Security 101: A Physical Security Primer for Transportation Agencies (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

18 Once the transportation agency has conducted its risk assessment, the next step is to develop a security plan. In this chapter, planning objectives are highlighted and the core components or elements needed to ensure that a comprehensive plan is developed are examined. Organizational roles and accountabilities are identified with an emphasis on plan maintenance. The chapter con- cludes with a multi-year overview of the security funding cycle that addresses both operating and capital considerations. Objectives of a Security Plan A security plan is a written document containing information about an organization’s secu- rity policies, procedures, and countermeasures. The plan should include a concise statement of purpose and clear instructions about agency security requirements. The stated objectives of the security plan need to be attainable and easily understood. The plan should identify intended users and their assignments, responsibilities, and authorities to act pursuant to the plan’s direc- tion. Creating a sound security plan is often as much a management issue as it is a technical one—It involves motivating and educating managers and employees to understand the need for security and their role in developing and implementing an effective and workable security process. Organizational leaders must ensure that security planning is an actual functional activity and part of the agency’s culture. In the transportation environment, the objective of security planning is to ensure both the integrity of operations and the security of assets. Planning for security should result in the integra- tion of protective systems and processes into the organization’s daily business routine. The security plan should also ensure that agency personnel can respond effectively to security-related incidents or emergency conditions. The Public Transportation System Security and Emergency Preparedness Planning Guide (SSEPP) published in 2003 by the Department of Transportation, Federal Transit Administration, contains the following statement of purpose: COMMIT to a program that enables the public transportation system to: • PREVENT incidents within its control and responsibility, effectively protect critical assets; • RESPOND decisively to events that cannot be prevented, mitigate loss, and protect employees, passengers, and emergency responders; • SUPPORT response to events that impact local communities, integrating equipment and capabilities seamlessly into the total effort; and • RECOVER from major events, taking full advantage of available resources and programs. C H A P T E R 2 Plans and Strategies

Plans and Strategies 19 The SSEPP describes security planning as “more of a process than a product.” This approach coincides with a vision of a security plan being a dynamic document continually under review and subject to change. In developing the security plan, the need for flexibility should be rein- forced. Alternatives and options should be incorporated into the plan to make the organiza- tion flexible and capable of responding to various situations or unexpected events. Benefits of a Security Plan The most significant benefit of having a security plan is the help it provides in ensuring that security is integrated into the daily business of the transportation agency. The security plan directs personnel toward prevention and mitigation of the effects of secu- rity incidents by integrating approaches that have proven effective into the operating environment. Security must compete with other system goals, including those of the operations department, engineering, maintenance and others, for limited resources and available funding. Because security is a functional area with little observable return on investment, it can be difficult to balance security costs against other more traditional or bottom line-enhancing transportation agency initiatives. Security initiatives must be seen as cost-effective and well defined in order to compete successfully. Developing a security plan is an effective way to meet cost-benefit and com- petitive resource challenges. The plan can also reduce litigation risk and insurance costs. When the security plan is well struc- tured and soundly developed using the appropriate strategies and elements, the resulting product can be a blueprint for short- term and multi-year security planning. The security plan can address how future purchases would fit into the overall agency operating and capital invest- ment strategy. Security planning also sets out the policies and procedures related to security and any special requirements or considerations unique to the specific agency. The security plan directs personnel toward preventing and mitigating the effects of security incidents by identifying security countermeasures and emergency preparedness response activities that should be taken to protect the transportation system, its employees and customers, and the surrounding communities. Elements of a Security Plan In developing an effective security plan it is necessary to establish what the essential plan ele- ments are for the organization. TCRP Report 86, Volume 10: Hazard and Security Plan Workshop provides an excellent overview of the transportation security planning process. The document also presents a template for Hazard and Security Plan (HSP) development. The template is designed to help transportation programs and transit agencies implement what it describes as the four core planning development functions: • Establishing priorities, • Organizing roles and responsibilities, • Selecting countermeasures and strategies, and • Maintaining the plan. Security Plan Benefits • Defines resource requirements for staffing and equipment • Coordinates the activity of different depart- ments and functions • Establishes action steps for employees in response to an incident • Promotes understanding of the issues involved during a crisis • Identifies information requirements for security incidents • Promotes a sense of ownership and buy-in by employees • Ensures a clear division of tasks and responsibilities • Identifies training requirements

