

Q-Free CEO: It’s time for a cybersecurity culture shift
Originally published by Traffic Technology International, this thought leadership piece by Q-Free CEO Mark J. Talbot explores the growing cybersecurity risks facing modern transportation systems—and why shared accountability, modern tools, and a cultural shift are urgently needed.
You can also read the article on TTI’s website here.
Time for a cybersecurity culture shift
Transportation and traffic management are undergoing rapid transformation. As agencies and technology partners embrace digitization and software-driven infrastructure, new opportunities are emerging to make our systems smarter, more efficient, and more responsive to community needs. But with greater connectivity comes greater responsibility – especially when it comes to protecting critical infrastructure from cyber threats.
At Q-Free, we’re committed to helping the industry advance with resilience and foresight. Soon, we’ll introduce one of our most important innovations yet in the fight against transportation-related cyber threats. We believe it has the potential to reshape how agencies approach traffic signal controller security—and to raise the standard for what modern cybersecurity should look like across the industry. More on that soon.
In 2025, cybersecurity is no longer a hypothetical risk – it’s a core operational issue that must be actively managed. Cyber readiness and resilience should be monitored and reported like any other strategic risk. Responsibility for managing cyber threats no longer rests solely within IT departments. In both the public and private sectors, accountability now extends to agency leadership, executive teams, and ultimately, boards of directors.
Yet many agencies still lack either the technical resources or the funding needed to build robust security programs and maintain an appropriate level of cyber maturity. And when breaches occur, the costs are often significant and unbudgeted. According to IBM’s annual Cost of a Data Breach Report, the global average impact reached $4.88 million per incident, with costs nearly double that in the United States.
We don’t have to look far to see the consequences. In Toronto, a malware attack on the city’s transit system in 2021 disrupted service and exposed system weaknesses. Even as recently as last year, the agency was still dealing with the aftermath, offering credit protection to those whose personal data had been compromised. Other cities have had digital signs hijacked and signal systems compromised. Just last month, the Texas Department of Transportation suffered a breach in which nearly 300,000 crash records were stolen, including names, driver’s license numbers, license plate numbers, insurance policy details, and injury reports. And in Seattle’s University District, someone hacked audio warnings at multiple crosswalks to play fake Jeff Bezos messages. Hackers are just as prolific in other geographies. In the United Kingdom, Transport for London, which operates the London Underground as well as surface transit, suffered a hack that impacted both rail and bus services. Personal data from contactless bank cards and the network’s iconic Oyster Cards were exposed, and the ripples sent a shockwave through European agencies.
These incidents may seem isolated, but they reveal a deeper reality: critical transportation infrastructure is now digital and dangerously vulnerable.
Our systems are under attack from adversaries ranging from opportunistic individuals exploiting vulnerabilities to insidious actors seeking financial gain or large-scale disruption. These breaches don’t just cause service delays; they put public money, public safety, and public trust at risk. While isolated breaches are troubling, the possibility of a coordinated cyberattack with more devastating outcomes is alarming. Yet too often, we treat these warning signs like early medical symptoms, ignoring them and hoping they will go away on their own. History tells us they won’t.
The millions of people who rely on our transportation networks to get to work, school, or the doctor’s office are largely unaware that while we focus on road safety, congestion, and emissions, a different threat is quietly growing. Transportation systems are no longer just about pavement and signals—they’re about networks, software, sensors, and systems that are all interconnected. That interconnectivity, while powerful, also makes us more vulnerable. A single compromised traffic cabinet might seem insignificant on its own, but if it provides access to a larger citywide or even regional system, the consequences could be far-reaching. The strength of our infrastructure is now tied not just to its physical integrity but to the security of every node in the network.
One of the most important voices in today’s transportation cybersecurity conversation is my industry colleague Scott Belcher, former CEO of ITS America and now the head of SFB Consulting. He recently authored a report for the prestigious Mineta Transportation Institute entitled, “Does the Transit Industry Understand the Risks of Cybersecurity and Are the Risks Being Appropriately Prioritized?” His findings exposed a troubling reality: many transit agencies, particularly smaller ones, remain vulnerable to cyberattacks.
