Cybersecurity in public transport: 3 focus areas for building resilience

Published May 16, 2025

  • Customer Experience
  • Cybersecurity
  • Travel, Transport & Logistics

Key takeaways

  • Risk management is essential and must be systematic

Public transport companies must treat cyber risks as operational risks. Clear analysis, prioritization and continuous monitoring are essential. Legal provisions such as NIS-2 provide an important framework.

  • Technology alone is not enough, adequate organizational structures are required

Security solutions are only effective if emergency processes, clear responsibilities and escalation mechanisms are in place. It is only in emergencies that we see whether organizations are prepared.

  • Human behavior is a critical factor

Over 80% of successful attacks exploit human weaknesses. It is therefore essential to establish a culture of security: with training, a blame-free reporting culture and managers who understand the risks.

Public transport is networked, digital and mobile, and that is precisely what makes it vulnerable to attack. Whether bus, train or operations control center: the more processes are automated and the more systems are connected, the larger the attack surface for cyber criminals. Ransomware attacks, DDoS waves, compromised supply chains or targeted attacks on critical infrastructure: the threat is real and continues to grow.

Attacks are not only increasing, they’re becoming more intelligent. If you don’t invest today, you will pay tomorrow – the worst-case scenario being a business failure.

Tobias Bowald, Cybersecurity & Mobility expert at Wavestone

Risk management as a duty – not as an optional extra

Many companies still rely on outdated protection mechanisms or trust that "nobody is targeting us". That no longer works. Modern cybersecurity starts with a clear risk analysis: Which systems are particularly worth protecting? What are the entry routes, both technical and human? And how can incidents be detected before they escalate?

What is needed is active risk management that treats cyber risks like traditional operational risks, including prioritization, action planning and regular monitoring.

We see time and again how a lack of preparation can be really expensive. Legal requirements such as NIS-2 or the Swiss equivalent are not an end in themselves – they are the necessary basis for professional risk management.

Daniel Nussbaumer, Cybersecurity – Legal specialist

Technology is not enough – organization is crucial

Of course, technology plays a key role: segmented networks, zero-trust architectures, end-to-end encryption, secure APIs and monitoring solutions. But without clear organizational structures, even the best tools lose their effect.

In the event of an emergency, it is defined processes that make the difference, from incident detection through to communication with authorities and partners. This includes:

  • Emergency playbooks
  • 24/7 escalation plans
  • Clear responsibilities
  • Regular test scenarios

Small and medium-sized transport companies in particular benefit from scalable standard solutions and experienced partners.

Technology is important, but it only works if the organization also works. If you don’t know who decides what in an emergency, you’ve already lost.

Thomas Haiz, public transport expert

Awareness, not just firewalls

Technology protects – people decide. Human behavior plays a decisive role in more than 80% of all successful attacks. Carelessness, a lack of awareness or a lack of training open dangerous entry points.

Cybersecurity must become part of the corporate culture.

This means:

  • Run regular training and awareness campaigns
  • Promote a blame-free error culture: better to report than to conceal
  • Establish "security champions" in teams
  • Raise awareness among managers

Security must become part of everyday life – not just in the IT department. If there is a lack of awareness in the organization, any strategy will remain a paper tiger.

Thomas Haiz, public transport expert

Resilience requires a three-pronged approach

Cybersecurity in public transport requires more than just technology. Real resilience is only achieved when technology, organization and culture work together. Companies, regardless of their size, should start building structures today, understand their risks and bring their employees along. The example of SITA's Product Security Office, which is setting new standards for cybersecurity in aviation, shows how this can be achieved in other areas of the transport sector.

Because the next attack is sure to come; the only question is how well prepared you will be.

Authors

  • Thomas Haiz, Senior Manager – Switzerland, Zurich, Wavestone
  • Tobias Bowald, Manager – Switzerland, Bern, Wavestone
  • Daniel Nussbaumer, Senior Manager – Switzerland, Zurich, Wavestone