Rail Security

Some Actions Taken to Enhance Passenger and Freight Rail Security, but Significant Challenges Remain Gao ID: GAO-04-598T March 23, 2004

Passenger and freight rail services are important links in the nation's transportation system. Terrorist attacks on passenger and/or freight rail services have the potential to cause widespread injury, loss of life, and economic disruption. The recent terrorist attack in Spain illustrates that rail systems, like all modes of transportation, are targets for attacks. GAO was asked to summarize the results of its recent reports on transportation security that examined (1) challenges in securing passenger and freight rail systems, (2) actions rail stakeholders have taken to enhance passenger and freight rail systems, and (3) future actions that could further enhance rail security.

Securing the passenger and freight rail systems are fraught with challenges. Some of these challenges are common to passenger and freight rail systems, such as the funding of security improvements, the interconnectivity of the rail system, and the number of stakeholders involved in rail security. Other challenges are unique to the type of rail system. For example, the open access and high ridership of mass transit systems make them both vulnerable to attack and difficult to secure. Similarly, freight railroads transport millions of tons of hazardous materials each year across the United States, raising concerns about the vulnerability of these shipments to terrorist attack. Passenger and freight rail stakeholders have taken a number of steps to improve the security of the nation's rail system since September 11, 2001. Although security received attention before September 11, the terrorist attacks elevated the importance and urgency of transportation security for passenger and rail providers. Consequently, passenger and freight rail providers have implemented new security measures or increased the frequency or intensity of existing activities, including performing risk assessments, conducting emergency drills, and developing security plans. The federal government has also acted to enhance rail security. For example, the Federal Transit Administration has provided grants for emergency drills and conducted security assessments at the largest transit agencies, among other things. Implementation of risk management principles and improved coordination could help enhance rail security. Using risk management principles can help guide federal programs and responses to better prepare against terrorism and other threats and to better direct finite national resources to areas of highest priority. In addition, improved coordination among federal entities could help enhance security efforts across all modes, including passenger and freight rail systems. We reported in June 2003 that the roles and responsibilities of the Transportation Security Administration (TSA) and the Department of Transportation (DOT) in transportation security, including rail security, have yet to be clearly delineated, which creates the potential for duplicating or conflicting efforts as both entities work to enhance security.

GAO-04-598T, Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail Security, but Significant Challenges Remain This is the accessible text file for GAO report number GAO-04-598T entitled 'Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail Security, but Significant Challenges Remain' which was released on March 23, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Committee on Commerce, Science, and Transportation, U.S. Senate: United States General Accounting Office: GAO: For Release on Delivery Expected at 10:00 a.m. EST: Tuesday, March 23, 2004: Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail Security, but Significant Challenges Remain: Statement of Peter F. Guerrero, Director, Physical Infrastructure Issues; and Norman J. Rabkin, Managing Director, Homeland Security and Justice Issues: GAO-04-598T: GAO Highlights: Highlights of GAO-04-598T, a report to Committee on Commerce, Science, and Transportation, U.S. Senate Why GAO Did This Study: Passenger and freight rail services are important links in the nation‘s transportation system. Terrorist attacks on passenger and/or freight rail services have the potential to cause widespread injury, loss of life, and economic disruption. The recent terrorist attack in Spain illustrates that rail systems, like all modes of transportation, are targets for attacks. GAO was asked to summarize the results of its recent reports on transportation security that examined (1) challenges in securing passenger and freight rail systems, (2) actions rail stakeholders have taken to enhance passenger and freight rail systems, and (3) future actions that could further enhance rail security. What GAO Found: Securing the passenger and freight rail systems are fraught with challenges. Some of these challenges are common to passenger and freight rail systems, such as the funding of security improvements, the interconnectivity of the rail system, and the number of stakeholders involved in rail security. Other challenges are unique to the type of rail system. For example, the open access and high ridership of mass transit systems make them both vulnerable to attack and difficult to secure. Similarly, freight railroads transport millions of tons of hazardous materials each year across the United States, raising concerns about the vulnerability of these shipments to terrorist attack. Passenger and freight rail stakeholders have taken a number of steps to improve the security of the nation‘s rail system since September 11, 2001. Although security received attention before September 11, the terrorist attacks elevated the importance and urgency of transportation security for passenger and rail providers. Consequently, passenger and freight rail providers have implemented