4
Applying the Methodology: Some Specific Research and Development Topics

The focus of this report so far has been on establishing a firm strategic basis for R&D on surface transportation security. A fundamental conclusion of the study is that addressing broad issues of strategy should be DOT's first priority in responding to concerns in this area. This chapter presents some examples of specific R&D opportunities. The selection is not meant to be comprehensive, or even necessarily to represent the topics with the highest priority, but rather to illustrate the application of the methodology recommended in Chapter 3 and indicate where that approach might lead. Some topics are new R&D; others are technologies or processes that already exist in other contexts but have not been applied to improving the security of surface transportation.

The committee believes that the topics presented are promising, but DOT should conduct a full evaluation of its own using the framework of the careful, rigorous strategy that this report recommends. Inclusion in this chapter is not intended as a substitute for such evaluation. For example, more work is needed to determine how each potential project would fit into the broader picture of work being done at other agencies. Indeed, it would probably be unwise for DOT to initiate R&D on as many different topics as are presented here, even if it determined that they were all individually useful and appropriate. Table 4-1 illustrates how some of the topics discussed fit into the matrix structure that is part of the strategy.

Even though this chapter is only a preliminary application of the strategy and is intended primarily to illustrate the methodology, several of its themes are sure to reemerge when a more complete and thorough evaluation is conducted. They include the following, some of which have already been mentioned:



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




TABLE 4-1 Illustration of the Matrix Categorization of R&D Topics

| Response (row) / Type of Attack (column) | Biological | Chemical | Cyber and C3 | Physical | General |
|---|---|---|---|---|---|
| Prevention | platform-edge doors | prerelease detection | software firewalls | explosives detection | study of redundancies |
| Mitigation | low-tech best practices | protective aerosols | ITS graceful degradation | construction design | lessons from natural disasters |
| Monitoring | — | chemical detector evaluation | identification of abnormal activity | — | video surveillance |
| Recovery | decontamination | decontamination | — | rapid bridge repairs | bandwidth reservation |
| Investigation | — | — | logging | — | best practices |
| Systems Integration | dispersion modeling | dispersion modeling | best practices | — | incident management |

Note: This table categorizes some of the technologies and processes discussed in this chapter according to type of attack and type of R&D response. Also included, to show how they fit into the matrix concept, are two studies discussed in Chapter 2 (a compendium of lessons learned from past natural disasters and accidents and a study of redundancies and interdependencies). This is not a complete or exclusive list, just some examples arranged to illustrate the matrix approach.

- the value of taking a dual-use approach, in which security objectives are furthered at the same time as other transportation goals
- the potential for more use of modeling to develop a better understanding of the scope of the security problem
- the importance of DOT's role in developing and disseminating information about best practices that use existing technologies and processes, including low-technology alternatives
- the need to consider security as part of a broader picture, not a wholly new and different problem, but one that is similar and closely connected to the transportation community's previous experience in responding to concerns about safety, natural disasters, and hazardous materials

The strategy begins with definition of the problem and establishment of objectives.
As discussed in Chapter 3, DOT's broad objectives for R&D efforts in surface transportation security should resemble the following:

- a comprehensive understanding of the surface transportation system's point and systemic vulnerabilities to hostile attack
- a comprehensive understanding of existing security technologies and processes and how to apply them effectively to surface transportation
- the development of new security technologies and processes in response to specific, clearly identified vulnerabilities that are unique to surface transportation
- the implementation of effective security technologies and processes by surface transportation owners and operators in such a way that vulnerabilities to attack are reduced without significantly compromising other transportation goals

The first of these objectives is closely related to the discussion in Chapter 2, and the two studies recommended there follow directly from it. The fourth objective should be an overarching theme of the entire R&D program and how it is implemented. The second and third objectives, which relate to R&D on specific technologies and processes, will be the main subject of this chapter. The focus will be primarily on applying the second and third steps of the strategy (i.e., the identification and evaluation of alternatives).

The six categories of R&D response (the rows of the matrix) can be used as midlevel objectives that are subordinate to the broad objectives listed above but are still fairly generic. That is, the vulnerabilities referred to in the broad objectives can be addressed in six ways that divide the problem into more manageable pieces. The remainder of this chapter is organized according to these six categories.

More topics are presented in some response categories than in others. This should not be taken to mean that those categories are more important. Indeed, response areas for which few suggestions appear may sometimes be the ones where the most work is needed to identify possible solutions.
Prevention

Technologies and processes in the "prevention" category should address the objective of preventing a potential attacker from carrying out a successful attack. (As discussed previously, they should also be evaluated against a host of other objectives, such as their cost, ease of implementation, effect on competing transportation goals, and so on. These other objectives apply in every category, and although this remark will not be repeated in each section of the chapter, it should not be forgotten.) Examples include physical security—"guns, guards, and gates"—software to detect and prevent unauthorized computer access or the transmission of computer viruses, and sensing equipment to detect bombs or other threats before an incident occurs. Some options are generally applicable; others apply only to certain types of attack.

Generally Applicable Techniques

Fences and other physical barriers could keep potential attackers (of all types) away from vulnerable locations. There may be R&D opportunities in facility design to enhance the effectiveness of such barriers. Those opportunities would only be appropriate for DOT to the extent that the design issues are unique to transportation facilities, but DOT could play a role in disseminating design best practices to the transportation community.

Another option could be video monitoring, perhaps employing "smart" video, to help identify an imminent attack before it takes place. Smart video monitors might be able to automatically identify shapes or motions that are associated with suspicious objects or activities. This capability is currently quite limited but should improve with advances in image recognition and video processing. The Defense Advanced Research Projects Agency sponsors R&D in this area, and although video monitoring is far from unique to DOT's niche, DOT could seek to involve the transportation community. For example, a research group could use a transportation application to test its experimental algorithms.

Biological and Chemical Attacks

One approach to the prevention of biological or chemical attacks could be controlling or monitoring potential agents or their manufacturing precursors. For example, R&D could evaluate the feasibility of establishing and maintaining a database of the purchasers of certain chemicals. Possession of certain microorganisms and biotoxins already requires registration with the Centers for Disease Control and Prevention, and their transfer requires that both shipper and receiver file forms (IOM and NRC, 1999). There seems to be little here that is unique to DOT, however.
Another approach to preventing biological and chemical attacks would be to detect the presence of threatening substances before an attack actually released them. R&D in this area might be similar to the Federal Aviation Administration's work on detecting chemical traces of explosives on the outside of baggage to prevent explosive devices from being loaded onto aircraft. Detecting unintended traces of biological or chemical agents may be more difficult than detecting explosives, however. Unless these agents are kept contained with extreme care, any potential attacker will probably be killed by them before he or she can launch an attack. Measures of performance of detection systems could include speed and convenience of operation, ease of maintenance, and the rates of detection and false alarm for various levels of simulated threat. This type of detection is probably a long-term research problem, however, and work at this stage is likely to be broadly applicable in a variety of settings. If that is correct, seeking a transportation-specific niche could be premature. Rather than trying to develop this technology on its own, a more appropriate eventual role for DOT is likely to be evaluating the suitability of technologies developed elsewhere for use in specific surface transportation contexts.

Cyber and C3 Attacks

R&D topics that could result in improved techniques for resisting cyber and C3 attacks include improved software firewall technologies, hardware and software architectures and associated system designs that could confine the impact of malicious or flawed programs, improved integration of high-performance encryption into networks and systems, and improved security and configuration management tools for distributed computer systems. Most of these topics are already being addressed by research at federal agencies. Measures of performance for them are admittedly difficult to construct (except for the usual factors, such as cost, ease of implementation, and impact on other transportation goals). One possible measure could be the rate of successful attack in a red-team exercise.

Physical Attacks

The Federal Aviation Administration has a long-standing R&D program on explosives and weapons detection. DOT may find R&D opportunities in adapting that type of technology, which is currently directed toward prevention of airplane bombings and hijackings, for use in surface transportation settings. Adaptation would be an extremely difficult challenge, however, for most parts of the surface transportation system, because traveler access is generally much less controlled than in aviation. There are some exceptions, such as when the objective is to detect large threat quantities.
For example, at least two companies have developed drive-through inspection systems for fully loaded trucks and cargo containers that can scan for explosives at a rate of 25 to 30 trucks per hour—too slow for general use on highways, but perhaps acceptable at selected locations, such as border crossings. In some surface transportation situations, dogs are already commonly used for drug detection. For example, dogs are used at some freight ports to find drugs in cargo containers. R&D might develop ways to use these drug-sniffing dogs to detect explosives or other threatening substances at the same time. If this were possible without reducing the effectiveness of the drug detection, it would be a good example of a dual-use approach that exploits other concerns to further security goals at little added cost or inconvenience. (The use of dogs presents a number of operational challenges, however.)

Mitigation

Technologies and processes in the "mitigation" category should meet the objective of reducing the harmful impact of an attack as it occurs and in its immediate aftermath. Examples include architectural features that harden a structure against the blast of an explosion, fail-safe or redundant control systems, and protective aerosols that can be sprayed into the air to neutralize chemical agents. Measures of performance specific to this category might include the reduction in damage, casualties, and time out of service.

Biological and Chemical Attacks

There are two main approaches to mitigating the effects of biological and chemical attacks: (1) controlling the dispersal of the agent to prevent or reduce contact with the intended victims and (2) neutralizing or reducing the agent's effectiveness.

Controlling Dispersal

Controlling agent dispersal can mean either designing a system to reduce dispersal-related characteristics in everyday operation or providing active features, such as barriers or ventilation, that would operate only when an attack is detected. An example of the first approach, platform-edge doors (see Figure 4–1) are fixed panels that fit along the length of a subway platform and remain closed except when a train is in the station loading or unloading passengers. The presence of such a barrier would greatly decrease the piston effect by which trains force contaminated air through tunnels and ventilation systems. Moreover, by slowing the rate at which a biological or chemical agent is dispersed through the system, platform-edge doors would increase the time available for people to escape from the area once an attack was recognized. By reducing the volume of air that must be decontaminated, the existence of a barrier might also reduce the cost and increase the effectiveness of other approaches to mitigation and recovery.
Platform-edge doors are already in use in some locations in Britain, France, Russia, and Singapore, although for reasons having nothing to do with security. (They reduce noise and dust and provide a safety barrier between the tracks and the waiting passengers. These other benefits, in addition to possible security benefits, may help to justify their installation—another example of the dual-use idea.) No platform-edge doors have been installed in U.S. subway systems, but they are similar to the doors used in interterminal transit stations at airports such as Dallas and Atlanta. This is an existing technology, but there may still be R&D opportunities in investigating its effectiveness at mitigating the impact of biological and chemical attacks, in developing retrofitting techniques for installation in existing subway systems, or simply in adapting and optimizing the technology for use in U.S. subway systems. By its nature, this technology is specific to transportation, so it would be appropriate for DOT's R&D niche.

Figure 4-1 Platform-edge doors in the London subway. Photo courtesy of Peter Hampshire, London Underground.

A variety of active approaches have been proposed for blocking the flow of contaminated air to contain a biological or chemical attack, or alternatively, for ventilating contaminated spaces. These include barrier foams, air curtains, decontamination techniques for the ventilation system, and others, all of which would present R&D opportunities (for details, see Swansiger, 1997). Although these devices could be activated manually, they would be more effective if the existence of detection equipment permitted automated activation. As discussed below under "Monitoring," the synergy with detection technology means that active measures would be more useful for mitigating chemical attacks than biological ones.

Protective Aerosols

In the event of a chemical attack, if immediate escape is impossible, release of a neutralizing agent into the breathing airspace may be the only remedy for people caught in the affected area. Neutralizing aerosols could be developed that would sorb harmful compounds, such as phosphorylating nerve agents, and neutralize them by rapid chemical reactions before they could reach the intended victims. The average specific surface area of an aerosol is hundreds of square meters per gram, which makes aerosol delivery the only flexible way to take rapid remedial action. To provide protection even when the agent used by the attacker is not immediately known, the aerosol chemistry should be designed to counteract a broad spectrum of agents. Sprinkler systems or other mechanisms for dispersing the aerosols would also have to be developed if this option were selected.

Low-Technology Biological and Chemical Protection

A variety of low-technology approaches have been developed to mitigate the consequences of biological or chemical attacks. These include such simple measures as the use of bleach, surgical masks, or simply breathing through a folded t-shirt or wet cloth and moving to a higher location. These are most likely not so much a topic for R&D on the techniques themselves (although some R&D may be necessary to verify their efficacy) as for public education. Thus, here again, DOT's most important role may be identifying, collecting, and disseminating best practices.

Cyber and C3 Attacks

Among the promising R&D areas for mitigating the consequences of cyber and C3 attacks specific to surface transportation are ensuring the graceful degradation of damaged or corrupted ITS systems and increasing the robustness of systems that use GPS.

Graceful Degradation of an Intelligent Transportation System

As systems such as ITS become more widespread, centralized controls may create new vulnerabilities to cyber attacks.
No doubt the designers of such systems will seek to incorporate fail-safe features, perhaps including hardware features that are redundant with the control software to protect against unanticipated bugs. There are R&D opportunities in ensuring that designs protect against hostile attacks on the central control system as well as against passive failures. One possibility (drawn from the example discussed in Chapter 2) is the development of onboard controls for taking safety measures independently if instructions received from the central system would reduce vehicle headway to an unsafe distance. The development of redundant or otherwise fault-tolerant system architectures could also contribute to the creation of ITS systems that would degrade gracefully when compromised, either intentionally or otherwise. Such systems would be designed to respond to faults by reducing their functionality in a controlled, planned manner. In most cases, DOT's role in cyber security is likely to be as a consumer of security technologies and processes, rather than a developer or producer. ITS, however, is a situation unique to transportation that will require particular action.

Interference Mitigation for GPS

The GPS, a satellite-based navigation system originally developed by the Department of Defense, serves marine, airborne, and terrestrial users. There are two GPS services, a civilian one accurate to within 100 meters and a military one accurate to within 20 meters. Enhancements can be used with either service to increase accuracy. One of the primary uses of GPS in surface transportation is determining the location of ships at sea. In addition, GPS receivers are currently being installed in some luxury cars to help identify the fastest route to a destination. As the cost of GPS receivers decreases, the use of GPS in private vehicles is expected to become more widespread.

GPS relies on spread-spectrum signaling, which is inherently robust with respect to low-power interference in the same frequency band. High-power interference from a strategically placed source, however, can easily disrupt the reception of a GPS signal. For example, there has been at least one case of a signal from a military air base inadvertently jamming the reception of a GPS signal by a commercial airplane (Brewin, 1998). This type of threat is likely to become more serious as commercial reliance on GPS signals for positioning and navigation increases.
Another concern is the possibility of substituting a false GPS signal that conveys incorrect information. This would require much more sophistication on the part of the attacker, however, than simple jamming. Sophisticated reception techniques can improve robustness to interference and hostile jamming. For example, if multiple antennas are placed at the receiver, interference that originates from selected locations can be suppressed. The Air Force is currently funding research on a GPS antenna system with this capability (U.S. Air Force, 1998). Additional research on jam-resistant reception techniques for GPS is being supported by the Air Force Office of Scientific Research. DOT should monitor progress in this area and determine whether interference-resistant technologies being developed for air navigation have wider applicability to other modes of (surface) transportation.
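The onboard headway check proposed above for graceful degradation of an ITS, as an added example that is not part of the report: the vehicle treats the central system as untrusted input, accepts a commanded speed only if it could still stop within the gap its own sensors measure, and drops to a conservative creep speed when the central link is stale or the command is malformed. The vehicle parameters, message fields and trace values are constructed assumptions for illustration.

```python
"""Onboard arbitration of central ITS speed commands (constructed example)."""
import math
from dataclasses import dataclass
from typing import Optional

# Assumed vehicle parameters (constructed; a real design would derive them
# from the vehicle's braking certification and sensor latency budget).
REACTION_TIME_S = 1.0       # sensing plus actuation delay before braking starts
MAX_BRAKING_MPS2 = 3.0      # conservative service-braking deceleration
COMMAND_MAX_AGE_S = 0.5     # older central commands are treated as link loss
FALLBACK_SPEED_MPS = 5.0    # creep speed used while the central link is untrusted


@dataclass
class CentralCommand:
    """Speed instruction received from the central control system."""
    target_speed_mps: float
    issued_at_s: float          # timestamp carried in the message


@dataclass
class LocalState:
    """What the vehicle can measure on its own, independent of the network."""
    gap_to_lead_m: float        # distance to the vehicle ahead (onboard sensor)
    now_s: float                # local clock


@dataclass
class Decision:
    speed_mps: float
    reason: str                 # accepted | clamped | central_link_lost | malformed


def max_safe_speed(gap_m: float) -> float:
    """Largest speed at which the vehicle can stop within gap_m.

    Stopping distance is v*t + v^2 / (2a); solving for v gives the positive
    root -a*t + sqrt((a*t)^2 + 2*a*gap).
    """
    if gap_m <= 0.0:
        return 0.0
    a, t = MAX_BRAKING_MPS2, REACTION_TIME_S
    return -a * t + math.sqrt((a * t) ** 2 + 2.0 * a * gap_m)


def arbitrate(cmd: Optional[CentralCommand], state: LocalState) -> Decision:
    """Return the speed the vehicle will actually use.

    The local safety envelope is applied in every branch, so even the
    fallback speed is never allowed to exceed what the measured gap permits.
    """
    limit = max_safe_speed(state.gap_to_lead_m)

    # Degraded mode: no command, or a command too old to trust.
    if cmd is None or state.now_s - cmd.issued_at_s > COMMAND_MAX_AGE_S:
        return Decision(min(FALLBACK_SPEED_MPS, limit), "central_link_lost")

    # Degraded mode: command fails basic validation (negative, NaN, inf).
    v = cmd.target_speed_mps
    if not math.isfinite(v) or v < 0.0:
        return Decision(min(FALLBACK_SPEED_MPS, limit), "malformed")

    # Normal mode: obey the centre unless it would violate the headway envelope.
    if v > limit:
        return Decision(limit, "clamped")
    return Decision(v, "accepted")


def run_trace() -> list:
    """Step a constructed sequence of commands through the arbiter."""
    trace = [
        (CentralCommand(15.0, 10.0), LocalState(100.0, 10.2)),   # sane command
        (CentralCommand(30.0, 10.5), LocalState(100.0, 10.7)),   # unsafe speed
        (CentralCommand(15.0, 10.5), LocalState(100.0, 12.0)),   # stale command
        (None, LocalState(2.0, 12.5)),                           # link gone, tight gap
    ]
    return [arbitrate(c, s) for c, s in trace]


if __name__ == "__main__":
    for d in run_trace():
        print(f"{d.reason:18s} -> {d.speed_mps:6.2f} m/s")
```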

Physical Attacks

Analysis of vulnerabilities often leads to the development of new guidelines for structural design. For example, early efforts by the Nuclear Regulatory Commission, working with private industry, postulated various accidents and used the analysis of them to develop design guidelines for licensing nuclear power plants. The commission would postulate broken main steam lines, for example, and the resulting pipe whip would be analyzed to determine the damage to adjacent systems. In this case, the analysis resulted in the development of design methods and requirements for pipe anchors. For surface transportation security, intentional-attack scenarios of varying severity and location would replace accident scenarios. From its work on the vulnerability assessment, DOT already has available many of the tools needed to assess the consequences of an attack, determine the likely damage, and develop protective design enhancements. Box 4-1 highlights some of the design features that might be suggested by such an assessment. DOT could also promote the use of such techniques by cities and states, perhaps assisted by the Nunn-Lugar-Domenici program (GAO, 1998).

Box 4–1 R&D Opportunities in Construction Design

Design Features for Bridges

In California, it is common to see bridge spans that appear to be tied to their supporting abutments by cables. During earthquakes, these tiebacks and other devices help to keep spans from falling off their supports. Tieback systems are likely to be similarly effective against truck bombs under or near a bridge. This simple scheme could be a cheap and effective way to protect critical bridge spans, even in states where seismic resistance is not included in design specifications. Verifying the effectiveness of this approach would require analysis and testing.

Design Features for Tunnels

Engineering reviews are likely to show that most tunnels are quite resistant to explosive damage. Access to urban transit tunnels is usually difficult for an explosive device large enough to cause major damage. Remote tunnels (e.g., railroad tunnels in the wilderness) are more accessible, but even they are probably only susceptible to liner damage, portal damage, and temporary blockage from debris. In many cases, the most significant damage is likely to be to utility lines that run through the tunnel, such as electricity, gas, water, or fuel lines. Tunnels would have to be considered on a case-by-case basis, however, and DOT R&D on analysis techniques could help state and local authorities to perform this task.

Design Features for Pipelines

In some countries, pipeline bombings have become common in recent years. DOT could study these incidents to get a better understanding of the mechanics of such attacks, the resulting damage, and the remedies that have been effective. Communicating the results of this study to domestic pipeline owners and operators through workshops and seminars would not only help them protect their facilities but also heighten their awareness of security concerns.

Analysis of earthquake damage, like analysis of accidents, has led to many new design guidelines. Building code committees, first formed in the 1930s following the first studies of earthquake forces and how structures respond to them, continue to improve seismic design methods and reduce property damage and loss of life. Research continues to contribute by improving our understanding of the regional and magnitude distribution of earthquakes. Fewer cases of damage from intentional attack are available for study, but just as new knowledge has benefited seismic design, the study of past hostile incidents could be used to guide research directions and code development.

It may be decided that design guidelines for protection against explosions should be kept confidential and not incorporated into building codes. For example, the designs of many blast-resistant and defensive military structures are based on Defense Department technical handbooks rather than civilian building codes. The recommendations in these handbooks are the result of years of military research on explosives and penetrators—a reminder of DOT's opportunity to capitalize on the extensive security R&D already conducted by other agencies.

At least one off-the-shelf software package already exists for analyzing the structural effects of an explosion. It incorporates a three-dimensional model of the structure itself along with the spatial position and energy of the explosive device, and it predicts the damage caused to each structural element by the blast. Research by DOT may be needed to modify such tools for analysis of transportation-related structures or to identify and extend other tools already available in other agencies. DOT could also conduct field tests or other research to calibrate models against actual results on transportation structures.
Monitoring

Technologies and processes in the "monitoring" category should meet the objective of recognizing when an attack is under way, characterizing it, and predicting and monitoring its development. Examples include real-time chemical detection systems and intrusion-monitoring software.

Generally Applicable Techniques

Video monitoring, which has already been discussed in the context of identifying imminent attacks, could also be useful in monitoring the course of an attack that has already begun. Video surveillance requires high-bandwidth communications between the camera and the monitor. These links are often dedicated wires, but they may also be wireless, particularly for cameras on buses and trains. For monitors connected via a local-area network, which may be an attractive approach for buses and trains, R&D could determine data rates and data traffic characteristics, which would dictate the size of digital transmission facilities and the resulting quality of service.

Video surveillance could also be used to complement other monitoring techniques. The problem of false alarms by chemical detectors is a good example. Strategically placed cameras, coupled with event detection and recognition software, might enable a human operator to confirm quickly that a real attack is under way and to initiate evacuation and mitigation procedures. R&D may be needed to identify effective ways to achieve such synergies.

Biological and Chemical Attacks

Detecting Chemical Attacks in Progress

To minimize the effects of a chemical attack, remedial action must be taken quickly, so real-time detection systems are important. Ideally, a system should sound an alarm before the chemical agent reaches its target. If this is not possible, a quick alarm at the same time as the first casualties would at least prevent additional potential victims from entering the area. As noted in Chapter 3, a number of detection systems for chemical agents have already been developed, but their application in transportation environments such as subway systems presents many challenging problems. The acceptable rate of false alarms is very low in a subway, even in comparison with other large civilian facilities, because even if just one train or station is affected directly, that localized disruption is likely to disrupt operations system-wide. Practical detectors must remain functional during long standby periods. They must respond quickly, probably in about one second or less. They must detect a wide variety of agents, ideally based on their physiological impact rather than a predetermined list of chemicals, much as a smoke detector detects "smoke" without knowing its chemical composition.
Given these requirements, an R&D role for DOT may be to evaluate the performance of available detectors in subway use. DOT is not, and should not attempt to be, a leader in the development of new detection technology.

Detecting Biological Attacks in Progress

If practical biological detectors became available, much of the discussion above would also apply to detecting biological attacks. The availability of biological detectors seems highly unlikely, however, in the foreseeable future. Understanding this judgment requires understanding the differences between detectors and assays. Detectors must operate continuously, whereas assays are conducted during a finite period of time in several discrete, discontinuous steps, such as sample preparation, reagent mixing, incubation, separation, and counting.

OCR for page 43
Although most modern biological assays are automated, there is always a time delay between the introduction of a sample into the system and the actual acquisition of information. The total required time for a biological assay is typically measured in hours, which is too long to be useful for identifying biological attacks in progress. (Automated assays might be useful in the aftermath of an attack, however, as discussed below.) How can DOT determine whether biological assays would meet its needs? As usual, answering this question requires evaluating the technology's performance against the objectives of its intended application. For example, if passengers on a train were exposed to a germ warfare agent, symptoms would probably develop hours later, perhaps days later, but to be of value in preventing exposure, positive identification of the agent would have to be made within seconds of the release. DOT's needs would therefore require an information acquisition rate much faster than assays can provide. A second objective would almost certainly be continuous unattended operation, which is hard to imagine for even the most automated assay systems. The committee is not aware of any detector for biological agents that meets these criteria, or even of any principle on which such a detector could be based. In a number of current R&D efforts (most of them sponsored by the Department of Defense), biological assays are mislabeled as biological sensors or detectors. This mislabeling should not be allowed to create the false impression that direct, continuous, rapid detection of biological agents is possible, let alone imminent. Baseline Measurements of Chemical and Biological Traces in Subways The confined air in an urban subway is likely to be a very difficult background against which to identify either toxic chemicals or harmful microorganisms. 
Baseline measurements of normal levels of chemical and biological traces, as a guide for the development or selection of detection systems, might be a useful R&D project and would clearly be specific to transportation. However, because real-time detection of biological agents is not foreseeable under any background conditions, the focus of baseline measurements should be on the chemical background. (Although unlikely to contribute to real-time detection, measurements of the biological background might be useful after an incident, in conjunction with biological assays, during the recovery and investigation phases.)

Automated Field Assays, Stand-Off Sensors, and Rapid Off-Site Identification

Although existing biological and chemical analytical assay systems are too slow or not sufficiently automated to operate as detection systems, they can be automated for use in the field. For chemical attacks, there are also stand-off sensing systems for identifying the nature, quantity, and concentration of a chemical agent. Automated field assays and stand-off sensors could help emergency personnel identify the nature of an attack (or apparent attack) in the immediate aftermath of a release. Micromechanical structures have made the miniaturization and automation of these procedures more economical and even portable. Applications include DNA analysis, gene detection, immunoassays, and toxin assays. The Department of Defense has invested heavily in programs to develop these systems, and this investment has produced some very impressive results. The resulting systems are assays, however, not detectors.

Rapid off-site identification, say within one or two hours, could play a role similar to that of field assays. That capability would be enhanced by the development of contingency plans for critical locations. One measure of performance against which to evaluate all of these alternatives might be a "confusion matrix": a table of estimates of the likelihood of each correct and incorrect identification, given each of a set of chemical and biological samples.

Cyber and C3 Attacks

Monitoring and detecting intrusions into information systems is a major topic of ongoing research. Most current systems use one of two techniques. Either they seek to recognize known hostile software and attacks (signature-based detection), or they attempt to recognize deviations from an expected pattern of behavior (anomaly-based detection). The former may leave the system vulnerable to attacks not previously encountered; the latter may leave the system vulnerable to slow deviations from the norm, which an adaptive baseline will absorb, and to erroneous reactions to unexpected but legitimate external events. Because transportation C3 systems are ultimately constrained by the physical characteristics of the transportation network, detecting and monitoring cyber and C3 attacks may be a more limited and thus more tractable problem in the transportation setting than in general: a report that a train has moved faster than the track and rolling stock allow is wrong whatever the recent traffic pattern looks like. This may be a promising area for research.
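The two techniques, their blind spots, and the reason the physical constraints of a transportation network help, can be shown side by side. The script below is an added illustration and not from the report: it runs a signature matcher, an adaptive sliding-window anomaly detector on reported speed, and a checker of physical invariants over a constructed telemetry feed from one train, then summarises the outcome in the confusion-matrix style the chapter proposes for assays, each true condition against whether each detector alerted. The report interval, the 120 km/h speed limit, the command names, the jitter pattern and the four scenarios are all assumptions.

```python
"""Signature, anomaly and physical-constraint monitoring of a rail C3 telemetry
feed, compared on constructed scenarios.  Added illustration; every number and
name below is an assumption, not taken from any real system."""
from collections import Counter
from math import sqrt

DT = 10.0                                   # seconds between position reports (assumed)
MAX_SPEED_KMH = 120.0                       # physical limit of the rolling stock (assumed)
KNOWN_BAD_CMDS = {"DEBUG_OVERRIDE", "FORCE_SIGNAL_CLEAR"}   # assumed signature list
JITTER = [0, 1, -1, 2, -2, 1, 0, -1, 1, 0]  # deterministic km/h jitter so runs are repeatable


def signature_detector(rec):
    """Technique 1: match against known hostile commands.  Misses anything unlisted."""
    return rec["cmd"] in KNOWN_BAD_CMDS


class WindowAnomaly:
    """Technique 2: adaptive baseline.  Alerts when the reported speed is more than
    k standard deviations from the mean of the last `window` reports.  Because the
    baseline follows the data, a slow ramp never trips it."""

    def __init__(self, window=20, k=3.0, floor=1.0):
        self.window, self.k, self.floor = window, k, floor
        self.hist = []

    def update(self, rec):
        x = rec["speed"]
        alert = False
        if len(self.hist) >= self.window:            # warm-up: no verdict before a full window
            mean = sum(self.hist) / len(self.hist)
            std = sqrt(sum((h - mean) ** 2 for h in self.hist) / len(self.hist))
            alert = abs(x - mean) > self.k * max(std, self.floor)
        self.hist = (self.hist + [x])[-self.window:]
        return alert


class PhysicsChecker:
    """Technique 3: invariants fixed by the physical network.  A train cannot exceed
    its maximum speed, and between two reports it cannot have moved farther than
    that speed allows, whatever the telemetry claims."""

    def __init__(self):
        self.last = {}                                # train id -> previous report

    def update(self, rec):
        bad = rec["speed"] > MAX_SPEED_KMH
        prev = self.last.get(rec["train"])
        if prev is not None:
            max_travel_km = MAX_SPEED_KMH * (rec["t"] - prev["t"]) / 3600 * 1.05  # 5 % tolerance
            bad = bad or abs(rec["pos"] - prev["pos"]) > max_travel_km
        self.last[rec["train"]] = rec
        return bad


def make_feed(n, drift=0.0, cmd_at=None, jump_at=None):
    """Constructed feed for one train cruising at about 80 km/h.
    drift   -> speed rises by `drift` km/h every report (slow manipulation)
    cmd_at  -> report index carrying a known hostile command
    jump_at -> report index from which the position is spoofed 5 km ahead"""
    recs, pos = [], 0.0
    for i in range(n):
        speed = 80.0 + drift * i + JITTER[i % len(JITTER)]
        pos += speed * DT / 3600
        if i == jump_at:
            pos += 5.0                                # 5 km inside one 10 s interval
        cmd = "FORCE_SIGNAL_CLEAR" if i == cmd_at else "STATUS"
        recs.append({"t": i * DT, "train": "T1", "pos": round(pos, 4), "speed": speed, "cmd": cmd})
    return recs


SCENARIOS = {
    "normal":     make_feed(60),
    "known_cmd":  make_feed(60, cmd_at=30),
    "pos_spoof":  make_feed(60, jump_at=30),
    "slow_drift": make_feed(100, drift=0.5),      # 80 -> 130 km/h over 100 reports
}


def run(feed):
    """Number of reports each detector flagged in one feed."""
    anomaly, physics, flagged = WindowAnomaly(), PhysicsChecker(), Counter()
    for rec in feed:
        flagged["signature"] += int(signature_detector(rec))
        flagged["anomaly"] += int(anomaly.update(rec))
        flagged["physics"] += int(physics.update(rec))
    return {d: flagged[d] for d in ("signature", "anomaly", "physics")}


def detection_matrix():
    """Confusion-matrix style table: true condition (row) against whether each
    detector raised at least one alert (column)."""
    return {name: {d: n > 0 for d, n in run(feed).items()} for name, feed in SCENARIOS.items()}


if __name__ == "__main__":
    for name, row in detection_matrix().items():
        print(f"{name:<11}", "  ".join(f"{d}={'ALERT' if v else '-'}" for d, v in row.items()))
```

Each technique catches exactly one of the three attack scenarios and nothing else: the signature list sees the known command but not the spoof or the drift, the anomaly detector sees none of them because the speed never jumps within a window, and the physics checker catches both the impossible 5 km jump and the drift once it passes the speed limit, while none of the three false-alarms on the normal feed.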

Physical Attacks

Because monitoring responses mostly address the period during an attack, and bomb explosions are by their nature sudden, there appears to be little opportunity for R&D in this category.

Recovery

Technologies and processes in the "recovery" category are designed to facilitate rapid reconstitution of services after an attack. Examples include chemical and biological decontamination procedures, backup information systems, plans for rerouting traffic around affected locations, techniques for rapid repair of bridges and roadways, protective clothing and equipment for emergency personnel, and bandwidth reservation and priority schemes to ensure rapid delivery of messages (voice, data, or video) in emergency situations. Measures of performance would include the speed of recovery and the confidence that recovery is complete and robust.

Biological and Chemical Attacks

Other agencies have worked extensively on technologies and processes related to decontamination after a chemical or biological attack. Wash-down procedures, including automated and even robotic systems, are one example. In the past, however, the agents of interest have typically been drawn from a relatively short list of agents believed to be most suitable for military use. Work remains to be done to address other potential agents, such as industrial and agricultural chemicals, that are not in the military class but are still harmful. Besides decontamination itself, verification that an attack site is truly decontaminated is particularly important for civilian situations such as transportation: when, for example, is it safe to reenter a vehicle or facility that has been contaminated? Determining and disseminating advice on best practices for the use of existing equipment may be the most important role here for DOT. Other R&D opportunities might include investigating how facilities could be designed to facilitate decontamination, or examining ways to minimize the environmental impact of decontamination procedures on surrounding areas.

Physical Attacks

DOT may have a useful role in adapting rapid bridge and roadway repair techniques, originally developed by the Department of Defense, for civilian use. The key here may simply be to educate potential users about these technologies and make them more easily available to the private sector.

Investigation

The objective of technologies and processes in the "investigation" category is to determine what happened in an attack, how it happened, and who was responsible.
An additional objective is often to answer these questions in a way that can serve as evidence for an eventual prosecution of the perpetrators. The probability of discovery is a likely measure of performance. Identifying lessons learned from past incidents may be the most suitable subject for DOT's R&D in the investigation category. Other topics include investigating ways to tag substances that are potential chemical agents or their production precursors; developing forensics teams like those that investigate arsons and bombings; and investigating the issues involved in tagging explosives. All of these seem more appropriate roles for other agencies than for DOT, however.

As surface transportation makes increasing use of networked information systems, failures in those systems (whether caused by an attack or just an accident) will lead to a need for "cyber forensics." Little is known about how to build networked information and control systems so that they can be analyzed in this fashion. (In contrast, investigators have substantial experience with "black boxes" for airplanes and, more recently, automobiles.) Basic research in system structuring and monitoring will be needed to make this a reality. For example, some mission-critical systems might require logging to write-once storage media, so that an intruder who gains control of the system cannot also erase the record of how control was gained. The more basic aspects of this problem may be too widely applicable to be an appropriate task for DOT, but their application to transportation could be appropriate, especially because of the dual-use link with accident safety.

Systems Responses

Technologies and processes in the "systems responses" category are designed to ensure that the other elements of the system function properly together. This category also includes understanding the problem more thoroughly so as to improve the evaluation and selection of responses in the other categories. Because the surface transportation system is so diverse and the problem of protecting it against attack is so complex, there are many opportunities for R&D on systems integration, that is, on integrating technologies and processes across functions and transportation modes to optimize a combination of security and other transportation goals.

Generally Applicable Techniques

A process for "incident management" is already widely used in surface transportation in response to relatively minor incidents, for example, to coordinate the rapid clearing of highway lanes after traffic accidents. This process is mostly a matter of coordination and integration among local governments, police departments, towing companies, and so on.
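One concrete software form of the "write-once" logging mentioned above for control systems is a hash-chained event log, in which every entry commits to the hash of the entry before it. The code below is an added example and not a design from the report: it records constructed control-system events (the event fields, host names and chain identifier are invented), verifies the chain, and shows both what the chain catches (an edited entry) and what it cannot catch on its own (an attacker who rewrites the tail and recomputes every hash). The second case is the reason the current head hash has to be copied to a medium the control system itself cannot rewrite, such as write-once storage or a separate host.

```python
"""Hash-chained, append-only event log for control-system forensics.
Added example with constructed events; not a design taken from the report."""
import copy
import hashlib
import json

GENESIS = b"surface-transport-c3-log-v1"     # assumed chain identifier


def _canonical(event):
    """Stable byte encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _link(prev_hash, event):
    """Hash of this entry: binds the event to everything recorded before it."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canonical(event)).hexdigest()


class ChainedLog:
    """Each entry stores the previous entry's hash, so changing, dropping or
    reordering any earlier entry breaks every hash after it."""

    def __init__(self):
        self.entries = []
        self.head = hashlib.sha256(GENESIS).hexdigest()

    def append(self, event):
        digest = _link(self.head, event)
        self.entries.append({"prev": self.head, "event": event, "hash": digest})
        self.head = digest
        return digest


def verify(entries, expected_head=None):
    """Recompute the chain from genesis.  Returns (True, None) if consistent,
    otherwise (False, index of the first entry that fails).  If expected_head
    (a hash copied to write-once or off-host storage) is given, a consistent
    chain whose final hash differs from it fails at index len(entries)."""
    prev = hashlib.sha256(GENESIS).hexdigest()
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["hash"] != _link(prev, e["event"]):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed events: a signal-clear command, its acknowledgement, and a train passing.
SAMPLE_EVENTS = [
    {"t": 1000, "src": "ops-console-2", "cmd": "SET_SIGNAL", "target": "S14", "value": "CLEAR"},
    {"t": 1001, "src": "plc-s14", "ack": "SET_SIGNAL", "result": "OK"},
    {"t": 1004, "src": "train-T1", "status": "PASSED", "target": "S14"},
]


def build_sample_log():
    log = ChainedLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def tamper(entries, index, field, value):
    """An in-place edit, as an intruder with write access to the log file might make."""
    edited = copy.deepcopy(entries)
    edited[index]["event"][field] = value
    return edited


def rechain(entries):
    """The stronger attacker: rewrite events and recompute every hash.  The chain
    is self-consistent again; only an externally recorded head exposes it."""
    log = ChainedLog()
    for e in entries:
        log.append(e["event"])
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchored_head = log.head                          # imagine this copied to WORM media
    print("intact:            ", verify(log.entries, anchored_head))
    edited = tamper(log.entries, 0, "src", "maintenance-laptop")
    print("edited entry:      ", verify(edited, anchored_head))
    print("edited + rechained:", verify(rechain(edited).entries, anchored_head))
```

The chain alone detects the edited entry at index 0; after the attacker rechains, `verify` without an anchor reports the log as consistent and only the comparison against the externally stored head fails. A keyed variant (an HMAC with a key held off the logging host) gives the same guarantee without requiring the head to be exported after every write, at the cost of managing that key.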
There may be development needs, however, in expanding the concept to broader application in response to intentional attacks. Some similar ideas have already been put in place, under the auspices of the Federal Emergency Management Agency and others, for response to accidental spills of hazardous materials.

A system for reporting incidents and possible incidents would also be valuable. Low-level events (probes rather than actual attacks) may not be reported at all, and if they are, they are likely to be reported in the context of safety rather than security. Thus current reporting mechanisms are not as useful for intelligence purposes as they could be. For example, if there were a repeated pattern of bolt-loosening incidents on railroads, would the railroads share this information with each other and with the intelligence community? Or if there were a pattern of unusual activity in the transportation sector's C3 systems, would that fact even be identified? Developing a reporting system of this kind would require significant work to identify means of collecting, protecting, and correlating data and to establish criteria for reporting information to the appropriate parties. Other possibilities include modeling and simulation of organizational responses and coordination, and the development of methods for system-level exercises, training, and public education and communication.

Chemical Attacks

A serious system-level concern for responding to chemical attacks is the lack of understanding of how chemical agents would disperse through a facility under attack. R&D could be conducted to model and experimentally verify the behavior of turbulent chemical plumes, in both closed and open spaces, especially the airflow patterns in specific surface transportation situations, taking into account various passenger loads, weather conditions, and so on. Releases of simulant chemicals could also be studied to help develop response strategies. Dispersion and ventilation could also be addressed more generally. Note that DOT's situation is different from that of the Defense Department because DOT deals primarily with closed spaces (such as vehicles, stations, or tunnels), whereas the Defense Department still deals primarily with open spaces (battlefields). As a result, there are differences between the issues that DOT and the Defense Department need to model and understand, including differences in the agents of concern, their physical properties, and the characteristics of the airflow.

Cyber and C3 Attacks

DOT could develop best-practices guidelines on computer security for surface transportation providers to help owners and operators learn from each other's experiences.
This work would be transportation-specific because best practices for a railroad, for example, are not necessarily the same as those for another type of company, such as a bank. The guidelines would not have to become regulations, but they could help bring transportation companies up to speed on the issues of concern and the state of the art in responding to them. The emphasis should be on integrating security best practices into everyday operations, making them a component of business best practices. Implementation would require that DOT play a proactive coordinating role in communicating results to the broad transportation community.

The growing and evolving automation of control systems may make surface transportation more and more vulnerable to cyber attacks. For example, supervisory control and data acquisition (SCADA) systems are increasingly being used for the automation or remote control of pipeline operations. Existing commercial technology and research by other agencies could be useful for protecting surface transportation against cyber threats to these systems. An R&D effort in this area by DOT could develop broad guidelines to assist developers of surface transportation infrastructure control systems in making their systems more resistant to cyber attacks. The emphasis should be on ensuring that control systems degrade gracefully, which may require planned redundancy, backup plans, and other measures. As noted in Chapter 2, a clearer picture of the interdependencies of transportation C3 systems with other parts of the surface transportation system would be extremely useful. Finally, control systems could benefit from disaster planning exercises, such as preplanning and modeling. Because control in transportation systems tends to be real-time, test beds distinct from operational systems often already exist, and these could be used to work on disaster planning.

Summary

The R&D topics described in this chapter are intended to illustrate the application of the strategy discussed in Chapter 3. When DOT conducts a more complete and thorough evaluation using that strategy, it may or may not find them to be the highest-priority topics. Nevertheless, four themes are sure to remain:

- the value of taking a dual-use approach, in which security objectives are furthered at the same time as other transportation goals;
- the potential for more use of modeling to improve understanding of the scope of the security problem;
- the importance of DOT's role in developing and disseminating information about best practices that use existing technologies and processes, including low-technology alternatives; and
- the need to consider security as part of a broader picture, not as a wholly new and different problem but as one that is similar and closely connected to the transportation community's previous experience in responding to concerns about safety, natural disasters, and hazardous materials.