How Secure Is U.S. Passenger Rail, And What Does “Critical Rail Infrastructure Security” Look Like?
01/01/26
How Secure Is U.S. Passenger Rail, And What Does “Critical Rail Infrastructure Security” Look Like?
Main Takeaway
Amtrak and other passenger rail systems are open networks designed for throughput and access. You cannot bolt aviation-style checkpoint screening onto hundreds of stations and platforms without breaking the service. The right security model is layered and intelligence-led: visible policing and K9, randomization, strong incident response, and serious attention to the cyber-physical stack that runs signals, interlockings, and dispatch.
About The Security Nexus. The Security Nexus is a Maryland based national security consultancy. We specialize in strategic advisory, education, and public engagement. Through podcasts, blogs, training, and consulting, we provide insight into cyber threats, hybrid warfare, and strategic security policy. Our mission is to inform, educate, and empower professionals and the public through clear, accessible, actionable knowledge. Visit TheSecurityNexus.net and listen to the companion podcast episode for context and field notes from an Amtrak trip.
⸻
Background
Passenger rail is an open system. Stations feed riders from streets, buses, and metro without fixed entry points. The volume alone defeats airport-style screening. London’s Tube handles millions of journeys and hundreds of stations; any attempt to funnel that volume through checkpoints would cripple operations and create new crowd-safety risks (Mayor of London data summarized in Nunes, Cruz, and Simões).
Transport systems must be judged on resilience and efficiency, not zero-risk. Research on network reliability and vulnerability shows why: the aim is to keep the system working under disturbance and recover fast when it fails. In practice that means designing for robustness, rapid rescheduling, and clear recovery priorities rather than chasing total prevention.
What My Trip Reveals, and What It Doesn’t
The episode notes describe boarding Amtrak with no ID check and no baggage screening. Treat those observations as transcript only and anecdotal, not a census of the whole system. In open rail, deliberate randomization and mobile patrols substitute for fixed checkpoints. Research on public-area security near transport hubs shows that prevention techniques have to be balanced against cost, crowding, and flow; there is no single “airport-style” control that transfers neatly into rail concourses.
How Amtrak-Style Security Actually Works
Layered rail security typically includes:
• Uniformed policing on trains and in stations; specialized public safety units; and K9 teams for explosive detection. Dave Jones, Chief Officer of the Metro Vancouver Transit Police, describes this mix, including IED response, K9, and a public safety unit, as core to metropolitan rail security practice.
• Randomized bag checks and special operations that avoid predictable patterns. In the public-area risk literature, randomization is a common theme to avoid displacement and gaming.
• Intelligence sharing and community partnerships. Jones’s briefing note stresses inter-agency relationships and outreach to vulnerable populations to improve reporting and early warning.
• Emergency response and recovery. Modern rail security emphasizes fast detection, passenger information, and service recovery after disruptions because passengers cannot always self-re-route quickly; agencies must correct disruptions fast and communicate clearly.
In short, rail security relies on a mix of visible deterrence, flexible checks, and rapid incident management rather than universal gates. That design choice follows from the network’s open architecture and throughput needs.
Threat Model
Below is a concise threat model for U.S. passenger rail. Each item lists a plausible path, likely impact, and current mitigation posture drawn from the sources.
Terrorism targeting crowded spaces
• Path: attacker moves within open concourses or platforms and seeks dense crowds.
• Impact: casualties, fear, and extended disruption.
• Posture: visible patrols, K9 sweeps, and targeted operations in public areas; research frameworks emphasize selecting measures with acceptable cost and flow impacts.
Active shooter or edged-weapon attacks
• Path: individual attacker in cars, platforms, or waiting areas.
• Impact: casualties and panic; secondary crowd crush risk.
• Posture: armed transit police, rapid response units, and passenger information systems to move people safely and resume service.
IEDs and sabotage
• Path: person-borne or bag-borne devices in stations or trains; sabotage near interlockings.
• Impact: casualties, infrastructure damage, and extended shutdowns.
• Posture: explosives K9, targeted patrols of sensitive areas, and specialized IED response capabilities described in Jones’s briefing note.
Insider threats
• Path: employee access misused to alter operations or aid attackers.
• Impact: signal failures, unsafe movements, or insider-enabled crime.
• Posture: standards and lifecycle controls under CENELEC TS 50701 and related IEC 62443 practices focus on zones, conduits, access control, and risk-based mitigations across the system life cycle.
Onboard crime and disorder
• Path: thefts, assaults, disorder on trains and in stations.
• Impact: rider fear and reputational cost; operational delays.
• Posture: routine patrols, CCTV, and K9 presence; community engagement and problem-oriented policing highlighted in Jones’s program.
Cyber and operational technology (OT) risks
• Path: attacks on interlocking, signaling, or Automatic Train Supervision; pivot via corporate IT into OT.
• Impact: unsafe conditions, forced slow orders, loss of dispatch visibility, or shutdowns.
• Posture: European and international practice is converging on CENELEC TS 50701 with IEC 62443 for zones and conduits, risk assessment, and security lifecycle management; guidance from UIC and ENISA reinforces risk methods like STRIDE tailored to rail.
Chokepoints
• Path: single points of failure such as signal interlockings, the Operations Control Center, tunnels, and bridges.
• Impact: network-wide delays; cascading disruption.