new security measures or increased the frequency or intensity of existing activities, including performing risk assessments, conducting emergency drills, and developing security plans. The federal government has also acted to enhance rail security. For example, the Federal Transit Administration has provided grants for emergency drills and conducted security assessments at the largest transit agencies, among other things. Implementation of risk management principles and improved coordination could help enhance rail security. Using risk management principles can help guide federal programs and responses to better prepare against terrorism and other threats and to better direct finite national resources to areas of highest priority. In addition, improved coordination among federal entities could help enhance security efforts across all modes, including passenger and freight rail systems. We reported in June 2003 that the roles and responsibilities of the Transportation Security Administration (TSA) and the Department of Transportation (DOT) in transportation security, including rail security, have yet to be clearly delineated, which creates the potential for duplicating or conflicting efforts as both entities work to enhance security. What GAO Recommends: In our previous report on transportation security (GAO-03-843), we recommended that the Department of Homeland Security and Transportation use a mechanism, such as a memorandum of agreement, to clarify and delineate TSA‘s and DOT‘s roles and responsibilities in transportation security matters. DHS and DOT generally agreed with the report‘s findings; however, they disagreed with the recommendation. We continue to believe our recommendation has merit and would help address security challenges. www.gao.gov/cgi-bin/getrpt?GAO-04-598T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Peter Guerrero at (202) 512-2834 or guerrerop@gao.gov. [End of section] Mr. Chairman and Members of the Committee: We appreciate the opportunity to provide testimony on the security of our nation's rail systems. Although most of the early attention following the September 11 attacks focused on aviation security, emphasis on the other modes of transportation has since grown as concerns are voiced about possible vulnerabilities, such as introducing weapons of mass destruction into this country through ports or launching chemical attacks on mass transit systems. Moreover, terrorist attacks around the world, such as the recent terrorist attack in Spain, have shown that rail systems, like all modes of transportation, are potential targets of attack. As you requested, our testimony today focuses on (1) challenges in securing rail systems, (2) steps rail stakeholders have taken to enhance security since September 11, and (3) future actions that could further enhance rail security. Our comments are based on our reports and testimonies on the security of the entire transportation system, the security of mass transit systems, and railroad safety and security[Footnote 1] as well as a body of our work undertaken since September 11 on homeland security and combating terrorism. Summary: * Securing passenger and freight rail systems is fraught with challenges. Some security challenges are common to passenger and freight rail systems, such as the funding of security improvements, the interconnectivity of the rail system, and the number of stakeholders involved in rail security. For instance, government agencies at the federal, state, and local levels and private companies share responsibility for rail security. The number of stakeholders involved in transportation security can lead to communication challenges, duplication, and confusion. Other security challenges are unique to the type of rail system. For example, the transport of hazardous materials by rail is of particular concern because serious incidents involving these materials have the potential to cause widespread disruption or injury. We recommended in April 2003 that DOT and DHS develop a plan that specifically addresses the security of the nation's freight rail infrastructure.[Footnote 2] DHS has informed us that this plan is in progress. * Passenger and freight rail providers have acted to enhance security since September 11. For example, passenger and freight rail providers have implemented new security measures or increased the frequency or intensity of existing activities, such as performing risk assessments, conducting emergency drills, and developing security plans. The federal government has also taken steps to try to enhance rail security. In the wake of September 11, Congress created the Transportation Security Administration (TSA) and gave it responsibility for the security of all modes of transportation. As TSA worked to establish itself and improve the security of the aviation system during its first year of existence, the Department of Transportation's (DOT) modal administrations acted to enhance passenger and freight rail security. For example, the Federal Transit Administration provided grants for emergency drills to mass transit agencies and the Federal Railroad Administration assisted commuter railroads with the development of security plans. With the immediate crisis of meeting many aviation security deadlines behind it, TSA has been able to focus more on the security of all modes of transportation, including rail security. We reported in June 2003 that TSA was moving forward with efforts to secure the entire transportation system, such as developing standardized criticality, threat, and vulnerability assessment tools, and establishing security standards for all modes of transportation. * Although actions have been taken to enhance passenger and freight security since September 11, the recent terrorist attack on a rail system in Spain naturally focuses our attention on what more could be done to secure the nation's rail