Some bad actors want to target rail systems, especially the hazardous materials freight rail network. This threat underscores the need for the rail transportation industry to maintain and strengthen partnerships with federal, state, and local authorities. Securing over 140,000 miles of infrastructure poses difficult challenges. For example, the U.S. rail system moves over 1.8 billion tons originated per year of freight, petroleum, chemicals, and military assets, making it a vital lifeline. A recent roundtable of government and private sector experts examined current issues and progress on this important topic.
Analysis of terrorist attack and plot trends targeting transportation infrastructure in developed countries demonstrates a growing interest in rail systems. Over the past 13 years, European rail system infrastructure has been the increasing focus of successful terrorist attacks, failed attempts, and disrupted plots. Examples include:
- The March 2016 suicide bombing on board a metro train at a station in the center of Brussels, Belgium, part of a coordinated operation that targeted the city’s international airport, killed 32 people and wounded more than 300 others;
- The March 2010 coordinated suicide bombings in the Moscow, Russia, subway killed 40 and injured more than 100;
- The July 2005 coordinated suicide bombings on three underground trains and a double decker bus in London, UK, public transport killed 52 people and injured over 700 more;
- The March 2004 coordinated bombings over a period of about four minutes on four commuter trains operating on the same line in Madrid, Spain, killed 192 people and injured over 1,800 others.
Noteworthy terrorist failures include the September 2017 attempt to detonate an improvised explosive device on board a London Underground train at Parsons Green station and the attempt to execute a mass shooting on board a high-speed train operating in northeastern France in August 2015. In the United States, numerous plots envisioning attacks on domestic rail systems have been disrupted, the most advanced being a plan to detonate suicide explosives on board New York City subway trains foiled in September 2009. More recently, a plot to target a VIA Rail passenger train in the Toronto, Canada, area during the September 2012 to April 2013 period was disrupted by the combined efforts of a joint investigation. The Royal Canadian Mounted Police and the Federal Bureau of Investigation (FBI) monitored the two main plotters and the timely reporting of pre-attack surveillance observed by a conductor on a passing train operating on the targeted rail line.
Certainly, the interest of terrorist groups in targeting rail systems has persisted. In August 2017, al-Qaida published issue 17 of its Inspire online publication that focused on inciting attacks against both passenger and freight rail systems in the United States and Europe. On 10 October 2017, Domestic Preparedness moderated a roundtable discussion entitled “Emerging Threats to Freight Rail Infrastructure.” The panel was comprised of distinguished speakers representing a broad range of stakeholders in the freight rail transportation sector. Representatives from the following agencies and organizations contributed to this discussion on emerging threats and mitigation strategies in the freight rail transportation sector: Transportation Security Administration (TSA), Threat Analysis Division; TSA, Office of Security Policy and Industry Engagement; the FBI’s Rail Security Program; the U.S. Department of Defense (DoD) TRANSCOM; National Protection and Preparedness Directorate (NPPD), Protective Security Coordination Division; Amtrak Police, Criminal Intelligence Unit; the Association of American Railroads (AAR); and the Secure Technology Alliance. Many interesting and relevant points were discussed during this important roundtable event.
Holistic Perspectives on Threat Mitigation
The panel acknowledged that, although the trends in terrorists’ actions and priorities continuously evolve, so too do integrated measures to disrupt, detect, and mitigate threats to the freight rail industry. Recent events indicate a terrorist focus on the rail sector, but one that predominantly targets passenger and commuter rail systems. Attacks such as the 2017 Parsons Green bombing in London and the 2016 Brussels bombings targeted urban commuter rail infrastructure during peak hours. TSA’s officials made clear that the risks of attack on the freight rail sector are low. The FBI pointed out that their investigative activities still include cargo thefts by criminal actors and gangs, as well as disruptive activities targeting freight rail by environmental activists. The panel identified cyberthreats as an emerging challenge, a common public and private sector threat across customer-facing, business, and operational systems.
