NATIONAL COOPERATIVE HIGHWAY RESEARCH PROGRAM
NCHRP RESEARCH REPORT 930
Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies
Countermeasures Assessment & Security Experts, LLC
New Castle, DE
Western Management and Consulting, LLC
Madison, WI
Subscriber Categories
Data and Information Technology • Public Transportation • Security and Emergencies
Research sponsored by the American Association of State Highway and Transportation Officials in cooperation with the Federal Highway Administration
2020
NATIONAL COOPERATIVE HIGHWAY RESEARCH PROGRAM

Systematic, well-designed, and implementable research is the most effective way to solve many problems facing state departments of transportation (DOTs) administrators and engineers. Often, highway problems are of local or regional interest and can best be studied by state DOTs individually or in cooperation with their state universities and others. However, the accelerating growth of highway transportation results in increasingly complex problems of wide interest to highway authorities. These problems are best studied through a coordinated program of cooperative research.

Recognizing this need, the leadership of the American Association of State Highway and Transportation Officials (AASHTO) in 1962 initiated an objective national highway research program using modern scientific techniques: the National Cooperative Highway Research Program (NCHRP). NCHRP is supported on a continuing basis by funds from participating member states of AASHTO and receives the full cooperation and support of the Federal Highway Administration, United States Department of Transportation.

The Transportation Research Board (TRB) of the National Academies of Sciences, Engineering, and Medicine was requested by AASHTO to administer the research program because of TRB's recognized objectivity and understanding of modern research practices. TRB is uniquely suited for this purpose for many reasons: TRB maintains an extensive committee structure from which authorities on any highway transportation subject may be drawn; TRB possesses avenues of communications and cooperation with federal, state, and local governmental agencies, universities, and industry; TRB's relationship to the National Academies is an insurance of objectivity; and TRB maintains a full-time staff of specialists in highway transportation matters to bring the findings of research directly to those in a position to use them.
The program is developed on the basis of research needs identified by chief administrators and other staff of the highway and transportation departments, by committees of AASHTO, and by the Federal Highway Administration. Topics of the highest merit are selected by the AASHTO Special Committee on Research and Innovation (R&I), and each year R&I's recommendations are proposed to the AASHTO Board of Directors and the National Academies. Research projects to address these topics are defined by NCHRP, and qualified research agencies are selected from submitted proposals. Administration and surveillance of research contracts are the responsibilities of the National Academies and TRB.

The needs for highway research are many, and NCHRP can make significant contributions to solving highway transportation problems of mutual concern to many responsible groups. The program, however, is intended to complement, rather than to substitute for or duplicate, other highway research programs.

NCHRP RESEARCH REPORT 930
Project 20-59(51)A
ISSN 2572-3766 (Print)
ISSN 2572-3774 (Online)
ISBN 978-0-309-48134-2
Library of Congress Control Number 2020935667
© 2020 National Academy of Sciences. All rights reserved.

COPYRIGHT INFORMATION

Authors herein are responsible for the authenticity of their materials and for obtaining written permissions from publishers or persons who own the copyright to any previously published or copyrighted material used herein.

Cooperative Research Programs (CRP) grants permission to reproduce material in this publication for classroom and not-for-profit purposes. Permission is given with the understanding that none of the material will be used to imply TRB, AASHTO, FAA, FHWA, FMCSA, FRA, FTA, Office of the Assistant Secretary for Research and Technology, PHMSA, or TDC endorsement of a particular product, method, or practice.
It is expected that those reproducing the material in this document for educational and not-for-profit uses will give appropriate acknowledgment of the source of any reprinted or reproduced material. For other uses of the material, request permission from CRP.

NOTICE

The research report was reviewed by the technical panel and accepted for publication according to procedures established and overseen by the Transportation Research Board and approved by the National Academies of Sciences, Engineering, and Medicine.

The opinions and conclusions expressed or implied in this report are those of the researchers who performed the research and are not necessarily those of the Transportation Research Board; the National Academies of Sciences, Engineering, and Medicine; or the program sponsors.

The Transportation Research Board; the National Academies of Sciences, Engineering, and Medicine; and the sponsors of the National Cooperative Highway Research Program do not endorse products or manufacturers. Trade or manufacturers' names appear herein solely because they are considered essential to the object of the report.

Published research reports of the NATIONAL COOPERATIVE HIGHWAY RESEARCH PROGRAM are available from
Transportation Research Board
Business Office
500 Fifth Street, NW
Washington, DC 20001
and can be ordered through the Internet by going to https://www.nationalacademies.org and then searching for TRB

Printed in the United States of America
The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, non-governmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.

