A work in progress thought experiment looking at risks to transport security on French high-speed rail…
The terrorism threat to critical national infrastructure has garnered extensive policy focus post-9/11 both in the US and across Europe. The Critical Infrastructure Protection (CIP) cycle is a useful methodological approach for assessing risks to critical infrastructure and formulating and executing risk treatment plans to mitigate risk and focus resources on crisis management and resilience planning (Yustaa, Correaa and Lacal-Aránteguib, 2011). There have been several terrorism incidents across Europe in the post-9/11 era that targeted transport networks, some of the most notable being the 7/7 attacks in London in 2005 (Gove, 2007) and the attacks in Madrid in 2004 (Hamilos, 2007). Developed nations are increasingly reliant on high-speed rail networks to connect major conurbations nationally and across capital cities as part of an integrated European transport network. Well-established lines such as the Train à Grande Vitesse (TGV) links between Paris and Lyon connect the French capital with important economic hubs to the south. A functioning high-speed railway provides ease of travel, reduces capacity requirements for domestic air travel and provides environmentally friendly options for mass transportation. Given the nature of the railway and the distances the TGV line runs between Paris and Lyon, there are numerous challenges in ensuring the provision of a resilient and safe service which may be an attractive target to terrorist groups inspired by transnational Jihadists such as Al Qaeda (AQ) and Islamic State (IS). This paper provides a risk assessment of the high-speed TGV link from Paris to Lyon. It considers the criticality of the service and its key assets, in the context of the potential impact of a successful terrorist attack. Vulnerabilities are identified and examined, along with the intent and capability of terrorist organisations to manifest attacks that exploit security weaknesses against critical infrastructure. A holistic approach to risk management is taken (Giannopoulos, Dorneanu and Jonkeren, 2013), in line with the CIP cycle, which evaluates risk as a function of criticality of infrastructure, vulnerabilities of extant protections and terrorist threat (itself a function of intent and capability of the terrorist organisation). For brevity and illustration, the terrorism threat is assessed from the perspective of transnational Jihadism (IS inspired). Having conducted the risk assessment, a section on risk management examines weaknesses in extant security protections in the salient aspects of French rail transport. Risk treatment measures are then proposed to bolster both protective security of rail infrastructure and resilience of service, which would minimise severity and duration of disruption from a successful terrorism attack.
There are several attributes that contribute to the overall criticality of the service. On a macro level, the TGV services from Paris form part of an established national transportation hub, which is nationalised and important symbol of the French state (Arduin and Ni, 2005). There is significant investment and expansion of TGV as part of the French government’s commitment to transport excellence and affordability (O’Sullivan, 2018). Given the national and international significance to France as a leading nation in the provision and adoption of high-speed rail service, any major outage or failure would be highly reputationally damaging. The second key attribute is the number of daily passenger movements and the economics associated with national disruption. The free flow of both business and leisure passengers to Paris and Lyon is important in terms of the economics of both regions. A third attribute relates to the impact on international passengers and the French tourist industry. Travel routes to the Alps could significantly impact tourists transiting through Paris and Lyon in winter and south to the French Riviera in summer. According to figures provided by the service operator Société nationale des chemins de fer français (SNCF), the line carries a third of domestic rail traffic (44.4m passengers/annum), with 240 trains/day along a track of circa 400km (SNCF, 2018). Over half-a-billion Euros is being invested in the line through co-founded EU and SNCF projects (ibid.).
Impact of loss or disruption
There would be significant reputational damage to the French government and security services, with a potential cascading effect that could impact passenger movements on other high-speed lines. Economic impacts would include loss of ticket sales, refunds, injury claims, cost of repair or replacement of trains and other railway infrastructure and peripheral damage caused by an attack in a locality along any of the 400km route. Displacing passenger movements would impact air capacity, road congestion and could lead to an increase in road accidents, injuries and fatalities. In the aftermath of a successful terrorist attack there would be additional costs relating to scene of crime work, emergency response, reparations, human capital impact (such as trauma and counselling), infrastructure repair/replacement, property loss, costs of public inquiry and intangibles such as foreign relations and reputational damage where citizens of other nations have been injured or killed. On aggregate a large-scale multi-fatality attack with a service outage of several weeks could run into cost impact of hundreds of millions of Euros.
In assessing vulnerability, three scenarios are considered. The first assumes an on-board attack, which might involve an improvised explosive device (IED) hidden in luggage, an attempt to hijack the train and crash it into a station, or the seizure of hostages. The second scenario considers an attack on the train from outside, which could be in the form of a track side bomb, or a crude derailing attempt (Jenkins, Butterworth and Clair, 2010) using a vehicle. The third scenario considers the vulnerability of control systems to cyber-attack (Chen et al., 2015) and the potential for terrorists to crash or disable trains and track side infrastructure by electronic means (Dong et al., 2010).
Passenger screening and luggage screening within railway systems are often weaker than in air security. This provide opportunities for terrorists to bring explosives onboard. Trains often have cursory physical security onboard, although some do provide armed guards. The ability to prevent or respond to an IED attack on the train, or attempts by multiple terrorist actors to seize control of the train appears somewhat weak and therefore presents a potential vulnerability. Terrorists may additionally target railway staff or drivers through radicalisation or coercion or attempt to infiltrate into the railway system to prosecute insider attacks. A seized train may be driven at unsafe speeds, leading to derailment or crashed at high-speed into a major station.
The protection of over 400km of track, power, crossings and signalling equipment is inordinately complex. Physical security measures such as fencing, and CCTV may protect against vandalism, theft and other safety concerns. The vulnerability of such an expanse to a determined terrorist cell is significant, and there is a multiplicity of options to attack trackside using explosives or placement of objects that might cause derailment. Derailment of a high-speed train travelling at over 200 miles per hour would have catastrophic consequences.
The sophistication of the signalling and control systems across the network is cutting edge, with planned investments to further develop technological capabilities over the coming years. Although safety improvements are uppermost in these initiatives, there are potential vulnerabilities in the introduction of new technology. There may be unforeseen technical difficulties and cyber weaknesses (Rekik, Gransart and Berbineau, 2018) that could be exploited by a sophisticated actor. Rigorous standards, testing, resilience and fail-safe design are all key measures to minimise such vulnerabilities (Fiumara, 2015).
It is important to consider the degree of threat from terrorist organisations in both terms of intention (desire to attack a target) and capability (realistic ability to prosecute the desired attack). This helps to separate out highly improbable scenarios and provide focus for the protection of critical infrastructure and assets through targeted measures. From the attacks in London, Madrid and others, there is a clearly established precedent for transnational Jihadist groups (or those inspired by) to attack European transport systems. The intent and capability are therefore both real (Gregory, 2003). IS inspired attacks have however in recent times used fairly crude methods. The ability of loan actors or small cells to acquire chemicals and synthesise homemade explosives (HME) is certainly credible, and it is plausible that devices could be taken onboard TGV trains with a low probability of detection. This could be via cleaners, catering staff, a duped passenger or by suicide attackers. It seems less plausible that small groups could acquire high explosives (HE) such as Semtex, and blasts may therefore be somewhat localised in train carriages. The threat from coercion or radicalisation of train drivers seems less credible. Both intent and capability are questionable in this case, and a ham-fisted attempt to recruit a staff member could lead to ‘easy’ exposure of the terrorist cell or actor. There is limited evidence to suggest terrorists plan to seize control of trains, however the 9/11 attacks illustrate the folly of false assumption. A small terrorist cell with enough force and training could conceivably seize control of a train and protective measures need to be in place to ensure this is restrictively difficult.
A small device placed and detonated strategically can close railway lines, and potentially derail trains. The Provisional IRA (PIRA) attacked the Belfast/Dublin rail links on many occasions (Hutton, 2019). Their intent was more economic / symbolic; however, a group requires a very moderate level of capability to make good such an attack. Large track-side bombs would be difficult to plant and detonate accurately (via command wire or radio control) and seem to fit less well with the capability of extant groups. Blocking tracks or ramming trains with hijacked lorries or fuel tankers may fit well with terrorist intent, but ability to access high-speed rail track from roads is lower, than say with rural lines in the UK with a multiplicity of level crossings. Although assets are exposed across 400+km of track, attacking signals equipment may be viewed more as a sabotage operation and may therefore lack the ‘spectacular’ element that would pique terrorist intent. The capability to attack multiple points in the rail link may therefore not match with intent to cause mass deaths and community outrage.
Cyber terrorism has concerning potential, but again terrorist intent and capability can both be challenged. The terrorising effect of cyber attack can be somewhat tenuous, although combined with a physical force attack could be an amplifier. The capability of loan or small cell terrorist actors to attack sophisticated control systems is highly debatable. These threats are however credible from nation states and cannot be wholly discounted in other risk analyses.
