Federal rail security efforts, which have focused since 9-11 on hazardous cargo, must also emphasize protecting the sector’s physical and cyber assets, like bridges and control systems, according to the results [1] of a two-year audit by the Government Accountability Office (GAO).

The federal rail sector-specific agency, the Transportation Security Administration (TSA) also has yet to record mitigation measures across the sector and apply metrics to quantify risk management, GAO found.

GAO catalogued a series of separate efforts to measure risk as a factor of threat, vulnerability and consequence, noting some omissions and contradictions. TSA’s Office of Intelligence, for example, has conducted threat assessments, while its Transportation Sector Network Management office, and the Department of Transportation’s Pipeline and Hazardous Materials Administration (PHMSA) have conducted separate assessments of vulnerability and consequence.

On its own, the rail industry has assessed vulnerabilities and consequences, while TSA’s parent agency, the Department of Homeland Security (DHS), has done its own vulnerability assessment, GAO found.

Investigators noted, however, that the TSA has acted based on risk while separately stating that there is no documented threat to the freight rail sector.

Since 9-11, the TSA has centered its efforts on the security of toxic-inhalation hazard (TIH) chemicals, guided by the White House’s Homeland Security Council, based on the inherent vulnerability of sprawling rail sector, and the dangers posed by intentional release of common industrial chemicals like chlorine or anhydrous ammonia.

As common carriers, railroads are required to transport the chemicals on reasonable request, but they would rather not. TIH cargos constitute only 1 percent of freight rail payloads but account for half of railroads’ insurance premiums, GAO found.

Sector security officials interviewed by GAO “agreed that TIH security was a sound initial focus for TSA’s freight rail security strategy, because TIH was a key security concern and remains a concern today.”

A TSA rule enacted last year requires that carriers maintain a documented chain of custody for TIH cargos, and that they are never left unattended in DHS-designated high-threat urban areas. A PHMSA rule requires that shippers conduct route risk assessments and choose the routes that present the least risk “where commercially practicable.” (See Is Hazmat Safety on Track? [2], March)

GAO called the voluntary cooperation between TSA and private operators to improve security “noteworthy.”

DHS generally concurred with GAO’s findings.