Freight Rail Security: Actions Have Been Taken to Enhance Security, but the Federal Strategy Can Be Strengthened and Security Efforts Better Monitored

GAO-09-243 Published: Apr 21, 2009. Publicly Released: May 21, 2009.

Highlights

An attack on the U.S. freight rail system could be catastrophic because rail cars carrying highly toxic materials often traverse densely populated urban areas. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) is the federal entity primarily responsible for securing freight rail. GAO was asked to assess the status of efforts to secure this system. This report discusses (1) stakeholder efforts to assess risks to the freight rail system and TSA's development of a risk-based security strategy; (2) actions stakeholders have taken to secure the system since 2001, TSA's efforts to monitor and assess their effectiveness, and any challenges to implementing future actions; and (3) the extent to which stakeholders have coordinated efforts. GAO reviewed documents, including TSA's freight rail strategic plan; conducted site visits to seven U.S. cities with significant rail operations involving hazardous materials; and interviewed federal and industry officials.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Transportation Security Administration To ensure that the federal strategy to secure the freight rail system is comprehensive and considers a wider range of risk information, DHS's Assistant Secretary for the Transportation Security Administration should develop a plan for addressing identified security threats to freight rail other than Toxic Inhalation Hazard (TIH), such as destruction of or sabotage to freight rail bridges and tunnels and cyberattacks to the rail system, and incorporate this information and other related strategic updates into TSA's Freight Rail Modal Annex. As part of this effort, further evaluate methods for estimating the likelihood of various threats occurring and ensure that this information is also considered when developing future risk assessments and strategic updates.
Closed – Implemented
In response to our recommendation that the Transportation Security Administration (TSA) develop a plan for addressing security threats to freight rail other than Toxic Inhalation Hazard (TIH) chemicals, such as the destruction of or sabotage to freight rail bridges and tunnels or cyber attacks to the rail system, TSA has taken several actions. Specifically, TSA developed a Critical Infrastructure Risk Tool for measuring the criticality and vulnerability of freight railroad bridges, and coordinated development of the tool with Class 1 rail carriers. TSA formally introduced the tool to the rail industry at a Department of Homeland Security I-STEP workshop in October 2009, and since then has conducted assessments of numerous freight rail bridges throughout the United States. In addition, TSA is also taking steps to address the risk of cyber attacks to the rail system and has developed a TSA cyber risk team (the Cyber Security Awareness Outreach Team), which is working with the rail industry at quarterly I-STEP meetings and has used the Freight Rail Sector Coordinating Council (FRSCC) meetings to collaborate on cyber security, including the sharing of information, with rail carriers and other industry stakeholders. As part of this effort, we also recommended that TSA further evaluate methods for estimating the likelihood of various threats occurring and ensure that this information is also considered when developing future risk assessments and strategic updates. To address this, TSA issued the Transportation Sector Security Risk Assessment (TSSRA) on June 30, 2010, which defines and quantitatively weighs various security threats among the transportation modes, including freight rail. Specifically, the TSSRA states that Threat (T) is defined as the likelihood that an attacker will attempt a particular attack scenario, given the intent and capability of the attacker. Intent (I) is defined as the likelihood that an adversary will choose a given attack scenario once they are committed to an attack; and Capability (C) is defined as the likelihood that an adversary will have the resources and skills to undertake a given attack scenario within a defined time frame. The TSSRA uses this formula to provide the estimated likelihood of various threats occurring in the freight rail mode. This recommendation is therefore closed as implemented.
Transportation Security Administration To better ensure that relevant federal and industry partners effectively leverage their resources to achieve the strategic vision of TSA's Freight Rail Modal Annex, DHS's Assistant Secretary for the Transportation Security Administration should ensure that future updates to TSA's annex more comprehensively address factors contained in Executive Order 13416 and identified key characteristics of a successful national strategy, including (1) describing the methodology used to develop the strategy and which organizations and entities contributed to its development; (2) more clearly defining federal and industry roles and responsibilities; (3) ensuring that performance measures have defined targets and are linked to fulfilling goals and objectives; (4) more systematically addressing specific milestones for completing activities and measuring progress toward meeting identified goals; (5) more thoroughly identifying the resources and investments required to implement the strategy, including priorities for allocating future grants; and (6) more comprehensively identifying linkages with other developed strategies, such as those that guide DHS IP, whose responsibilities overlap with TSA for protecting freight rail critical infrastructure.
Closed – Implemented