Based on this simple illustrative set of scenarios, the terrorism risk to the rail link is next quantitively assessed, using a scoring mechanism (risk = likelihood x impact). Likelihood is scored 1 to 5, where 5 is very likely. Impact is scored 1 to 5, where 5 is the highest cost/consequence of successful attack. The risk scale therefore runs from 1 to 25.
Scenario 1 (onboard IED attack and/or train hijack) – likelihood 4, impact 3, overall risk 12. Likelihood is here scored based on the precedent of prior European attacks. Impact is scored in the middle, as the attack is somewhat localised and complex to repeat. It is likely that the terrorist actors will be captured or killed during the operation.
Scenario 2 (track side IED or detailing attempt external to train) – likelihood 2, impact 3, overall risk 6. This method of attack may be simpler to mount as there is overall 400km of track to attack. Likelihood seems lower however given the tactics used by IS inspired terrorists in other European attacks. PIRA attacked rail links as part of economic sabotage campaigns, but IS and similar Jihadist actors appear more interested in spectacular civilian mass casualty attacks. These could be mounted using trackside IEDs.
Scenario 3 (cyber attack against railway control systems) – likelihood 1, impact 4, overall risk 4. The low capability and intent of the terrorist groups leads to a low likelihood score for this risk. Impact is high, as there may be rapid and far reaching loss of confidence in the safety of TGV links across France. The Paris/Lyon route may see a massive fall in use, and a significant loss of life/injury for any accident caused. As high-speed lines adopt many fail-safe systems and dedicated track infrastructure, it is likely quite complex to cause a crash by this means – even where the control systems could be subverted or taken offline.
As scenario 1 scored the highest risk, it is used to explore risk management opportunities. Extant weaknesses in the protection of the Paris/Lyon TGV link for this particular risk are considered. Further mitigations are proposed in terms of both ‘hard security’ as well as resilience measures that could be adopted to lessen the impact of a successful attack.
Terrorists wishing to get explosives onto a train have several options. They may carry them onboard themselves concealed in luggage, infiltrate the system as staff (or posing as staff), or dupe others to carry devices onto trains (a modus operandi not generally seen with IS inspired groups and therefore not further discussed in the scope of this paper).
Examining the first option, passenger and luggage screening present significant challenges in balancing cost and convenience with actual security improvements. Using CCTV, behavioural profiling, random searches, x-ray machines and potentially advanced passenger checks could all help with prevention. Visible security controls may help alleviate public concern as well as deter terrorists who may feel their attack could easily fail. Security controls inconvenience the public and create bottlenecks that may themselves be targeted as part of a multi-casualty attack. Behavioural profiling using trained human security operatives along with random security checks could be beneficial. As the TGV adopts technological innovation into delivery of its service, examining the utility of CCTV and Artificial Intelligence (AI) may prove additionally useful. This could be used to check biographic watchlists in near-real-time and look for suspicious activity at ingress/egress points.
Examining the second option, infiltration of the ‘system’ and the insider threat. A terrorist may seek employment with a cleaning or catering company or may simply create fraudulent credentials and attempt to access the train using a bogus identity. Running periodic and spot checks on staff may be helpful in detecting those with known radical sympathies. Counter-terrorism initiatives like the UK PREVENT strategy (HMG, 2018) provide opportunities for colleagues to notify others of concerns. Training staff to look for suspicious activity and packages may help prevent an attack. Ensuring there are adequate access controls to prevent the use of falsified security passes is additionally important. Security notices and advice should be visible in stations and onboard trains.
In terms of mitigating the impact of a successful IED attack onboard the train, adequate first aid supplies should be carried. Train staff should have basic first aid training and know how to react to deal with major trauma. There should be well rehearsed procedures for dealing with a major incident including diversion planning to enable evacuation of seriously injured passengers to hospital. As doctors and nurses may be travelling as passengers their help should be sought. To prevent trains being hijacked, CCTV, door reinforcement and other simple methods used in cockpit security should be considered. Loss of control of the train is a serious issue, and significantly diminishes the ability to reduce the effect of an attack. Drivers and train staff should be trained to respond to serious incidents and be able to advise passengers as to the best course of action to minimise further injury or loss of life. As blasts may start onboard fires, adequate firefighting equipment must be carried, and staff trained in its use.
