This document and trademark(s) contained herein are protected by law as indicated in a
notice appearing later in this work. This electronic representation of RAND intellectual
property is provided for non-commercial use only. Unauthorized posting of RAND PDFs
to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law.
Permission is required from RAND to reproduce, or reuse in another form, any of our research
documents for commercial use. For information on reprint and linking permissions, please
see RAND Permissions.
Limited Electronic Distribution Rights
Visit RAND at www.rand.org
Explore the RAND Homeland Security Program
View document details
For More Information
Purchase this document
Browse Books & Publications
Make a charitable contribution
Support RAND
This PDF document was made available from www.rand.org as
a public service of the RAND Corporation.
6
Jump down to document
The RAND Corporation is a nonprofit research
organization providing objective analysis and
effective solutions that address the challenges facing
the public and private sectors around the world.
THE ARTS
CHILD POLICY
CIVIL JUSTICE
EDUCATION
ENERGY AND ENVIRONMENT
HEALTH AND HEALTH CARE
INTERNATIONAL AFFAIRS
NATIONAL SECURITY
POPULATION AND AGING
PUBLIC SAFETY
SCIENCE AND TECHNOLOGY
SUBSTANCE ABUSE
TERRORISM AND
HOMELAND SECURITY
TRANSPORTATION AND
INFRASTRUCTURE
WORKFORCE AND WORKPLACE
This product is part of the RAND Corporation monograph series. RAND
monographs present major research findings that address the challenges facing
the public and private sectors. All RAND monographs undergo rigorous peer
review to ensure high standards for research quality and objectivity.
Securing America’s
Passenger-Rail Systems
Jeremy M. Wilson, Brian A. Jackson, Mel Eisman,
Paul Steinberg, K. Jack Riley
A RAND INFRASTRUCTURE, SAFETY, AND ENVIRONMENT PROGRAM
Homeland Security
Supported by the National Institute of Justice
The RAND Corporation is a nonprofit research organization providing
objective analysis and effective solutions that address the challenges
facing the public and private sectors around the world. RAND’s
publications do not necessarily reflect the opinions of its research clients
and sponsors.
R® is a registered trademark.
© Copyright 2007 RAND Corporation
All rights reserved. No part of this book may be reproduced in any
form by any electronic or mechanical means (including photocopying,
recording, or information storage and retrieval) without permission in
writing from RAND.
Published 2007 by the RAND Corporation
1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138
1200 South Hayes Street, Arlington, VA 22202-5050
4570 Fifth Avenue, Suite 600, Pittsburgh, PA 15213-2665
RAND URL: http://www.rand.org
To order RAND documents or to obtain additional information, contact
Distribution Services: Telephone: (310) 451-7002;
Fax: (310) 451-6915; Email: order@rand.org
The research described in this report was supported by the National
Institute of Justice, Office of Justice Programs, U.S. Department of
Justice and was conducted under the auspices of the Homeland Security
Program within RAND Infrastructure, Safety, and Evironment. The
opinions, findings, and conclusions or recommendations expressed in
this publication are those of the authors and do not necessarily reflect the
views of the Department of Justice.
Library of Congress Cataloging-in-Publication Data
Securing America’s passenger-rail systems / Jeremy M. Wilson ... [et al.].


p. cm.


Includes bibliographical references.


ISBN 978-0-8330-4117-3 (pbk. : alk. paper)

1. Railroads—United States—Passenger traffic. 2. Transportation—United
States—Passenger traffic. I. Wilson, Jeremy M., 1974–
TF23.S43 2008
363.28'74—dc22
2007048795
iii
Preface
Communities across the United States rely on reliable, safe, and secure rail systems.
Each weekday, more than 12 million passengers take to U.S. railways. Recent attacks
on passenger-rail systems around the world highlight the vulnerability of this form of
transportation. The high use of passenger rail and the frequency with which terrorists
target rail systems elsewhere call for a commitment to analyzing and improving rail
security in the United States.
The study on which this book reports represented a step in that direction by
providing a framework that security planners and policymakers can use to prepare
for, and protect against, threats to and vulnerabilities of rail systems. The analyses
that emerge from using the framework are general enough to allow the work to be
made publicly available but specific enough to provide guidance from the national
level all the way down to the individual rail systems. These qualities, combined with
this book’s synthesis of issues related to both rail-system vulnerabilities and how to
cost-effectively reduce them, contribute to its broad applicability and utility for those
working to improve rail security. The intended audience of this book includes security
planners—both experts working directly within rail systems and those who facilitate
rail security through their work in governmental or professional organizations—and
policymakers. However, researchers may also be interested in the substantive discus-
sions about terrorism and methodology.
Those who are interested in this book may also be interested in some of RAND’s
other recent studies that relate to security, including the following:
Implementing Security Improvement Options at Los Angeles International Airport
(Stevens, Hamilton, et al., 2006)
Near-Term Options for Improving Security at Los Angeles International Airport (Ste-
vens, Schell, et al., 2004)
Reducing Terrorism Risk at Shopping Centers: An Analysis of Potential Security
Options (LaTourrette et al., 2006)
Protecting Commercial Aviation Against the Shoulder-Fired Missile Threat (Chow
et al., 2005)
•
•
•
•
iv Securing America’s Passenger-Rail Systems
Breaching the Fortress Wall: Understanding Terrorist Efforts to Overcome Defensive
Technologies (Jackson, Chalk, et al., 2007)
Aptitude for Destruction, Vol. 1: Organizational Learning in Terrorist Groups and
Its Implications for Combating Terrorism (Jackson, Baker, et al., 2005)
Estimating Terrorism Risk (Willis et al., 2005)
Exploring Terrorist Targeting Preferences (Libicki, Chalk, and Sisson, 2007).