systems. In our previous work on transportation security, we identified future actions that the federal government could take to enhance security of individual transportation modes as well as the entire transportation system. Two recurring themes cut across our previous work in transportation security--the need for the federal government to utilize a risk management approach and improve coordination of security efforts. Using risk management principles can help guide federal programs and responses to better prepare against terrorism and other threats and to better direct finite national resources to areas of highest priority. A risk management approach can help inform funding decisions for security improvements within the rail system and across modes. We reported in June 2003 that TSA planned to adopt a risk management approach for its efforts to enhance the security of the nation's transportation system. In addition, improved coordination among rail stakeholders could help enhance security efforts across all modes, including passenger and freight rail systems. We reported in June 2003 that the roles and responsibilities of TSA and DOT in transportation security, including rail security, have yet to be clearly delineated, which creates the potential for duplicating or conflicting efforts as both entities work to enhance security. To clarify the roles and responsibilities of TSA and DOT in transportation security matters, we recommended that the Secretary of Transportation and the Secretary of Homeland Security use a mechanism, such as a memorandum of agreement, to clearly delineate their roles and responsibilities. To date, this recommendation has not been implemented. Background: Passenger and freight rail services help move people and goods through the transportation system, which helps the economic well-being of the United States. Passenger rail services can take many forms. Some mass transit agencies, which can be public or private entities, provide rail services, such as commuter rail and heavy rail (e.g., subway) in cities across the United States.[Footnote 3] Through these rail services, mass transit agencies serve a large part of the commuting population. For example, in the third quarter of 2003, commuter rail systems provided an average of 1.2 million passenger trips each weekday. The National Railroad Passenger Corporation (Amtrak) provides intercity passenger rail services in the United States. Amtrak operates a 22,000-mile network, primarily over freight railroad tracks, providing service to 46 states and the District of Columbia. In fiscal year 2002, Amtrak served 23.4 million passengers, or about 64,000 passengers per day. The nation's freight rail network carries 42 percent of domestic intercity freight (measured by ton miles) in 2001--everything from lumber to vegetables, coal to orange juice, grain to automobiles, and chemicals to scrap iron. Prior to September 11, 2001, DOT--namely, the Federal Railroad Administration (FRA), Federal Transit Administration (FTA), and Research and Special Programs Administration (RSPA)--was the primary federal entity involved in passenger and freight rail security matters. However, in response to the attacks on September 11, Congress passed the Aviation and Transportation Security Act (ATSA), which created TSA within DOT and defined its primary responsibility as ensuring security in all modes of transportation.[Footnote 4] The act also gives TSA regulatory authority over all transportation modes. With the passage of the Homeland Security Act, TSA, along with over 20 other agencies, was transferred to the new Department of Homeland Security (DHS).[Footnote 5] Throughout the world, rail systems have been the target of terrorist attacks. For example, the first large-scale terrorist use of a chemical weapon occurred in 1995 on the Tokyo subway system. In this attack, a terrorist group released sarin gas on a subway train, killing 11 people and injuring about 5,500. In addition, according to the Mineta Institute,[Footnote 6] surface transportation systems were the target of more than 195 terrorist attacks from 1997 through 2000. (See fig. 1.): Figure 1: Targets of Attacks on Public Surface Transportation Systems Worldwide, 1997 to 2000: [See PDF for image] [End of figure] Numerous Challenges Exist in Securing Rail Systems: Passenger and freight rail providers face significant challenges in improving security. Some security challenges are common to passenger and freight rail systems; others are unique to the type of rail system. Common challenges include the funding of security improvements, the interconnectivity of the rail system, and the number of stakeholders involved in rail security. The unique challenges include the openness of mass transit systems and the transport of hazardous materials by freight railroads. Common Security Challenges Confront Passenger and Freight Rail Systems: A challenge that is common to both passenger and freight rail systems is the funding of security enhancements. Although some security improvements are inexpensive, such as removing trash cans from subway platforms, most require substantial funding. For example, as we reported in December 2002, one transit agency estimated that an intrusion alarm and closed circuit television system for only one of its portals would cost approximately $250,000--an amount equal to at least a quarter of the capital budgets of a majority of the transit agencies we surveyed.