A major transport link such as the TGV routes across France present multiple points of attack to determined terrorists. High speed rail travel in Europe is key enabler in both commercial and leisure sectors and forms part of everyday life in France. A successful attack against the rail infrastructure would be injurious to public confidence in government and the train operator. Certain types of attack such as cyber attack against railway control systems could be exceptionally impactful, but their likelihood seems low due to both intent and capability of terrorist actors. Soft measures such as training and having well-rehearsed crisis management plans may have the highest pay-off in terms of saving lives in the event of a successful attack. Enforcing good security checks at the entry points into the TGV system is essential, however hard security is costly and may be resented by a travelling public that demands both convenience and security. Innovative approaches using behavioural psychology and future technologies may help to strengthen security, although levels of public acceptability have (in certain regards) not yet been fully proven. There is scope to pilot AI technologies, facial recognition and biographic watchlist checking to seek to prevent nefarious actors boarding. Targeted security checks appear best suited to the threat profile.
Arduin, J.-P. and Ni, J. (2005) French TGV Network Development [online]
Available at: http://www.ejrcf.or.jp/jrtr/jrtr40/pdf/f22_ard.pdf
Chen, B., Schmittner, C., Ma, Z., Temple, W.G., Dong, X., Jones, D.L. and Sanders, W.H. (2015) Security Analysis of Urban Railway Systems: The Need for a Cyber-Physical Perspective. Computer Safety, Reliability, and Security, Cham, 2015.
Dong, H., Ning, B., Cai, B. and Hou, Z. (2010) Automatic Train Control System Development and Simulation for High-Speed Railways.IEEE Circuits and Systems Magazine. 10: 6-18.
Fiumara, F. (2015) The Railway Security: Methodologies and Instruments for Protecting a Critical Infrastructure. In: Setola, R., Sforza, A., Vittorini, V. and Pragliola, C. (ed.) Railway Infrastructure Security (Topics in Safety, Risk, Reliability and Quality). Springer. pp. 25-63.
Giannopoulos, G., Dorneanu, B. and Jonkeren, O. (2013) Risk Assessment Methodology for Critical Infrastructure Protection [online]
Available at: https://core.ac.uk/download/pdf/38627566.pdf [Accessed: 15.03.2020]
Gove, M. (2007) Celsius 7/7. Phoenix.
Gregory, S. (2003) France and the war on terrorism. Terrorism and Political Violence, 15 (1), 124-147.
Hamilos, P. (2007) The worst Islamist attack in European history. The Guardian [online], Available at: https://www.theguardian.com/world/2007/oct/31/spain [Accessed: 15.03.2020]
HMG (2018) CONTEST – The United Kingdom’s Strategy for Countering Terrorism [online] Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/716907/140618_CCS207_CCS0218929798-1_CONTEST_3.0_WEB.pdf [Accessed: 15.03.2020]
Hutton, B. (2019) Delay to train ‘prevented IRA bomb disaster in 1989’. The Times [online], 29.12.2019 Available at: https://www.thetimes.co.uk/article/delay-to-train-prevented-ira-bomb-disaster-in-1989-tx97r27fq [Accessed: 15.03.2020]
Jenkins, B.M., Butterworth, B.R. and Clair, J.-F. (2010) The 1995 Attempted Derailing of the French TGV (High-Speed Train) and a Quantitative Analysis of 181 Rail Sabotage Attempts [online] Available at: https://transweb.sjsu.edu/sites/default/files/TGV_book%20%28with%20covers%29.pdf [Accessed: 15.03.2020]
O’Sullivan, F. (2018) France’s High-Speed Rail Expansion Takes a New Direction [online] Available at: https://www.citylab.com/transportation/2018/09/france-tgv-expansion/569992/ [Accessed: 14.03.2020]
Rekik, M., Gransart, C. and Berbineau, M. (2018) Cyber-physical Threats and Vulnerabilities Analysis for Train Control and Monitoring Systems. International Symposium on Networks, Computers and Communications (ISNCC), Rome.
SNCF. (2018) More, better orchestrated trains offering higher standards of service [online] Available at: https://www.sncf-reseau.com/en/entreprise/newsroom/sujet/paris-lyon-high-speed-line [Accessed: 14.03.2020]
Yustaa, J.M., Correaa, G.J. and Lacal-Aránteguib, R. (2011) Methodologies and applications for critical infrastructure protection: State-of-the-art. Energy Policy, 39 (10), 6100-6119.