This project was supported by the National Institute of Justice, Office of Justice
Programs, U.S. Department of Justice. The opinions, findings, and conclusions or rec-
ommendations expressed in this publication are those of the authors and do not neces-
sarily reflect the views of the Department of Justice.
The RAND Homeland Security Program
This research was conducted under the auspices of the Homeland Security Program
within RAND Infrastructure, Safety, and Environment (ISE). The mission of ISE is
to improve the development, operation, use, and protection of society’s essential physi-
cal assets and natural resources and to enhance the related social assets of safety and
security of individuals in transit and in their workplaces and communities. Home-
land Security Program research supports the U.S. Department of Homeland Secu-
rity and other agencies charged with preventing and mitigating the effects of terrorist
activity within U.S. borders. Projects address critical infrastructure protection, emer-
gency management, terrorism risk management, border control, first responders and
preparedness, domestic threat assessments, domestic intelligence, and workforce and
training.
Questions or comments about this monograph should be sent to the project leader,
Jeremy Wilson (Jeremy_Wilson@rand.org). Information about the Homeland Security
Program is available online (http://www.rand.org/ise/security/). Inquiries about home-
land security research projects should be sent to the following address:
Andrew Morral, Director
Homeland Security Program, ISE
RAND Corporation
1200 South Hayes Street
Arlington, VA 22202-5050
703-413-1100, x5119
Andrew_Morral@rand.org
•
•
•
•
v
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
CHAPTER ONE
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Objectives and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Outline of Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
CHAPTER TWO
What Are the Key Rail-Attack Threats and Their Consequences? . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Weapons and Tactics Used Against Rail Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
The Targets of Terrorist Attacks in Rail Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Outcomes of Past Terrorist Attacks on Rail Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Lessons from the Threat Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
CHAPTER THREE
Qualitative Risk Assessment for a Notional Passenger-Rail System . . . . . . . . . . . . . . . . . . . . . . . 17
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Laying Out a Notional Rail System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Determining Attack Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Qualitatively Assessing Terrorism Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
CHAPTER FOUR
Baseline Security and Operational Characteristics of the Notional Rail System . . . . . . . 25
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
vi Securing America’s Passenger-Rail Systems
Defining the Baseline Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Notional Rail System Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Defining Security Layers for the Notional Rail System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
CHAPTER FIVE
Cost-Effectiveness Assessment of Security-Improvement Options for the
Notional Rail System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Assessment-Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Characterizing and Estimating Costs of Security-Improvement Options . . . . . . . . . . . . . . . . . . . . 36
Process-Based Security-Improvement Options: Implementing Enhanced Security
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Technology-Based Security-Improvement Options: Installing Perimeter Fencing
and Intrusion-Detection Systems Adjacent to Ground-Level Tracks. . . . . . . . . . . . . . . . . . . 38
Infrastructure- or Facility-Modification Security-Improvement Options: Installing
Blast-Resistant Containers in Stations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Perimeter-Layer Cost-Effectiveness Assessment Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Prioritize Attack Scenarios by Level of Assessed Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Assess Relative Effectiveness of Security-Improvement Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Combine Effectiveness Assessments with Costs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Generate Preferred List of Security-Improvement Options at the Perimeter Layer . . . . . . . . . 61
Test the Robustness of the Overall Cost-Effectiveness Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Assess Security-Improvement Options Across All Layers and Generate System-Level
Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Deal with Economic and Budgetary Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Recognize Interdependence Across Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Ensure a Proper Balance of Security-Improvement Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Assess Timelines for Implementing Security-Improvement Options . . . . . . . . . . . . . . . . . . . . . . . . . 72
Limitations on Using the Analytical Assessment Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
CHAPTER SIX
Rail-Security Policy Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Rail-Security Lessons at the System Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
The Future of Rail Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Rail Security Versus the Security of Everything Else . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
APPENDIXES
A. Qualitative Risk Assessment of Rail-Attack Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
B. Cost-Effectiveness Assessment Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
vii
Figures
2.1.
Locations of and Tactics Used for Rail Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.
Average Fatalities and Injuries Resulting from Attacks on Rail Systems,
Overall and by Location of Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3. Distributions of Fatalities and Injuries in Attacks on Rail Systems . . . . . . . . . . . . . . . 14
3.1. The Rail System as a Terrorist Target: A Notional System . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2.
Summary of Qualitative Terrorism-Risk Levels Associated with Different
Terrorist Attack Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.1. The Notional Passenger-Rail System Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.2.
Potential Terrorist-Attack Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.1. Cost-Effectiveness Assessment Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.2. Notional Rail-System Network and Potential Perimeter Target Locations. . . . . . 56
5.3.
Example of Interdependence of Security Measures for Access-Control
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
5.4. The Notional Passenger-Rail System and Potential Changes to It . . . . . . . . . . . . . . . . . 74
A.1. Qualitative Threat of Specific Rail-System Attack Scenarios. . . . . . . . . . . . . . . . . . . . . . 87
A.2. Qualitative Vulnerability of Rail-System Components to Specific Attack
Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
A.3. Consequence-Categorization Matrix for Attack Modes and Locations . . . . . . . . . . . 89
A.4. Casualty-Consequence Categorization Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
A.5. Overall Potential-Consequence Ranking for Attack Scenarios, Based on
Casualty Expectations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
A.6. Overall Potential-Consequence Ranking for Attack Scenarios, Based on
Economic Expectations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
A.7. Total Net Consequence Categorization Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
A.8. Overall Total Net Potential-Consequence Ranking for Attack Modes at
Specific Rail-System Locations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
A.9. Threat-Vulnerability Categorization Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
A.10. Composite Threat-Vulnerability Rankings for Attack Modes at Specific
Locations in a Notional Rail System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
A.11. Threat-Vulnerability-Consequence Categorization Matrix . . . . . . . . . . . . . . . . . . . . . . . . 96
A.12. Composite Qualitative Risk Rankings for Attack Modes at Specific
Locations in a Notional Rail System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
B.1.
