effect was felt not only by employees of the company but also by almost everyone who owns a vehicle in the Southeast. It also sparked an unprecedented government response that lead to the recovery of some of the ransomware paid by Colonial Pipeline. The most expensive of all hacks so far, though, is that of CNA – a company that offers, ironically, cyber insurance. The $40 million ransom was paid but the dangers of the implications of this leak still loom over the company’s customers. Last but not least, there came the hack of the Brazilian meat processor JBS. It may seem random, but having in mind that pork and beef are the two types of meat that sustain the American backyard BBQ tradition, it was actually a big one.

Ransomware attacks will surely become bolder and every business should think about the ways it protects its data. The situation gets even more complicated when you have customers who have entrusted their data to your company. This is the scenario we want to talk about – how to protect a transit agency’s customer data adequately.

Why cybersecurity in the transit industry: why is it so important?

You may be a small transit business handling only a few thousand riders. Or you may be a metropolitan area agency with millions of active riders. No matter the case, it’s almost certain that you have customers who have stored some data with you – think about special discount groups, for example. Or, if you’re a forward-thinking agency that moves with technology, you maybe offer account-based fare collection. Or you may be thinking about offering it.

This means that you need to provide the best security possible to all riders who have entrusted you with their personal information and payment details. It’s a daunting task but one your business should take as responsibly as possible. A data breach can potentially expose not only personal information such as name, email and password but also payment details, social security numbers and travel history, and even home and work addresses.

This is why you need to look for software providers that understand the importance of cybersecurity in the industry.

Paving the way to enhanced cybersecurity

The cloud vs on-prem

There is a general understanding that keeping data on-premises is the more reliable solution. We believe that this isn’t always the case. On-prem solutions, apart from being extremely costly, often use some sort of 3rd party provider (or many), and sometimes a single point of entry like this is all hackers need. In the past year, when many people turned to home office, another shortcoming of this setup was exposed – remote access to on-prem servers was a vulnerability that cost many companies dearly. It’s safe to say that home office is not going away, so reviewing any on-prem setup is of paramount importance.

On the other hand, when investing in a reliable cloud partner, you invest in security that goes above and beyond that of an in-house IT team. For cloud providers, security is one of the areas they work constantly to improve and be always one step ahead of hackers. Not to mention the fact that in the long run it might cost less and be easier to maintain and scale.

In the case of transit businesses, cloud computing is also the better option as there is continuous sync between the cloud and validators inside vehicles. This means data is updated in real time versus the on-prem setup where vehicles need to be physically in the garage to sync validations.


Encryption is another key instrument that should be taken very seriously. All data that travels between validators and the back end in the cloud should be encrypted following the latest protocols. In this way, passenger data is always protected.

PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

Since the pandemic hit, transit agencies are moving faster towards contactless payments and EMV payments. This requires them to be PCI-compliant to meet the demand of their customers who trust them to provide a secure payment gateway for every transaction. Passing a standard compliance test ensures that processing customer payment data does not pose a risk of security breaches.

Modeshift’s security pledge

We at Modeshitf believe that security should be a primary focus when designing software for the transit industry. Our account-based fare collection platform is based on Microsoft Azure Cloud which secures data processing. Our solution is Level 1 PCI compliant to allow payments via PayPal, Braintree & more. All of this is included in the pay-per-vehicle package we offer to our customers at no extra cost!

Security Requirements

Modeshift takes all measures to ensure the security of the platform – from design, architecture, and back office credentials to the app itself. Modeshift’s platform is running on Microsoft Azure which is certified according to the highest security standards.

Microsoft’s team has vetted and reviewed the platform to ensure its security and safety.

Further, the system is implemented according to the CSA (Cloud Security Alliance) guidance and follows these rules:

  1. Data in transit is protected: in place is Distributed Denial of Service (DDoS) Attacks protection provided by Microsoft Azure. All endpoints and communication are encrypted using TLS. All API requests require user authorization and follow OAuth. User data and authentication are managed with Azure Active Directory.
  2. Data center security: the solution runs on Azure that covers the following certifications >>
  3. All electronic data is stored in Azure SQL Databases or Azure Storage – based on the type of data. These services are secured following all recommended procedures from Microsoft. Employees have access to these systems based on the principle of least privilege: they have only enough access to perform the required job. All access to tenant data and information are logged and can be audited. There are different privilege levels in the system.
  4. Modeshift has a clear incident response and patching system in place to remedy any publicly reported issues.
  5. There is no shared tenancy.

Disaster Recovery

For the Modeshift business and fare collection platform, it is imperative that services are operational 24/7, 365 days a year as it is pivotal for business continuity, customer service and revenue. Modeshift’s DR strategy and planning aim to cover three main areas: Prevention, Anticipation, and Mitigation.

• Prevention is the act of avoiding those disasters that can be prevented.
• Anticipation is to plan and develop adequate measures to counter unavoidable disasters.
• Mitigation is effectively managing the disasters and thereby minimizing the negative impact.

Modeshift maintains fully automated and codified infrastructure which is tested on a daily basis. This guarantees that in case of disaster the whole system can be restored in another Microsoft Azure Region.

In conclusion

We’re only halfway through 2021 and we’ve already seen some pretty disturbing, large-scale hacks. While governments around the world are stepping up their game to improve safety regulations in their fight against cybercriminals, the ball is still in the court of businesses to ensure they do their best to protect their systems, be it with a costly on-prem solution or via trusted cloud providers. Cybersecurity is of paramount importance for the transit industry and we believe it should be part of every transit company’s strategy – this is why we built Modeshift with security in mind. Contact us today so we can talk about your needs!