The public transport sector plays a central role in the proper functioning of modern societies. It ensures the mobility of people, connectivity between territories and access to essential services such as employment, healthcare and education. The efficiency and security of these networks directly influence the attractiveness of territories and their economic vitality.
With the acceleration of digital transformation, railway networks, underground systems and ticketing platforms now rely on increasingly sophisticated digital systems, integrating artificial intelligence, IoT and cloud technologies.
Beyond the day-to-day management of growing flows, operators must now combine innovation and security. They face the challenge of digitalisation while ensuring a high level of resilience against risks of attack, fraud, breakdowns or major crises.
In this context, cybersecurity in public transport has become a key strategic priority for both public and private stakeholders, in order to ensure service continuity, passenger safety and public trust.
What are the main challenges for the public transport sector?
The public transport sector is exposed to a broad spectrum of risks, both physical and digital. This plurality of threats is part of a dynamic in which the digitalisation and interconnectivity of systems amplify existing vulnerabilities or create new ones. Protecting this sector has become a matter of national sovereignty. The risks fall into four main categories:
- Passenger safety: The integration of automated systems generates new sources of incidents, such as the hacking of signalling systems or the remote immobilisation of trains. Beyond the technical risk, the physical safety of passengers may be directly affected.
- Maintaining service levels: Operational continuity is vital. Any shutdown of ticketing services or traffic management leads to significant financial costs and territorial disruption. Operational resilience therefore becomes a key performance indicator for operators.
- Combatting fraud: Digital platforms are exposed to ticket forgery and user account manipulation, impacting the reputation and finances of operators. The digitalisation of user journeys mechanically increases this exposure surface.
- IT/OT convergence: The interconnection between traditional IT systems and industrial technologies (OT) enables attackers to remotely exploit previously isolated systems, such as industrial control systems. This convergence is now one of the main drivers of increased cyber risk in transport.
A real threat to the cybersecurity of public transport
The public transport sector is increasingly exposed to cyberattack risks, affecting both major metropolitan areas and mid-sized cities, comparable to Strasbourg. The reality of this threat is illustrated by specific figures and by several incidents that have occurred in recent years.
From January 2020 to December 2024, ANSSI handled 123 cyber-origin security events affecting organisations in the urban transport sector (rail, road, guided, river). Among these, 91 security reports and 32 confirmed incidents were recorded. This high volume highlights the intensification of cyber threats in the sector and the need for increased vigilance across all operators and transport authorities.
- Transport for London (September 2024): A ransomware attack suspended online ticket sales and compromised personal data (names, addresses, banking information). The financial impact reached nearly £30 million.
- City of Olsztyn (2023): A cyberattack simultaneously blocked ticketing and timetable displays and forced traffic lights into automatic mode, disrupting the mobility of thousands of users.
- Honolulu (2022): A major failure of GPS systems and card readers led to direct financial losses, as users were no longer charged during the incident.
These events confirm an underlying trend: cybersecurity in public transport has become a critical operational issue for the entire sector.
Source: ANSSI
A persistent gap between perception and preparedness
Given the increasing frequency and diversity of cyber threats, the implementation of a comprehensive and structured security strategy is now a necessity for all public transport and critical infrastructure stakeholders.
A 2023 study by the Mineta Transportation Institute (MTI) highlights a concerning gap between operators’ perceived level of preparedness and the reality of cybersecurity measures in place:
- The study shows that more than 80% of public transport companies consider themselves prepared to face a cyber threat, whereas only 60% actually have a documented cybersecurity strategy. This gap sometimes reflects overconfidence, while structural vulnerabilities persist at different levels.
- 47% of them state that they audit their programme at least once a year, a frequency that remains too low given the rapid evolution of threats.
- More than 50% do not retain event logs for more than a year, even though long-term log retention is one of the cornerstones of cybersecurity preparedness and the ability to trace back an attack or a past breach.
- Even more concerning, 36% do not have a disaster recovery plan (DRP) in place following a digital incident, leaving the organisation vulnerable to prolonged disruptions in the event of a major incident.
- Finally, 67% have not implemented a specific communication plan for the event of a cyber crisis, thus exposing the authority or operator to the risk of a loss of trust among users, partners and the media.
This gap between perception and the actual level of preparedness is now a major cause for vigilance.
