
INFORMATION TECHNOLOGY: Improving Cybersecurity and Resiliency of Train Control Systems Could Reduce Vulnerabilities

Published by the Amtrak Office of the Inspector General on 2019-07-09.


OIG-A-2019-008 (Summary) | July 9, 2019
Memorandum
To:          Scot L. Naparstek
             Executive Vice President / Chief Operations Officer
             Christian Zacariassen
             Executive Vice President / Chief Information Officer

From:        Eileen Larence
             Acting Assistant Inspector General, Audits

Date:        July 9, 2019

Subject:     Information Technology: Improving Cybersecurity and Resiliency of Train
             Control Systems Could Reduce Vulnerabilities (OIG-A-2019-008)

The Office of Inspector General (OIG) conducted an audit of Amtrak’s (the company)
train control systems. Our audit objective was to assess the company’s efforts to identify
and address vulnerabilities in these systems and to ensure resiliency.

BACKGROUND
The company uses train control systems to dispatch and monitor more than 2,000 trains
daily across its network of more than 500 stations and 21,000 miles of track. Given their
criticality to safe train operations, we assessed the company’s efforts to identify and
address the train control systems’ cybersecurity and resiliency. We compared the
company’s efforts in both areas with standards from the National Institute of Standards
and Technology.

SUMMARY OF RESULTS
We identified areas where the cybersecurity and resiliency of the company’s train
control systems could be improved and recommended certain improvements to
management.

MANAGEMENT COMMENTS AND OIG ANALYSIS
In commenting on a draft of this report, the Executive Vice President / Chief Operations
Officer and Executive Vice President / Chief Information Officer agreed with our
recommendation and identified actions that the company is taking or plans to take to
address it.

SCOPE AND METHODOLOGY
We performed our audit work from January 2018 through March 2019 in Washington,
D.C.; Philadelphia, Pennsylvania; Wilmington, Delaware; New York City, New York;
and Boston, Massachusetts. We conducted this performance audit in accordance with
generally accepted government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives. Given the sensitive nature of the report’s
information, the results have been summarized in this public version of the report.

OIG TEAM MEMBERS
Jason Venner, Deputy Assistant Inspector General, Audits

Vipul Doshi, Senior Director, Audits

Gary Mountjoy, Senior Audit Manager

Alexander Best, Audit Manager

Sheila Holmes, Senior Auditor

Brottie Barlow, Auditor

Alison O’Neill, Communications Analyst

OIG MISSION AND CONTACT INFORMATION

Mission
The Amtrak OIG’s mission is to provide independent, objective oversight
of Amtrak’s programs and operations through audits and investigations
focused on recommending improvements to Amtrak’s economy, efficiency,
and effectiveness; preventing and detecting fraud, waste, and abuse; and
providing Congress, Amtrak management, and Amtrak’s Board of
Directors with timely information about problems and deficiencies relating
to Amtrak’s programs and operations.

Obtaining Copies of Reports and Testimony
Available at our website www.amtrakoig.gov

Reporting Fraud, Waste, and Abuse
Report suspicious or illegal activities to the OIG Hotline
www.amtrakoig.gov/hotline or 800-468-5469

Contact Information
Eileen Larence
Acting Assistant Inspector General, Audits
Mail: Amtrak OIG
10 G Street NE, 3W-300
Washington D.C., 20002
Phone: 202-906-4600
Email: Eileen.Larence@amtrakoig.gov