Estimate of Tolerance to Direct Effects of Air Blast. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
viii Securing America’s Passenger-Rail Systems
B.2.
Lethality of Small Explosives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
B.3. Representative Blast Damage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
B.4. Cumulative Cost-Effectiveness of Perimeter-Layer Security-Improvement
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
ix
Tables
2.1. Terrorist Tactics in Rail Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2. Weapons Used in Rail Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3.
Injuries and Fatalities in Rail Incidents, by Terrorist Tactic. . . . . . . . . . . . . . . . . . . . . . . . 15
4.1.
Potential Target Locations Across Layered Security Areas. . . . . . . . . . . . . . . . . . . . . . . . . . 31
5.1. Comparisons of Security-Improvement Option Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2. Marginal Costs of Three Sets of Security-Improvement Options. . . . . . . . . . . . . . . . . . 37
5.3. Risk-Assessment Summary Across Perimeter Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
5.4.
Assessment of Perimeter Security-Improvement Options Preventing
Terrorist Attacks from Occurring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.5.
Perimeter Security-Improvement Option Assessment Ratings for
Preventing Terrorist Attacks from Occurring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.6.
Benchmark Magnitude of Fatalities Assessed Across the Perimeter Layer . . . . . . . . 47
5.7.
Assessment of Perimeter Security-Improvement Option Effectiveness in
Averting Fatalities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.8.
Benchmark Recovery Times (Days), Estimated Across the Perimeter Layer . . . . . 52
5.9.
Assessment of Perimeter Security-Improvement Option Effectiveness in
Reducing Recovery Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5.10.
Benchmark Loss of Operating Revenues ($ million), Estimated Across the
Perimeter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.11. Assessment of Perimeter Security-Improvement Option Effectiveness in
Reducing Operating-Revenue Losses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.12.
Perimeter-Layer Effectiveness-Assessment Summary Results . . . . . . . . . . . . . . . . . . . . . . 62
5.13.
Perimeter-Layer Security-Improvement Option Effectiveness and Cost
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
5.14.
Preferred Security-Improvement Options for the Perimeter Layer . . . . . . . . . . . . . . . 64
5.15.
Preferred Security-Improvement Options Across Five Security Layers. . . . . . . . . . . 68
5.16.
System-Level Security-Improvement Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
A.1. Threat Ranking of Attack Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
A.2.
Potential-Consequence Ranking of Attack Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
A.3.
Potential-Consequence Ranking of Attack Locations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
xi
Summary
Introduction
Communities across the United States rely on reliable, safe, and secure rail systems.
Each weekday, more than 12 million passengers take to U.S. railways. Recent attacks
on passenger-rail systems around the world highlight the vulnerability of rail travel and
the importance of rail security for these passengers. Even though there have been no
successful attacks on rail systems in the United States recently, the FBI and local police
departments have thwarted several planned attacks against the New York subway
system alone. The use of passenger rail and the frequency with which terrorists target it
call for a commitment to analyzing and improving rail security in the United States.
The goal of the study on which this book reports was to develop a framework
for security planners and policymakers that can be used to guide cost-effective rail-
security planning. The security analyzed in this book specifically addresses the risk
of terrorism. As described more fully in Chapter Three, risk is a function of threat
(presence of terrorists with intent, weapons, and capability to attack), vulnerability
(likelihood of damage at a target, given an attack), and consequences (nature and scale
of damage if an attack succeeds). While effective security solutions may address all
three components of risk, this book focuses on addressing vulnerabilities and limit-
ing consequences, since these are the two components of risk most within the realm
of rail-security personnel. The study focused on passenger, as opposed to freight, rail
systems. Because of the tremendous variation in the types of rail systems and the desire
not to reveal the specific security measures of any one rail system, the analysis is based
on a notional rail system that characterizes rail systems typically found in the United
States.
Rail-Attack Threats
Drawing primarily on available data on past terrorist attacks on rail systems from
the RAND-MIPT Terrorism Incident Database (National Memorial Institute for the
Prevention of Terrorism and RAND Corporation, ongoing), we found that the most
xii Securing America’s Passenger-Rail Systems
prevalent terrorist threat to rail systems comes from bombings, that most terrorist
attacks on rail systems produce few fatalities and injuries, and that attacks in densely
packed rail cars and interior rail-facility locations are of particular concern because of
the casualties they can produce. Not all terrorist attacks on rail systems come from
explosives, so security measures must address explosive devices but also appropriately
incorporate the possibility of rarer attack modes. In addition, given the damage associ-
ated with a relatively small number of large attacks, security measures that prevent only
the largest-scale attacks could significantly reduce the human costs associated with this
threat.
Although historical data and the patterns of behavior they document provide
a foundation for security decisionmaking today, it must be emphasized that terror-
ists are dynamic adversaries whose attack patterns may change in response to security
measures. Security portfolios, thus, should not be static defenses, but rather should be
reviewed periodically to ensure that they remain relevant to any changes in terrorists’
targeting methods.
Passenger Rail and Terrorism Risk
To understand the vulnerability of rail systems to the terrorist threat, we constructed a
notional—or hypothetical—rail system. We then subjected that notional system to a
range of attack scenarios to identify the specific set of attacks to which the rail system
was most at risk. The threat scenarios were drawn from past attack reports and other
open-source information.
The vulnerability assessment identified 11 potential target locations (e.g., system-
operation and power infrastructure) within a notional rail system and eight potential
attack modes (e.g., small explosives). These targets and attack modes were combined
to produce 88 different attack scenarios of concern. Each scenario was then categorized
high, medium, low, or no risk.1 The categorization represents qualitative judgments
about terrorists’ ability to exploit the vulnerability and the consequences if they were
to succeed.
Baseline Security and Operational Characteristics of the Notional Rail
System
The end objective is to identify additional increments to security that can be imple-
mented in a cost-effective manner. However, all rail systems have at least some security
measures in place, and those security measures, in turn, have some impact. Thus, we
1 The no-risk categorization results when the attack-target combination is not possible.
Summary xiii
had to further specify our notional rail system by describing the existing baseline secu-
rity system and its effectiveness.
We assumed a relatively simple notional rail network located within a major met-
ropolitan area, consisting of five spokes of unique rail lines going directly into one hub
central station, with the only transfer point between these lines located at the hub sta-
tion. We further assumed that the baseline notional rail-security system would have
the following security measures in place: perimeter and station surveillance systems,2
uniformed patrols, available rapid-deployment forces, and an automated vehicle loca-
tor (AVL) system (assumed to be located at the operation-control center) for detect-
ing unusual delays in trains within any one of the many lines within the notional rail
system.
In addition, we adopted the vision of a multilayered transportation security system
illustrated in a recent Federal Transit Administration report (Rabkin et al., 2004), in
which we defined each layer as going from first safeguarding the outermost perimeter
to the exterior, interior, and restricted access areas to the innermost rail security asset,
the trains.
Cost-Effective Security-Improvement Options for the Notional Rail
System
With the notional system’s existing security defined, we could then turn our atten-
tion to what improvements to that security could be made. We identified 17
security-improvement options (SIOs) within three broad categories: (1) process-based
improvements (e.g., implementing enhanced security training), (2) technology-based
alternatives (e.g., using portable [handheld] detection systems), and (3) infrastructure
and facility modifications (e.g., installing blast-resistant containers).
We assessed the relative effectiveness of the 17 SIOs across the five security
layers laid out above. We evaluate effectiveness by assessing the SIO’s performance
against four criteria: (1) preventing or reducing the probability of a specific terror-
ist attack occurring, (2) reducing or averting the number of fatalities of passengers
in the system, (3) reducing the time necessary for system facilities and infrastruc-
ture to be restored and operations fully resumed, and (4) minimizing rail operating-
revenue losses. The 17 security measures were rated for their incremental impact at
each layer, as well as to their potential system-level contribution across layers.
At the system level (integrating across layers), we identified four broad categories of
cost-effective security measures for system operators to consider: (1) relatively inexpen-
sive solutions with the highest effectiveness-per-dollar metric payoffs (e.g., enhanced
2 The baseline surveillance system is a limited system comprised of CCTV cameras installed at the entrances
and exits and within the infrastructure, concourse areas, corridors, escalators, and other passages leading to the
train platforms.
xiv Securing America’s Passenger-Rail Systems
security training), (2) additional inexpensive solutions to consider with reasonable
levels of effectiveness-per-dollar metric payoffs (e.g., installing retractable bollards at
entrances and exits of the operation-control center and power plant), (3) costlier solu-
tions with highest effectiveness-per-dollar metric payoffs (e.g., installing fixed barriers
at curbsides adjacent to all entrances and passageways leading to ground-level and
underground stations), and (4) relatively expensive, longer-term solutions for future
consideration (e.g., rail-vehicle surveillance systems). For our notional system, even
though we prioritized the mix of security measures relative to affordability, the actual
list of recommendations could depend on a variety of practical constraints, concerns,
or needs, such as the ease and speed of implementation or budget constraints relative
to other rail-system expansion plans, which we identify in this book.
Rail-Security Policy Considerations
Given the open and accessible characteristics of rail systems, the unpredictability of
terrorist attacks, the continual evolution of risk as terrorists learn and improve their
capabilities, and finite resources for security provision, the United States faces a com-
plex security problem that has existed for decades. This book illustrates a process—a
framework and a broad range of management considerations—for thinking through
how to systematically improve the security of U.S. passenger systems to help ensure
maximum protection at the lowest cost.
Rail-Security Lessons at the System Level
Security planners can draw from the framework and analysis described here to struc-
ture their security-improvement efforts. The process begins with conducting a detailed
vulnerability assessment. Once the system’s vulnerabilities are understood, potential
increments or additions to existing security measures can be identified.
As the security posture of a specific rail system is examined, two factors must
be kept in mind. First, security measures designed to thwart terrorism may have an
added impact on preventing and mitigating ordinary crime or may have to be scaled
up to address crime-related issues. Thus, the security measures chosen may have
broader costs and benefits than those relating only to terrorism. Second, terrorists
may seek to overcome defensive measures. Thus, those in charge of acquiring security
improvements must consider how terrorist groups might react to potential security-
improvement defenses put in place, so that they can make informed investment
decisions.
The Future of Rail Security
We have already witnessed some important changes in terrorist-attack patterns against
transportation in the few short years since 9/11, including concerted efforts to develop
Summary xv
bombs that can evade airport detection equipment. Thus, we can predict with near cer-
tainty that terrorist-attack patterns will change in the future, though we cannot predict
with much certainty precisely how those changes will be manifested. Given this uncer-
tainty, rail-security systems must be designed to be responsive to potential changes in
attack patterns, and the consequent impact on the relative effectiveness of the security
portfolio must be reevaluated periodically.
