Freight Rail Security:

Actions Have Been Taken to Enhance Security, but the Federal Strategy Can Be Strengthened and Security Efforts Better Monitored

GAO-09-243: Published: Apr 21, 2009. Publicly Released: May 21, 2009.

Additional Materials:

Contact:

Stephen M. Lord
(202) 512-3404
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

An attack on the U.S. freight rail system could be catastrophic because rail cars carrying highly toxic materials often traverse densely populated urban areas. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) is the federal entity primarily responsible for securing freight rail. GAO was asked to assess the status of efforts to secure this system. This report discusses (1) stakeholder efforts to assess risks to the freight rail system and TSA's development of a risk-based security strategy; (2) actions stakeholders have taken to secure the system since 2001, TSA's efforts to monitor and assess their effectiveness, and any challenges to implementing future actions; and (3) the extent to which stakeholders have coordinated efforts. GAO reviewed documents, including TSA's freight rail strategic plan; conducted site visits to seven U.S. cities with significant rail operations involving hazardous materials; and interviewed federal and industry officials.

Federal and industry stakeholders have completed a range of actions to assess risks to freight rail since September 2001, and TSA has developed a security strategy; however, TSA's efforts have primarily focused on one threat, and its strategy does not fully address federal guidance or key characteristics of a successful national strategy. Specifically, TSA's efforts to assess vulnerabilities and potential consequences to freight rail have focused almost exclusively on rail shipments of certain highly toxic materials, in part, because of concerns about their security in transit and limited resources. However, other federal and industry assessments have identified additional potential security threats, including risks to critical infrastructure and cybersecurity. Although many stakeholders agreed with TSA's initial strategy, going forward TSA has agreed that including other identified threats in its freight rail security strategy is important, and reported that it is reconsidering its strategy to incorporate other threats. Additionally, in 2004, GAO reported that successful national strategies should identify performance measures with targets, among other elements. TSA's security strategy could be strengthened by including targets for three of its four performance measures and revising its approach for the other measure to ensure greater consistency in how performance results are quantified. Federal and industry stakeholders have also taken a range of actions to secure freight rail, many of which have focused on securing certain toxic material rail shipments and have been implemented by industry voluntarily; however, TSA lacks a mechanism to monitor security actions and evaluate their effectiveness, and new requirements could pose challenges for future security efforts. GAO's Standards for Internal Control in the Federal Government calls for controls to be designed to ensure ongoing monitoring. While the freight rail industry has taken actions to better secure shipments and key infrastructure, TSA has limited ability to assess the impacts of these actions because it lacks a mechanism to systematically track them and evaluate their effectiveness. Having such information could strengthen TSA's efforts to efficiently target its resources to where actions have not been effective. New, mandatory security planning and procedural requirements will also necessitate additional federal and industry efforts and resources, and may pose some implementation challenges for both federal and industry stakeholders. Federal and industry stakeholders have also taken a number of steps to coordinate their freight rail security efforts; however, federal coordination can be enhanced by more fully leveraging the resources of all relevant federal agencies. GAO previously identified a number of leading practices for effective coordination that could help TSA strengthen coordination with federal and private sector stakeholders.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To ensure that TSA is able to more effectively assess the progress being made in securing freight rail, DHS's Assistant Secretary for the Transportation Security Administration should balance future activities against the various security risks to freight rail, and use its and industry's resources in the most cost-effective manner, take steps to more fully track and assess the implementation and effectiveness of security actions being taken to secure freight rail.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: To address our recommendation that the Transportation Security Administration (TSA) take steps to more fully track and assess the implementation and effectiveness of security actions being taken to secure freight rail, TSA initiated various efforts, including developing a database that captures every security control point location where toxic inhalation hazard (TIH) rail cars were standing unattended in major cities. As we reported, TSA determined that TIH rail cars' vulnerability in major cities (identified as high threat urban areas or HTUAs) could be partially mitigated by freight rail operators (1) reducing the overall time that TIH spent in the major cities, or (2) having freight rail employees attend TIH cars while the cars were stopped in identified security control points. These security actions serve both as a deterrent to unauthorized activity and as a means to detect unauthorized access to TIH cars. TSA documented the extent to which freight rail operators implement these actions by deploying TSA Surface Transportation Inspectors to conduct field observations at security control points where TIH cars are stopped or held. In fiscal year 2012, TSA reported that inspectors conducted approximately 12,900 observations of TIH cars in 20 HTUAs. TSA's database shows the extent to which these actions have reduced risk posed by TIH cars in HTUAs. In conjunction with the observations, TSA's database identifies the extent to which freight rail operators have implemented two major security actions and also measures the relative risk reduction of the implementation of these security actions. For non-TIH threats to freight rail, TSA officials now assess the security of freight rail bridges and tunnels using a similar type of methodology to its HTUA TIH reviews and are tracking railroad actions taken as a result of these assessments, including the extent to which they reduce vulnerability to the infrastructure. TSA's infrastructure assessment includes descriptions of security actions taken by the freight rail company, a discussion of the sufficiency of these security actions, and any recommended actions that would mitigate the risk to the bridge. According to TSA officials, as of March 2013, TSA completed vulnerability assessments of 217 freight rail bridges and 69 freight rail tunnels. Because these assessments include compilations of security actions and recommendations that can be used to identify potential improvements to security if the agency determines the need to arise, we believe that TSA's efforts address the recommendation and are therefore closing it as implemented.