“The increasing sophistication of cybercriminals, in combination with a greater reliance on technology within the transit industry, puts the industry at greater risk than in 2020,” Belcher wrote. His research found that just 60% of U.S. transit agencies even have a cybersecurity preparedness plan. Smaller systems, which often serve rural and underserved communities, are especially vulnerable because they lack the resources and personnel needed to build robust security programs.
This isn’t just a technology issue: it’s also an equity issue. When cyber protections are concentrated in large urban systems, millions in smaller communities are left exposed. Belcher’s report calls for federal funding and leadership to bridge this gap and ensure all agencies, regardless of size, can implement and sustain proper cybersecurity measures. While the report focuses on transit, our conversations make it clear that these vulnerabilities extend across the broader transportation sector.
Another critical challenge lies in the growing connectivity of transportation systems. As regions pursue cross-jurisdictional operations, a single vulnerability in one network can compromise others. And—borrowing from a familiar phrase—no one wants to be the weakest link.
It’s time for a culture shift. Agencies across the country recognize the importance of cybersecurity, but limited funding, understaffed teams, and a lack of modern, scalable tools hold many back. To keep pace with evolving threats, cybersecurity can’t be just another IT line item. It must be a core part of how we design, build, and manage our systems. That shift requires modern tools, sustained funding, and industry-wide collaboration.
At Q-Free, we are committed to staying ahead of cyber threats. Our R&D teams have spent the last five years not only focused on innovation, but on building a resilient, secure foundation across all our products and platforms. For us, cybersecurity is not an afterthought—it’s embedded from the start.
A prime example is our pilot solution for distance-based road user charging and fleet management. From day one, privacy and cybersecurity were prioritized alongside key functionality, like battery life and ease of use. We believe strong privacy is a prerequisite for public trust and user adoption, particularly in an increasingly connected transportation ecosystem.
Safeguards such as secure boot procedures, encrypted and digitally signed data, and hardware-based separation of security and application functions were integrated into the system architecture from day one. This proactive approach not only meets current and upcoming regulatory requirements—it reflects our broader philosophy: security isn’t a feature, it’s a foundation.
With that foundation in place, we’re about to take another leap forward—one that will redefine expectations for cybersecurity in traffic signal control. In the lead-up to the ITS World Congress, Q-Free will launch what we believe will be the most cyber-secure traffic signal software available in the North American market, incorporating end-to-end encryption, federated authentication, and a modern architecture designed to close long-standing cybersecurity gaps in intersection control.
This upgrade represents not only an advancement in cybersecurity but a bold step in setting a new standard for the industry—one we hope others will follow. Because cybersecurity isn’t just my job, or Q-Free’s, or our competitors’. It’s universal, requiring an all-hands approach that starts with acknowledging the threat and meeting it head-on.
In his report, Belcher called for a 21st century upgrade: a collaborative effort from the federal government, industry leaders, and agency leadership to establish, maintain, and continuously refine cybersecurity programs. Belcher is exactly right. In my view, we must modernize our infrastructure with secure, interoperable solutions that can evolve with the threat landscape; embrace modern IT standards that stay ahead of the bad actors and give agencies flexibility, resiliency, and a fighting chance against cyber threats; and support smaller agencies with funding, tools, and guidance to bring their systems up to speed, because cybersecurity should be a standard, not a privilege.
Technology alone, however, won’t close the gap. We must also embrace vendor-agnostic protocols, foster collaboration, and treat cybersecurity as a shared responsibility across all levels of government and industry. Only then can we build a transportation system that’s not just smart and connected, but secure and resilient.
It may be cliché to say transportation is at a crossroads, but like many clichés, it holds a fundamental truth. Cyber threats are increasing in frequency and sophistication, and the bad actors behind them are relentless. As our infrastructure and vehicles become increasingly connected, our response must become equally sophisticated.
That culture shift is simple to define – it’s time for our industry to watch the hackers as closely as they’ve been watching us.