APTA SS-TCS-WP-001-26
Cybersecurity Requirements for Operational Technology Procurement
Abstract
This white paper discusses the ways a mass transit and passenger rail operator and its vendors can collaborate to reduce cybersecurity risk when implementing new technology or augmenting existing systems. The approach was designed by the North American Transportation Cybersecurity Consortium.
Keywords: industrial control systems, NATCA, operational technology, procurement, risk management, system life cycle, system under consideration, wayside
Summary
The North American Transit Cybersecurity Consortium has designed an approach to meet the cybersecurity requirements and level the playing field for agencies by holding vendors responsible for the products and services they provide. The consortium’s procurement standard, known as the North American Transit Cybersecurity Agreement (NATCA), defines the cybersecurity requirements for operational technology (OT) procurement and serves as a guideline for members of the consortium.
This white paper is an overview and endorsement of the NATCA document as it attempts to support many of the previous APTA OT recommended practices and standards. The NATCA standard addresses requirements and expectations for vendors and service providers and outlines the steps agencies must take so that the recommended resilience measures are addressed with consistent expectations across the transit sector.
The requirement for this guidance is predicated on a growing threat to transit. As mass transit and passenger railroad operators find themselves dependent on OT that is more open to cybersecurity threats, and as cybersecurity regulations are imposed by U.S. government agencies like the TSA, transportation agencies must enhance their ability to reduce cybersecurity risk and long-term security costs associated with technology integration. Currently, unsecured OT systems support the critical operations of transportation agencies, especially in railway and building management environments. Many of the legacy OT systems lack the cybersecurity functionality and design needed to meet the current cyber threat environment. The addition of new unsecured and unmanaged technology exacerbates this issue and ensures that systems will eventually be more vulnerable to cyberattacks. This ultimately creates increased incident response costs when an agency is eventually breached.
Document History
| Document Number | Version | Publication Date | Publication | Related Information |
|---|---|---|---|---|
| APTA SS-TCS-WP-001-26 | Original | May 13, 2026 | Published | Current |