The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.

OCR for page 122
necessary for equipment types, methods of installation of countermeasures by contractors, presence of employees for maintenance and inspection, and use of the facilities by passengers during emergencies.

5.4.1 Recommended Minimum Measures

Countermeasure 1: Lighting

Lighting provides a basic, reliable, and cost-effective safety and security measure. By providing visibility to all critical areas, lighting enables a monitor, controller, or law enforcement official to take the necessary preventive actions to deter an intentional threat or to detect a disruption that is occurring or has occurred in the tunnel environment. In addition, proper lighting allows for the safe evacuation of impacted tunnel users and employees during an emergency, simultaneously assisting emergency responders arriving to the incident scene. This safe and efficient response is necessary for any disruption, intentional or unintentional, including natural disasters. See Table 42.

The cost of lighting schemes varies as a function of the level of illumination and the quality and quantity of lights installed. The mounting surface (i.e., wall or ceiling) will also affect the final cost. There are typical types of lighting fixtures and arrangements used in tunnel environments, and their proven histories can provide a reliable barometer for any new installation, upgrade, or retrofit.

Table 42. Countermeasure 1: Lighting.

Countermeasure Description: Installed, well-sited lighting system designed to provide illumination to all areas of the tunnel environment.
Types/Components: High-pressure sodium; low-pressure sodium; incandescent; luminescent.
Use: Roadway lights; area lighting; security lighting; access area lighting.
Category: Minimum measures.
Strengths: Visibility in all areas.
Weaknesses: Susceptible to power failure from external utility; possible misapplication of light for color CCTV applications.
Rough Cost of Implementation: Medium--$1 million to $3 million per tunnel. Cost depends on tunnel length and type of fixtures.
Operation and Maintenance: Installation and maintenance may be handled in-house.
Training Requirements: None.
Life Expectancy: Infrastructure: 20+ years; Lamps: 24,000 hours.
Comments: Cost varies widely by system size and utility work required. Electrical costs and lamp replacements every 1 to 3 years. Standard electrician can maintain system.

Countermeasure 2: Ventilation System

The ventilation system is usually the most important life safety system in the tunnel. The type of ventilation system used in a tunnel can vary and is typically affected by the following:

- Tunnel mode or usage
  - Road
  - Transit
  - Passenger/freight rail
- Construction methodology
  - Immersed tube
  - Cut-and-cover
  - Bored or mined
  - Air-rights structures
- Tunnel attributes
  - Length
  - Shape
  - Occupancy loads
  - Location
  - Date of initial construction
    - In some cases, very old tunnels reflect the state of ventilation technology at the time of construction

To provide the best applicable ventilation system, the tunnel owner or operator must conduct an examination of the current system, if installed, or as designed before construction. This examination needs to include deference to the uses of the ventilation system to support the safety of the tunnel environment. A well-designed, well-maintained ventilation system can provide the means to direct and exhaust smoke or fouled, toxic air away from tunnel users involved in an incident. The ventilation system effectively maintains or improves the safety of the tunnel. See Table 43.

Tunnel ventilation systems require capital investments as well as assiduous maintenance programs to ensure their effectiveness.

Table 43. Countermeasure 2: Ventilation system.

Countermeasure Description: Provides airflow to and from the tunnel space.
Types/Components: Supply fans (blowers); exhaust fans; ducts; dampers; louvers; power source.
Use: Coverage of entire tunnel area.
Category: Minimum measures.
Strengths: Road tunnel systems can be used for non-emergency (i.e., normal) conditions to remove airborne impurities from the roadway.
Weaknesses: Requires sustained maintenance to maintain effectiveness.
Rough Cost of Implementation: Very high--over $10 million per tunnel. Cost depends on tunnel length and ventilation system type.
Cost of Operations and Maintenance: 15-25 percent.
Training Requirements: High--initial training of control center and maintenance staff, followed by annual incremental refreshers and/or updates.
Life Expectancy: 10-20 years.
Comments: Cost varies widely by system size and utility work required. Quality of system commensurate with cost. System may be upgraded from original, designed, and installed.

Countermeasure 3: Fire Detection System

Fire detection systems are sound investments for the safety and security of any tunnel system. An automated system capable of reaching all points within the tunnel environment will provide rapid notification of all smoke and flame conditions to a monitoring station, thereby triggering a rapid emergency response. See Table 44.

