Security Experts:

U.S. Senators Voice Cyber Concerns Over China-Made Metro Rail Cars

A group of United States Senators have written a letter to the Washington Metropolitan Area Transit Authority (WMATA) to express safety and security concerns regarding the acquisition of metro rail cars built by a Chinese company.

In their letter to WMATA General Manager and CEO Paul J. Wiedefeld, Sens. Mark R. Warner (D-VA), Tim Kaine (D-VA), Ben Cardin (D-MD) and Chris Van Hollen (D-MD) said they were concerned of the possibility that Metro may contract the Chinese maker to build its newest 8000-series rail cars.

The Senators’ concerns are rooted in a recent Washington Post report that the state-owned China Railway Rolling Stock Corp., or CRRC, might attempt to win a $1 billion Metro contract for hundreds of rail cars. Over the past five years, the company used bargain prices to win four large U.S. transit rail car contracts, the report claims.

“While other cities have welcomed this kind of investment, we have serious concerns about similar activity happening here in our nation’s capital, particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security,” the Senators say in their letter.  

“As Metro continues its procurement process for the 8000-series rail car, we strongly urge you to take the necessary steps to mitigate growing cyber risks to these cars,” they continue. 

The main issue, the letter reveals, is that the new rail cars are expected to incorporate a large number of technologies that could expose them to various cyber-risks, including automatic train control, network and trainline control, video surveillance, monitoring and diagnostics, and data interface with WMATA.

“Many of these technologies could be entirely susceptible to hacking, or other forms of interference, if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers,” the Senators say. 

Furthermore, the letter underlines that a Q&A document posted as part of the Request for Proposals revealed that WMATA has ‘no Buy America or DBE requirements for this contract’. This too raises questions regarding the protections implemented to ensure the integrity of these components, the Senators told Wiedefeld.

The Senators also asked a series of questions regarding Metro’s plans for the rail car procurement process, being interested, among others, in whether the company has received notifications from the Department of Homeland Security “on the attempts of foreign adversaries to infiltrate our critical infrastructure.”

They also ask whether Metro will consult with the Department of Defense prior to awarding a contract to ensure that “railcard built by certain foreign governments” are permitted to operate through the Pentagon.

“U.S. national security should be of the utmost importance as WMATA considers bids for its procurement of 8000-series rail cars, and we therefore request that you consider submitting an addendum to the earlier RFP [Request for Proposals] to ensure that the necessary steps are taken to protect against the aforementioned concerns,” the letter concludes. 

In early January, Senators Marco Rubio (R-FL) and Mark R. Warner (D-VA) – both members of the Senate Select Committee on Intelligence – introduced a new bill to establish a new Office to "to stop the transfer of critical emerging, foundational, and dual-use technologies to countries that pose a national security risk."

RelatedTrains Vulnerable to Hacker Attacks, Researchers Say

RelatedRailway Cybersecurity Firm Cylus Emerges From Stealth

Related: U.S. Senators Introduce Bi-Partisan Bill to Counter China Hacking Threat

view counter