A study of 176 transportation leaders, contrasting how public agencies and private operators rank cybersecurity, where they invest, what they fear, how often they're already being hit, and why leaning on compliance leaves them exposed.
Cybersecurity for operational and transportation systems is now a top priority for 91.5% of leaders, and nearly 60% have already dealt with an incident in the past 12 months. Yet half still believe compliance fully covers their security needs. That gap between confidence and exposure is the story, and it splits along sector lines: public agencies are more likely to trust compliance, while private operators run hotter on concern, lean harder on field connectivity, and put their next dollar in different places. Every section below is cut by sector, and the widest gaps are called out directly.
Across 176 transportation leaders, cybersecurity for operational and transportation systems has become an operational imperative: 91.5% rank it among their top priorities and not one respondent calls it a lower priority. The more useful question for go-to-market is what they're actually buying. First-choice investment priorities split by sector, with public agencies leading on threat intelligence and private operators on cloud security.
Public agencies lead with threat intelligence (20.3% first-choice) and incident response and recovery (15.6%), a detect-and-respond posture. Private operators lead with cloud security (16.7%), followed by a three-way tie across secure connectivity, endpoint protection, and security automation (13.0% each). The order differs, but the top of both lists is dominated by cloud, threat intelligence, and secure connectivity for field and mobile environments. Remote and field access runs through all three, which is the connective thread for the rest of this report.
This is the head-nodding stat: a cyber incident affecting operational systems is now the norm, not the exception. Nearly 60% of leaders in both sectors have dealt with at least one in the past 12 months, at near-identical rates. Public agencies report more repeat exposure at the high end.
57.6% of public agencies and 59.1% of private operators reported at least one incident in the past year. Public agencies report more repeat exposure at the high end: 7.6% have had four or more incidents, against 4.5% of private operators. And roughly 40% in each sector answered "none we're aware of," which is the line that should give any leader pause, because limited visibility into operational environments is exactly how incidents go uncounted. The takeaway for both audiences: your peers are already being hit, whether or not they can see it.
Given how many organizations are already being hit, rising concern is the rational response, and most leaders feel it: nearly two thirds are more concerned than they were a year ago. But concern is lopsided. Private operators run hotter, while public agencies are more likely to sit in the middle, a posture that looks increasingly out of step with their incident rate.
62.5% of leaders are more or far more concerned than a year ago. The intensity sits on the private side: 18.2% of private operators are far more concerned, against just 7.6% of public agencies. Public sentiment clusters in the middle, with 34.8% saying their concern is about the same. Read against Section 02, that calm is the problem. Public agencies face the same incident rate as private operators but register less urgency, which is the gap this research exists to close.
Data breach tops the list for both sectors, but underneath it the two risk profiles pull apart. Private operators index higher on almost every threat, with double-digit gaps on operational disruption, legacy systems, and ransomware. The sectors converge on only three.
The biggest gap is operational disruption, where private concern leads by 19 points (64.5% vs 45.5%), followed by legacy and unpatched systems at 18 points. Private operators feel the threat escalation across the board. The only places the two sectors agree are phishing and social engineering (within a point), insider threats, and attacks on field, remote, or mobile infrastructure, which is the single threat where public concern actually leads (50.0% vs 45.5%). For a connectivity-security message, the public sector is the more receptive audience.
Here is the widest belief gap in the study, and the clearest correlation. A majority of public agencies believe meeting regulatory requirements fully covers their security needs. Set that against Section 02: nearly 60% of those same organizations have already had an incident. Compliance is table stakes, the minimum standard. What an organization does beyond it is what actually moves the needle.
"On paper it's mostly compliance, but in reality the backups are not in place, no major patch work being done, and we still use Windows 7."
58.5% of public agencies say compliance fully covers their needs, versus 43.5% of private operators, a 15-point gap that makes public agencies the more exposed audience. Put the other way, 56.5% of private operators see gaps beyond compliance, against 41.5% of public agencies. On frameworks, public strategy anchors to TSA Security Directives (45.5%) and CMMC runs higher (24.2% vs 16.4%); private operators lean on NIST (41.8%) and ISO 27001 (40.9%). The correlation to lead with: the organizations most confident that compliance is enough are being hit at the same rate as everyone else.
Cellular, wireless, and portable connectivity keeps transportation moving when wired infrastructure is unavailable or impractical. Nearly nine in ten leaders call it mission-critical or very important, and private operators feel the dependency most acutely.
42.6% of private operators call wireless connectivity mission-critical, operations literally depend on it, versus 28.8% of public agencies, who lean toward "very important" (53.0%). Combined with Section 04, the picture sharpens: public agencies worry more about attacks on field infrastructure, while private operators are more operationally dependent on it. Both are openings for a secure-connectivity message, framed to the audience.
Four out of five organizations are increasing cybersecurity investment for operational systems over the next 12 to 18 months, and roughly three quarters plan to bring cloud applications directly into their operational environments. Private operators are hitting the gas harder; public budgets rise more gradually. The one point of universal agreement: almost no one is decreasing.
32.4% of private operators are significantly increasing investment, versus 24.6% of public agencies, whose budgets cluster in "somewhat increasing" (61.5%), consistent with slower public procurement cycles. Cloud adoption into operational environments is high and evenly split (78.7% private, 73.4% public). Budgets are rising and the attack surface is expanding in parallel. Where those dollars land, shown by sector in Section 01, is where the two audiences most diverge.
Security maturity is the one dimension where the two sectors look broadly alike. The vast majority in both place themselves in the "mature" band, but very few have reached advanced automation and orchestration, and a meaningful share remain at foundational or early stages.
Roughly half of each sector rates itself "mature," but only 16.7% overall describe themselves as advanced, with extensive automation and orchestration. The self-assessment sits uneasily next to the incident and compliance findings: many organizations that call themselves mature are still being hit and still treating compliance as sufficient. The headroom between "mature" and "advanced" is where the next wave of investment, traced in Sections 01 and 07, is headed.
Public agencies and private operators enter the cybersecurity conversation from different places: agencies trust compliance and anchor on TSA and NIST, while operators run hotter on urgency, lean on NIST and ISO 27001, and depend on always-on connectivity. The message has to differ. The technical answer does not. Nearly 60% of both have already been hit, and the organizations that will lead are investing now in unified visibility, segmentation, and secure connectivity beyond compliance.
Explore Fortinet for TransportationThis research combines structured multiple-choice questions with open-text conversational responses from 176 transportation leaders with direct oversight of, or significant influence over, operational and transportation systems. The sample comprises 66 public-sector respondents (state DOTs, transit authorities, municipal transportation, ports, airports) and 110 private-sector respondents (logistics, freight, fleet, rail, maritime, air). Every closed-ended question in this report is cross-tabulated by sector; percentages are calculated within each sector group (public n=66, private n=110) so the two bars are directly comparable. Multi-select question totals exceed 100% by design and are labeled as such. Verbatim quotes are drawn from respondent transcripts and lightly cleaned for spelling and readability without changing meaning.