There is something soothing and almost majestic about freight railcars rolling down the tracks. Chugging along slowly and deliberately, trains — full of goods valued in the billions that were collected and ready to be distributed at various locations — travel to reach domestic and foreign markets. It’s American commerce on open display. At the same time, the business of freights, especially as it pertains to the very narrow policy issues, is less pure or heartwarming. Take for instance, the issue of cybersecurity. There, the freights argue that a vital component of train wireless communications, which is of particular interest to many, should be effectively exempt from the recently proposed Transportation Security Administration’s (TSA) cyber security requirements. Even as a conservative critic of government over-intervention and opponent of excessive regulatory burdens, it is hard to square this circle of thinking.
For this purpose, the focus of concern involves Positive Train Control, or PTC. Spectrum aficionados will remember the mad scramble to help train companies obtain 222 MHz licenses so PTC could meet congressional operating deadlines. As a fundamental network upgrade, PTC employs wireless technology with the goal of preventing train-to-train collisions, over-speed derailments, and movement of trains through improper switching. Linking train locomotives and rail centers allows the constant sharing of critical information relayed back and forth between the two locations. This in turn permits the issuance of alerts to locomotive engineers with any potential safety concerns. When necessary, the PTC system can step in to initiate automatic train breaking capabilities.
There’s little doubt that PTC is an added safety feature, but falsely triggering PTC via nefarious cyberattacks can also make it a cyber issue. TSA acknowledges that PTC has a cyber component – at least a cyber impact – worthy of deeming it a critical cyber system and proposes PTC be included in cyber requirements and enhancements. The proposed regulations read, “Additionally, if a PTC system were to be the target of a cyberattack that resulted in a widespread disruption in system communication where the result was an inability to initialize communications with multiple locomotives, then trains would have to be held until the issue was resolved or [the Federal Railroad Administration] otherwise authorized continued operations.”
Yet, the freights, sized big to small, find such a PTC cyber view unacceptable. In a recent filing with TSA, they argue PTC solely serves as an additive, operational technology. That is, they believe that trains can operate without the technology and it has little to no cyber implication. The freights favor leaving PTC out of TSA’s cyber requirements or to themselves to determine, as the alternative “would create burdens for the railroads that are simply unsustainable, without adding to cybersecurity in any meaningful way.”
It’s hard to justify the freight’s strong opposition in this case. While added costs are noted and important, excluding PTC from cyber requirements altogether seems misguided or borderline negligent. It is not unreasonable or irrational to fathom what horrible things could be done with a cyber-caused outage, intentional spectrum interference, and/or manipulation of PTC’s requirements. Plots of countless horror movies have centered on such cataclysmic catastrophes and are modeled after real life. Just last summer, France faced a physical incident as saboteurs executed a coordinated attack on the high speed rail lines leading up to the Paris Olympics. Further, the Ukrainian train system deals with constant cyberattacks, including shutting down ticketing, by Russian forces designed to promote chaos and hurt morale. Is it unthinkable to see PTC being used for malicious purposes? Hardly. Thus, completely excluding PTC seems like a tough lift.
To be clear, TSA’s proposed rules contain many layers, and ultimately some of them may be deemed inappropriate or unnecessary. During the regulatory process, TSA will have the opportunity to narrow the burdens or target the requirements more directly. From a larger perspective, should TSA issue these regulations or another agency? Is the scope of these cyber requirements properly designed? Those are policy calls for the Trump Administration officials to make.
TSA’s proposed rules also raise a follow-on concern. Since TSA is rationally contemplating cyber involvement with PTC in the 222 MHz band, should TSA be equally concerned if other freight train wireless communications are shifted to the same band? The question arises, should policy makers not have larger worries if this same band also contained Centralized Train Control (CTC)? If one cyber event can create harm with one type of train communications, the same event could in theory take down two types and be more problematic. The setup for this possibility is, in fact, happening now: several large freight trains are already in the process of consolidating wireless communications into 222 MHz. A single point of failure is a real fear. Perhaps the solution should be to require different, but interoperable, network operations, configurations, and vendors to diversify the threat points. That could make it more difficult for one cyberattack to be so debilitating to knock out PTC and CTC simultaneously.
Freight rails do not support PTC being subject to TSA’s proposed cyber rules. But a total exclusion requires a serious leap of logic. Similarly, consolidation of freight wireless communications in the 222 MHz likely will enlarge TSA’s cyber concerns. These are important topics to resolve if or when TSA’s rules move forward.
Michael O'Rielly, a technology and telecom policy expert, served as an FCC commissioner from 2013 to 2020. Before that, he spent 20 years in Congress, holding key staff roles in the Senate and House, ending as a policy advisor to Senate Republican Whip John Cornyn.