The panelists agreed that defeating every threat is practically unattainable. However, disrupting plots and creating difficult environments that thwart attacks are key elements of a shared strategy for narrowing risks. It was pointed out during the discussion that, if some of the early indicators of the Parsons Green and Brussels attacks as well as other successful terrorist operations against passenger trains and stations had been recognized, reported, and acted upon, these plots may have been disrupted before the attacks were launched. According to a 16 September 2017 BBC news report, London’s Metropolitan Police commissioner, Cressida Dick, stated that police had interdicted six “significant plots” in the months leading up to the Parsons Green attack. A shared challenge across the rail sector is recognition and early identification of threat indicators.
The TSA and FBI both noted that public and private stakeholders in the rail industry work closely together in developing broad understandings of threat indicators. TSA’s Threat Analysis Division assesses data collected from a wide array of sources, domestically and abroad, to produce threat analysis products that are disseminated to stakeholders in both the public sector and throughout the rail industry in the United States and Canada. Although the discussion panel included representation from many organizations, the panelists knew one another well. Many panelists stated that they talk with one another on a daily basis.
Strength in Partnerships
Developing and maintaining a holistic threat understanding requires constant coordination among the stakeholders, both internal within government and external with the private sector. Thriving partnerships share certain common goals and understandings that weather the test of time. The 9/11 attacks caused significant economic impact across several levels of the aviation industry as well as disrupting many nation-state economies. For both public and private sectors, a unifying common thread is the shared understanding of economic consequences of terrorist plots that target critical infrastructure.
In the rail sector, the railroad police agencies have a long history of working with local public sector police agencies in investigating cargo thefts and rail asset vandalism. Today there is close interaction among federal, local, and railroad agencies, with the FBI’s Rail Security Program and their local field offices taking a proactive role. The FBI frequently supports local law enforcement and railroad police agencies in nonterrorist criminal matters with intelligence and investigative support.
State, local, federal, and railroad partnerships are strengthened through a national network of local-based task forces, such as the FBI-led Joint Terrorism Task Forces (JTTFs). There are over 80 JTTFs nationwide, and their law enforcement representation includes railroad police in many locations.
The Association of American Railroads (AAR) is a nonprofit industry group representing the Class I freight railroads, Amtrak, and some regional railroads. The AAR emphasized how strongly the railroads collaborate with their federal and local government partners. The AAR member railroads have a long history of working with state and local first responders on both safety and security matters. Within the freight railroad industry, AAR leads its members in developing and maintaining unified security plans that are current and inclusive. The AAR unified security plan model focuses on five key areas: (1) train operations, (2) critical infrastructure, (3) hazardous materials, (4) military transport, and (5) cyber and communications. In implementing the plan, the AAR serves as the security information center for the railroad industry and facilitates joint preparedness exercises involving railroads and government officials across the United States and Canada. These regular, recurrent, structured exercises are designed to place plans and procedures under stress in realistic terrorism and cyberthreat incident scenarios, develop lessons learned in areas for improvement, and apply those lessons to strengthen future capacities for all participating organizations.
Relationships among federal, state, local, and tribal government agencies are stronger through the establishment of intergovernmental points of contact across jurisdictions. The growth of state and locally operated fusion centers has generated a network of intergovernmental collaboration. Because the centers operate under a National Network of Fusion Centers with unifying guidelines, intelligence, advisories, and lessons learned are rapidly and securely communicated. Private sector representatives with proper clearances and bona fide “need to know” are integrated into the National Network of Fusion Centers.
The Rail Sector Coordinating Council, stemming from the National Infrastructure Protection Plan, is the rail industry’s principal liaison forum for coordination between the railroads, stakeholder organizations, and the government. An important coordination strategy for AAR members is to achieve the goals of the National Infrastructure Protection Plan and sector-specific plans by proactively and collaboratively planning, training, exercising, sharing information, and assessing capacities against risks. The railroad industry supports the threat awareness of fusion centers through sharing of advisories on matters pertaining to terrorism, cyberthreats, and measures to mitigate risk.
