Order Code RL32625
CRS Report for Congress
Received through the CRS Web
Passenger Rail Security:
Overview of Issues
Updated October 12, 2004
David Randall Peterman
Analyst in Transportation
Resources, Science, and Industry Division
Congressional Research Service ˜ The Library of Congress

Passenger Rail Security: Overview of Issues
Summary
The March 2004 bombing of passenger trains in Spain highlighted the
vulnerability of passenger rail systems to terrorist attack. The number of riders and
access points make it impractical to subject all rail passengers to the type of screening
airline passengers undergo. Nevertheless, steps can be taken to reduce the risks of
an attack.
The 9/11 Commission has called for a systematic analysis of transportation
assets, the risks to those assets, and the costs and benefits of different approaches to
defending those assets; the Commission also called for homeland security assistance
to be distributed based on these assessments of risks and vulnerabilities, rather than
according to population.
Among legislation introduced in response to the general recommendations of
the 9/11 Commission are H.R. 10 and S. 2845, bills proposing wide-ranging changes
to the nation’s intelligence system; they do not directly address passenger rail
security, but S. 2845 (passed Senate October 6, 2004) would have the Department of
Homeland Security create a national strategy for transportation security. This plan
would identify national transportation assets, set risk-based priorities for their
protection, assign responsibilities for their protection, and recommend appropriates
levels and sources of funding for these efforts. H.R. 10 would also direct the
Department of Homeland Security to develop a transportation security plan, but the
plan appears to be focused on aviation.
S. 2273, the Rail Security Act of 2004 (passed Senate October 1, 2004), calls
for risk and vulnerability assessments of freight and passenger rail transportation, and
would provide grants to railroads for security improvements, based in part on the
level of risk and vulnerability. S. 2884, the Public Transportation Terrorism
Prevention Act of 2004 (passed Senate October 1, 2004), would require the
Department of Homeland Security to assess transit agencies and develop security
improvement priorities to be funded through a public transportation security grant
program; the bill would also create a public transportation security research,
development, and demonstration grant program. H.R. 5082, the Public
Transportation Terrorism Prevention and Response Act of 2004, would require the
Departments of Homeland Security and Transportation to jointly assess transit
agencies for threats and vulnerabilities. These assessments would form the basis for
security guidelines and federal security grants which would be administered by the
Department of Transportation.
H.R. 4567, the FY2005 appropriations bill for the Department of Homeland
Security, would provide $162 million in assistance for passenger rail security. This
bill has been passed by Congress, and awaits the President’s signature.
A key challenge facing Congress is balancing the desire for and cost of
increased rail passenger security with the operating efficiency of the systems, the
potential costs of one or more attacks, and with other options for promoting national
security. This report will be updated as warranted.

Contents
Passenger Rail Systems Are Inherently Vulnerable . . . . . . . . . . . . . . . . . . . . 1
What Security Measures Have Been Taken for Passenger Rail? . . . . . . . . . . 2
Industry Security Spending and Funding Requests . . . . . . . . . . . . . . . . . . . . 2
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Evaluating Security Funding Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Security Involves Trade-Offs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Legislative Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Passenger Rail Security: Overview of Issues
In the current atmosphere of heightened concern about terrorism, the March 11,
2004 bombing of commuter trains in Madrid has intensified congressional interest
in reducing the risk of attacks against passenger rail operations in the United States.
This report summarizes the challenges of securing passenger rail systems, options for
making decisions about security funding, and industry requests for funding. It does
not address the security of freight rail operations. However, since some passenger
rail operations use the same track and facilities as freight rail, these topics cannot be
completely separated.
Passenger Rail Systems Are Inherently Vulnerable
Passenger rail service takes four forms: heavy rail (e.g., subway systems like
Washington D.C.’s Metro), commuter rail (e.g., Maryland’s MARC and Virginia’s
Virginia Railway Express [VRE] trains), light rail (e.g., Dallas’ DART) — these all
fall under the category of public transit — and intercity passenger rail (Amtrak).
These forms share certain characteristics that make them vulnerable to attack: they
make scheduled stops along fixed routes; their operations depend on people having
quick and easy access to stations and trains; and the number of access points and
volume of ridership1 make it impractical to subject all rail passengers to the type of
screening that airline passengers undergo. As the 9/11 Commission noted in its final
report, “Surface transportation systems such as railroads and mass transit remain hard
to protect because they are so accessible and extensive.”2
In light of that vulnerability, the casualty rate for terrorist attacks on passenger
rail facilities is lower than might be expected. According to an estimate based on a
database of terrorist incidents maintained by the RAND Corporation and the
Oklahoma City Memorial Institute to Prevent Terrorism, there were a total of 181
terrorist attacks on trains and rail-related targets such as stations worldwide between
1998-2003, an average of 30 per year.3 These incidents resulted in 431 deaths, an
average of 2.4 deaths per attack. One attack — a derailment of a train followed by
attacks on the surviving passengers, in Angola — accounted for 252 of these deaths;
setting aside that exceptional incident, there was an average of one death in each
incident.4 There were no attacks recorded in the United States. Of course, this does
not mean there will not be any attacks in the United States in the future.
1 Annual rail passenger ridership in the United States is over 5 times that of civil aviation.
2 The 9/11 Commission Report: Final Report of the National Commission on Terrorist
Attacks Upon the United States
, New York: W. W. Norton, 2004, p. 391.
3 These numbers do not include the 2004 Madrid bombing, which killed 191 people.
4 Cited by Jack Riley, Director of RAND Public Safety and Justice, in testimony before the
Senate Committee on Commerce, Science, and Transportation, March 23, 2004.

