When Jacksonville’s Autonomous Transit System went live, it became the first fully autonomous public transit network in the United States. What most people don’t realize is that the vehicles themselves represent only one attack surface in a much larger ecosystem. The real cybersecurity challenge isn’t just protecting the AVs — it’s securing the operations center that commands them, the infrastructure that supports them, and the data flows that connect everything together.
After spending years embedded in this program from its cybersecurity infancy through full operational capability, I can tell you that autonomous vehicle operations security requires a fundamentally different mindset than traditional fleet management. You’re not securing a dispatch center with some fancy screens. You’re securing a cyber-physical system where a misconfigured firewall rule or a compromised workstation could translate into real-world kinetic consequences.
This piece is for operators who are standing up AV deployments — whether public transit, logistics, or commercial shuttles — and need to understand what securing the operations hub actually looks like in practice.
The Operations Center Is Your Most Critical Attack Surface
Operators tend to focus security investments on the vehicles themselves: hardened onboard systems, encrypted V2X communications, tamper-resistant sensors. That’s necessary but insufficient. The operations center — what we called the Autonomous Innovation Center — is where adversaries can achieve the most impact with the least effort.
Think about what converges in that space:
- Real-time telemetry from every vehicle in your fleet
- Remote intervention capabilities (emergency stops, route modifications, speed adjustments)
- Passenger safety systems and communications
- Integration points with traffic management systems, transit authorities, and emergency services
- Maintenance and diagnostic systems with write access to vehicle software
An attacker who compromises your operations center doesn’t need to hack a vehicle. They can issue commands through legitimate channels. They can blind your operators by corrupting telemetry. They can create safety incidents by degrading the human-machine interface at critical moments.
When we assessed the AV infrastructure cybersecurity posture for the NAVI program, we mapped the operations center against MITRE ATT&CK for ICS. The framework’s focus on industrial control systems translates directly to AV operations: you’re dealing with the same patterns of manipulation of control (T0831), denial of control (T0813), and loss of view (T0829) that affect power grids and manufacturing plants. The difference is your “plant floor” is moving through public streets at 25 miles per hour.
Network Segmentation: More Than VLANs
Every security architect knows segmentation matters. Fewer understand how to implement it for AV operations, where you need both isolation and controlled data flow between segments that have very different trust levels.
We implemented a tiered architecture with four distinct security zones:
Zone 1 - Safety Critical: Vehicle command and control systems, emergency intervention capabilities, core fleet management. Air-gapped from corporate IT. Dedicated hardware. No internet connectivity whatsoever. Updates applied through a rigorous out-of-band process with cryptographic verification.
Zone 2 - Operational: Real-time monitoring dashboards, dispatch systems, passenger communications, integration with transit authority systems. Limited, tightly controlled connectivity to Zone 1 through protocol-specific firewalls that only permit defined message types. Think of it as an API gateway, but enforced at the network layer.
Zone 3 - Support: Maintenance workstations, diagnostic tools, software development and testing environments. Physically separated from Zones 1-2. Changes migrate through a controlled pipeline — never direct connectivity.
Zone 4 - Corporate: Standard IT systems, email, business applications. Completely isolated from operational zones. A compromised laptop in this zone cannot see operational traffic, let alone interact with it.
The segmentation isn’t just network ACLs. It’s enforced through physical separation where possible, dedicated switching infrastructure for critical zones, and continuous monitoring of cross-zone traffic patterns. When you see unexpected traffic between zones, that’s not a performance issue — that’s a potential indicator of compromise.
For Azure deployments supporting cloud-based fleet analytics, we implemented similar segmentation using Virtual Network peering with strict Network Security Groups, Azure Private Link for service connectivity, and Azure Firewall with application rules that only permit specific API calls between tiers. Don’t rely on the default “allow within VNet” posture — explicitly deny and then whitelist what you need.
Monitoring: Building Detection for Cyber-Physical Systems
Traditional IT security monitoring won’t catch adversary activity in AV operations. Yes, you need to detect malware, credential theft, and lateral movement. But you also need to detect anomalies that only make sense in the context of vehicle operations.
We built our detection capability in Rapid7 InsightIDR with custom detection rules specifically for the AV environment. Some examples:
Command integrity monitoring: Every command to the vehicle fleet gets logged with operator attribution. InsightIDR correlates commands against operator schedules, historical patterns, and physical badge access. An operator issuing commands while badged out of the building triggers an immediate alert.
Telemetry anomaly detection: Vehicles report position, speed, and system health at defined intervals. We baseline normal reporting patterns and alert on vehicles that stop reporting, report at unusual intervals, or report data that conflicts with known route geometries. A vehicle reporting it’s stationary while also reporting wheel speed isn’t a glitch — it’s potentially spoofed telemetry.
Configuration drift: Any change to firewall rules, routing tables, or system configurations in safety-critical zones generates an alert that requires explicit acknowledgment. No silent changes.
Integration with physical security: We correlate cybersecurity events with physical access control, CCTV motion detection in sensitive areas, and even environmental sensors. Someone accessing a network closet at 3 AM while simultaneously a maintenance workstation authenticates to the diagnostic network? That’s a red-team scenario, not coincidence.
The key insight is that autonomous vehicle operations security requires context-aware detection. A failed login attempt is routine. A failed login attempt to the fleet management system, from an unexpected IP, minutes after a physical access anomaly in the operations center, targeting a credential that was just added to a diagnostic group — that’s a kill chain in progress.
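Two of the context-aware rules described above, written out as an added illustration (my own code, not the program's InsightIDR rules): the badge-presence check on fleet commands and the physical-consistency and reporting-gap checks on telemetry, run over constructed sample events. The field names, operator and vehicle ids, and the 5-second reporting interval are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real NAVI data); timestamps are ISO-8601 strings.
BADGE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "operator": "op_alice", "event": "badge_in"},
    {"ts": "2024-05-01T11:30:00", "operator": "op_alice", "event": "badge_out"},
]
FLEET_COMMANDS = [
    {"ts": "2024-05-01T09:15:00", "operator": "op_alice", "vehicle": "av-07", "cmd": "speed_limit"},
    {"ts": "2024-05-01T11:45:00", "operator": "op_alice", "vehicle": "av-07", "cmd": "route_change"},
]
TELEMETRY = [
    {"ts": "2024-05-01T09:00:00", "vehicle": "av-07", "speed_kph": 0.0, "wheel_rpm": 0.0},
    {"ts": "2024-05-01T09:00:05", "vehicle": "av-07", "speed_kph": 0.0, "wheel_rpm": 180.0},
    {"ts": "2024-05-01T09:00:40", "vehicle": "av-07", "speed_kph": 22.0, "wheel_rpm": 190.0},
]

def _t(s):
    return datetime.fromisoformat(s)

def badged_in_at(operator, ts, badge_events):
    """Replay the operator's badge events up to ts; True if the last one was a badge_in."""
    inside = False
    for e in sorted(badge_events, key=lambda e: e["ts"]):
        if e["operator"] == operator and _t(e["ts"]) <= ts:
            inside = e["event"] == "badge_in"
    return inside

def commands_without_presence(commands, badge_events):
    """Command integrity rule: fleet commands attributed to an operator who is badged out."""
    return [c for c in commands
            if not badged_in_at(c["operator"], _t(c["ts"]), badge_events)]

def telemetry_anomalies(telemetry, interval_s=5, max_gap_factor=3):
    """Per-vehicle physical-consistency and reporting-gap rules; returns (vehicle, ts, rule) tuples."""
    alerts, by_vehicle = [], {}
    for r in sorted(telemetry, key=lambda r: r["ts"]):
        by_vehicle.setdefault(r["vehicle"], []).append(r)
    for vid, rows in by_vehicle.items():
        for i, cur in enumerate(rows):
            # Stationary vehicle reporting spinning wheels: physically inconsistent, possibly spoofed.
            if cur["speed_kph"] == 0.0 and cur["wheel_rpm"] > 0.0:
                alerts.append((vid, cur["ts"], "stationary_with_wheel_rpm"))
            # Silence far beyond the expected reporting interval: the vehicle stopped reporting.
            if i > 0 and _t(cur["ts"]) - _t(rows[i - 1]["ts"]) > timedelta(seconds=interval_s * max_gap_factor):
                alerts.append((vid, cur["ts"], "reporting_gap"))
    return alerts
```

In a SIEM these two rule families would be joined with the physical-access and configuration-drift events the section describes; here each returns its findings so they can be correlated downstream.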
Incident Response: When Minutes Matter
Incident response for AV operations carries a weight that IT security rarely faces. A ransomware attack on a corporate network is disruptive and expensive. A cyberattack that affects vehicle operations could endanger lives.
We developed our incident response playbooks with this asymmetry in mind, building on the NIST Cybersecurity Framework’s response and recovery functions but adding AV-specific considerations.
Immediate isolation protocols: Operators are trained and authorized to physically isolate safety-critical systems from the network with a single action — no waiting for approvals. Yes, this causes operational disruption. That’s acceptable when the alternative is loss of vehicle control.
Fail-safe vehicle behavior: If the operations center goes dark, vehicles default to a safe state (controlled stop, hazard lights, passenger notification). This isn’t cybersecurity per se — it’s system engineering — but your security team needs to understand and plan for it. Adversaries who know about this fail-safe might trigger it intentionally to cause mass disruption.
Evidence preservation that doesn’t delay response: We implemented forensic logging that captures full packet data for safety-critical zones, stored on write-once media. When an incident occurs, operators focus on containment and recovery; forensic analysis happens after, with complete data.
Coordination with external stakeholders: AV operations don’t exist in isolation. Your incident response plan needs to account for communication with transit authorities, traffic management, emergency services, and potentially federal agencies like TSA (for mass transit) or CISA (for critical infrastructure). These coordination channels should be established before you need them.
InsightConnect let us automate portions of the response — automatic evidence collection, stakeholder notification, ticket creation — while keeping humans in the loop for decisions that affect physical operations. Automation should accelerate response, not replace judgment.
Workforce and Physical Security: The Overlooked Layer
I’ve seen too many AV programs invest heavily in technical controls while ignoring the basics of personnel and physical security. Your operators have the ability to command vehicles. That makes them targets.
Background investigations for operations center staff should go beyond standard employment checks. Consider the criticality of the access they’re being granted. Establish clear policies for personal device usage, social media activity related to work, and reporting of suspicious contacts.
Physical security for the operations center should reflect its criticality. Multi-factor physical access, surveillance with monitoring, clean-desk policies, and visitor escort requirements are baseline. If your operations center has floor-to-ceiling glass windows facing a public street, you have a problem — shoulder surfing and visual intelligence collection are real threats.
Training should include not just security awareness but specific scenarios relevant to AV operations: what to do if you notice unusual vehicle behavior, how to recognize social engineering attempts targeting operational information, and when to escalate versus when to act immediately.
Bottom Line
Autonomous vehicle operations security is a discipline that borrows from IT security, OT security, and safety engineering — but isn’t identical to any of them. The operations center is your center of gravity: it’s where command authority resides, where data converges, and where adversaries can achieve disproportionate impact.
The operators who get this right implement defense in depth with genuine network segmentation, not just policy documents. They build monitoring capabilities that understand the context of vehicle operations, not just IT events. They plan for incidents with the urgency that cyber-physical consequences demand. And they remember that technology controls mean nothing without trained, vetted people operating within secure physical spaces.
AV infrastructure cybersecurity is still a maturing field. The frameworks exist — NIST, MITRE ATT&CK for ICS, the approaches developed for other cyber-physical systems — but applying them to autonomous vehicle operations requires translation and adaptation. The practitioners building these programs today are writing the playbook for an industry that’s only going to grow.
Get it right now, while the deployments are still manageable and the lessons learned can be institutionalized. The alternative — learning these lessons through a serious incident — is a price nobody wants to pay.