[Footnote 7] The current economic environment makes this a difficult time for private industry or state and local governments to make additional security investments. As we noted in June 2003, the sluggish economy has further weakened the transportation industry's financial condition by decreasing ridership and revenues. Given the tight budget environment, state and local governments and transportation operators, such as transit agencies, must make difficult trade-offs between security investments and other needs, such as service expansion and equipment upgrades. Further exacerbating the problem of funding security improvements are the additional costs the passenger and freight rail providers incur when the federal government elevates the national threat condition. For example, Amtrak estimates that it spends an additional $500,000 per month for police overtime when the national threat condition is increased. Another common challenge for both passenger and freight rail systems is the interconnectivity within the rail system and between the transportation sector and nearly every other sector of the economy. The passenger and freight rail systems are part of an intermodal transportation system--that is, passengers and freight can use multiple modes of transportation to reach a destination. For example, from its point of origin to its destination, a piece of freight, such as a shipping container, can move from ship to train to truck. The interconnective nature of the transportation system creates several security challenges. First, the effects of events directed at one mode of transportation can ripple throughout the entire system. For example, when the port workers in California, Oregon, and Washington went on strike in 2002, the railroads saw their intermodal traffic decline by almost 30 percent during the first week of the strike, compared with the year before. Second, the interconnecting modes can contaminate each other--that is, if a particular mode experiences a security breach, the breach could affect other modes. An example of this would be if a shipping container that held a weapon of mass destruction arrived at a U.S. port where it was placed on a train. In this case, although the original security breach occurred in the port, the rail or trucking industry would be affected as well. Thus, even if operators within one mode established high levels of security, they could be affected by the security efforts, or lack thereof, in the other modes. Third, intermodal facilities where passenger and freight rail systems connect and interact with other transportation modes--such as ports--are potential targets for attack because of the presence of passengers, freight, employees, and equipment at these facilities. An additional common challenge for both passenger and rail systems is the number of stakeholders involved. Government agencies at the federal, state, and local levels and private companies share responsibility for rail security. For example, there were over 550 freight railroads operating in the United States in 2002. In addition, many passenger rail services, such as Amtrak and commuter rail, operate over tracks owned by freight railroads. For instance, over 95 percent of Amtrak's 22,000-mile network operates on freight railroad tracks.[Footnote 8] The number of stakeholders involved in transportation security can lead to communication challenges, duplication, and conflicting guidance. As we have noted in past reports, coordination and consensus-building are critical to successful implementation of security efforts.[Footnote 9] Transportation stakeholders can have inconsistent goals or interests, which can make consensus-building challenging. For example, from a safety perspective, trains that carry hazardous materials should be required to have placards that identify the contents of a train so that emergency personnel know how best to respond to an incident. However, from a security perspective, identifying placards on vehicles that carry hazardous materials make them a potential target for attack. Passenger and Freight Rail Systems Also Face Unique Challenges: In addition to the common security challenges that face both passenger and rail systems, there are some challenges that are unique to the type of rail system. In our past reports, we have discussed several of these unique challenges, including the openness of mass transit systems and the size of the freight rail network and the diversity of freight hauled. According to mass transit officials and transit security experts, certain characteristics of mass transit systems make them inherently vulnerable to terrorist attacks and difficult to secure. By design, mass transit systems are open (i.e., have multiple access points and, in some cases, no barriers) so that they can move large numbers of people quickly. In contrast, the aviation system is housed in closed and controlled locations with few entry points. The openness of mass transit systems can leave them vulnerable because transit officials cannot monitor or control who enters or leaves the systems. In addition, other characteristics of some transit systems--high ridership, expensive infrastructure, economic importance, and location (e.g., large metropolitan areas or tourist destinations)--also make them attractive targets because of the potential for mass casualties and economic damage. Moreover, some of these same characteristics make mass transit systems difficult to secure. For example, the number of riders that pass through a mass transit system--especially during peak hours--make some security measures, such as metal detectors, impractical. In addition, the multiple access points along extended routes make the costs of securing each location prohibitive. Further complicating transit security is the need for transit agencies to balance security concerns with accessibility, convenience, and affordability. Because transit riders often could choose another means of transportation, such as a personal automobile, transit agencies must compete for riders. To remain competitive, transit agencies must offer convenient, inexpensive, and quality service. Therefore, security measures that limit accessibility, cause delays, increase fares, or otherwise cause inconvenience could push people away from mass transit and back into their cars. The size and diversity of the freight rail system make it difficult to adequately secure. The freight rail system's extensive infrastructure crisscrosses the nation and extends beyond our borders to move millions of tons of freight each day (see fig. 2.). There are over 100,000 miles of rail in the United States. The extensiveness of the infrastructure creates an infinite number of targets for terrorists. Figure 2: Map of Class I Rail Lines: [See PDF for image] Note: Class I railroads are the largest railroads, as defined by operating revenue. Class I railroads represent the majority of rail freight activity. [End of figure] Protecting freight rail assets from attack is made more difficult because of the tremendous variety of freight hauled by railroads. For example, railroads carry freight as diverse as dry bulk (grain) and hazardous materials.