CRS-2
What Security Measures Have Been Taken for Passenger
Rail?

On May 20, 2004 the Department of Homeland Security issued security
directives for passenger rail systems.5 These directives have not been made public,
but according to reports, largely reflect actions already taken by many rail systems.6
These include removing or hardening trash containers on boarding platforms that
could be used to hide bombs, increasing the presence of security officers, using video
surveillance in and around stations, using bomb-sniffing dogs for random inspections
of passengers and baggage, and encouraging riders to look for suspicious activity.
With limited options for preventing an attack, transit agencies have focused on
minimizing the harm from an attack (this is referred to as "consequence
management"). Consequence management efforts include vulnerability assessments,
emergency planning, emergency response training and drilling of transit personnel,
ideally in coordination with first responders, as well as purchase of communication
and safety equipment. These actions also help agencies prepare for natural disasters,
criminal activity, and other potential disruptions to their operations.
Industry Security Spending and Funding Requests
The passenger rail community says that it has made security improvements, but
is constrained by the limits of available funding; thus their primary security issue is
finding a way to pay for additional security improvements. The transit industry
(which includes bus-only systems as well as rail systems, but does not include
Amtrak) reports that it has spent $1.7 billion on security activities since 9/11; the
industry has requested $5.2 billion in federal security-related capital investment (for
protection of infrastructure and vehicles, enhancing evacuation capabilities, and
improving emergency response) over the next three years and $800 million annually
in ongoing operating and maintenance expenditures — a total of $7.6 billion over
three years, or just over $2.5 billion annually.7 It is not clear how much of the
requested funding is for securing passenger rail operations versus securing bus
operations; for the transit industry, passenger rail operations represented 67% of total
capital costs and 32% of total operating costs in FY2002.8 Amtrak has identified
5 United States Department of Homeland Security Press Office, “Department of Homeland
Security Announces New Measures to Expand Security for Rail Passengers,” May 20, 2004,
[http://www.dhs.gov/dhspublic/display?theme=43&content=3572&print=true] [viewed
7/19/2004].
6 Peter Whoriskey, “U.S. Issues Anti-Terror Regulations for Rail Systems,” Washington
Post
, May 21, 2004, B1.
7 American Public Transportation Association, Survey of United States Transit System
Security Needs and Funding Priorities: Summary of Findings
, April 2004, p. 1.
8 American Public Transportation Association, 2004 Public Transportation FactBook.