• Posture: sources identify interlocking and ATS-OCC conduits as critical and call for targeted hardening and monitoring of those connections.
Critical Rail Infrastructure
In practice, “critical rail” maps to assets and functions whose failure halts traffic or erodes safety: interlockings, ATS at the operations center, power distribution, communications, and major nodes like tunnels and movable bridges. Nunes, Cruz, and Simões identify interlocking and the OCC link as especially critical and note that modern rail subsystems are highly automated and interdependent, which elevates their cyber risk.
Standards help organize roles and work. TS 50701 adapts IEC 62443 concepts to rail, including zones and conduits, and sets out a security lifecycle from prerequisites and concept through risk analysis and operation. This gives operators and suppliers a common playbook and ties security decisions to risk, budget, and system scope.
When disruption does occur, research on service recovery shows passengers cannot always re-route quickly; agencies must detect, inform, and correct fast. That means robust passenger information systems and preplanned recovery actions, not only deterrence.
What Travelers Can Do
• Pack light and keep your bag within sight. Random checks occur and unattended bags trigger responses.
• Board mid-car and note exits. Move away from disorder or conflict rather than engaging.
• If you see something you believe is dangerous, report it to crew or station staff.
• Save the rail operator’s emergency number, and learn the basic evacuation diagram posted in the car.
• Expect delays during special operations and be patient with crowd control that is designed to prevent secondary harm during incidents. These practices align with the response and passenger-information posture discussed in the research.
What Policymakers and Operators Should Do Next
1. Harden the interlocking–ATS–OCC conduit. Segment, monitor, and exercise failover for the interlocking and ATS link identified as a critical path. Tie controls to TS 50701 and IEC 62443 risk levels.
2. Adopt a formal cybersecurity lifecycle. Use TS 50701 phases to drive governance from prerequisites and concept through operation. Make scope and purpose explicit and align supplier work to the same model.
3. Build an intelligence-led patrol model. Resource visible policing, K9, and a flexible public safety unit. Sustain inter-agency relationships and community outreach to improve reporting and early warning.
4. Plan recovery first. Invest in passenger information and disruption playbooks; measure time to detect, time to inform, and time to restore. Research shows agencies must correct disruptions quickly because riders cannot always self-re-route.
5. Use rail-specific risk methods. Apply STRIDE-based risk for signaling and control, as in Shift2Rail and UIC guidance; map zones and conduits, estimate target security levels, and document residual risk.
6. Exercise with scenario realism. Blend physical and cyber injects that test interlocking failures, OCC loss of visibility, and crowd management under partial shutdowns. Evidence from resilience studies supports planning for disturbance and rapid rescheduling.
7. Instrument the network. Use non-identifying turnstile counts and real-time flows to detect anomalies and inform response, while preserving civil liberties. Research highlights the value of such data for disruption management.
Conclusion
Passenger rail will never look like aviation screening, and that is by design. Security lives in layered policing, randomization, and well-rehearsed recovery, with growing urgency around the cyber-physical systems that move trains safely. The measure of success is not a fantasy of perfect prevention. It is a rail network that detects, contains, and bounces back, keeping national mobility resilient.
Categories and Tags
Categories: Critical Infrastructure; Intelligence and Espionage; Cyber Conflict; National Security Strategy
Tags: rail security; Amtrak; interlocking; ATS; OCC; K9; resilience; IEC 62443; TS 50701; STRIDE; passenger information; disruption recovery
Sources (Chicago Author-Date)
Cavone, G., L. Blenkers, T. van den Boom, M. Dotoli, C. Seatzu, and B. De Schutter. 2019. “Railway Disruption: A Bi-Level Rescheduling Algorithm.” In 6th International Conference on Control, Decision and Information Technologies (CoDIT), 54–59. https://doi.org/10.1109/CoDIT.2019.8820380.
Ge, Lei, Stefan Voß, and Lei Xie. 2022. “Robustness and Disturbances in Public Transport.” Public Transport 14: 239–312. (Selected references cited for resilience and disturbance management).
Jones, Dave. 2023. “The Role of Intelligence in Critical Infrastructure Protection: Securing the Metro Railway and Public Transportation.” Briefing note, Canadian Association for Security and Intelligence Studies Vancouver, 6th Annual Conference.
Kongsap, P., and S. Kaewunruen. 2024. “Agent-Based Modelling for Railway Operations and Security: A Review.” Frontiers in Built Environment 10.3389/fbuil.2024.1249584. (Sections on disruption response and cyber-physical threats).
Nunes, João, Tiago Cruz, and Paulo Simões. 2024. “Securing the Future of Railways: CENELEC TS 50701 in Context.” In Proceedings of the 23rd European Conference on Cyber Warfare and Security (ECCWS 2024), 331–340. (Sections on critical interlocking–ATS–OCC conduits and the TS 50701 lifecycle).
Sensors Editorial Team (Ibadah et al.). 2024. “Securing the Future of Railways: A Comprehensive Guide to Cybersecurity Threats.” Sensors 24: 8218. (Summaries of IEC 62443, TS 50701, UIC and Shift2Rail methods). https://doi.org/10.3390/s24208218.
Skorupski, Jacek, and collaborators. 2018. “A Decision Framework for Security in Public Areas Near Airports and Connected Stations.” Safety 4: 36. (Used for prevention-versus-flow considerations in public spaces).
