Engagement Memo—Audit of Train Control Systems Security

We are initiating a security audit of Amtrak’s train control systems, including the Centralized Electrification and Traffic Control (CETC) system, which rely heavily on the use of automated industrial controls to manage train movements in the busy Northeast Corridor. Our objective is to assess the status and effectiveness of company efforts to address any identified security vulnerabilities in the train control systems.

During the audit, we plan to interview company officials and contractors. We also plan to analyze a 2017 industrial control systems security study conducted by an IT security contractor, and the corrective action plan developed by the company to address the vulnerabilities identified in the study. We will also assess company efforts to address any other security vulnerabilities identified during the course of our review. Our work will include visiting industrial control systems field locations and train operations centers. Our request for documents and data will be made as our work progresses. We also will work to minimize the impact of the audit by coordinating interviews and observations with staff in advance.