CRS-3
$110 million in one-time costs and $10-12 million annually in on-going costs for
security activities.9
The federal government has provided an average of $57.5 million in annual
security grants to transit agencies during FY2003-FY2004. The industry’s request
for $2.5 billion in additional annual security funding is 44 times more than is
currently being spent on transit security. The federal government has provided $100
million in security funding for Amtrak since 9/11, in a one-time appropriation. The
ability of the passenger rail community to fund the requested improvements out of
their own resources is limited: both the transit industry and Amtrak operate at a
deficit and require government assistance to cover their costs; the Federal Transit
Administration (FTA) has estimated that the transit industry requires significant
additional spending merely to keep pace with rising demand; and the DOT Inspector
General has testified that Amtrak requires additional resources merely to return its
system to a state of good repair.10 The 9/11 Commission characterized the federal
emphasis on aviation security spending as “fight[ing] the last war,” noting that
“opportunities to do harm are as great, or greater, in maritime or surface
transportation.”11 But given the size of the passenger rail community’s requested
funding, policy makers will need some degree of consensus as to the potential
effectiveness of the industry’s proposed measures.
Risk Management
One approach that could be used for assessing the level of funding needed and
how to allocate it is threat-based risk management. The Government Accountability
Office (GAO)12 and the 9/11 Commission13 have recommended, and the
Transportation Security Administration (TSA) is committed to,14 using this approach
to guide security efforts.
9 These include security improvements to its largest stations and its tunnels, backup
communications and control capacity, and adding the capability to track train movements
outside the Northeast Corridor. Testimony of E. R. Frazier, Sr., Amtrak Chief of Police and
Security, before the Senate Committee on Commerce, Science, and Transportation, March
23, 2004.
10 Kenneth M. Mead, Inspector General, United States Department of Transportation, The
Future of Intercity Passenger Rail Service and Amtrak
, Testimony before the Senate
Committee on Commerce, Science, and Transportation, CC-2003-106, April 29, 2003
11 The 9/11 Commission Report, p. 391.
12 United States General Accounting Office (GAO), Transportation Security: Federal Action
Needed to Help Address Security Challenges
, GAO-03-843, June 2003, p. 51.
13 The 9/11 Commission Report, pps. 391, 396.
14 Stephen McHale, Deputy Administrator, Transportation Security Administration,
Testimony before the Subcommittee on Infrastructure and Border Security, House Select
Committee on Homeland Security, May 12, 2004.

CRS-4
Threat-based risk management may be conceptualized as an equation:
Vulnerability + Threat + Criticality = Risk.15 ‘Vulnerability’ refers to ways a system
may be open to attack; ‘Threat’ refers to the likelihood of an attack on a system;
‘Criticality’ refers to the potential consequences of an attack; and ‘Risk’ results from
the combination of vulnerability, threat, and criticality. One implication of this
equation is that, while a passenger rail system may be vulnerable, the risk to the
system may nevertheless be low if no threat is apparent, or if the vulnerability is in
a non-critical area. Another implication is that there are several ways to manage the
risk to passenger rail. One way is to make changes in the passenger rail systems to
lower their vulnerability (e.g., hiring more police officers, introducing random
screening of passengers and bags, installing security cameras); another is to reduce
their criticality (e.g., through coordinated emergency response training exercises with
local first responders); and yet another is to make changes elsewhere that reduce
threats to those systems (e.g., putting more money into intelligence and law
enforcement to combat terrorism).
As the above equation indicates, a risk assessment results from the combination
of several studies: vulnerability assessments, threat assessments, and criticality
assessments. Each of these component studies has limitations. The vulnerability of
a system to attack, and the criticality of the system in the event of an attack, must be
assessed on the basis of assumptions about what sorts of attacks might be attempted.
The level of threat to a system is the sort of knowledge typically acquired by
intelligence and law enforcement agencies and will likely change as new information
comes to light. Thus a risk assessment is an estimate, based on several other
estimates, and does not provide unambiguous guidance to prioritizing security
efforts.
Evaluating Security Funding Requests
There are no comprehensive studies by independent sources of passenger rail
security needs and costs. The overall rail industry risk assessment that TSA plans to
do, and which is intended to inform decisions about security improvements, has not
been completed. Individual transit agencies have undertaken vulnerability and
criticality assessments, often with the assistance of technical teams provided by FTA
and TSA, but few agencies have done complete risk assessments, and the individual
agency assessments have not been combined to produce a larger picture. Thus the
industry funding request is based largely on the self-perceived needs of individual
agencies rather than a comprehensive risk management analysis.
In formulating their request for $7.6 billion in security funding over three years,
the managers of passenger rail systems are pushed by the nature of the process to
make a broad request for funding rather than a narrower one, given that the level of
risk to their systems is unknown and the consequences of an attack could be
disastrous. The options available to transit managers for reducing the risk to
15 For more discussion risk management, see Rob Buschman, "Assessing Risks," CRS
T e r r o r i s m E l e c t r o n i c B r i e f i n g B o o k , a v a i l a b l e a t
[http://www.congress.gov/brbk/html/ebter225.html], and Carl A. Roper, Risk Management
for Security Professionals
, Butterworth-Heinemann, 1999.