The smoke and flame conditions may be the result of unintentional events, such as malfunctioning equipment or vehicles. Smoke and flame may also be the result of a disruptive event such as a derailment, collision, or explosion. They may also indicate a breakdown of another crucial tunnel system, or a breach of the tunnel integrity.

Table 44. Countermeasure 3: Fire detection system.

Countermeasure Description: Provides a fixed, continually operating series of sensors to detect a conflagration.
Types/Components: Flame detectors (ultraviolet or infrared); smoke sensors (ionization or light); heat sensors; one-button call systems for tunnel users; video monitoring; power source.
Use: Coverage of entire tunnel area.
Category: Minimum measures.
Strengths: Provides a rapid means of notification to emergency responders that a fire or smoke condition exists in the tunnel environment. Installed system is always operational and connected to monitoring facilities.
Weaknesses: None.
Rough Cost of Implementation: Low--less than $1 million per tunnel. Cost depends on tunnel length.
Operation and Maintenance: Typically requires private contractor for monitoring and possible maintenance.
Training Requirements: Medium--initial training of control center and maintenance staff, followed by annual incremental refreshers and/or updates. System is intentionally automated.
Life Expectancy: 10-20 years.
Comments: Costs vary widely by system size and utility work required. Quality and cost of systems are fairly standard across all tunnel systems.

Countermeasure 4: Fire Protection System

Tunnel fire protection systems can provide a quick response to a smoke or flame condition, protecting tunnel users and the integrity of the tunnel structure. The type of protection chosen and installed will depend on the tunnel usage. Whereas a wet system might be appropriate for a highway tunnel application, it would not be appropriate for an electrified transit or electrified rail tunnel. The most common type of tunnel fire protection system is the manually operated wet or dry standpipe. Automatic systems such as sprinklers and deluge systems (water-based or foam-based) and water mist systems are used, but are uncommon, particularly in the United States, which presently has only three road tunnels that use these technologies. The predominant criticism is the limited effectiveness of these systems, particularly for tunnel fires that begin inside a vehicle (car or train). Such fires constitute the majority of tunnel fires. Sprinklers, which have fusible links, must be directly over the heat sources to work. Deluge and water mist systems have open heads, so a high temperature or flame condition somewhere in the tunnel will activate the entire zone. At best, the water will cool down the fire and help to prevent its spread. At worst, the water will create panic in the tunnel and/or weigh down the smoke from the fire, bringing it closer to tunnel users. Annex D in NFPA 502 [Ref. 5] contains more information on the use of sprinklers in road tunnels. See Table 45.

The general term "fire protection" sometimes includes systems, but may also include the establishment of permanent structures to aid in the evacuation and shelter of tunnel users in the event of an incident involving smoke or flame. The establishment of safe zones inside the tunnel, capable of providing shelter from the smoke, flame, and heat, can provide safety to tunnel users awaiting rescue by emergency responders. Clear evacuation routes with easy-to-understand diagrams and signage would similarly assist tunnel users in fleeing a hazard or threat.

Table 45. Countermeasure 4: Fire protection system.

Countermeasure Description: Provides a fixed, continually operating series of distribution channels to combat a smoke or flame condition.
Types/Components: Wet standpipe; dry standpipe; sprinklers; deluge; water mist; fire extinguishers; evacuation pathways, cross-passages, and refuges; power source.
Use: Coverage of entire tunnel area.
Category: Minimum measures.
Strengths: Provides an immediate means of mitigating fire or smoke in the tunnel environment. Some installed systems can be automated.
Weaknesses: None.
Rough Cost of Implementation: High--between $3 million and $10 million per tunnel. Cost depends on tunnel length, system size, and utility work required.
Operation and Maintenance: Typically requires private contractor for maintenance.
Training Requirements: Medium--initial training of control center and maintenance staff, followed by annual incremental refreshers and/or updates.
Life Expectancy: 10-20 years.
Comments: Quality and cost of systems are fairly standard across all tunnels.

Countermeasure 5: Closed-Circuit Television (CCTV) System or Closed-Circuit Video Equipment (CCVE)

CCTV systems or CCVE provide the ability for a monitor to see inside the tunnel through real-time images transferred along a secure pathway. The images are typically transmitted from cameras located at the tunnel portals or along the road or track bed to an operations control center, where the image is recorded or monitored by an operator. The CCTV or CCVE image may be shared with decision makers and emergency responders through a secure intranet. This technology is readily available and cost-effective. See Table 46.

This transmission of images conveys the information necessary for immediate and appropriate response to any incident scene (e.g., the safest path to approach and access the site, the conditions along the route, and what equipment and resources are required at the location).

Table 46. Countermeasure 5: CCTV System or CCVE.

Countermeasure Description: Provides a fixed, continually operating channel of video images to monitors and responders.
Types/Components: Cameras; monitoring stations; recording capacity; image-sharing capability; power source.
Use: Coverage of entire tunnel area.
Category: Minimum measures.
Strengths: Provides an immediate means of viewing conditions inside the tunnel environment using real-time video feed.
Weaknesses: Requires maintenance; systems can quickly become outdated.
Rough Cost of Implementation: Medium--between $1 million and $3 million per tunnel. Cost depends on tunnel length and coverage (i.e., number of cameras).
Operation and Maintenance: Maintenance may be handled by in-house personnel. Monitoring should be done by owner or operator's staff.
Training Requirements: Medium--initial training of control center and maintenance staff required, followed by annual incremental refreshers and/or updates.
Life Expectancy: 5-10 years.
Comments: Quality and cost of systems are fairly standard across all tunnel systems.

Countermeasure 6: Security Awareness Training

Security awareness training provides a cornerstone of the owner or operator's efforts to form a culture in their agency for security to complement longstanding, prevalent efforts in improving safety. A well-grounded training program may aim to indoctrinate new employees and educate existing employees in their potential to be front line detectors of abnormal people or activity that may lead to any disruption of the tunnel system. See Table 47.

Providing employees with the proper tools to detect potential security threats, borne of insufficient internal procedures or external threats, enables the owner or operator to prevent a disruption from occurring. Training programs are generally cost-efficient and -effective. Employees typically retain the transferred knowledge, and the message is uniformly distributed to others. Training programs are flexible and can be altered to include new techniques and information as they develop. An effective training program should reflect the state of practice and the state of knowledge in the transportation and infrastructure security arena.

Table 47. Countermeasure 6: Security awareness training.

Countermeasure Description: Modular based, instructor-led training program.
Types/Components: Module-based; initial training; annual refresher sessions.
Use: Required instruction for all tunnel employees.
Category: Minimum measures.
Strengths: Low-cost, effective method to teach all employees to be front line observers of unusual or suspicious behavior.
Weaknesses: Poor instruction may be transferred to employees. Quality control over instruction is necessary.
Rough Cost of Implementation: Low--less than $1 million per tunnel.
Operation and Maintenance: None--measure is not mechanical.
Training Requirements: High--initial and refresher training of all employees is necessary.
Life Expectancy: 25 years.
Comments: The use of external consultants with credentials in tunnel security training may be expedient to the owner or operator.

Countermeasure 7: Roving Patrols

Tunnel owners and operators may implement roving patrols to increase the level of safety and security vigilance. Patrols provide trained personnel, typically with police powers, to explore the areas in and around the tunnel structure and support systems. The patrol personnel can act immediately to investigate any unusual or suspicious situation and respond immediately to any hazard or threat. The usual staggered time delay associated with visits or rounds provides a layer of uncertainty to anyone intent on perpetrating an intentional threat. However, patrols are excellent resources to interdict a hazard or threat and to lead a response. See Table 48.

Roving patrols are flexible in application, and their numbers can be increased or decreased quickly to match any perceived or actual hazard or threat. This flexibility is unmatched in any other countermeasure and limited only by the number and availability of trained personnel. The training of patrol personnel can be as comprehensive as desired by the tunnel owner or operator.

Countermeasure 8: Hazardous Material (HazMat) Restrictions

A common existing practice among tunnel owners and operators is the restriction of hazardous materials from being transported through the tunnel structure. This measure is typically enacted to protect the tunnel from explosion or contamination that may be caused by an accident or spill. The measure is an effective and low-cost way to protect tunnel users from a potentially harmful disaster. See Table 49.

Restrictions on hazardous materials are generally adhered to in public-use tunnel systems, such as highway and transit.

Table 48. Countermeasure 7: Roving patrols.