    Recommendation: To ensure that TSA is consistently and accurately measuring agency and industry performance in reducing the risk associated with TIH rail shipments in major cities, DHS's Assistant Secretary for the Transportation Security Administration should take steps to revise the baseline year associated with its TIH risk reduction performance measure to enable the agency to more accurately report results for this measure.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In April 2009, we reported that the Transportation Security Administration's (TSA) had limited ability to measure the impact of federal and industry efforts on achieving the agency's key performance measure for the freight rail security program because the agency was unable to obtain critical data necessary to consistently measure results. Specifically, TSA's key performance measure for its freight rail security program was to reduce the cumulative risk of the shipment of toxic inhalation hazards (TIH) by 81 percent by the end of 2013. To measure its progress, TSA collects risk data in major U.S. cities and compares it with the same data from preceding years. However, when establishing the measure, TSA was unable to obtain key data necessary to accurately measure some data for its baseline year of mid-2005 to mid-2006. As a result, in 2007, TSA developed a general estimate for this missing data using its and industry's expert judgment and inserted this data estimate into its calculation of risk. We reported that there were questions regarding the validity and appropriateness of applying a uniform estimate of risk to all locations because of the wide variances in this data that TSA found during subsequent years. Therefore, we believed the accuracy of TSA's uniform estimate and the associated percent of cumulative reduction in risk that TSA reported as being achieved was uncertain. However, since 2007, TSA has been able to collect more relevant, accurate, and timely TIH risk data and we recommended that TSA take steps to revise the baseline year associated with its TIH risk reduction measure to enable the agency to report results more accurately. In response to our recommendation, TSA included a disclaimer in its 2010 Transportation Systems Sector Security Plan Freight Rail Security Modal Annex, which described the limitations in the baseline data used to measure the risk associated with TIH rail shipments. In addition, TSA reported that the TIH annual risk reduction goal would be 10 percent each year using the previous year's risk measurement as a baseline. Further, in 2012 TSA documented that its cumulative goal for TIH rail risk reduction would be measured with 2009 as the baseline measure. Through these changes, TSA will be able to more accurately and reliably measure progress in reducing the risk that TIH rail shipments pose throughout the United States where these shipments have the most risk. This recommendation is therefore closed as implemented.