The U.S. Department of Homeland Security’s (DHS) Protective Security Coordination Division fields Protective Security Advisors (PSAs) across the country to engage the 16 critical infrastructure sectors, which include the Freight Rail sub-sector. The PSAs’ primary mission is to protect critical infrastructure. The five mission areas are: (1) plan, coordinate, and conduct security surveys and assessments; (2) plan and conduct outreach activities; (3) support National Special Security Events and Special Event Activity Rating Level I and II events; (4) respond to incidents; and (5) coordinate and support improvised explosive device awareness and risk mitigation training. PSAs are security subject matter experts who engage with state, local, tribal, and territorial government mission partners and members of the private sector stakeholder community to protect the nation’s critical infrastructure. PSAs serve as regional DHS critical infrastructure security specialists, providing a local perspective to and supporting the development of the national risk picture by identifying, assessing, monitoring, and minimizing risk to critical infrastructure at the regional, state, and local levels.
In addition, there is a network of railway enthusiasts, called “rail buffs,” who make a recreational hobby out of observing and noting railroad activity. Many rail buffs are well known to railway engineers and workers, some even on a first-name basis. These rail buffs tend to be very familiar with their railway areas of interest and can easily spot suspicious behavior or activity. The rail buff network is loosely connected through the Railfan Network. Local railroad and law enforcement collaboration with rail buffs is an example of grassroots connectivity.
A collaboration challenge for some organizations is continuity of principal points of contact. For some agencies and organizations, personnel assigned to key collaborative positions change every few years. Relationships are built over time and, when personnel change with promotions or reassignments, it can be disruptive. At the very least, a degree of institutional knowledge and expertise needs to be re-learned. This matter tends to be more of an issue with some of the federal agencies than local and railroad organizations.
Through the network of government, private, and citizen collaboration around the freight rail industry, terrorists’ ability to prepare an attack is made more difficult, takes longer, and carries a much greater risk of detection and interdiction. Collaborative success is demonstrated in the high volume of thwarted terrorist plots in recent years.
State of Rail Sector Information Sharing
Networks of collaboration are only useful and sustainable if they provide value to the network stakeholders. Meaningful information sharing – distilled from data and intelligence analysis – is critical to keeping ahead of evolving terrorist threats. Within the federal agencies, there are verticals of information sharing between agency headquarters and the agency’s field personnel. More important is the information flow that spans across agencies and includes private sector stakeholders.
The federal agencies with responsibilities for freight rail security today are closely integrated in sharing information across common networks and direct collaborative relationships. For example, the FBI information-sharing network goes beyond headquarters to the field, as the FBI oversees 84 JTTFs with representation across numerous federal, state, and local agencies. The FBI’s Rail Security Program engages with railroads and other federal agencies at various levels, with multilateral information sharing. The FBI and TSA also collaborate with trusted international partner countries drawing on intelligence, incident analysis, and lessons learned. Collectively, the network of public and private information analysis, intelligence development, and sharing improves stakeholder threat awareness.
Agency and private sector information sharing takes many forms. The joint government-industry coordinated Rail Intelligence Working Group (RIWG) is an example of public and private sector collaboration in action for information sharing. The group is comprised of representatives from the FBI, TSA, Amtrak, the American Public Transportation Association, and AAR – a partnership that remains unique across critical infrastructure sectors. Recently, the RIWG analyzed the video and the August 2017 Inspire edition. These materials urged supporters to target trains, particularly emphasizing a so-called “Train Derail Operation” with lengthy instructions on building a “homemade derail device” for this purpose. The RIWG developed and disseminated informational awareness advisories through various rail industry and public sector networks, including the AAR’s Railway Alert Network. These materials highlighted both the complexities of the actions advocated and the lack of understanding reflected in the magazine articles of the rail transportation system and its safety and security capacities. This cooperative effort reflects a joint commitment to sharing timely and useful security information across government and industry for security enhancement.
Complementing this work, the AAR publishes the Rail Awareness Daily Analytic Report (RADAR) as well as focused awareness advisories through the Railway Alert Network, keeping railroad and government stakeholders continuously informed on matters of relevance to rail security. Similarly, both TSA and the U.S. Department of Transportation produce and disseminate informational, intelligence, and alert products. Recipients of the governmental and Railway Alert Network products include officials with numerous federal agencies in the United States and Canada, state and regional fusion centers in the United States, and law enforcement and physical and cybersecurity leads for freight and passenger railroads in the United States and Canada.