[Footnote 10] The transport of hazardous materials is of particular concern because serious incidents involving these materials have the potential to cause widespread disruption or injury. In 2001, over 83 million tons of hazardous materials were shipped by rail in the United States across the rail network, which extends through every major city as well as thousands of small communities. (Figure 3 is a photograph of a rail tanker car containing one of the many types of hazardous materials commonly transported by rail.) For our April 2003 report on rail security, we visited a number of local communities and interviewed federal and private sector hazardous materials transportation experts.[Footnote 11] A number of issues emerged from our work: * the need for measures to better safeguard hazardous materials temporarily stored in rail cars while awaiting delivery to their ultimate destination--a practice commonly called "storage-in- transit," * the advisability of requiring companies to notify local communities of the type and quantities of materials stored in transit, and: * the appropriate amount of information rail companies should be required to provide local officials regarding hazardous material shipments that pass through their communities. Figure 3: Hazardous Material Rail Tank Car: [See PDF for image] Source: Department of Homeland Security. [End of figure] We recommended in April 2003 that DOT and DHS develop a plan that specifically addresses the security of the nation's freight rail infrastructure.[Footnote 12] This plan should build upon the rail industries' experience with rail infrastructure and the transportation of hazardous materials and establish time frames for implementing specific security actions necessary to protect hazardous material rail shipments. DHS has informed us that this plan is in progress. Rail Stakeholders Have Taken Steps to Improve Security: Since September 11, passenger and freight rail providers have been working to strengthen security. Although security was a priority before September 11, the terrorist attacks elevated the importance and urgency of transportation security for passenger and rail providers. According to representatives from the Association of American Railroads, Amtrak, and transit agencies, passenger and freight rail providers have implemented new security measures or increased the frequency or intensity of existing activities, including: * Conducted vulnerability or risk assessments: Many passenger and freight rail providers conducted assessments of their systems to identify potential vulnerabilities, critical infrastructure or assets, and corrective actions or needed security improvements. For example, the railroad industry conducted a risk assessment that identified over 1,300 critical assets and served as a foundation for the industry's security plan. * Increased emergency drills: Many passenger rail providers have increased the frequency of emergency drills. For example, as of June 2003, Amtrak had conducted two full-scale emergency drills in New York City. The purpose of emergency drilling is to test emergency plans, identify problems, and develop corrective actions. Figure 4 is a photograph from an annual emergency drill conducted by the Washington Metropolitan Area Transit Authority. Figure 4: Emergency Drill in Progress: [See PDF for image] [End of figure] * Developed or revised security plans: Passenger and freight rail providers developed security plans or reviewed existing plans to determine what changes, if any, needed to be made. For example, the Association of American Railroads worked jointly with several chemical industry associations and consultants from a security firm to develop the rail industry's security management plan. The plan establishes four alert levels and describes a graduated series of actions to prevent terrorist threats to railroad personnel and facilities that correspond to each alert level. * Provided additional training: Many transit agencies have either participated in or conducted additional training on security or antiterrorism. For example, many transit agencies attended seminars conducted by FTA or by the American Public Transportation Association. The federal government has also acted to enhance rail security. Prior to September 11, DOT modal administrations had primary responsibility for the security of the transportation system. In the wake of September 11, Congress created TSA and gave it responsibility for the security of all modes of transportation. In its first year of existence, TSA worked to establish its infrastructure and focused primarily on meeting the aviation security deadlines contained in ATSA. As TSA worked to establish itself and improve the security of the aviation system, DOT modal administrations, namely FRA, FTA, and RSPA, acted to enhance passenger and freight rail security (see tab. 1.). For example, FTA launched a multipart initiative for mass transit agencies that provided grants for emergency drills, offered free security training, conducted security assessments at 36 transit agencies, provided technical assistance, and invested in research and development. With the immediate crisis of meeting many aviation security deadlines behind it, TSA has been able to focus more on the security of all modes of transportation, including rail security. We reported in June 2003 that TSA was moving forward with efforts to secure the entire transportation system, such as developing standardized criticality, threat, and vulnerability assessment tools; and establishing security standards for all modes of transportation.