Va. & Md. Senators Raise Cyber Concerns about CRRC Rail Cars on Metro
January 24, 2019
Sen. Mark R. Warner (D-VA), along with Sens. Tim Kaine (D-VA), Ben Cardin (D-MD) and Chris Van Hollen (D-MD), wrote to Washington Metropolitan Area Transit Authority (WMATA) General Manager and CEO Paul J. Wiedefeld to express safety and security concerns regarding the possibility that Metro may award a contract to build its newest 8000-series rail cars to a Chinese manufacturing company.
The Senators wrote, “In the transportation sector, there has been increased interest from particular foreign governments to participate in state and local procurements, including those to manufacture and assemble rail cars for transit agencies around the country. While other cities have welcomed this kind of investment, we have serious concerns about similar activity happening here in our nation’s capital, particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security. As Metro continues its procurement process for the 8000-series rail car, we strongly urge you to take the necessary steps to mitigate growing cyber risks to these cars.”
The Washington Post recently reported that “the state-owned China Railway Rolling Stock Corp., or CRRC, has used bargain prices to win four of five large U.S. transit rail car contracts awarded since 2014. The company is expected to be a strong contender for a Metro contract likely to exceed $1 billion for between 256 and 800 of the agency's newest series of rail cars.”
In their letter, the Senators noted that Metro’s 8000-series rail car is expected to incorporate safety and communications technology such as automatic train control, network and trainline control, video surveillance, monitoring and diagnostics, and data interface with WMATA, among other potentially vulnerable mechanisms that could allow a foreign spy, terrorist, or other rogue actor to break in and take control of Metro’s systems to conduct foreign espionage or impact operations.
“Many of these technologies could be entirely susceptible to hacking, or other forms of interference, if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers. In a Q&A document posted as part of the RFP, WMATA noted that there are ‘no Buy America or DBE requirements for this contract,’ raising further questions about what protections will be in place to ensure the integrity of these components,” the Senators told Wiedefeld.
The Senators then posed a series of questions regarding Metro’s plans for the rail car procurement process, including:
The Senators concluded, “U.S. national security should be of the utmost importance as WMATA considers bids for its procurement of 8000-series rail cars, and we therefore request that you consider submitting an addendum to the earlier RFP [Request for Proposals] to ensure that the necessary steps are taken to protect against the aforementioned concerns.”
The full text of the letter is available here.