The FBI’s Tripwire Program has proven highly effective as a means for actionable information sharing. Described as “See Something, Say Something with focus,” the Tripwire Program educates industry stakeholders on key trends and potential indicators of criminal terrorist preparation. Stakeholders are encouraged to report any suspicious activity with relevant details to local law enforcement or the FBI Field Office. The FBI conducts a structured assessment of Tripwire reports, some of which have led to preliminary investigations with a few resulting in criminal investigations and prosecution before planned attacks materialized.
Effective rail industry-centric information management ensures that priorities are aligned, and timely action is taken, in a concerted effort to create conditions to prevent bad outcomes. AAR pointed out three elements of the railroad industry’s security strategy. First, understand that prevention is attainable. Second, worry less about what is not known and learn what can be known as thoroughly as possible. Third, avoid self-inflicted wounds through actions that ease adversaries’ ability to achieve their disruptive, destructive, and even lethal purposes. Gaining continuous situational awareness from reporting by railroad operators while providing these operators with relevant threat intelligence and related security information is advantageous for developing a results-oriented preventive posture.
Through effective information sharing that creates a climate of relevant awareness and response, threats can be either blunted or significantly mitigated in potential effects. AAR also stressed the need to ensure that information-sharing structures avoid inadvertently facilitating the preparation of criminals and terrorists. Rail operations and security information must be shared only with those who have a valid need to know. Government information-sharing networks are only accessible by credentialed personnel who have been vetted and meet agency standards for physical and logical access to systems and information. Similarly, railroads control access to security information received from all sources.
Cyberthreats, vulnerabilities, and attacks are increasing. Threats and attacks are focusing on public-facing, business, and operational enterprise systems and devices, including person and nonperson transactions, personal and support staff, and third-party vendors and service providers. The continued expansion of the internet of things and smart connected transactions are creating new and ever-increasing exploitation opportunities. These threats have implications for the freight rail infrastructure, especially given the evolution and integration between rail operation and business enterprise systems, in addition to known ICS/SCADA weaknesses and vulnerabilities.
Public and private sector leaders are working together to address this threat. Cybersecurity is the fastest growing focus of railroads, government agencies, and DoD. DoD’s reliance on commercial rail infrastructure has been long established. Today, DoD TRANSCOM’s surface deployment mission is supported in large part by commercial railroads. DoD’s rail deployments are closely synchronized with mission commands and the railroad industry, where movement information must be secure. Currently, DoD is working with the Critical Infrastructure Resilience Institute, a DHS Science and Technology center of excellence operated by the University of Illinois at Urbana-Champaign, to develop a refined cyberrisk scoring metric.
Similarly, AAR member railroads have elevated cybersecurity to the top of their priority lists. As freight rail systems become more automated and integrated, railroads are investing in securing information technology networks, including those in development for the Positive Train Control system, which includes design to mitigate the risk of exploitation by cyberthreats. Amtrak pointed out that they have invested and continue to invest in securing their cyber systems. Nearly 85% of Amtrak’s ticket sales take place on the internet. Amtrak police vigorously investigate a growing volume of cyber and financial crimes involving their ticketing system.
A major challenge in top-down information sharing is the security classification of the information. The federal government’s Code of Federal Regulations (CFR) establishes requirements for managing unclassified but sensitive information. The term “Sensitive Security Information” (Title 49, CFR, Part 1520) is applied to information that falls short of meeting the National Security Classification regulations but that, if disseminated, would be detrimental to transportation security. TSA’s sharing of Sensitive Security Information provides an important intermediate level for broader dissemination with regulatory safeguards and information security standards.
Freight Rail Security Regulatory Influence
Both DHS and the U.S. Department of Transportation provide federal regulatory oversight of freight rail security matters. Additionally, some states apply regulations that impact freight rail security. The TSA Rail Transportation Security Rule (Title 49, CFR, Parts 1520 and 1580), promulgated in 2006, is among the federal regulations designed to strengthen rail industry security and reduce risk associated with the transport of security-sensitive materials. The Rail Security Rule codified as regulatory requirements practices that most railroads had already implemented. For example, the rule requires secure chain of custody of security-sensitive materials, which most railroads had already performed pursuant to agreed, voluntary security actions with TSA as a prudent business practice. The rule further requires regulated railroads to designate a rail security coordinator and mandates security concern reporting to TSA. The rail security coordinator requirement does enhance consistency in public and private sector coordination with the regulated railroads.