Research and development in improving and maturing countermeasure technolo-
gies and investments in human capital are elements of developing and maintaining
robust security measures. Improvements in the performance of these technologies can
diminish the terrorists’ ability to successfully attack and reduce the indirect costs of
security operations, such as the time required to screen passengers and baggage. Though
technologies can perform many security functions, the people who use and monitor
them are frequently the most critical element of the overall security system, and there
is no substitute for having highly responsive and skilled staff in the security loop. To
maintain the performance of personnel at the highest readiness levels, managers will
have to invest in both enhanced security training and field testing. The former ensures
that the personnel are most adept at operating the latest technologies; the latter helps
ensure that they are highly proficient in implementing the set of emergency-response
protocols and procedures as needed.
Rail Security Versus the Security of Everything Else
A common response by terrorists to the deployment of security measures is simply to
move attack operations away from the defended area to softer targets located elsewhere.
If defenses are deployed in one rail system, this behavior could move risk from one
site to another. Likewise, if rail-security measures are increased across the entire rail-
transportation system, attacks may simply be displaced onto other targets, such as a
shopping mall or sport stadium. Under some circumstances, displacement could be
viewed as a favorable outcome, if, for example, the attack was displaced to a location
that is much easier to respond to than the original target location would have been.
Given that security in one setting relates to security in another, federal policy-
makers ultimately must decide how best to allocate security dollars not only across
rail systems but also across other modes of transportation, critical infrastructure, and
public venues. We cannot, from this analysis, draw conclusions about whether authori-
ties should spend more on rail and less on air-transportation security, because we did
not conduct such cross-mode and cross-target comparisons. We can, however, point to
the applicability of this assessment methodology to decisionmaking about allocating
security resources generally. We strongly encourage analysts, scholars, and research-
ers to extend the application of this form of methodology to such critical resource-
allocation problems.
xvi Securing America’s Passenger-Rail Systems
Conclusions
It bears repeating that the prioritized SIOs identified in this book are specific to the
notional system we analyzed. Furthermore, the analysis performed here captures a
point in time—the attractiveness of different SIOs in our prioritization is driven by
the current costs for those options and their current perceived effectiveness. As a result,
even if the preferred SIOs described here are viewed as reasonable for a given system,
even that conclusion is perishable.
These limitations notwithstanding, the methodology presented here is useful for
planning rail-security options. The methodology should, however, be tested against
other systems of varying complexity. Such testing will yield two insights. First, we will
understand better whether the portfolio of preferred SIOs varies with system complexity
or is largely the same regardless. Since both risk and the nature of preexisting security
measures will vary by the type of system examined, such experimentation will also give
some insight into the dynamic nature of the threat- and security-assessment processes
and, perhaps, the timeline over which the assessments need to be repeated to counter
the fact that terrorists wield new methods and learn potential targets’ defenses over
time. Second, applying the methodology to systems of differing complexity will allow
us to better understand the information demands that the framework imposes. The
methodology is most useful if the information it requires is relatively easily obtained in
a consistent and comprehensive manner.
xvii
Acknowledgments
As with any large, complex analysis, many people offer meaningful contributions
beyond those participating directly on the research team.
We would like to thank the National Institute of Justice for supporting this work.
Greg Hull of the American Public Transportation Association was instrumental, pro-
viding both key contacts and useful background information. We also appreciate the
inputs we received from the staff of the many organizations we interviewed, including
the Association of American Railroads, American Public Transportation Association,
British Transport Police, Metropolitan Police in London, London Underground, Los
Angeles County Sheriff’s Department, Metro de Madrid, Metropolitan Transportation
Authority in New York City, New Jersey Transit, New York City Police Department,
Port Authority of New York and New Jersey, Port Authority Trans-Hudson Corpora-
tion, San Francisco Municipal Transportation Agency, Policia Nacional (the Spanish
national police), Red Nacional de Ferrocarriles Españoles (RENFE, Spain’s national
railway network), Administrador de Infraestructuras Ferroviarias (ADIF, Spain’s
administrator of railway infrastructure), UK Department for Transport, UK Home
Office, UK Network Rail, UK Transport Salaried Staffs’ Association, U.S. Depart-
ment of Homeland Security, and Washington Metropolitan Area Transit Authority.
We also must thank those who provided direct research assistance, including
Greg Hannah, who provided key support relative to our work in the United King-
dom; Brian Carroll and Melanie Sisson, who provided general support throughout
the project; and Drew Curiel for his assistance with data extraction and analysis
from the RAND-MIPT Terrorism Incident Database.
Finally, we must thank Tom LaTourrette, Adrian Dwyer, Genevieve Giuliano,
and Mike Wermuth, who provided important feedback on drafts, and Lisa Bernard,
who offered editorial assistance, all of whom helped to significantly increase the quality
of the final manuscript.
xix
Abbreviations
AAR
American Association of Railroads
ACS
access-control system
ADIF
Administrador de Infraestructuras Ferroviarias
Amtrak
National Railroad Passenger Corporation
APTA
American Public Transit Association
AVL
automated vehicle locator
BART
Bay Area Rapid Transit
BTP
British Transport Police
CNP
Cuerpo Nacional de Policia
CWA
chemical-warfare agent
DHS
U.S. Department of Homeland Security
DOT
U.S. Department of Transportation
ECD
electron-capture detector
FTA
Federal Transit Administration
G&T
Grants and Training
GAO
Government Accountability Office
IDS
intrusion-detection system
IED
improvised explosive device
IMS
ion-mobility spectrometry
IR
infrared
xx Securing America’s Passenger-Rail Systems
MARTA
Metropolitan Atlanta Rapid Transit Authority
MMW
millimeter wave
NYPD
New York City Police Department
PATH
Port Authority Trans-Hudson Corporation
PROTECT Program of Response Options and Technology Enhancements for
Chemical/Biological Terrorism
RENFE
Red Nacional de Ferrocarriles Españoles
ROM
rough order of magnitude
SAW
surface acoustic wave
SFMTA
San Francisco Municipal Transportation Agency
SIO
security-improvement option
SME
subject-matter expert
TIC
toxic industrial chemical
TRL
technology-readiness level
TSSA
Transport Salaried Staffs’ Association
UASI
Urban Area Security Initiative
WMATA Washington Metropolitan Area Transit Authority
1
CHAPTER ONE
Introduction
Background
In 2004, more than 534 million passengers took to U.S. rails (Boardman, 2005),
making more than 3.5 billion trips (APTA, 2006).1 And these estimates do not count
the passengers traveling on the National Railroad Passenger Corporation (Amtrak)
system, the primary intercity rail system in the United States, which totaled 25 mil-
lion in fiscal year 2005 (Berrick, 2007). By comparison, as many people traverse New
York’s Penn Station in a single morning as travel through Chicago’s O’Hare Interna-
tional Airport in about two and a half days (Freeman, 2005).