The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. John L. Anderson is president.

The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.

The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine.

Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org.

The Transportation Research Board is one of seven major programs of the National Academies of Sciences, Engineering, and Medicine. The mission of the Transportation Research Board is to provide leadership in transportation improvements and innovation through trusted, timely, impartial, and evidence-based information exchange, research, and advice regarding all modes of transportation.
The Board's varied activities annually engage about 8,000 engineers, scientists, and other transportation researchers and practitioners from the public and private sectors and academia, all of whom contribute their expertise in the public interest. The program is supported by state transportation departments, federal agencies including the component administrations of the U.S. Department of Transportation, and other organizations and individuals interested in the development of transportation.

Learn more about the Transportation Research Board at www.TRB.org.
COOPERATIVE RESEARCH PROGRAMS

CRP STAFF FOR NCHRP RESEARCH REPORT 930
Christopher J. Hedges, Director, Cooperative Research Programs
Lori L. Sundstrom, Deputy Director, Cooperative Research Programs
Stephan A. Parker, Senior Program Officer
Stephanie L. Campbell, Senior Program Assistant
Eileen P. Delaney, Director of Publications
Natalie Barnes, Associate Director of Publications

NCHRP PROJECT 20-59(51)A PANEL
Field of Special Projects
Eileen M. Phifer, Michigan DOT, Lansing, MI (Chair)
Derial W. Bivens, Hickman, TN
Mel A. Coulter, Idaho Transportation Department, Boise, ID
Herby Gerard Lissade, California DOT, Sacramento, CA
Carl D. Merckle, Ohio DOT, Columbus, OH
Lorenzo G. Parra, Massachusetts DOT, Boston, MA
Thomas H. Wakeman, III, New York, NY
David W. Cooper, TSA Liaison
Jeffrey King, FHWA Liaison
Michael G. Dinning, Massachusetts Maritime Academy Liaison
Gregory M. Jizba, U.S. Army Corps of Engineers Liaison
William B. Anderson, TRB Liaison
FOREWORD

By Stephan A. Parker
Staff Officer
Transportation Research Board

NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies provides transportation managers and employees with an introductory-level reference document to enhance their working knowledge of security concepts, guidelines, definitions, and standards. The primer is for use primarily by those who are neither security professionals nor well versed in security language.

Physical security is integral to an all-hazards approach to preparedness. Cybersecurity cannot be easily separated from physical security; policies and practices for responding to physical security breaches need to also address cybersecurity and incorporate considerations that a cyber incident may have occurred. As such, this report covers the major components of an effective security program at the conceptual level, including risk management and risk assessment; plans and strategies; security countermeasures; cybersecurity; workforce planning and training/exercises; infrastructure protection and resilience; and homeland security laws, directives, and guidance.

NCHRP Research Report 930 references the latest practice and guidance in infrastructure protection encompassing cyber and physical security.

In 2012, the AASHTO Special Committee on Transportation Security and Emergency Management (SCOTSEM) adopted by formal ballot (as a committee report) TRB's NCHRP Report 525, Volume 14: Security 101: A Physical Security Primer for Transportation Agencies (available at http://www.trb.org/Publications/Blurbs/162394.aspx). Since publication of NCHRP Report 525, Volume 14, there have been significant changes and a substantial increase in knowledge about surface transportation security. The decade-long effort to improve the state of security and emergency management practice in the transportation industry has produced new strategies, programs, and ways of doing business that have increased the security of our transportation systems as well as ensured their resiliency.

NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies was prepared as a light update under NCHRP Project 20-59(51)A by Countermeasures Assessment & Security Experts, LLC, of New Castle, Delaware. It is accompanied by an overview PowerPoint deck and supported by NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies.
ABBREVIATIONS