CRS-5
passenger rail systems are limited to spending on those systems; they do not have the
option, as federal policy makers do, of spending more on federal intelligence and
law-enforcement activities as a means of reducing the risks to passenger rail systems.
In determining how much to spend on passenger rail security, Congress faces trade-
offs in providing more funding for passenger rail systems to improve their security
versus more funding for intelligence and law-enforcement agencies to improve the
security of the nation — including passenger rail systems.
When it comes to deciding how to distribute funding for security within the
passenger rail community, Congress faces the perennial conflict between efficiency
and equity: whether to try to direct funding to where it might have the greatest impact
(by some measure of risk), or whether to try to equalize the amount of funding every
recipient gets (by some measure of equity). The equity approach would largely
ignore risk management considerations and potentially lead to a less than efficient
allocation of resources, from the standpoint of security. In its final report, the 9/11
Commission recommended that “Homeland security assistance should be based
strictly on an assessment of risks and vulnerabilities...Congress should not use this
money as a pork barrel.”16 The Commission’s recommendation included the
proposal that community needs be evaluated according to benchmarks that would be
developed by a panel of security experts. A risk management approach to security
will ultimately result in a system-by-system combination of actions; the wide
variation in risk among different systems may make funding such an approach on a
formula basis difficult.
Security Involves Trade-Offs
As noted above, with a worldwide average of 30 terrorist attacks on passenger
rail each year, the likelihood of a terrorist attack on any particular rail station is low
— but the impact of an attack on a station in the United States (in lives lost and
public reaction) could be high. Congress faces the challenge of determining how
much money should be made available for passenger rail security, in light of other
homeland security needs and other transportation needs, and then determining how
the security funding should be distributed within the passenger rail community.
Security efforts involve tradeoffs in money and time. One key policy issue is
where to strike the balance between the desire for security and the efficient operation
of the rail systems; another is striking the balance between the cost of security efforts
in passenger rail and other federal priorities, including security efforts in other areas.
Some observers, noting that the number of potential terrorist targets in the United
States — such as passenger rail trains — are virtually limitless, question the value
of efforts to make these targets more secure. They note that these efforts are probably
not cost-effective, given that if one set of targets — for example, trains — is made
more secure, terrorists might simply shift to softer targets such as buses or shopping
malls. Moreover, these security efforts impose a variety of costs on the public, in
money, time, inconvenience, and limitations on personal freedoms. These observers
argue that a more effective strategy is to increase funding for efforts to disrupt the
terrorist groups that are the source of these threats (e.g., funding for intelligence and
16 The 9/11 Commission Report, p. 396.

CRS-6
law enforcement agencies) and for efforts to respond to any attacks (e.g., funding for
first responders).17 Others argue — though rarely in print — that the government and
other entities should take visible actions intended to increase the security of people's
daily activities even if the value of those actions is uncertain, because it is important
for Americans' sense of security that the federal government and other organizations
be perceived as doing something to make them safer. But such actions involve trade-
offs too, and one of the trade-offs is that resources may be applied to activities with
limited security value that might otherwise be applied to activities with greater
security value.
Legislative Actions
The 9/11 Commission’s recommendations for passenger rail security (and other
transportation modes) were that the protection of transportation assets must be
prioritized according to relative risk, and that funding for transportation security must
be distributed according to assessments of relative risk and vulnerability. Among
legislation introduced in response to the general recommendations of the 9/11
Commission are H.R. 10, H.R. 5082, S. 2273, S. 2845, and S. 2884.
H.R. 10 and S. 2845 are wide-ranging bills focusing on reforming federal
intelligence operations. They do not directly address passenger rail security.
However, S. 2845 would direct DHS to develop a national strategy for transportation
security.18 This plan would identify national transportation assets, set risk-based
priorities and practical methods for protecting those assets, assign responsibilities
among federal, state and local governments and the private sector for their protection,
and recommend appropriate levels and sources for funding these efforts. The Senate
passed S. 2845 on October 6, 2004.
H.R. 10 would direct DHS to prepare modal transportation security plans, but
focuses on aviation security, requiring that the aviation security plan have risk-based
priorities, select cost-effective methods of protection, assign roles to various levels
of government and stakeholders; no mention is made of the security plans for other
modes.19 H.R. 10 also consolidates two existing federal criminal statutes into one,
to deter and punish terrorist acts against rail carriers and mass transportation
providers.20 The House passed H.R. 10 on October 8, 2004. There are a number of
17 Jennifer Barrett, “An Enormous Waste of Money,” Newsweek Web Exclusive, March 17,
2004, [http://www.msnbc.msn.com/id/4549661/] [viewed 7/8/2004].
18 S.Amdt. 3702 to S. 2845, agreed to on 9/28/2004.
19 The language in the House bill refers to “a transportation sector specific plan and
transportation modal security plans in accordance with this section”; since the statutory
section being amended concerns civil aviation, it is not clear whether the House bill is
requiring security plans for all transportation modes or only for aviation (the rest of the
language in this section of the bill refers to aviation security planning). At the least, this
language continues the emphasis on aviation security, compared to other transportation
modes, that the 9/11 Commission criticized.
20 H.Amdt. 791 to H.R. 10, agreed to on 10/8/2004.

CRS-7
differences between the House and Senate bills; the House and Senate will now
attempt to reconcile these bills in conference.
S. 2273, the Rail Security Act of 2004, was passed by the Senate on October 1,
2004. It would direct DHS to complete a vulnerability assessment of freight and
passenger rail transportation and to develop a prioritized set of recommendations for
improving rail security. It would also authorize DHS to make grants to freight and
passenger railroads, hazardous material shippers, State and local governments (for
passenger facilities and infrastructure not owned by Amtrak), and others, for security
improvements or the costs of responding to acts of terrorism. The principle by which
the grants would be distributed is not clear: DHS is directed to develop procedures
to ensure that the grants are expended in accordance with the security priorities DHS
has developed, but DHS is also directed to distribute the grants equitably, “taking
into account geographic location”, while for grants awarded for passenger rail
security, DHS is to take into account passenger volume and whether a station is used
by commuter rail as well as intercity passenger rail. What constitutes an equitable
distribution is left to the discretion of DHS. S. 2273 would authorize $350 million
for these security grants in FY2005. It would also provide $670 million to Amtrak
for life-safety improvements to tunnels in New York City, Baltimore, and
Washington, D.C. S. 2273 had previously been submitted as an amendment to S.
2845, but was not accepted.
S. 2884, the Public Transportation Terrorism Prevention Act of 2004, was also
passed by the Senate on October 1, 2004. It would require DHS to assess transit
agencies and develop security improvement priorities to be funded through a public
transportation security grant program; the bill would also create a public
transportation security research, development, and demonstration grant program.
These grant programs would be administered by DHS. The bill would authorize $3.5
billion for these programs for FY2005-FY2007. S. 2884 had previously been
submitted as an amendment to S. 2845, but was not accepted.
H.R. 5082, the Public Transportation Terrorism Prevention and Response Act
of 2004, was ordered to be reported by the House Transportation and Infrastructure
Committee on September 29, 2004. It would require DHS and DOT to jointly assess
transit agencies for threats and vulnerabilities. These assessments would form the
basis for security guidelines and grants. DOT would develop security improvement
priorities for each transit agency assessed, and the agencies shall use their grant funds
for projects based on these priorities. The bill would authorize $3.4 billion for transit
security grants for FY2005-FY2007, to be provided through DOT. No further House
action has been taken on this bill.
H.R. 4567, the FY2005 appropriations bills for the Department of Homeland
Security, would provide $162 million for rail and transit security: $12 million to TSA
for rail security activities, and $150 million in grants for rail security to states and
local agencies under the high-risk, high density urban areas security initiative. The
conference report (H.Rept. 108-774) was passed by the House on October 9 and by
the Senate on October 11; it now awaits the President’s signature.