20 Security 101: A Physical Security Primer for Transportation Agencies Establishing Priorities As shown in Figure 2-1, plan development starts with identifying the purpose of the document. Although the plan should be flexible enough to cover a broad range of security incidents, the best way to ensure plan effectiveness is to use a prioritized scenario-based list of critical event types to drive plan activity. This list should consist of events considered routine and most likely to occur, as well as those that may occur less frequently but with far-reaching consequences. The HSP identifies the objectives of this phase of security planning as • Create a written statement of purpose covering routine and emergency situations. • Define the situations that the hazard and security plan will cover. • Look at assumptions about the situations surrounding the use of the plan. • Discuss how an organization plan fits into the overall community security and emergency plan. Figure 2-1. Hazard and security plan development. Source: TCRP Report 86, Volume 10, Public Transportation Security Hazard and Security Plan Workshop, 2006

Plans and Strategies 21 Organizing Roles and Responsibilities In this phase of planning, key personnel and their security roles and responsibilities are deter- mined. Incident-based priority security tasks should be listed and assigned to a specific individ- ual known as the primary or principal. Secondary responsibility should be assigned to other individuals whose ability to perform will not be compromised by the loss of the primary. Inter- dependencies of functions should be delineated between departments and coordinating points established to facilitate liaison in areas of overlapping responsibility. Planners should ensure that this section of the plan provides clear and concise direction to assigned personnel regarding their primary and secondary duties. The goal is to achieve the stated objectives and security require- ments of the plan under all potential operating conditions or scenarios. The HSP identifies the objective of this phase of the security plan as development of an organizational structure, with a clearly defined chain of command and designated roles and responsibilities, containing • Responsibilities • Continuity of services, including – Designating lines of succession and delegating authority for the successors – Developing procedures for relocating essential departments – Developing procedures for deploying essential personnel, equipment, and supplies – Establishing procedures for backup and recovery of computer and paper records • Contact information Selecting Countermeasures and Strategies Consistent with emergency management principles, the risk and vulnerabilities reduction measures and strategies associated with transportation sector security planning should follow the five stages of protection activity—prevention, mitigation, preparedness, response, and recov- ery. Security planners should select countermeasures keeping in mind the concepts of system security, layered or overlapping security, and system integration. The HSP identifies the objec- tives of this phase of the security plan as follows: • Part A: Prevention – Examine activities to reduce the likelihood that incidents will occur. – Establish safe and secure procedures for passengers, vehicles, drivers, and facilities. • Part B: Mitigation – Examine activities to reduce asset loss or human consequences (such as injuries or fatali- ties) of an incident. – Establish safe and secure procedures for passengers, vehicles, drivers, and facilities. • Part C: Preparedness – Examine preparedness activities to anticipate and minimize the effects of security-related incidents and equip employees to better manage these incidents. – Establish emergency policies and procedures for passengers, employees, and management to follow in case of emergencies. – Keep training, drills, and contact lists up to date. – Establish and maintain mutual aid agreements with fire departments, emergency medical services, and emergency management services. • Part D: Response – Examine activities used to react to security-related incidents and hazards and help protect passengers, employees, the community, and property. – Establish what information is to be collected by which employee. – Ensure that policies and procedures established in the mitigation and preparedness por- tions of the HSP are followed.

22 Security 101: A Physical Security Primer for Transportation Agencies • Part E: Recovery – Examine policies to assist in recovering from incidents that have occurred so service can resume as quickly as possible. – Establish a review of policies, documents, plans, and vehicles. – Evaluate response and oversee recovery and restoration of personnel, service, vehicles, and facilities. Maintaining the Plan Finally, the agency must ensure that security plans remain current and responsive to the dynamic changes that can occur in the transportation operating environment while creating a process that will support plan consistency with the future needs of the agency. Optimally, plans will be scala- ble and upgradable on a flexible timeline that has sufficient sensitivity to external security factors to allow for as-needed adjustments. The HSP recommends programmatic scheduled plan review periodically—at least every 6 months to a year. The document also provides guidelines on how this review should be conducted; suggested steps are as follows: • Identify areas to update. • