A Government Accountability Office (GAO) review has found that the Transportation Security Administration (TSA) may be risking rail passenger safety by failing to engage with other surface transportation stakeholders.
Recent attacks in the U.S. and Europe highlight the importance of strengthening and securing rail systems around the world. In addition, cyber attacks, such as those that affected San Francisco’s mass transit system in 2016 and Deutsche Bahn in Germany in 2017, as well as derailment attempts in Germany in 2018, demonstrate the evolving nature of the threat to passenger rail.
GAO’s review focused on how TSA works with U.S. and foreign transit and security officials and others to identify and share security standards and practices.
TSA assesses passenger rail risks through the Transportation Sector Security Risk Assessment, the Baseline Assessment for Security Enhancement (BASE), and threat assessments. The risk assessment is used to evaluate threat, vulnerability, and consequence for attack scenarios across various transportation modes. TSA surface inspectors use the baseline assessment, a voluntary security review for mass transit, passenger rail, and highway systems, to address potential vulnerabilities and share best practices, among other things.
GAO’s April 3 report said TSA works with U.S. stakeholders to identify security standards and key practices and identifies foreign standards and practices through multilateral and bilateral exchanges. However, GAO added that TSA Representatives (TSARs), the primary overseas point of contact for transportation security matters, lack specific guidance on foreign rail stakeholder engagement. “As a result, TSA is less likely to be fully aware of key practices in other countries, such as station security guidance.”
Various stakeholders often engage in action days such as Active Shield, organized by RAILPOL – the European Association of Organizations responsible for policing the railways in Europe. This coordinated action, which took place in eight countries in January 2020, involved a series of checks on high-speed and international rail, with the aim of identifying passengers and, where necessary, checking their baggage to prevent threats. During Active Shield, 3,420 police officers performed 14,244 checks on persons and checked 3,725 items of baggage. In addition, 131 luggage shops and 291 automatic lockers were checked with detection equipment and canine teams. Lessons learned from such action days could be of significant value to TSA operations.
TSA concurred with GAO’s recommendation to ensure that the TSAR Regional Operational Implementation Plans include guidance on how TSARs are to engage with foreign surface transportation stakeholders, including passenger rail stakeholders. TSA said it plans to draft a new Operational Implementation Plan, which will provide guidance to TSARs for engaging with foreign surface transportation stakeholders, including in passenger rail security.
TSA shares standards and key practices with stakeholders, including those related to cybersecurity, through various mechanisms including BASE reviews; however, GAO found this assessment does not fully reflect current industry cybersecurity standards and key practices. For example, it does not include any questions related to two of the five functions outlined in the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework—specifically the Detect and Recover functions.
GAO therefore recommended that TSA update the BASE questions to align more closely with this framework in order to better assist passenger rail operators in identifying current key practices for detecting intrusion and recovering from incidents. TSA concurred and says it plans to update BASE to reflect the NIST framework by September 30, 2020.
The review also looked into TSA’s work with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) concerning transportation cybersecurity.
TSA and CISA are currently collaborating or planning to collaborate on several cybersecurity assessments for passenger rail systems, including a cyber risk assessment for passenger rail cars and a cyber assessment of the mass transit and passenger rail mode.
CISA officials also told GAO that TSA, DHS’s Science and Technology Directorate, and CISA’s National Risk Management Center are in early phases of developing a cyber risk assessment for select passenger rail cars that they plan to produce in fiscal year 2020. CISA officials stated that they intend to address cyber vulnerability in the rail car assessments and plan to reach out to operators to discuss results.
TSA and CISA also are considering a mass transit and passenger rail cyber assessment similar to one being developed for the pipeline mode. CISA officials stated that the planned pipeline assessment effort will include a total of 10 Validated Architecture Design Review assessments, in which TSA will help make arrangements with industry and will observe the process. Expanding this effort to include passenger rail would depend on CISA’s availability to conduct assessments and balance demands in other sectors. When the GAO review enquired, CISA officials noted that they currently do not have the resources to support a similar plan for rail.
Cyber defense activities in other countries that TSA may not be fully utilising include the U.K. approach intended to help the rail industry reduce vulnerability to cyberattack. The approach includes identifying all components that need patches or updates, and it recommends separating networks used for train control and signals from networks passengers may use. Here, the U.K. is making good use of U.S. expertise as it encourages the use of the NIST Cybersecurity Framework in U.K. companies that operate critical infrastructure.
Although the gap between airport and rail security is not as extreme as it once was, there is still room for improvement, both in federal engagement with other countries to learn and train in different techniques and in working more closely with rail operators and industry in the U.S. to create a cohesive defense against physical and cyber attacks.