In 2009, we reported that the Transportation Security Administration's (TSA) strategic priorities for securing freight contained some information that is consistent with our prior work on characteristics of a successful national strategy and that is called for in executive requirements. However, these strategic priorities lacked other information that, if incorporated, could strengthen the strategy. Specifically, we found that TSA's Freight Rail Modal Annex (Annex), which was developed in 2007 as a part of the Transportation Sector Specific Plan (TSSP), could more fully address factors contained in Executive Order 13416 and GAO-identified key characteristics of a successful national strategy. More fully addressing these key characteristics could assist TSA in further developing and strengthening the Annex. These efforts could also enhance the strategy's usefulness in resource and policy decisions to better ensure accountability by making decision making more transparent and comprehensive. To this end, we recommended that TSA's future updates to the Annex more comprehensively address factors contained in Executive Order 13416 and identified key characteristics of a successful national strategy, including (1) describing the methodology used to develop the strategy and which organizations and entities contributed to its development; (2) more clearly defining federal and industry roles and responsibilities; (3) ensuring that performance measures have defined targets and are linked to fulfilling goals and objectives; (4) more systematically addressing specific milestones for completing activities and measuring progress toward meeting identified goals; (5) more thoroughly identifying the resources and investments required to implement the strategy, including priorities for allocating future grants; and (6) more comprehensively identifying linkages with other developed strategies.
In response to our recommendation, TSA stated that the updated Annex issued in 2010 incorporates the elements of our recommendation, and in 2012, TSA provided analytical documents that described how its 2010 Annex addressed the elements we previously recommended and where the previous freight rail security strategy document was improved. For example, TSA's 2010 Annex discusses the general roles of federal and industry stakeholders and discusses changes to the Annex pertaining to roles and responsibilities of federal and industry stakeholders. The Annex also discusses specific monies DHS granted to freight rail stakeholders, with priorities for receiving grants, and included a section discussing resources and investments to implement the strategy, as well as priorities. In addition, TSA provided information defining targets for its performance measure, which TSA linked to its objectives and goals of the TSSP. Based on our analysis and TSA's documentation, we believe TSA has sufficiently incorporated the elements contained in Executive Order 13416 and identified key characteristics into its strategy. Therefore, we are closing this recommendation as implemented.
Transportation Security Administration To ensure that TSA is consistently and accurately measuring agency and industry performance in reducing the risk associated with TIH rail shipments in major cities, DHS's Assistant Secretary for the Transportation Security Administration should take steps to revise the baseline year associated with its TIH risk reduction performance measure to enable the agency to more accurately report results for this measure.
Closed – Implemented
In April 2009, we reported that the Transportation Security Administration (TSA) had limited ability to measure the impact of federal and industry efforts on achieving the agency's key performance measure for the freight rail security program because the agency was unable to obtain critical data necessary to consistently measure results. Specifically, TSA's key performance measure for its freight rail security program was to reduce the cumulative risk of the shipment of toxic inhalation hazards (TIH) by 81 percent by the end of 2013. To measure its progress, TSA collects risk data in major U.S. cities and compares it with the same data from preceding years. However, when establishing the measure, TSA was unable to obtain key data necessary to accurately measure some data for its baseline year of mid-2005 to mid-2006. As a result, in 2007, TSA developed a general estimate for this missing data using its and industry's expert judgment and inserted this data estimate into its calculation of risk. We reported that there were questions regarding the validity and appropriateness of applying a uniform estimate of risk to all locations because of the wide variances in this data that TSA found during subsequent years. Therefore, we believed the accuracy of TSA's uniform estimate and the associated percent of cumulative reduction in risk that TSA reported as being achieved was uncertain. However, since 2007, TSA has been able to collect more relevant, accurate, and timely TIH risk data and we recommended that TSA take steps to revise the baseline year associated with its TIH risk reduction measure to enable the agency to report results more accurately. In response to our recommendation, TSA included a disclaimer in its 2010 Transportation Systems Sector Security Plan Freight Rail Security Modal Annex, which described the limitations in the baseline data used to measure the risk associated with TIH rail shipments.
In addition, TSA reported that the TIH annual risk reduction goal would be 10 percent each year using the previous year's risk measurement as a baseline. Further, in 2012 TSA documented that its cumulative goal for TIH rail risk reduction would be measured with 2009 as the baseline measure. Through these changes, TSA will be able to more accurately and reliably measure progress in reducing the risk that TIH rail shipments pose throughout the United States where these shipments have the most risk. This recommendation is therefore closed as implemented.
Transportation Security Administration To ensure that TSA is able to more effectively assess the progress being made in securing freight rail, balance future activities against the various security risks to freight rail, and use its and industry's resources in the most cost-effective manner, DHS's Assistant Secretary for the Transportation Security Administration should take steps to more fully track and assess the implementation and effectiveness of security actions being taken to secure freight rail.
Closed – Implemented