[Footnote 13] Table 1: Key Actions Taken by DOT Modal Administrations to Help Secure the Rail System, September 2001 to May 2003: DOT modal administration: Federal Railroad Administration; Security efforts: * Shared threat information with railroads and rail labor; * Reviewed Association of American Railroads' and Amtrak's security plans; * Assisted commuter railroads with their security plans; * Provided funding for security assessments of three commuter railroads, which were included in FTA's assessment efforts; * Reached out to international community for lessons learned in rail security. DOT modal administration: Federal Transit Administration; Security efforts: * Awarded $3.4 million in grants to over 80 transit agencies for emergency response drills; * Offered free security training to transit agencies; * Conducted security assessments at the largest 36 transit agencies; * Provided technical assistance to 19 transit agencies on security and emergency plans and emergency response drills; * Increased funding for security research and development efforts. DOT modal administration: Research and Special Programs Administration; Security efforts: * Established regulations for shippers and transporters of certain hazardous materials to develop and implement security plans and to require security awareness training for hazmat employees; * Developed hazardous materials transportation security awareness training for law enforcement, the industry, and the hazmat community; * Published a security advisory, which identifies measures that could enhance the security of the transport of hazardous materials; * Investigated the security risks associated with placarding hazardous materials, including whether removing placards from certain shipments improves shipment security, and whether alternative methods for communicating safety hazards could be deployed. Source: GAO presentation of information provided by DOT modal administrations. [End of table] Risk Management and Coordination Key to Enhancing Security: Although steps have been taken to enhance passenger and freight security since September 11, the recent terrorist attack on a rail system in Spain naturally focuses our attention on what more could be done to secure the nation's rail systems. In our previous work on transportation security, we identified future actions that the federal government could take to enhance security of individual transportation modes as well as the entire transportation system. For example, in our December 2002 report on mass transit security, we recommended that the Secretary of Transportation seek a legislative change to give mass transit agencies more flexibility in using federal funds for security- related operating expenses, among other things.[Footnote 14] Two recurring themes cut across our previous work in transportation security--the need for the federal government to utilize a risk management approach and the need for the federal government to improve coordination of security efforts. Using risk management principles to guide decision-making is a good strategy, given the difficult trade-offs the federal government will likely have to make as it moves forward with its transportation security efforts. We have advocated using a risk management approach to guide federal programs and responses to better prepare against terrorism and other threats and to better direct finite national resources to areas of highest priority.[Footnote 15] As figure 5 illustrates, the highest priorities emerge where threats, vulnerabilities, and criticality overlap. For example, rail infrastructure that is determined to be a critical asset, vulnerable to attack, and a likely target would be at most risk and therefore would be a higher priority for funding compared with infrastructure that was only vulnerable to attack. The federal government is likely to be viewed as a source of funding for at least some rail security enhancements. These enhancements will join the growing list of security initiatives competing for federal assistance. A risk management approach can help inform funding decisions for security improvements within the rail system and across modes. Figure 5: Representation of Risk: [See PDF for image] [End of figure] A risk management approach entails a continuous process of managing, through a series of mitigating actions, the likelihood of an adverse event happening with a negative impact. Risk management encompasses "inherent" risk (i.e., risk that would exist absent any mitigating action), as well as "residual" risk (i.e., the risk that remains even after mitigating actions have been taken). Figure 6 depicts the risk management framework. Risk management principles acknowledge that while risk cannot be eliminated, enhancing protection from known or potential threats can help reduce it. (Appendix I provides a description of the key elements of the risk management approach.) We reported in June 2003 that TSA planned to adopt a risk management approach for its efforts to enhance the security of the nation's transportation system. According to TSA officials, risk management principles will drive all decisions- -from standard-setting, to funding priorities, to staffing. Figure 6: Risk Management Framework: [See PDF for image] Source: GAO analysis. [End of figure] Coordination is