AAR after-action reports
ARM analytical risk methodology
ATO automatic train operation
ATP automatic train protection
ATR automatic train regulation
ATS automatic train supervision
ATSA Aviation and Transportation Security Act
AVL automatic vehicle location
BART Bay Area Rapid Transit
BASE Baseline Assessment for Security Enhancement
BYOD Bring Your Own Device
CAD computer-aided dispatch
CARVER Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability
CBRN chemical, biological, radiological, or nuclear
CCTV closed-circuit television
CDC Centers for Disease Control and Prevention
CE conventional explosives
CERT Computer Emergency Readiness Team
CFR Code of Federal Regulations
CIIP critical information infrastructure protection
CIP critical infrastructure protection
CMM Capability Maturity Model
COBIT Control Objectives for Information and Related Technology
COG continuity of government
COOP Continuity of Operations Plans
CRR Cyber Resilience Review
CSET® Cyber Security Evaluation Tool®
CSIRT Computer Security Incident Response Team
CSSP Control Systems Security Program
CVE common vulnerabilities and exposures
DDoS Distributed Denial of Service
DHS-TRAM Department of Homeland Security terrorism risk analysis methodology
DOJ Department of Justice
DoS Denial of Service
DOT Department of Transportation
DSRC dedicated short-range communications
E.O. Executive Order
EAP emergency action plan
EMAC Emergency Management Assistance Compact
EMST Emergency Management Staff Trainer
ERM enterprise risk management
ESF Emergency Support Function
ETA Employment and Training Administration
FBI Federal Bureau of Investigation
FE functional exercise
FEMA Federal Emergency Management Agency
FIOP Federal Interagency Operational Plan
FTE full-time equivalent
HID high-intensity discharge
HMI human/machine interface
HPS high pressure sodium
HSEEP Homeland Security Exercise and Evaluation Program
HSP hazard and security plan
HSPD Homeland Security Presidential Directives
HVAC heating, ventilation, and air conditioning
ICS industrial control systems
IED improvised explosive device
IND improvised nuclear device
INS Immigration and Naturalization Service
IP Improvement Plan
IRVS Integrated Rapid Visual Screening Series
ISC Interagency Security Committee
I-STEP Intermodal Security Training and Exercise Program
IT information technology
ITD Idaho Transportation Department
ITS intelligent transportation systems
JITT just-in-time training
KCO key control officer
KRA Key Results Areas
KSA knowledge, skills, and abilities
MAM mobile application management
MARTA Metropolitan Atlanta Rapid Transit Authority
MDM mobile device management
MitFLG Mitigation Framework Leadership Group
MnDOT Minnesota Department of Transportation
MPO metropolitan planning organization
MSEL Master Scenario Events List
MSRAM maritime sector risk analysis methodology
MTI Mineta Transportation Institute
MTU master terminal unit
NDRF National Disaster Recovery Framework
NICCS National Initiative for Cybersecurity Careers and Studies
NICE National Initiative for Cybersecurity Education
NIMS National Incident Management System
NIPP National Infrastructure Protection Plan
NIST National Institute of Standards and Technology
NRF National Response Framework
NSTC National Science and Technology Council
NSTS National Strategy for Transportation Security
NTAS National Terrorism Advisory System
OT operation technology
PDD Presidential Decision Directive
PKEMRA Post-Katrina Emergency Management Reform Act
PLC programmable logic controller
PPD Presidential Policy Directive
PPM parts per million
PTO public transportation operator
RDD radiological dispersion device
RSF recovery support function
RTU remote terminal unit
SAFE Security and Accountability For Every Port Act
SAL Security Assurance Level
SAVER System Assessment and Validation for Emergency Responders
SCADA supervisory control and data acquisition
SCMS security credential management system
SCOR Standing Committee on Research
SCOTSEM Special Committee on Transportation Security and Emergency Management
SFMTA San Francisco Municipal Transportation Agency
SRIA Sandy Recovery Improvement Act
SRS Systems Requirement Specification
SSEPP System Security and Emergency Preparedness Planning
SSI sensitive security information
SVA security vulnerability assessment
SWAT Special Weapons and Tactics
TEP Training and Exercise Plan
TERA Transportation Emergency Response Application
TMC traffic management center
TNT trinitrotoluene
TOMIE Tunnel Operations, Maintenance, Inspection, and Evaluation
TSM&O transportation systems management and operations
TSS Transportation Systems Sector
TSSSP Transportation Systems Sector-Specific Plan
TTT train-the-trainer
TTX tabletop exercises
TVA threat and vulnerability assessment
TVC threat, vulnerability, and consequence
UFC Unified Facilities Criteria
VBIED Vehicle-Borne Improvised Explosive Devices
VoIP Voice over Internet Protocol
VPN virtual private network
VTC video teleconferencing
WMD weapon of mass destruction
WME weapon of mass effect
Note: Photographs, figures, and tables in this report may have been converted from color to grayscale for printing. The electronic version of the report (posted on the web at www.trb.org) retains the color versions.

CONTENTS

Summary
Chapter 1 Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation
Chapter 2 Plans and Strategies
Chapter 3 Security Countermeasures
Chapter 4 Cybersecurity
Chapter 5 Workforce Planning and Training/Exercises
Chapter 6 Infrastructure Protection and Resilience
Chapter 7 Homeland Security Laws, Directives, and Guidance
References
Appendix Information Resources