D.C. Metro system beefs up supply-chain cybersecurity provisions for new railcars

U.S. senators have raised security concerns about a new Metro railcar project. The NIST cybersecurity framework will be part of the process now, the transit authority says.
Washington, D.C., Metro subway transit station cybersecurity
A Washington, D.C., Metro station. (Getty Images)

The Washington, D.C., area’s Metro system, in response to U.S. senators who raised security concerns about a new line of railcars, now says it will use the National Institute of Standards and Technology’s cybersecurity framework to vet software and hardware proposed for the project.

Bidders on the railcar procurement, worth an estimated $1 billion and covering up to 800 railcars, also will have to show evidence that a third party tested their software or hardware, Washington Metropolitan Area Transit Authority CEO Paul J. Wiedefeld said Wednesday.

The NIST framework — used widely throughout other industries and government agencies — is a key part of the updated request for proposal, Wiedefeld wrote in a letter to Democratic senators from Virginia and Maryland.

“We are confident that these approaches will impose appropriate controls that limit any malicious actor’s ability to embed malware and for WMATA to monitor and enforce security requirements,” Wiedefeld wrote to Sens. Mark Warner and Tim Kaine of Virginia, and Ben Cardin and Chris Van Hollen of Maryland.


The senators had expressed security concerns over the railcar procurement after reports that a Chinese state-owned manufacturing company could win the bid. They asked if Metro would consult with defense officials before allowing foreign-government-built railcars to stop at the Pentagon, which is part of the Metro system. Alluding to China, the senators wanted to know if Metro would consider a company’s ties to foreign governments with a history of industrial and cyber-espionage when assessing bids.

Wiedefeld said WMATA officials have met with the Department of Defense to “review potential critical infrastructure vulnerabilities,” and that sensitive components in the railcars would be tested by a DOD-approved third party.

He said foreign bids on the project are inevitable. “We would welcome the opportunity to support an American-owned company when purchasing railcars, but unfortunately, there are currently no American-owned railcar manufacturers,” Wiedefeld wrote.

The Metro chief ended his letter emphasizing that lawmakers had raised security issues that an RFP alone cannot fix. Perhaps a new federal law is necessary to protect critical infrastructure “given the congressional concerns about Chinese-manufactured railcars operating in U.S. transit systems,” Wiedefeld suggested.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts