INFORMATION TECHNOLOGY: Improving Cybersecurity and Resiliency of Train Control Systems Could Reduce Vulnerabilities

OIG-A-2019-008 (Summary) | July 9, 2019

Memorandum

To: Scot L. Naparstek, Executive Vice President / Chief Operations Officer
Christian Zacariassen, Executive Vice President / Chief Information Officer

From: Eileen Larence, Acting Assistant Inspector General, Audits

Date: July 9, 2019

Subject: Information Technology: Improving Cybersecurity and Resiliency of Train Control Systems Could Reduce Vulnerabilities (OIG-A-2019-008)

The Office of Inspector General (OIG) conducted an audit of Amtrak’s (the company) train control systems. Our audit objective was to assess the company’s efforts to identify and address vulnerabilities in these systems and to ensure resiliency.

BACKGROUND

The company uses train control systems to dispatch and monitor more than 2,000 trains daily across its network of more than 500 stations and 21,000 miles of track. Given their criticality to safe train operations, we assessed the company’s efforts to identify and address the train control systems’ cybersecurity and resiliency. We compared the company’s efforts in both areas with standards from the National Institute of Standards and Technology.

SUMMARY OF RESULTS

We identified areas where the cybersecurity and resiliency of the company’s train control systems could be improved and recommended certain improvements to management.

MANAGEMENT COMMENTS AND OIG ANALYSIS

In commenting on a draft of this report, the Executive Vice President / Chief Operations Officer and Executive Vice President / Chief Information Officer agreed with our recommendation and identified actions that the company is taking or plans to take to address it.

SCOPE AND METHODOLOGY

We performed our audit work from January 2018 through March 2019 in Washington, D.C.; Philadelphia, Pennsylvania; Wilmington, Delaware; New York City, New York; and Boston, Massachusetts.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Given the sensitive nature of the report’s information, the results have been summarized in this public version of the report.

OIG TEAM MEMBERS

Jason Venner, Deputy Assistant Inspector General, Audits
Vipul Doshi, Senior Director, Audits
Gary Mountjoy, Senior Audit Manager
Alexander Best, Audit Manager
Sheila Holmes, Senior Auditor
Brottie Barlow, Auditor
Alison O’Neill, Communications Analyst

OIG MISSION AND CONTACT INFORMATION

Mission

The Amtrak OIG’s mission is to provide independent, objective oversight of Amtrak’s programs and operations through audits and investigations focused on recommending improvements to Amtrak’s economy, efficiency, and effectiveness; preventing and detecting fraud, waste, and abuse; and providing Congress, Amtrak management, and Amtrak’s Board of Directors with timely information about problems and deficiencies relating to Amtrak’s programs and operations.

Obtaining Copies of Reports and Testimony

Available at our website www.amtrakoig.gov

Reporting Fraud, Waste, and Abuse

Report suspicious or illegal activities to the OIG Hotline www.amtrakoig.gov/hotline or 800-468-5469

Contact Information

Eileen Larence
Acting Assistant Inspector General, Audits
Mail: Amtrak OIG, 10 G Street NE, 3W-300, Washington D.C., 20002
Phone: 202-906-4600
Email: Eileen.Larence@amtrakoig.gov

Published by the Amtrak Office of the Inspector General on 2019-07-09.