    Recommendation: To better ensure that relevant federal and industry partners effectively leverage their resources to achieve the strategic vision of TSA's Freight Rail Modal Annex, DHS's Assistant Secretary for the Transportation Security Administration should ensure that future updates to TSA's annex more comprehensively address factors contained in Executive Order 13416 and identified key characteristics of a successful national strategy, including (1) describing the methodology used to develop the strategy and which organizations and entities contributed to its development; (2) more clearly defining federal and industry roles and responsibilities; (3) ensuring that performance measures have defined targets and are linked to fulfilling goals and objectives; (4) more systematically addressing specific milestones for completing activities and measuring progress toward meeting identified goals; (5) more thoroughly identifying the resources and investments required to implement the strategy, including priorities for allocating future grants; and (6) more comprehensively identifying linkages with other developed strategies, such as those that guide DHS IP, whose responsibilities overlap with TSA for protecting freight rail critical infrastructure.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In 2009, we reported that the Transportation Security Administration's (TSA) strategic priorities for securing freight contained some information that is consistent with our prior work on characteristics of a successful national strategy and that is called for in executive requirements. However, these strategic priorities lacked other information that if incorporated, could strengthen the strategy. Specifically, we found that TSA's Freight Rail Model Annex (Annex), which was developed in 2007 as a part of the Transportation Sector Specific Plan (TSSP), could more fully address factors contained in Executive Order 13416 and GAO-identified key characteristics of a successful national strategy. More fully addressing these key characteristics could assist TSA in further developing and strengthening the Annex. These efforts could also enhance the strategy's usefulness in resource and policy decisions to better ensure accountability by making decision making more transparent and comprehensive. To this end, we recommended that TSA's future updates to the Annex more comprehensively address factors contained in Executive Order 13416 and identified key characteristics of a successful national strategy, including (1) describing the methodology used to develop the strategy and which organizations and entities contributed to its development; (2) more clearly defining federal and industry roles and responsibilities; (3) ensuring that performance measures have defined targets and are linked to fulfilling goals and objectives; (4) more systematically addressing specific milestones for completing activities and measuring progress toward meeting identified goals; (5) more thoroughly identifying the resources and investments required to implement the strategy, including priorities for allocating future grants; and (6) more comprehensively identifying linkages with other developed strategies. In response to our recommendation, TSA stated that the updated Annex issued in 2010 incorporates the elements of our recommendation, and in 2012, TSA provided analytical documents that described how its 2010 Annex addressed the elements we previously recommended and where the previous freight rail security strategy document was improved. For example, TSA's 2010 Annex discusses the general roles of federal and industry stakeholders and discusses changes to the Annex pertaining to roles and responsibilities of federal and industry stakeholders. The Annex also discusses specific monies DHS granted to freight rail stakeholders, with priorities for receiving grants, and included a section discussing resources and investments to implement the strategy, as well as priorities. In addition, TSA provided information defining targets for its performance measure, which TSA linked to its objectives and goals of the TSSP. Based on our analysis and TSA's documentation, we believe TSA has sufficiently incorporated the elements contained in Executive Order 13416 and identified key characteristics into its strategy. Therefore, we are closing this recommendation as implemented.

    Recommendation: To ensure that the federal strategy to secure the freight rail system is comprehensive and considers a wider range of risk information, DHS's Assistant Secretary for the Transportation Security Administration should develop a plan for addressing identified security threats to freight rail other than Toxic Inhalation (TIH), such as destruction of or sabotage to freight rail bridges and tunnels and cyberattacks to the rail system, and incorporate this information and other related strategic updates into TSA's Freight Rail Modal Annex. As part of this effort, further evaluate methods for estimating the likelihood of various threats occurring and ensure that this information is also considered when developing future risk assessments and strategic updates.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In response to our recommendation that the Transportation Security Administration (TSA) develop a plan for addressing security threats to freight rail other than Toxic Inhalant Hazard (TIH) chemicals, such as the destruction of or sabotage to freight rail bridges and tunnels or cyber attacks to the rail system, TSA has taken several actions. Specifically, TSA developed a Critical Infrastructure Risk Tool for measuring the criticality and vulnerability of freight railroad bridges, and coordinated development of the tool with Class 1 rail carriers. TSA formally introduced the tool to the rail industry at a Department of Homeland Security I-step workshop in October 2009, and since then has conducted assessments of numerous freight rail bridges throughout the United States. In addition, TSA is also taking steps to address the risk of cyber attacks to the rail system and has developed a TSA cyber risk team, (Cyber Security Awareness Outreach Team), which is working with the rail industry at quarterly I-Step meetings and has used the Freight Rail Sector Coordinating Council (FRSCC) meetings to collaborate on cyber security, including the sharing of information, with rail carriers and other industry stakeholders. As part of this effort, we also recommended that TSA further evaluate methods for estimating the likelihood of various threats occurring and ensure that this information is also considered when developing future risk assessments and strategic updates. To address this, TSA issued the Transportation Sector Security Risk Assessment (TSSRA) on June 30, 2010, which defines and quantitatively weighs various security threats among the transportation modes, including freight rail. Specifically, the TSSRA states that Threat (T) is defined as the likelihood that an attacker will attempt a particular attack scenario, given the intent and capability of the attacker. Intent (I) is defined as the likelihood that an adversary will choose a given attack scenario once they are committed to an attack; and Capability (C) is defined as the likelihood that an adversary will have the resources and skills to undertake a given attack scenario within a defined time frame. The TSSRA uses this formula to provide the estimated likelihood of various threats occurring in the freight rail mode. This recommendation is therefore closed as implemented.