Source: Mineta Transportation Institute, Cybersecurity in Public Transportation: Risks and Preparedness, 2023.
What are the priorities for strengthening cybersecurity in public transport?
In light of the identified threats, ANSSI, in its document CERTFR-2025-CTI-005, recommends adopting a comprehensive and structured approach to cybersecurity, primarily based on understanding risks, controlling information systems and strengthening resilience capabilities.
Structuring risk management and knowledge of the information system
The first step is to have a clear view of the information system and its ecosystem. This involves carrying out a comprehensive mapping of assets, flows and dependencies (particularly in relation to service providers), as well as conducting regular risk analyses. This approach makes it possible to identify critical assets, assess threats and prioritise the security measures to be implemented.
Integrating security by design and throughout the supply chain
Cybersecurity must be taken into account from the system and project design phase. This implies integrating security requirements into specifications, securing development and ensuring security is maintained over time. Particular attention must also be paid to suppliers and the supply chain, which constitute major attack vectors.
Strengthening security architecture and system segmentation
Reducing the attack surface relies on a secure architecture, including the segmentation of information systems (IT, OT, business) and strict filtering of flows. The implementation of security zones, controlled gateways to the internet and appropriate protection mechanisms helps limit the spread of an attack and contain its impacts.
Managing access and protecting sensitive data
Identification and access management is a fundamental pillar of security. It relies on the unique identification of users, the implementation of robust password policies and the deployment of strong authentication for sensitive access. At the same time, data must be protected, particularly through encryption mechanisms, to ensure its confidentiality and integrity.
Detecting incidents and maintaining security over time
The implementation of logging and detection mechanisms makes it possible to quickly identify abnormal behaviour and react before an incident causes significant damage. This capability relies in particular on log centralisation, monitoring of security events and maintaining systems in a secure configuration (updates, patches, configuration hardening).
Strengthening resilience and incident response capabilities
Finally, the ability to cope with a cyberattack is a key challenge for transport operators. This involves planning degraded operating modes, implementing business continuity and disaster recovery plans (BCP/DRP), as well as appropriate backup mechanisms. Preparation for crisis management, notably through regular exercises, is also essential to ensure a rapid and coordinated response in the event of an incident.
Developing a cybersecurity culture within organisations
Cybersecurity also relies on human behaviour. Raising employee awareness, particularly with regard to common threats such as phishing or malicious media, is a key lever for reducing the risk of compromise of information systems.
The Willing approach: strengthening operational resilience
In response to these challenges, Willing supports transport stakeholders by implementing a comprehensive security strategy that combines governance, technology and cybersecurity culture.
Cyber strategy and governance: Willing supports the definition of cybersecurity strategies aligned with public transport challenges, including the implementation of information security roadmaps and structured governance (KPIs, committees, risk management) across organisations.
Audit, diagnostic and maturity assessment: Maturity analyses, compliance audits (NIS2, ISO 27001, etc.) and risk analyses to provide an objective view of exposure levels and prioritise security actions.
Business Continuity Plan: Willing assists in structuring and strengthening business continuity arrangements by identifying critical processes and carrying out impact analyses (BIA). On this basis, tailored BCP/DRP are defined to ensure realistic and operational recovery in the event of an incident.
Cyber crisis exercises: Willing conducts crisis management exercises to test coordination between business, IT/OT teams and top management. These simulations enable a shift from a theoretical posture to real operational capability in the face of scenarios impacting service continuity.
Security integration into projects: We work to embed cybersecurity from the design phase of transformation projects (cloud, data, embedded systems), with the definition of architectures adapted to IT/OT environments and the implementation of security best practices.
Programme management and change support: Willing supports the management of cybersecurity programmes and change management, raising awareness among different stakeholders and embedding cybersecurity as a lever for reliability and trust in the service of users.
Securing transport systems against cyber threats is now a strategic and operational priority.
The diversity and severity of risks, illustrated by recent incidents, require a comprehensive, continuous and collaborative approach to cybersecurity, structured around prevention, detection, response and crisis management. In a context of accelerated digital transformation, anticipation and resilience capabilities are becoming key factors for operators. Crisis exercises, combined with strengthened governance and structured action plans, constitute essential levers to ensure controlled digital transformation and to guarantee service continuity and user trust.