Passenger Rail Security: TSA Engages with Stakeholders but Could Better Identify and Share Standards and Key Practices
Recent attacks in the U.S. and Europe highlight the importance of strengthening and securing rail systems around the world.
Among other things, we looked at how the U.S. Transportation Security Administration works with U.S. and foreign transit and security officials and others to identify and share security standards and practices.
TSA may not be fully aware of key rail security practices abroad that can keep passengers safe. TSA could also engage more consistently with foreign surface transportation stakeholders.
We made 2 recommendations, including that TSA provide better guidance for those who serve as its primary overseas representatives.
[Photo caption: Paddington Station, London]
What GAO Found
The Transportation Security Administration (TSA) assesses passenger rail risks through the Transportation Sector Security Risk Assessment, the Baseline Assessment for Security Enhancement (BASE), and threat assessments. TSA uses the risk assessment to evaluate threat, vulnerability, and consequence for attack scenarios across various transportation modes. TSA surface inspectors use the baseline assessment, a voluntary security review for mass transit, passenger rail, and highway systems, to address potential vulnerabilities and share best practices, among other things.
TSA works with U.S. stakeholders to identify security standards and key practices and identifies foreign standards and practices through multilateral and bilateral exchanges. However, TSA Representatives (TSARs), the primary overseas point of contact for transportation security matters, lack specific guidance on foreign rail stakeholder engagement. As a result, TSA is less likely to be fully aware of key practices in other countries, such as station security guidance. Specific guidance would provide TSARs with clear expectations and encourage more consistent engagement with foreign rail stakeholders.
[Figure: Examples of Security Key Practices Cited by Passenger Rail Stakeholders]
Public Awareness Campaign: Emphasize security awareness
Canine Units: Detection of vapor from explosives
TSA shares standards and key practices with stakeholders, including those related to cybersecurity, through various mechanisms including BASE reviews; however, this assessment does not fully reflect current industry cybersecurity standards and key practices. For example, it does not include any questions related to two of the five functions outlined in the National Institute of Standards and Technology's Cybersecurity Framework—specifically the Detect and Recover functions. Updating the BASE questions to align more closely with this framework would better assist passenger rail operators in identifying current key practices for detecting intrusion and recovering from incidents.
Why GAO Did This Study
Recent physical and cyberattacks on rail systems in U.S. and foreign cities highlight the importance of strengthening and securing passenger rail systems around the world. TSA is the primary federal agency responsible for securing transportation in the United States.
GAO was asked to review TSA's efforts to assess passenger rail risk, as well as its role in identifying and sharing security standards and key practices. This report addresses (1) TSA's efforts to assess risk; (2) the extent to which TSA works with U.S. and foreign passenger rail stakeholders to identify security standards and key practices; and (3) the extent to which TSA shares passenger rail security standards and key practices with stakeholders.
GAO analyzed TSA risk assessments from fiscal years 2015 through 2019 and reviewed TSA program documents and guidance. GAO interviewed officials from TSA, and from seven domestic rail agencies, three foreign rail agencies, and two foreign government agencies. The results from these interviews are not generalizable but provide perspectives on topics in this review.
GAO is making two recommendations: (1) that TSA update TSAR guidance to include engaging with foreign passenger rail stakeholders; and (2) that TSA update the BASE cybersecurity questions to ensure they reflect key practices. DHS concurred with both recommendations.
Recommendations for Executive Action
Agency affected: Transportation Security Administration
Recommendation 1: The TSA Administrator should ensure that the TSAR Regional Operational Implementation Plans include guidance on how TSARs are to engage with foreign surface transportation stakeholders, including passenger rail stakeholders.
Status: We found that while the Transportation Security Administration (TSA) worked to identify foreign passenger rail security standards and key practices through multilateral and bilateral exchanges, TSA Representatives (TSARs), the primary overseas point of contact for transportation security matters, lacked guidance on foreign rail stakeholder engagement. As a result, we recommended that the TSA Administrator ensure that the TSAR Regional Operational Implementation Plans include guidance on how TSARs are to engage with foreign surface transportation stakeholders, including passenger rail stakeholders. In September 2020, TSA updated its Operational Implementation Plan, which provides the framework for the TSAR Regional Implementation Plans, to include guidance to TSARs for engaging with international stakeholders on global security initiatives, including surface transportation and passenger rail security. TSA further updated its Regional Operational Implementation Plans to include guidance on engaging with international rail stakeholders. These actions are consistent with our recommendation, and this updated guidance should improve TSA's ability to identify and share passenger rail security information with international stakeholders. Therefore, we are closing this recommendation as implemented.
Agency affected: Transportation Security Administration
Recommendation 2: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework.
Status: We found that the Transportation Security Administration's (TSA) Baseline Assessment for Security Enhancement (BASE) template did not fully reflect current industry cybersecurity standards and key practices. We recommended that TSA update cybersecurity questions in the BASE template to align more closely with the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, including the Detect and Recover functions. In response to this recommendation, TSA reported that it convened a working group to review the cybersecurity section of the Mass Transit and Passenger Rail BASE template. The group revised the section to include 82 new questions which incorporate all of the core functions of the NIST Framework, including the Detect and Recover functions. TSA's Assistant Administrator for Surface Operations approved the new questions in September 2020. In August 2021, to comply with the Paperwork Reduction Act, TSA published a notice of the proposed changes to the BASE in the Federal Register. The Office of Management and Budget (OMB) approved the BASE changes in March 2022. TSA plans to offer mandatory cybersecurity training to Surface Inspectors between May and December 2022. The revised BASE will be a part of work plan requirements and released at the beginning of the fiscal year. As of May 2022, TSA estimates the BASE changes will be implemented by January 2023. This recommendation will remain open until the cybersecurity questions are in operation.