Regulations, at both state and federal levels, have generated linear reporting mandates and prescribed standards. However, regulatory reporting standards tend to be reactive and cannot replace stakeholder driven initiatives to build strong, functional relationships. As one TSA official stated, “Our success has been built on collaboration, not regulation.”
Many on the panel pointed out that regulation alone does little to enhance rail security and may, in some instances, produce the self-inflicted damage that should be avoided. The U.S. Department of Transportation requirement for railroads to report to states detailed information on the routes used, and frequencies of operations on those routes each week, by trains transporting high volumes of crude oil and other flammable liquids has resulted in publication of those schedules. Open-source publication of the operations of hazardous shipments unnecessarily releases security and safety information outside the first responder and community emergency planning agencies – and needlessly exacerbates risk.
Regulatory oversight by government inspectors and reporting regimes strain the railroads’ personnel resources. In some situations, rail security coordinators and other railroad personnel are drawn away from performance-based rail security matters to address report legibility or formatting. Security regulatory development and implementation should be collaborative between public and private sectors, as the private sector best practices often exceed regulatory standards.
The current and future state of freight rail security continues to change. The panel addressed a number of key strengths and some challenges for securing the nation’s freight rail infrastructure. Some of the salient points from the Emerging Threats to Freight Rail Infrastructure roundtable discussion include:
- Threats are dynamic – There is significant evidence that threat trends involving the freight rail transportation infrastructure are changing. Intelligence assessments and extremists’ propaganda and threats reflect a continuing interest of terrorists in targeting rail systems. Cyberthreats are increasing as well, which has implications for business and operations networks of railroads. Generally, the threat to rail systems is low but, as one participant stated, “Low does not mean ‘no’.”
- Cyberthreats are increasing – This includes attacks on public-facing, business, and operational enterprise systems, including person and nonperson transactions, personal and support staff, and third-party vendors and service providers. The continued expansion of the internet of things and smart connected transactions are creating new and ever-increasing exploitation opportunities. This has implications for the freight rail infrastructure, especially given the evolution and integration between rail operation and business enterprise systems.
- Criminal activities overshadow terrorist threat – The federal, state, local, and railroad police agencies investigate far more cargo theft, vandalism, and disruptive criminal activity, including trespass and blockades by protesters, than terrorist plots involving the freight rail sector.
- Stakeholder partnerships are strong – The coordinated effort among federal, state, local, and private sector agencies and organizations is stronger than ever before. Through rail sector focused task forces, fusion centers, working groups, and interagency networks, collaboration for planning, information sharing, training, outreach, response, and recovery is based on common goals of enhancing security.
- Public and private partnerships are collaborative – Stakeholder organizations in the public and private sectors have designated points of contact and established functional structures to promote collaboration and coordination around rail system security. Effective practices for elevating prevention and response capacities are widely shared among the railroads and with public sector agencies.
- Information sharing is multi-lateral and relevant – Intelligence and security information sharing occurs continuously among freight and passenger railroads, federal government agencies, state and regional fusion centers, and law enforcement agencies through a variety of networks. This extensive effort develops and sustains a current and relevant understanding of threat indicators and informs reporting capacities among stakeholders in industry and government. Enhancing security through constant emphasis on effective information sharing remains a common focus with public and private sector organizations. All involved apply appropriate protections based on need-to-know and access controls.
- Freight railroad security focus and capacities are strong – The Class I railroads, as well as most others, maintain strong security capabilities. AAR provides uniform and consistent guidance and support for its railroad members. The railroad industry’s unified security plan in use by all Class I railroads and many others is an industry standard. AAR supports security awareness training through products disseminated to freight and passenger railroads via the Railway Alert Network and facilitates preparedness exercises for the railroad industry, which includes public sector agencies in the United States and Canada. The railroads actively engage with federal, state, and local investigative and intelligence agencies to ensure continued access to relevant information and analysis.