also a key action in meeting transportation security challenges. As we have noted in previous reports, coordination among all levels of the government and the private industry is critical to the success of security efforts. The lack of coordination can lead to such problems as duplication and/or conflicting efforts, gaps in preparedness, and confusion. Moreover, the lack of coordination can strain intergovernmental relationships, drain resources, and raise the potential for problems in responding to terrorism. The administration's National Strategy for Homeland Security and the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets also emphasize the importance of and need for coordination in security efforts. In particular, the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets notes that protecting critical infrastructure, such as the transportation system, "requires a unifying organization, a clear purpose, a common understanding of roles and responsibilities, accountability, and a set of well-understood coordinating processes.": We reported in June 2003 that the roles and responsibilities of TSA and DOT in transportation security, including rail security, have yet to be clearly delineated, which creates the potential for duplicating or conflicting efforts as both entities work to enhance security. Legislation has not defined TSA's role and responsibilities in securing all modes of transportation. ATSA does not specify TSA's role and responsibilities in securing the maritime and land transportation modes in detail as it does for aviation security. Instead, the act simply states that TSA is responsible for ensuring security in all modes of transportation. The act also did not eliminate DOT modal administrations' existing statutory responsibilities for securing the different transportation modes. Moreover, recent legislation indicates that DOT still has security responsibilities. In particular, the Homeland Security Act of 2002 states that the Secretary of Transportation is responsible for the security as well as the safety of rail and the transport of hazardous materials by all modes. To clarify the roles and responsibilities of TSA and DOT in transportation security matters, we recommended that the Secretary of Transportation and Secretary of Homeland Security use a mechanism, such as a memorandum of agreement to clearly delineate their roles and responsibilities. The Department of Homeland Security (DHS) and DOT disagreed with our recommendation, noting that DHS had the lead for the Administration in transportation security matters and that DHS and DOT were committed to broad and routine consultations. We continue to believe our recommendation is valid. A mechanism, such as a memorandum of agreement, would serve to clarify, delineate, and document the roles and responsibilities of each entity. This is especially important considering DOT responsibilities for transportation safety overlap with DHS' role in securing the transportation system. Moreover, recent pieces of legislation give DOT transportation security responsibilities for some activities, including the rail security. Consequently, the lack of clearly delineated roles and responsibilities could lead to duplication, confusion, and gaps in preparedness. A mechanism would also serve to hold each entity accountable for its transportation security responsibilities. Finally, it could serve as a vehicle to communicate the roles and responsibilities of each entity to transportation security stakeholders. Observations: Securing the nation's passenger and freight rail systems is a tremendous task. Many challenges must be overcome. Passenger and freight rail stakeholders have acted to enhance security, but more work is needed. As passenger and freight rail stakeholders, including the federal government, work to enhance security, it is important that efforts be coordinated. The lack of coordination could lead to duplication and confusion. More importantly, it could hamper the rail sector's ability to prepare for and respond to attacks. In addition, to ensure that finite resources are directed to the areas of highest priority, risk management principles should guide decision-making. Given budget pressures at all levels of government and the sluggish economy, difficult trade-offs will undoubtedly need to be made among competing claims for assistance. A risk management approach can help inform these difficult decisions. This concludes our prepared statement. We would be pleased to respond to any questions you or other Members of the Committee may have. Contacts and Acknowledgments: For information about this testimony, please contact Peter Guerrero, Director, Physical Infrastructure Issues, on (202) 512-2834; or Norman Rabkin, Managing Director, Homeland Security and Justice Issues, on (202) 512-8777. Individuals making key contributions to this testimony included Nikki Clowers, Susan Fleming, Maria Santos, and Robert White. [End of section] Appendix I: Key Elements of a Risk Management Approach: Threat Assessment. Threat is defined as potential intent to cause harm or damage to an asset (e.g., natural environment, people, man-made infrastructures, and activities and operations). A threat assessment identifies adverse events that can affect an entity and may be present at the global, national, or local level. Criticality assessment. Criticality is defined as an asset's relative worth. A criticality assessment identifies and evaluates an entity's assets based on a variety of factors, including importance of a function and the significance of a system in terms of national security, economic activity, or public safety. Criticality assessments help to provide a basis for prioritizing protection relative to limited resources. Vulnerability assessment. Vulnerability is defined as the inherent state or condition of an asset that can be exploited to cause harm. A