Unfortunately, recent attacks against rail and subway systems highlight the vul-
nerability of rail travel and the importance of rail security for these passengers. For
example, in Delhi in February 2007, explosives in two suitcases on a train bound
for Lahore killed at least 66 people and injured 13 others (“Leaders Condemn India
Train Blast,” 2007); in London in July 2005, three suicide bombers detonated bombs
on the Underground subway system, killing 39 people and injuring more than 660.2
And in Madrid in March 2004, 10 bombs were detonated on commuter trains during
rush hour, killing 191 people and injuring more than 1,800. Although there have
been no recent successful attacks on rail systems in the United States, the FBI and
local police departments have thwarted several planned attacks against the New York
subway system alone (e.g., Rashbaum, 2007; Associated Press, 2007; Wedge, 2006;
Oren, Mazor, and Geller, 2006). In the past, terrorists have targeted rail systems to
produce both economic damage (by damaging or disrupting the operation of the sys-
tems) and human casualties (by injuring or killing the passengers). As recent opera-
tions against these systems suggest, a central focus in contemporary terrorist targeting
of these systems has been to produce large-scale, mass-casualty attacks.
Passenger-rail systems are particularly vulnerable for a number of reasons, many
of which RAND authors and the U.S. Government Accountability Office (GAO) staff
1 This includes commuter, heavy, and light rail systems.
2 An additional suicide bomber detonated an explosive device on a double-decker bus, killing an additional 13
people and injuring more than 110 (“7 July Bombings,” undated).
2 Securing America’s Passenger-Rail Systems
have described previously (e.g., Riley, 2004; Berrick, 2007). For example, the “open”
nature of rail systems, encompassing multiple access points and hubs serving mul-
tiple carriers on which passengers freely move about, makes them vulnerable to attack.
Consider that there are more than 3,400 rail stations and nearly 33,000 miles of track
in the United States (APTA, 2006).3 Also, passenger volume and density make rail
systems vulnerable by concentrating large numbers of people in confined spaces. On
an average weekday, passengers make more than 12 million unlinked trips by rail, not
counting those made on Amtrak (APTA, 2006).4 For some rail systems, their “iconic”
status and relation to the regional economy and daily life may increase their vulner-
ability. More generally, they present an opportunity to disrupt a distributed network
by a single attack. For terrorist organizations seeking to produce mass-casualty attacks,
such a “target-rich environment” makes rail systems particularly attractive.
The physical features and environments of rail systems also make them difficult to
secure. Rail systems vary in age, design, and usage of above- and below-ground infra-
structure. This often makes retrofitting rail systems to include new security technol-
ogy, which is difficult and costly. For example, retractable bollards may be a desirable
measure to implement at rail power-plant entrance and exit access points. However,
even though the cost to procure bollards is relatively low, installing them can be expen-
sive, if not impossible, depending on the composition of the ground infrastructure
immediately below their desired placement. If the operation of bollards is not properly
coordinated with security, they can also diminish emergency access when the situation
arises, which highlights the need to consider carefully the potential trade-off between
each security-improvement benefit while maintaining the more desirable, operational
features of rail systems, such as easy access, privacy, efficiency, and ease of use.5
Finally, the U.S. government and railway operators have made attempts to improve
railway security. Transportation Security Administration inspectors and rail operators
have conducted security-risk readiness assessments (Hawley, 2007); also, various secu-
rity measures have been considered and implemented, such as greater surveillance,
public-awareness campaigns, and general response planning.6 Yet there is still much to
be done, according to the findings in a recent GAO report focused on the ability of the
U.S. Department of Homeland Security (DHS) to objectively assess the risks of ter-
rorist attacks, the vulnerability needs of critical infrastructure assets, and the equitable
3 This includes commuter, heavy, and light rail systems, including Amtrak.
4 Unlinked passenger trips refers to the number of passengers who board rail vehicles. They are counted each time
they board a vehicle regardless of the number of vehicles they use to travel from their origin to their destination.
See APTA (2006).
5 For a discussion of the economic consequences of such trade-offs, see Jackson, Dixon, and Greenfield
(2007).
6 The Federal Transit Administration (FTA) compiled a list for assisting passengers and rail operators to observe
of suspicious indicators of questionable activity and unattended packages and the recommended course of action
to take in these situations as part of its Transit Watch program. See FTA (undated).
Introduction 3
allocation of grant funding across urban areas for improving rail-passenger security
(Berrick, 2007). For example, at the operational level, not all rail workers appear to
understand their roles and responsibilities in improving passenger security. Surveys of
rail workers suggest that rail engineers and track workers have little information about
the security framework and how to respond during a terrorist event (Teamsters Rail
Conference, 2005). This could potentially undermine any effort that attempts to pro-
mote their vigilance in identifying and acting on threats.