- Information security challenges remain – Some information and intelligence obtained by federal agencies is highly classified and has limited distribution in its raw form. Agencies have developed standards for redacting or recasting classified information into unclassified intelligence products while still maintaining security protocols. TSA’s Sensitive Security Information is an example of unclassified but sensitive information, which can be shared and managed in accordance with federal regulations. Representatives of state and local agencies as well as designated private sector employees, with bona fide need-to-know, may be sponsored for security clearance to receive classified briefings and intelligence products.
- There are three key risk mitigation points – (1) Understand that prevention is attainable; (2) learn as much as possible about what can be known; and (3) avoid self-inflicted wounds. Many potential threats and security risks can be avoided or substantially mitigated by acting on timely and actionable information. Develop thorough practical understanding of security threats at the right levels and align resources and capabilities accordingly. Recognize that resources are finite; partnerships based on common priorities and practical information can be effective in actionably preventing most risks. Avoid inadvertently making the terrorists’ or criminals’ planning and preparedness easier to put into action. Maintain informational and operational security over sensitive information that could be useful to terrorists and criminals.
- Railroads are prioritizing cybersecurity – As the industry moves toward greater reliance on integrated cyber systems, railroads recognize the economic returns for investing in secure system designs. Cybersecurity is a high priority throughout the railroad industry.
- Railroad regulations have limitations – Regulations levied on the freight rail industry have increased over the years. Many of the regulatory requirements codify and establish government oversight over best practices that had already been established by freight and passenger railroads. Some regulations between jurisdictions undermine strong security measures. Regulations alone do not create collaboration. Greater alignment between regulatory rule making and the railroads would go a long way to harmonizing best practices and achieving the shared goals between the public and private sector.
Western railroad system infrastructure continues to be an evolving terrorist target of interest. Terrorist organizations’ expressed desire to sow economic harm through attacks involving critical infrastructures – for example, passenger and freight rail systems – is publicized in their global outreach to affiliated and non-affiliated groups as well as lone actors seeking recognition. Although the proliferation of global, web-based outreach by certain terrorist groups to unaffiliated groups and lone actors may indicate the effectiveness of multinational counterterrorist operations, it also creates new challenges for pre-attack detection and interdiction.
In the United States, the continued strengthening of public and private partnerships in the freight rail sector creates extreme difficulties for terrorists and criminals to succeed in executing attack plots. Intergovernmental cooperation and information sharing continue to improve with actionable lessons learned and pre-attack indicators shared bilaterally between local personnel and national agencies. Similarly, the daily interaction between the rail industry and government officials, at all levels, enhances situational awareness such that terrorist pre-attack and plot indications are more likely detected and proactively thwarted. Joint federal, state, and local interdiction and prosecution of terrorist plotters are indications of the successes stemming from public and private partnerships.
Challenges remain for private sector and government agencies in the freight rail sector. As demonstrated by the security and safety initiatives implemented by railroad companies and standardized by private industry organizations like the AAR, the private sector’s economic interests drive innovation that stays ahead of government regulations. Many of the railroad companies’ security procedures exceed regulatory minimum requirements, whereas some regulations even divert private sector resource priorities in counterproductive ways. Intergovernmental regulations and policies need greater alignment in developing cohesion between federal, state, and private sector shared objectives for freight rail security and safety. With emerging cyberrisks and the growing need for information security in the global digital age, all stakeholders in the rail transportation sector need to examine ways to deny terrorist plotters and attackers access to open source information and resources. Creating greater difficulties for terrorists and criminals is a universally shared public and private sector sustainable goal.
DomPrep would like to thank all those who participated in the 10 October 2017 discussion, upon which this white paper is based. The participants who contributed to this important discussion include but are not limited to the following:
Zamawang Almemar, Chair of ZAMA and Associates LLC
Wayne “Jake” Carson, Chief, Mission Assurance Branch/TRANSCOM, DOD - SDDC/JDPAC/TRANSCOM/Mission Assurance Division
James A. Cook, Inspector, Amtrak Police Department
Thomas Farmer, Assistant Vice President Security, Association of American Railroads
James Finney, Protective Security Advisor – National Capital Region, Department of Homeland Security
Albert J. Guarnieri, Supervisory Special Agent, Federal Bureau of Investigation
Thomas J. Lockwood, Board Member, Secure Technology Alliance