Countermeasure Description: Mobile police or private security patrols moving in and around the tunnel structure.
Types/Components: Police; private security; mobile; trained.
Use: Coverage of all tunnel areas.
Category: Minimum measures.
Strengths: Trained; mobile; flexible; rapidly deployable.
Weaknesses: Cost for extended service.
Rough Cost of Implementation: Low--less than $1 million per tunnel.
Operation and Maintenance: None--measure is not mechanical.
Training Requirements: High--specialized, intense training of police and security personnel is required.
Life Expectancy: 25 years.
Comments:

Table 49. Countermeasure 8: HazMat restrictions.

Countermeasure Description: Restriction or exclusion of materials in the tunnel system.
Types/Components: Flammables; chemicals; corrosives; toxic; biological.
Use: Applicable to all tunnel areas.
Category: Minimum measures.
Strengths: Removes the hazard or threat from introduction into the tunnel, thereby eliminating a source of potential disruption.
Weaknesses: None to owner or operator.
Rough Cost of Implementation: Low--less than $1 million per tunnel.
Operation and Maintenance: None--measure is not mechanical.
Training Requirements: Low--no special training is required for tunnel employees.
Life Expectancy: Lifetime.
Comments: Measure is flexible; more stringent standards may be implemented at short notice.

Restrictions on the transport of hazardous materials to ensure their safe handling and passage may be employed so as to allow their passage through freight tunnels. Additional restrictions or required processing procedures may slow the progress of acceptable hazardous materials through the tunnel, slowing commerce and perhaps having an economic impact on the community.

Restrictions on hazardous materials are flexible measures that can be intensified or implemented with increased standards during periods of elevated threat levels. In conjunction with vehicle inspections, hazardous material restrictions can be intensified to preclude materials from being transported through the tunnel to ensure that they cannot be used in an intentional attack.

Countermeasure 9: Background Checks

Tunnel owners and operators may conduct background checks of potential employees, vendors, and contractors. See Table 50.

Conducting background checks of potential employees is a common practice to ensure that a candidate is qualified and free of criminal or suspicious associations. The investigations conform to local law and policy, including employee collective bargaining agreements. Beyond the initial background investigation, updates are typically done for cause, without a set schedule.

Investigations of vendors and contractor personnel are uncommon at this time. However, such investigations would provide an extra measure of safety and security. If vendors and contractor personnel are routinely provided unfettered access to the tunnel environment for the purpose of construction, maintenance, or delivery, then they represent a weak link in the security perimeter for that tunnel system. This weak link is more acute if the vendors or contractors can access the tunnel without an escort from the owner or operator staff.

Investigations of employees, vendors, and contractors may be as involved as desired by the owner or operator and as allowed by local law. They can range from cursory credit examinations to full-length background checks. The cost is moderate, requiring only the active resource of in-house personnel to perform the background investigations and to track the employees who have cleared this requirement. This measure is also flexible, can be implemented to various degrees of specificity, and implemented with short notice, providing it is permissible under local statute and policy.

Table 50. Countermeasure 9: Background checks.

Countermeasure Description: Examinations of the backgrounds of employees, vendors, and contractors to discern less-than-qualified individuals and obvious security risks.
Types/Components: Criminal database search; personal background investigation; credit evaluation.
Use: All new-hire employees, vendors, and contractors.
Category: Minimum measures.
Strengths: Reasonable cost to screen personnel with access to the tunnel system and discern questionable persons.
Weaknesses: Terms and restrictions may be subject to local law or collective bargaining agreements.
Rough Cost of Implementation: Low--less than $1 million per tunnel.
Operation and Maintenance: Measure is not mechanical; however, database tracking of screened personnel must be kept current.
Training Requirements: Low--no special training required for tunnel employees.
Life Expectancy: Lifetime.
Comments:

Countermeasure 10: Access Controls (Bollards, Fences, Walls, Locks)

Access control devices can provide an increased measure of security to fixed installations. The devices may be designed and installed to refuse entry to persons or items to a fixed location or to provide verification of individuals or equipment entering that location. The devices can be further divided into two categories, personnel access control and location access control. See Table 51.

Personnel access control consists of systems that are designed and installed with the purpose of allowing only authorized persons into a facility. The facility is meant to be permeable. The access control devices authenticate users entering the fixed location by a variety of methods.

There are many types of personnel access control devices available, including key cards matched with employment records, verification codes entered manually against a stored database, and biometric devices that measure body features and match them to individuals.

Location access control devices are designed and installed to prevent all physical access near a location or into a facility. Location access control includes simple door locks, steel or concrete bollards, gates, hydraulic risers, and steel curtains.

All access control devices provide an increased measure of security, but they are not infallible. A door lock can be defeated by a duplicate key. A computerized control system can be hacked, and overrides can be set in place. Physically, a bollard or fence can be overcome by a superior force exerting pressure. Access control designs can be flawed (allowing for a missing link of coverage) or poorly maintained (rendering them useless). Access control devices designed for a singular purpose and staff can be misapplied.

There are five basic types of walls:

- The gravity wall gets its stability entirely from the weight of masonry and any soil resting thereon. This wall must be of sufficient thickness to resist the forces acting on them without developing tensile stresses. Concrete gravity walls usually contain a nominal amount of reinforcement near the exposed surfaces to control temperature cracking.
- The semi-gravity wall has largely supplanted the gravity wall because it is more slender and thus uses less material. However, the semi-gravity wall requires more vertical reinforcement along the inner face and into the footings to resist the rather small tensile forces that develop in these locations.
- The cantilever wall is a very common type of wall that consists of a base slab and a stem that are fully reinforced to resist the moments and shears to which they are subjected.
- The counterfort wall consists of a relatively thin concrete slab that is supported by vertical counterforts connected to the base at intervals on the back side.
- The crib wall is usually formed by rectangular elements or cells stacked on top of one another and filled with soil.

Table 51. Countermeasure 10: Access controls (bollards, fences, walls, locks).

Countermeasure Description: Installation of mechanical and electronic devices to prevent unauthorized entry to tunnel areas.
Types/Components: Bollards; fences; locks; card swipe readers; proximity cards.
Use: All critical areas of tunnel or tunnel property.
Category: Minimum measures.
Strengths: Proven and available technology to secure an area from casual intrusion.
Weaknesses: Systems can be defeated.
Rough Cost of Implementation: Low--less than $1 million. Cost of wall depends on height and length.
Operation and Maintenance: System requires regular maintenance.
Training Requirements: Low--no special training required for tunnel employees.
Life Expectancy: Lifetime.
Comments:

Countermeasure 11: Employee Identification System

Another measure to prevent trespassing in the tunnel areas is the implementation of an employee identification system. The systems, now common in many workplaces, may include the use of photo identification or data codes assigned to each employee. To enter a work area, the employee would be required to display his or her identification and have it accepted by the security monitor or access control device. See Table 52.

Employee identification systems have proven to be as effective as their level of maintenance and upkeep. Many programs are deficient in tracking the employee throughout his or her work life and particularly deficient at repossessing and/or deactivating identification cards after employees are transferred to other assignments or after employees cease to work for the employer.

A highly evolved program should have measures, policies, and procedures in place to reclaim the identification cards of inactive employees and electronically deactivate their permission to enter tunnel work areas. This accountability loop will maintain the integrity of the employee identification system.

Table 52. Countermeasure 11: Employee identification system.

Countermeasure Description: Use of photo or other identification to prove employees or vendors have permission to be on tunnel property.
Types/Components: Photo databases; proximity cards.
Use: All employees, contractors, and vendors.
Category: Minimum measures.
Strengths: Reasonable cost to provide a first, visible measure to discern trespassers.
Weaknesses: Terms and restrictions may be subject to contract or collective bargaining agreements. System can be defeated by forgery, or lack of database maintenance.
Rough Cost of Implementation: Low--less than $1 million.
Operation and Maintenance: Measure is not mechanical, but database tracking of screened personnel must be kept current.
Training Requirements: Low--no special training required for tunnel employees.
Life Expectancy: Lifetime.
Comments:

Countermeasure 12: Intrusion Detection System

Intrusion detection systems (IDSs) are technologically advanced means of monitoring entry across large areas using minimal resources. Recent advances in technology provide a wide array of choices for implementing this measure. Most IDSs are small, power-saving devices that are capable of being linked together and with central monitoring stations. An IDS may also be linked to video capabilities to activate a video feed when it is tripped. An array of beams, lasers, sensors, and alarms can be installed in any part of the tunnel environment. Application of this measure requires that the tunnel owner or operator perform a thorough assessment of the IDS needs and choose from the best affordable technology. The IDS may be layered to cover essential control centers; mechanical and electrical equipment rooms; and vulnerable areas inside, above, and around the tunnel. This evaluation may require external expertise. See Table 53.

