Passenger Rail Security: TSA Engages with Stakeholders but Could Better Identify and Share Standards and Key Practices

GAO-20-404 Published: Apr 03, 2020. Publicly Released: Apr 03, 2020.

Fast Facts

Recent attacks in the U.S. and Europe highlight the importance of strengthening and securing rail systems around the world.

Among other things, we looked at how the U.S. Transportation Security Administration works with U.S. and foreign transit and security officials and others to identify and share security standards and practices.

TSA may not be fully aware of key rail security practices abroad that can keep passengers safe. TSA could also engage more consistently with foreign surface transportation stakeholders.

We made 2 recommendations, including that TSA provide better guidance for those who serve as its primary overseas representatives.

Paddington Station, London

Highlights

What GAO Found

The Transportation Security Administration (TSA) assesses passenger rail risks through the Transportation Sector Security Risk Assessment, the Baseline Assessment for Security Enhancement (BASE), and threat assessments. TSA uses the risk assessment to evaluate threat, vulnerability, and consequence for attack scenarios across various transportation modes. TSA surface inspectors use the baseline assessment, a voluntary security review for mass transit, passenger rail, and highway systems, to address potential vulnerabilities and share best practices, among other things.

TSA works with U.S. stakeholders to identify security standards and key practices and identifies foreign standards and practices through multilateral and bilateral exchanges. However, TSA Representatives (TSARs), the primary overseas point of contact for transportation security matters, lack specific guidance on foreign rail stakeholder engagement. As a result, TSA is less likely to be fully aware of key practices in other countries, such as station security guidance. Specific guidance would provide TSARs with clear expectations and encourage more consistent engagement with foreign rail stakeholders.

Examples of Security Key Practices Cited by Passenger Rail Stakeholders

Public Awareness Campaign: Emphasize security awareness
Canine Units: Detection of vapor from explosives

TSA shares standards and key practices with stakeholders, including those related to cybersecurity, through various mechanisms including BASE reviews; however, this assessment does not fully reflect current industry cybersecurity standards and key practices. For example, it does not include any questions related to two of the five functions outlined in the National Institute of Standards and Technology's Cybersecurity Framework—specifically the Detect and Recover functions. Updating the BASE questions to align more closely with this framework would better assist passenger rail operators in identifying current key practices for detecting intrusion and recovering from incidents.

Why GAO Did This Study

Recent physical and cyberattacks on rail systems in U.S. and foreign cities highlight the importance of strengthening and securing passenger rail systems around the world. TSA is the primary federal agency responsible for securing transportation in the United States.

GAO was asked to review TSA's efforts to assess passenger rail risk, as well as its role in identifying and sharing security standards and key practices. This report addresses (1) TSA's efforts to assess risk; (2) the extent to which TSA works with U.S. and foreign passenger rail stakeholders to identify security standards and key practices; and (3) the extent to which TSA shares passenger rail security standards and key practices with stakeholders.

GAO analyzed TSA risk assessments from fiscal years 2015 through 2019 and reviewed TSA program documents and guidance. GAO interviewed officials from TSA, and from seven domestic rail agencies, three foreign rail agencies, and two foreign government agencies. The results from these interviews are not generalizable but provide perspectives on topics in this review.

Recommendations

GAO is making two recommendations: (1) that TSA update TSAR guidance to include engaging with foreign passenger rail stakeholders; and (2) that TSA update the BASE cybersecurity questions to ensure they reflect key practices. DHS concurred with both recommendations.

Recommendations for Executive Action

Agency Affected: Transportation Security Administration
Recommendation: The TSA Administrator should ensure that the TSAR Regional Operational Implementation Plans include guidance on how TSARs are to engage with foreign surface transportation stakeholders, including passenger rail stakeholders. (Recommendation 1)
Status: Closed – Implemented
We found that while the Transportation Security Administration (TSA) worked to identify foreign passenger rail security standards and key practices through multilateral and bilateral exchanges, TSA Representatives (TSARs), the primary overseas point of contact for transportation security matters, lacked guidance on foreign rail stakeholder engagement. As a result, we recommended that the TSA Administrator ensure that the TSAR Regional Operational Implementation Plans include guidance on how TSARs are to engage with foreign surface transportation stakeholders, including passenger rail stakeholders. In September 2020, TSA updated its Operational Implementation Plan, which provides the framework for the TSAR Regional Implementation Plans, to include guidance to TSARs for engaging with international stakeholders on global security initiatives, including surface transportation and passenger rail security. TSA further updated its Regional Operational Implementation Plans to include guidance on engaging with international rail stakeholders. These actions are consistent with our recommendation and this updated guidance should improve TSA's ability to identify and share passenger rail security information with international stakeholders. Therefore, we are closing this recommendation as implemented.

Agency Affected: Transportation Security Administration
Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)
Status: Closed – Implemented
We found that the Transportation Security Administration's (TSA) Baseline Assessment for Security Enhancement (BASE) template did not fully reflect current industry cybersecurity standards and key practices. We recommended that TSA update cybersecurity questions in the BASE template to align more closely with the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, including the Detect and Recover functions. In response to this recommendation, TSA reported that it convened a working group to review the cybersecurity section of the Mass Transit and Passenger Rail BASE template. The group revised the section to include 82 new questions which incorporate all of the core functions of the NIST Framework, including the Detect and Recover functions. TSA's Assistant Administrator for Surface Operations approved the new questions in September 2020. In August 2021, to comply with the Paperwork Reduction Act, TSA published a notice of the proposed changes to the BASE in the Federal Register. The Office of Management and Budget (OMB) approved the BASE changes in March 2022. In February 2023, TSA reported that cybersecurity training for Surface Inspectors was underway. TSA also included the revised BASE with the new cybersecurity questions as part of the fiscal year 2023 Surface Operations work plan requirements. These actions meet the intent of our recommendation and incorporate cybersecurity standards and key practices into TSA assessment efforts.
