Information Technology: Better Identifying and Tracking Operational Technology Assets Across the Company Would Improve Cybersecurity

Our objective for this report was to assess the effectiveness of the company’s practices for identifying and tracking its operational technology assets to facilitate its ability to protect them from cybersecurity threats. We identified opportunities for the company to improve its practices for identifying and tracking its OT assets for cybersecurity purposes and made four recommendations. Given the sensitive nature of the report’s information, we have summarized the results in this public version of the report. In commenting on a draft of this report, company executives agreed with our recommendations and identified actions that the company is taking to address them. THE TRANSPORTATION SECURITY ADMININSTRATION AND THE DEPARTMENT OF TRANSPORTATION HAVE DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECUITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For Amtrak OIG, public disclosure is governed by 5 U.S.C. § 552 and 49 CFR parts 15 and 1520. This public version of the report has been redacted.