Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

U.S. Senators Voice Cyber Concerns Over China-Made Metro Rail Cars

A group of United States Senators have written a letter to the Washington Metropolitan Area Transit Authority (WMATA) to express safety and security concerns regarding the acquisition of metro rail cars built by a Chinese company.

A group of United States Senators have written a letter to the Washington Metropolitan Area Transit Authority (WMATA) to express safety and security concerns regarding the acquisition of metro rail cars built by a Chinese company.

In their letter to WMATA General Manager and CEO Paul J. Wiedefeld, Sens. Mark R. Warner (D-VA), Tim Kaine (D-VA), Ben Cardin (D-MD) and Chris Van Hollen (D-MD) said they were concerned of the possibility that Metro may contract the Chinese maker to build its newest 8000-series rail cars.

The Senators’ concerns are rooted in a recent Washington Post report that the state-owned China Railway Rolling Stock Corp., or CRRC, might attempt to win a $1 billion Metro contract for hundreds of rail cars. Over the past five years, the company used bargain prices to win four large U.S. transit rail car contracts, the report claims.

“While other cities have welcomed this kind of investment, we have serious concerns about similar activity happening here in our nation’s capital, particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security,” the Senators say in their letter.  

“As Metro continues its procurement process for the 8000-series rail car, we strongly urge you to take the necessary steps to mitigate growing cyber risks to these cars,” they continue. 

The main issue, the letter reveals, is that the new rail cars are expected to incorporate a large number of technologies that could expose them to various cyber-risks, including automatic train control, network and trainline control, video surveillance, monitoring and diagnostics, and data interface with WMATA.

“Many of these technologies could be entirely susceptible to hacking, or other forms of interference, if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers,” the Senators say. 

Furthermore, the letter underlines that a Q&A document posted as part of the Request for Proposals revealed that WMATA has ‘no Buy America or DBE requirements for this contract’. This too raises questions regarding the protections implemented to ensure the integrity of these components, the Senators told Wiedefeld.

The Senators also asked a series of questions regarding Metro’s plans for the rail car procurement process, being interested, among others, in whether the company has received notifications from the Department of Homeland Security “on the attempts of foreign adversaries to infiltrate our critical infrastructure.”

They also ask whether Metro will consult with the Department of Defense prior to awarding a contract to ensure that “railcard built by certain foreign governments” are permitted to operate through the Pentagon.

“U.S. national security should be of the utmost importance as WMATA considers bids for its procurement of 8000-series rail cars, and we therefore request that you consider submitting an addendum to the earlier RFP [Request for Proposals] to ensure that the necessary steps are taken to protect against the aforementioned concerns,” the letter concludes. 

In early January, Senators Marco Rubio (R-FL) and Mark R. Warner (D-VA) – both members of the Senate Select Committee on Intelligence – introduced a new bill to establish a new Office to “to stop the transfer of critical emerging, foundational, and dual-use technologies to countries that pose a national security risk.”

RelatedTrains Vulnerable to Hacker Attacks, Researchers Say

RelatedRailway Cybersecurity Firm Cylus Emerges From Stealth

Related: U.S. Senators Introduce Bi-Partisan Bill to Counter China Hacking Threat

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

ICS/OT

A hacktivist group has made bold claims regarding an attack on an ICS device, but industry professionals have questioned their claims.

ICS/OT

Vulnerabilities in industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to OT networks.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

ICS/OT

Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.

ICS/OT

Schneider Electric in recent months released patches for its EcoStruxure platform and some Modicon programmable logic controllers (PLCs) to address a critical vulnerability that...