The amount of IDS equipment selected by the tunnel owner or operator will determine the total cost. Most IDSs require only standard maintenance and little more than a low-voltage power source.

IDS provides a strong link in the security posture against both the intentional threat, such as someone intent on causing disruption to the tunnel, and the unintentional hazard, such as a homeless person entering a mechanical room on a cold night.

Table 53. Countermeasure 12: Intrusion detection system.

Countermeasure Description: The installation of devices designed to provide notice when a person or item enters a specific area.
Types/Components: Beam; laser; sensor; alarm.
Use: Some or all tunnel access points.
Category: Minimum measures.
Strengths: Unstaffed, cost-effective means to monitor a large area with the least resources.
Weaknesses: Relies upon efficient maintenance to remain operational.
Rough Cost of Implementation: Medium--between $1 million and $3 million per tunnel. Cost depends on size of protected property.
Operation and Maintenance: High--system requires maintenance.
Training Requirements: None.
Life Expectancy: 5-10 years.
Comments:

Countermeasure 13: Evacuation Protocols

All tunnel systems may have, as a minimum, evacuation protocols designed to aid tunnel users in self-rescue and evacuation from an incident area before the arrival of emergency response personnel. Evacuation protocols typically consist of working plans and signage to direct tunnel users to pathways, dedicated stairwells, cross-passageways and, occasionally, shelter areas that are safe from smoke and fire. The relatively simple task of planning an evacuation is an effective, cost-efficient, and easy way to help an impacted tunnel user evacuate. See Table 54.

An effective evacuation protocol needs to be kept fresh and active through constant oversight, exercise, and updating. Many evacuation plans are distributed to the public and tunnel users in the form of leaflets or flyers.

Table 54. Countermeasure 13: Evacuation protocols.

Countermeasure Description: Establishment of evacuation protocols that are well-known, exercised, and supported.
Types/Components: Plans; signage; public instruction; drills and exercises.
Use: In all areas of the tunnel.
Category: Minimum measures.
Strengths: Provides a means for tunnel users and employees to self-rescue.
Weaknesses: None.
Rough Cost of Implementation: Low--less than $1 million per tunnel.
Operation and Maintenance: Low--signage and instruction need only to be updated.
Training Requirements: None.
Life Expectancy: 20-25 years.
Comments:

Countermeasure 14: Extend/Heighten Supply Air Intakes

Newly constructed air intakes are accessible by height, by protective structures, or both. However, some existing air intakes must be retrofitted to remove the possibility of harmful substances or agents being introduced into the system. See Table 55.

There are various types of tunnel ventilation air intake structures. Road tunnels served by full transverse or semi-transverse supply systems typically house the fans and associated equipment in large ventilation structures. The supply airflow travels through intake louvers into the supply air plenum and through dampers, fans, sound attenuators, and ductwork before entering the tunnel. This path typically dictates that the intake louvers be located on an upper floor of the building, even though this upper floor is relatively inaccessible to the public.

Transit systems, on the other hand, commonly have sidewalk gratings that serve to bring outside air into the system. These gratings can lead to tunnels or stations and can be used in natural (piston-action) or mechanical ventilation systems. In any case, these air intakes must be protected from tampering and harm. Retrofit designs include the construction of a vent shaft of sufficient height around the existing grating, the erection of fencing or some other permeable barrier at a sufficient distance from the existing grating, or the relocation of the grating via interior ductwork and/or structural elements.

Table 55. Countermeasure 14: Extend/heighten supply air intakes.