    Recommendation: To better ensure that federal agencies are coordinating as effectively as possible, work with federal partners, such as Department of Homeland Security Office of Infrastructure Protection (DHS IP) and Federal Railroad Administration (FRA), DHS's Assistant Secretary for the Transportation Security Administration should ensure that all relevant assessments and information are shared and TSA and FRA field inspector resources are fully leveraged.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: TSA has taken several steps to better ensure federal agencies are coordinating as effectively as possible, including ensuring relevant assessments and information are shared and TSA and FRA field inspector resources are leveraged. Specifically, TSA, prior to assessing a railroad bridge will now obtain any prior DHS Infrastructure Protection (IP) assessments of the same bridge in order to fully leverage relevant information and analysis before conducting their own assessment, which TSA said has helped them expedite their assessments in some cases. In addition, in 2012, TSA and DHS IP signed an Information Sharing and Access Agreement (ISAA) to define the roles and responsibilities of IP and TSA in collaboratively sharing specific transportation sector-related risk information, including threat, vulnerability, and consequence assessment reports, Site Assistance Visit (SAV) reports, Man-Portable Air Defense Systems (MANPADS), and Corporate Security Reviews (CSR), among other things. TSA officials told us they also assessed the degree to which obtaining FRA inspection data would be useful, but decided after looking at FRA's data that it is unrelated to TSA's mission because it is so heavily focused on safety as opposed to security. As a result, TSA decided not to obtain FRA data on a scheduled basis. However, TSA has extended an open invitation to the FRA to attend future Corporate Security Reviews (CSRs) and FRA extended an invitation to TSA to participate in their reviews. TSA also agreed to set up introductory meetings between FRA's Regional Safety Operation Managers (RSOMs) and TSA's Regional Security Inspectors. In addition, TSA and select members of the Freight Rail Government Coordinating Council (FR GCC), including Federal Railroad Administration (FRA) and Department of Homeland Security infrastructure Protection (DHS-IP), met to discuss our recommendation, and as a result, created a FR GCC Information Sharing Subgroup, which aims to ensure relevant inspections and assessments are shared between FRA and TSA inspectors. In addition, TSA said they have also given several unclassified and classified threat briefings to the American Association of Railroads (AAR) and various rail carriers, and are also working with industry to develop cyber vulnerability assessments tools. Moreover, TSA, through DHS's Intermodal Security Training and Exercise Program (I-STEP), has held tabletop exercises to test plans and procedures for communication and information sharing between federal, state, and local government stakeholders and Class 1 Railroad owner/operators, local short line railroads, passenger rail, and industry organizations in preventing a railroad transportation security incident. This recommendation is therefore closed as implemented.

    Apr 18, 2014

    Apr 8, 2014

    Feb 28, 2014

    Feb 12, 2014

    Feb 5, 2014

    Feb 3, 2014

    Jan 31, 2014

    Jan 16, 2014

    Looking for more? Browse all our products here