Maryland & Virginia Senators Raise Cyber Concerns about Foreign Rail Cars on Metro
WASHINGTON – U.S. Senators Ben Cardin and Chris Van Hollen (both D-Md.) along with Senators Mark Warner and Tim Kaine (D-Va.), wrote to Washington Metropolitan Area Transit Authority (WMATA) General Manager and CEO Paul J. Wiedefeld to express safety and security concerns regarding the possibility that Metro may award a contract to build its newest 8000-series rail cars to a Chinese manufacturing company.
The Senators wrote, “In the transportation sector, there has been increased interest from particular foreign governments to participate in state and local procurements, including those to manufacture and assemble rail cars for transit agencies around the country. While other cities have welcomed this kind of investment, we have serious concerns about similar activity happening here in our nation’s capital, particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security. As Metro continues its procurement process for the 8000-series rail car, we strongly urge you to take the necessary steps to mitigate growing cyber risks to these cars.”
The Washington Post recently reported that “the state-owned China Railway Rolling Stock Corp., or CRRC, has used bargain prices to win four of five large U.S. transit rail car contracts awarded since 2014. The company is expected to be a strong contender for a Metro contract likely to exceed $1 billion for between 256 and 800 of the agency's newest series of rail cars.”
In their letter, the Senators noted that Metro’s 8000-series rail car is expected to incorporate safety and communications technology such as automatic train control, network and trainline control, video surveillance, monitoring and diagnostics, and data interface with WMATA, among other potentially vulnerable mechanisms that could allow a foreign spy, terrorist, or other rogue actor to break in and take control of Metro’s systems to conduct foreign espionage or impact operations.
“Many of these technologies could be entirely susceptible to hacking, or other forms of interference, if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers. In a Q&A document posted as part of the RFP, WMATA noted that there are ‘no Buy America or DBE requirements for this contract,’ raising further questions about what protections will be in place to ensure the integrity of these components,” the Senators told Wiedefeld.
The Senators then posed a series of questions regarding Metro’s plans for the rail car procurement process, including:
- While we are aware that nearly all passenger railcar manufacturers in the United States are foreign-owned, what steps is WMATA taking to ascertain and mitigate against the involvement of foreign governments in this procurement?
- Has Metro received briefings from the Department of Homeland Security or related agencies on the attempts of foreign adversaries to infiltrate our critical infrastructure and the significant cyber vulnerabilities that can stem from them doing so?
- Will Metro take a company’s ties to foreign governments with a record of industrial and cyber espionage into account when evaluating bids, particularly if such company is a state-owned enterprise?
- If so, will Metro allow sensitive component parts of these railcars to be sourced from such countries?
- Will Metro consult with the Department of Defense prior to awarding a contract to confirm whether the Department would permit railcars built by certain foreign governments to operate through the Pentagon?
- We understand that Metro has announced that the RFP will be amended to include baseline cybersecurity protocols. Please provide information about these protocols and how they are being developed. How will Metro evaluate bidder responses to this forthcoming cybersecurity addendum? Will Metro review these responses with the Department of Transportation (USDOT) and the Department of Homeland Security, and seek the concurrence of USDOT and DHS in its cybersecurity evaluations before making any final contract award in this procurement? What specific requirements will the addendum include to ensure that any communications technology included in the rail car procurement is protected from being exploited for surveillance purposes?
The Senators concluded, “U.S. national security should be of the utmost importance as WMATA considers bids for its procurement of 8000-series rail cars, and we therefore request that you consider submitting an addendum to the earlier RFP [Request for Proposals] to ensure that the necessary steps are taken to protect against the aforementioned concerns.”
Next Article Previous Article