Objectives and Scope
The goal of the study on which this book reports was to develop a framework for secu-
rity planners and policymakers that can be used to guide security planning and opera-
tional decisions—a framework that is driven by assessments of the foremost threats to,
and vulnerabilities of, passenger-rail systems and of the cost-effectiveness of mitigation
strategies for addressing those threats and vulnerabilities.
The study focused on passenger, as opposed to freight, rail systems. Unless oth-
erwise noted, the terms passenger rail and rail refer to heavy-rail systems, defined as
electric railways (including metro, subway, rapid-transit, or rapid-rail systems) capable
of handling heavy volumes of traffic. Heavy rail is characterized by high speed and
rapid-acceleration passenger cars operating singly or in multicar trains on fixed rails.
They also operate on separate rights of way from which all other vehicular and foot
traffic is excluded. Moreover, they are generally high-platform loading. Within the
United States, examples of heavy-rail systems include the Metrorail in Washington,
D.C.; Metropolitan Atlanta Rapid Transit Authority (MARTA); the Metro Red Line
in Los Angeles; and Bay Area Rapid Transit (BART) in San Francisco and Oakland
(APTA, undated[d]). Our analysis centers on heavy-rail systems, and, although it may
offer some parallel lessons for them, it does not specifically address light- or commuter-
rail systems.7
Because of the tremendous variation in the types of rail systems, and because we
do not wish to publicly display the operational and security features of any specific
rail system, the assessments of risk and the cost-effectiveness of mitigation strategies
are based on a notional rail system. Our notional rail system is not real, but it has the
typical features of rail systems found throughout the United States, including those
7 By contrast, light-rail systems are composed of lightweight passenger cars operating singly or in short, two-car
trains on fixed rails. Light-rail cars are generally electrically powered, run on exclusive right-of-way tracks, and
are not separated from vehicular or pedestrian traffic over the majority of their distance. These are commonly
called streetcars, tramways, or trolleys. Commuter-rail systems are electric or diesel-propelled railways operating
between a central city and its adjacent suburbs. Commuter-rail service, also called metropolitan rail, regional
rail, or suburban rail, is characterized by multitrip tickets, specific station-to-station fares, and the presence of
only one or two stations in the urban area’s central business district. See APTA (undated[b]).
4 Securing America’s Passenger-Rail Systems
that we studied in depth. More detail on the rail systems we visited and the interviews
conducted is highlighted in the subsequent chapters.
Approach
A primary goal of rail-security policy is to determine the most cost-effective strategies
for mitigating the risk of rail passengers to terrorist incidents. As described more fully
in Chapter Three, risk is a function of threat (presence of terrorists with intent, weap-
ons, and capability to attack), vulnerability (likelihood of damage at a target, given
an attack), and consequences (nature and scale of damage if the attack succeeds). This
book focuses mostly on reducing risk by reducing vulnerabilities and limiting conse-
quences. Reducing risk by acting against threat is the responsibility of policymakers
elsewhere (see Willis et al., 2005).
We seek to meet this goal by adapting an analytic framework that RAND research-
ers developed and employed on other security-resource allocation problems (e.g., Ste-
vens, Schell, et al., 2004; LaTourrette et al., 2006). The present application is novel in
that it represents the first use of cost-effectiveness assessment methods in improving
passenger rail–system security. In addition, the rail environment is considerably more
complex than the other applications of the framework, in particular given passenger
rail’s function of moving large numbers of people quickly and relatively inexpensively.
Conceptually, the steps in using the framework to make security-resource allo-
cation decisions are relatively simple. First, the framework is used to empirically
assess the risk to rail systems from terrorism. This analysis generates, in turn, a list of
security-improvement options (SIOs) that addresses the scenarios (based on target
location and attack modes) assessed as high risk. The options are then assessed as
to their relative cost-effectiveness. Throughout, the framework offers conceptual ways
of thinking about security provisions, raises critical questions that must be answered
about the trade-offs implicit in security investments, and highlights how analysis can
inform security planning. Detailed discussion about specific aspects of the framework
is presented in subsequent chapters.
The analyses that emerge from using the framework are general enough to allow
the work to be made publicly available but specific enough to provide guidance from
the national level all the way down to individual rail systems. These qualities, com-
bined with the book’s synthesis of issues related to both rail-system vulnerabilities and
how to cost-effectively reduce them, contribute to its broad applicability and utility for
security planners, policymakers, and researchers.
Introduction 5
Outline of Book
The next chapter assesses the key attack threats confronting rail transportation and the
consequences of attacks, while Chapter Three enumerates the vulnerabilities of and
assesses the risk to a typical, but notional, rail system from the key threats. Chapter
Four describes the notional rail system and baseline set of operational security measures
in place for protecting passengers. Chapter Five outlines the assessment framework and
compares the effectiveness and costs of SIOs and strategies to address high-risk attack
scenarios against the notional rail system. The final chapter discusses key policy lessons
learned for improving rail security based on the overall analysis. Appendix A contains
the full, sequential, qualitative risk analysis we conducted, which underlies the find-
ings we discuss in Chapter Three. Appendix B contains the basis of the cost estimates
of SIOs, lethal characteristics of different attack modes, and the performance of the
options at preventing or mitigating the damage consequences of terrorist attacks, all
of which are the back-up details relevant to performing the cost-effectiveness analysis
discussed in Chapter Five.
7
CHAPTER TWO
What Are the Key Rail-Attack Threats and Their
Consequences?