To address our recommendation that the Transportation Security Administration (TSA) take steps to more fully track and assess the implementation and effectiveness of security actions being taken to secure freight rail, TSA initiated various efforts, including developing a database that captures every security control point location where toxic inhalation hazard (TIH) rail cars were standing unattended in major cities. As we reported, TSA determined that TIH rail cars' vulnerability in major cities (identified as high threat urban areas or HTUAs) could be partially mitigated by freight rail operators (1) reducing the overall time that TIH spent in the major cities, or (2) having freight rail employees attend TIH cars while the cars were stopped in identified security control points. These security actions serve both as a deterrent to unauthorized activity and as a means to detect unauthorized access to TIH cars. TSA documented the extent to which freight rail operators implement these actions by deploying TSA Surface Transportation Inspectors to conduct field observations at security control points where TIH cars are stopped or held. In fiscal year 2012, TSA reported that inspectors conducted approximately 12,900 observations of TIH cars in 20 HTUAs. TSA's database shows the extent to which these actions have reduced risk posed by TIH cars in HTUAs. In conjunction with the observations, TSA's database identifies the extent to which freight rail operators have implemented two major security actions and also measures the relative risk reduction of the implementation of these security actions. For non-TIH threats to freight rail, TSA officials now assess the security of freight rail bridges and tunnels using a similar type of methodology to its HTUA TIH reviews and are tracking railroad actions taken as a result of these assessments, including the extent to which they reduce vulnerability to the infrastructure. 
TSA's infrastructure assessment includes descriptions of security actions taken by the freight rail company, a discussion of the sufficiency of these security actions, and any recommended actions that would mitigate the risk to the bridge. According to TSA officials, as of March 2013, TSA completed vulnerability assessments of 217 freight rail bridges and 69 freight rail tunnels. Because these assessments include compilations of security actions and recommendations that can be used to identify potential improvements to security if the agency determines that the need arises, we believe that TSA's efforts address the recommendation and are therefore closing it as implemented.
Transportation Security Administration To better ensure that federal agencies are coordinating as effectively as possible, DHS's Assistant Secretary for the Transportation Security Administration should work with federal partners, such as the Department of Homeland Security Office of Infrastructure Protection (DHS IP) and the Federal Railroad Administration (FRA), to ensure that all relevant assessments and information are shared and TSA and FRA field inspector resources are fully leveraged.
Closed – Implemented
TSA has taken several steps to better ensure federal agencies are coordinating as effectively as possible, including ensuring relevant assessments and information are shared and TSA and FRA field inspector resources are leveraged. Specifically, prior to assessing a railroad bridge, TSA will now obtain any prior DHS Infrastructure Protection (IP) assessments of the same bridge in order to fully leverage relevant information and analysis before conducting its own assessment, which TSA said has helped it expedite its assessments in some cases. In addition, in 2012, TSA and DHS IP signed an Information Sharing and Access Agreement (ISAA) to define the roles and responsibilities of IP and TSA in collaboratively sharing specific transportation sector-related risk information, including threat, vulnerability, and consequence assessment reports, Site Assistance Visit (SAV) reports, Man-Portable Air Defense Systems (MANPADS), and Corporate Security Reviews (CSR), among other things. TSA officials told us they also assessed the degree to which obtaining FRA inspection data would be useful, but decided after looking at FRA's data that it is unrelated to TSA's mission because it is so heavily focused on safety as opposed to security. As a result, TSA decided not to obtain FRA data on a scheduled basis. However, TSA has extended an open invitation to the FRA to attend future Corporate Security Reviews (CSRs) and FRA extended an invitation to TSA to participate in their reviews. TSA also agreed to set up introductory meetings between FRA's Regional Safety Operation Managers (RSOMs) and TSA's Regional Security Inspectors.
In addition, TSA and select members of the Freight Rail Government Coordinating Council (FR GCC), including Federal Railroad Administration (FRA) and Department of Homeland Security Infrastructure Protection (DHS-IP), met to discuss our recommendation, and as a result, created a FR GCC Information Sharing Subgroup, which aims to ensure relevant inspections and assessments are shared between FRA and TSA inspectors. In addition, TSA said they have also given several unclassified and classified threat briefings to the American Association of Railroads (AAR) and various rail carriers, and are also working with industry to develop cyber vulnerability assessment tools. Moreover, TSA, through DHS's Intermodal Security Training and Exercise Program (I-STEP), has held tabletop exercises to test plans and procedures for communication and information sharing between federal, state, and local government stakeholders and Class 1 Railroad owner/operators, local short line railroads, passenger rail, and industry organizations in preventing a railroad transportation security incident. This recommendation is therefore closed as implemented.

Topics

Cargo security, Critical infrastructure, Critical infrastructure protection, Facility security, Freight transportation, Freight transportation facilities, Ground transportation, Hazardous substances, Homeland security, Interagency relations, Performance measures, Rail (Railroads), Rail security, Railroad industry, Railroad regulation, Risk assessment, Risk management, Security assessments, Security regulations, Security threats, Shipping industry, Strategic planning, Terrorism, Transportation safety, Transportation security, Transportation terminals, Program coordination