Countermeasure Description: Design and construct durable air intake structures of increased height to thwart intentional or unintentional interference with the airflow.
Types/Components: Shafts; fences; screens; ductwork.
Use: All air intake devices.
Category: Minimum measures.
Strengths: This measure is a one-time investment to protect the air intake structures.
Weaknesses: New design may eventually be overcome by circumstance or intentional act of disruption.
Rough Cost of Implementation: Medium--between $1 million and $3 million per tunnel. Cost depends on local conditions.
Operation and Maintenance: Medium.
Training Requirements: None.
Life Expectancy: 20-40 years.
Comments:

Countermeasure 15: Anti-Virus Software

All tunnel system data networks must have programs to detect and eliminate computer-generated viruses. On a daily basis, hundreds of viruses, weak or virulent, will attempt to enter the data system, normally through an external data connection. These attempts, largely indiscriminate, must be thwarted at the point of entry (the external data connection). Intentional introduction of viruses from inside the network must also be prevented through a series of anti-virus measures to protect the data network from itself. See Table 56.

The installation of anti-virus software is a common practice for anyone who has a computer or uses a data network. The software is readily available and relatively inexpensive. The effectiveness of this countermeasure is very high if the software is backed by a program of updates and maintenance. Such a program is readily available from commercial vendors and typically included in the price of the software purchase.

Table 56. Countermeasure 15: Anti-virus software.

Countermeasure Description: Install software designed to thwart the introduction of malicious software code into the data network of the tunnel owner or operator.
Types/Components: Software code.
Use: Entire data network.
Category: Minimum measures.
Strengths: This measure is an investment to protect the integrity of the data network.
Weaknesses: None.
Rough Cost of Implementation: Low--less than $1 million per tunnel.
Operation and Maintenance: Low.
Training Requirements: None.
Life Expectancy: Virus code definitions need to be continually updated.
Comments: This countermeasure is readily available from vendors who can provide a reliable, continually updated product to the tunnel owner or operator.

Countermeasure 16: Computer Firewalls

A complementary layer of cyber security for the tunnel data network includes the installation of firewalls. Firewalls are cyber codes written to prevent unauthorized entry to parts of the data network. These virtual partitions will authenticate the privilege rights of people attempting to enter areas of the network and deny access to those who do not appear on a specified list. See Table 57.

Firewall software is frequently tied to anti-virus protection by commercial vendors. The cost is relatively low for the protection provided. The challenge to the tunnel owner or operator is to establish the policies and regulations that will determine where the firewalls should exist. The tunnel owner or operator needs to establish permission levels for employees and visitors and then match those levels to the order of information contained within the whole of the network.

manually. Later, retrofit controls may have been added to allow remote monitoring and operation. These retrofits should not have interfered with the ability of staff to manually throw a lever or a switch. Power sources to operate the systems should also be redundant. This may be accomplished through a dual feed or battery backup.

The design of some newer tunnel systems may have eliminated manual control of MEC systems, relying instead on the technology available to allow remote or automated control. If this is the case, efforts should be made to restore local, manual control of these support systems to provide the tunnel owner or operator with important redundancy. This advance planning will ensure safe and continuous operation if the data connection is disabled or destroyed.

Countermeasure 18: Regularly Scheduled Data Backup

All data networks should be duplicated regularly to protect against loss of information.
These backups should be done to a server in a remote location from the main data processing center. The different locations lessen the risk Countermeasure 17: Backup Manual Control that both primary and secondary data collection centers of Systems will be disabled by a localized event. Commercial services The design of new tunnels and the retrofit of older systems provide remote location data backups at a reasonable cost. should include options for manual operation of MEC sys- See Table 59. tems, including those used for safety and security. Ventilation, The owner or operator will need to determine the when lighting, pumps, and alarms should be capable of manual and how often data should be backed up, as well as which operation if their connections to the control center are pieces of information should be copied. The remote backups breached. See Table 58. may be done on any schedule, but should be no less often than This redundancy exists in many older facilities, where the once per day. The selected data may include financial, opera- equipment was originally designed and installed to be operated tional, and/or transaction information. Table 57. Countermeasure 16: Computer firewalls. Install software designed to partition the data files of the tunnel Countermeasure Description owner or operator and allow only authorized access to the file compartments. Types/Components Software code. Use Across entire data network. Category Minimum measures. This measure is an investment to protect the integrity of the data Strengths network and halt unauthorized access. Weaknesses None. Rough Cost of Implementation Low--less than $1 million per tunnel. Operation and Maintenance Low. Training Requirements None. Firewall settings and protection codes require regular maintenance Life Expectancy and update. This countermeasure is readily available from vendors who can Comments provide a reliable, continually updated product to the tunnel owner or operator.