Introduction
As illustrated by the examples provided in the previous chapter, passenger-rail systems
have been attractive targets for terrorist attacks through much of the history of modern
terrorism. Open and accessible by design and necessity, crowded with people, and key
for the functioning of economic and daily life in the cities they serve, these systems
represent both attractive and high-impact targets. Their openness and high usage also
make them difficult to secure. As the attacks in Madrid and London demonstrate,
attacks on rail systems can result in high casualty counts.
In this chapter, we discuss the key rail-attack threats and the consequences of
attack. To assess the risks of terrorists targeting passenger railways, we examined avail-
able data on past terrorist attacks on such systems. The majority of the data came from
the RAND-MIPT Terrorism Incident Database (National Memorial Institute for the
Prevention of Terrorism and RAND Corporation, ongoing),1 although the research
team supplemented those data with descriptions of incidents from previously published
examinations of terrorism against rail targets and from incidents included in other
databases (Jenkins, 1997; Jenkins and Gersten, 2001; Rabkin et al., 2004; Monterey
Institute of International Studies, undated[a]). Examining the data from these sources
provided a picture of rail attacks over a long period of time; we looked at attacks that
occurred from the 1920s up to the end of 2006. For this examination, the more inclu-
sive definition of rail targets was used rather than limiting the assessment to attacks on
only passenger-rail targets.2
Because of major differences across the data sources, the majority of incidents
are very recent (e.g., 40 percent of the 886 attacks for which information is available
1 The RAND-MIPT Terrorism Incident Database is a comprehensive databank of global terrorists and inci-
dents. See National Memorial Institute for the Prevention of Terrorism and RAND Corporation (ongoing).
2
In our data set, approximately 55 percent of the attacks could be identified as attacks on passenger-rail targets,
but only 10 percent of attacks could be positively identified as having been staged on freight-rail targets. The
remaining 35 percent could not be categorized either way. Given the comparatively small number of definitively
freight incidents and the likelihood that eliminating those incidents would not, in fact, remove all freight-related
incidents from the data set, we opted to work with the data set in its entirety.
8 Securing America’s Passenger-Rail Systems
occurred between 1990 and 2000, and 41 percent between 2000 and 2006.) Given
that the interest of this work is focused on security measures that can be taken now
against today’s (and tomorrow’s) terrorist threat, this bias toward recent events is not
necessarily a problem. The recent past provides at least a baseline from which to con-
sider adversary behavior and to explore how it will either remain the same or diverge
from established patterns.
This recent-past bias means that the data we describe do not provide a representa-
tive picture of terrorist activity against rail targets over this full time period. As a result,
we will cautiously use the information drawn from this examination of past events to
make descriptive points about the types of attacks groups have staged, the targets they
have attacked, and their outcomes, rather than quantitative arguments about absolute
levels of risk for particular attack types or scenarios. In addition, it is broadly accepted
that there have been changes in the nature of the terrorist threat in recent years, specifi-
cally that there are more terrorist groups seeking to carry out mass-casualty attacks. A
number of recent terrorist operations have sought to do this through the use of many
simultaneous bombings and the pursuit—though fortunately not the use—of uncon-
ventional weapons. Given that the role of security efforts is to prevent future attacks,
the potential effects of such changes must be considered in planning.
In the context of the wider terrorist threat, attacks on rail systems represent only
a small fraction of overall terrorist activity. For the years 1998 through 2006, the
RAND-MIPT Terrorism Incident Database contains approximately 24,000 attacks.
Our data set on rail attacks, drawn from that database and others, includes only 455
rail attacks during those years, meaning that attacks on rail targets constitute less than
2 percent of overall recent terrorist activity. Looking at the fraction of attacks on rail
targets over time, there is also no indication that terrorists are increasingly targeting
these systems, although there is some evidence that they are shifting more generally
to softer targets (Libicki, Chalk, and Sisson, 2007; Chalk et al., 2005). Nevertheless,
prominent, recent operations against rail targets by groups either affiliated with or
sympathetic to al Qaeda are a cause for concern, particularly since those attacks have
resulted in considerable numbers of causalities and significant damage to the targeted
systems.
What follows is a discussion of the weapons and tactics used against rail systems,
the targets of rail attacks, and the outcomes of such attacks.
Weapons and Tactics Used Against Rail Systems
Table 2.1 shows that, consistent with data on terrorists’ tactical choices in general,
the majority of the terrorist incidents that occurred on rail systems involved bomb-
ings. Such operations represented 80 percent of the attacks for which information was
What Are the Key Rail-Attack Threats and Their Consequences? 9
Table 2.1
Terrorist Tactics in Rail Incidents
Tactic
Number
Percentage
Armed attack
55
6
Arson
29
3
Barricade or hostage
2
0
Bombing
708
80
Hijacking
2
0
Kidnapping
3
0
Sabotage
49
6
Unconventional attack
24
3
Unknown
9
1
Logistics activity (nonattack)
5
1
Total
886
100
SOURCES: Analysis of rail-incident data compiled from National Memorial Institute for the Prevention
of Terrorism and RAND Corporation (ongoing), Jenkins (1997, 2001), Rabkin et al. (2004), and Monterey
Institute of International Studies (undated[b]).
NOTE: Sabotage refers to the damaging of rail systems without the use of a weapon (e.g., removal of
rails, manual damaging of equipment). Logistics activity refers to incidents in which terrorist activity
occurred on a train but was not part of an attack operation. For example, if a terrorist group were
moving a bomb from one place to another and it detonated inadvertently, such an incident would be
included in this category. Bombs found in rail vehicles or stations that were not yet set to detonate are
also included here.
available, with the next most common operations being armed attacks and sabotage
(which each represented just 6 percent of the total incidents).
Not unexpectedly, given the dominance of bombing operations, more than three-
quarters of the attacks used explosives (Table 2.2).3 However, illustrating that terro