vulnerability assessment identifies the extent that these inherent states may be exploited, relative to countermeasures that have been or could be deployed. Risk Assessment. Risk assessment is a qualitative and/or quantitative determination of the likelihood of an adverse event occurring and the severity, or impact, of its consequences. It may include scenarios under which two or more risks interact, creating greater or lesser impacts, as well as the ranking of risky events. Risk characterization. Risk characterization involves designating risk on a categorical scale (e.g., low, medium, and high). Risk characterization provides input for deciding which areas are most suited to mitigate risk. Mitigation Evaluation. Mitigation evaluation is the identification of mitigation alternatives to assess the effectiveness of the alternatives. The alternatives should be evaluated for their likely effect on risk and their cost. Mitigation Selection. Mitigation selection involves a management decision on which mitigation alternatives should be implemented among alternatives, taking into account risk, costs, and the effectiveness of mitigation alternatives. Selection among mitigation alternatives should be based upon pre-considered criteria. There are as of yet no clearly preferred selection criteria, although potential factors might include risk reduction, net benefits, equality of treatment, or other stated values. Mitigation selection does not necessarily involve prioritizing all resources to the highest risk area, but in attempting to balance overall risk and available resources. Risk mitigation. Risk mitigation is the implementation of mitigating actions, depending upon an organization's chosen action posture (i.e. the decision on what to do about overall risk). Specifically, risk mitigation may involve risk acceptance (taking no action), risk avoidance (taking actions to avoid activities that involve risk), risk reduction (taking actions to reduce the likelihood and/or impact of risk), and risk sharing (taking actions to reduce risk by sharing risk with other entities). As shown in figure 6, risk mitigation is best framed within an integrated systems approach that encompasses action in all organizational areas; including personnel, processes, technology, infrastructure, and governance. An integrated systems approach helps to ensure that taking action in one or more areas would not create unintended consequences in another area. Monitoring and evaluation. Monitoring and evaluation is a continuous repetitive assessment process to keep risk management current and relevant. It should involve reassessing risk characterizations after mitigating efforts have been implemented. It also includes peer review, testing, and validation. FOOTNOTES [1] U.S. General Accounting Office, Transportation Security: Federal Action Needed to Help Address Security Challenges, GAO-03-843 (Washington, D.C.: June 30, 2003); Rail Safety and Security: Some Actions Already Taken to Enhance Rail Security, but Risk-based Plan Needed, GAO-03-435 (Washington, D.C.: April 30, 2003); and Mass Transit: Federal Action Could Help Transit Agencies Address Security Challenges, GAO-03-263 (Washington, D.C.: December 13, 2002). [2] GAO-03-435. [3] Commuter rail is characterized by passenger trains operating on railroad tracks and providing regional service (e.g., between a central city and adjacent suburbs). Heavy rail is an electric railway that can carry a heavy volume of traffic. Heavy rail is characterized by high speed and rapid acceleration, passenger rail cars operating singly or in multicar trains on fixed rails, separate rights-of-way from which all other vehicular and foot traffic is excluded, sophisticated signaling, and high-platform loading. Most subway systems are considered heavy rail. [4] P.L. No. 107-71, 115 Stat. 597 (2001). [5] P.L. No. 107-296, 116 Stat. 2135 (2002). [6] The Mineta Transportation Institute was established by Congress as part of the Intermodal Surface Transportation Efficiency Act of 1991 (ISTEA). The Mineta Institute focuses on international surface transportation policy issues as related to three primary responsibilities: research, education, and technology transfer. [7] GAO-03-263. [8] Freight railroads and commuter rail agencies also operate between Boston Massachusetts, and Washington, D.C., on the Northeast Corridor, which is primarily owned by Amtrak. [9] U.S. General Accounting Office, Mass Transit: Challenges in Securing Transit Systems, GAO-02-1075T (Washington, D.C.: Sept. 18, 2002); U.S. General Accounting Office, Homeland Security: Effective Intergovernmental Coordination Is Key to Success, GAO-02-1011T (Washington, D.C.: Aug. 20, 2002); and, U.S. General Accounting Office, National Preparedness: Integration of Federal, State, Local, and Private Sector Efforts Is Critical to an Effective National Strategy for Homeland Security, GAO-02-621T (Washington, D.C.: Apr. 11, 2002). [10] Federal hazardous material transportation law defines a hazardous material as a substance or material that the Secretary of Transportation has determined is capable of posing an unreasonable risk to health, safety, and property when transported in commerce (49 U.S.C. � 5103). It includes hazardous substances such as ammonia, hazardous wastes from chemical manufacturing processes, and elevated temperature materials such as molten aluminum. [11] GAO-03-435. [12] GAO-03-435. [13] GAO-03-843. [14] GAO-03-263. DOT agreed to carefully consider our recommendations as it moved forward with its efforts to improve transit security. [15] U.S. General Accounting Office, Homeland Security: A Risk Management Approach Can Guide Preparedness Efforts, GAO-02-208T (Washington, D.C.: October 31, 2001); and Combating Terrorism: Threat and Risk Assessments Can Help Prioritize and Target Program Investments, GAO/NSIAD-98-74 (Washington, D.C.: April 9, 1998).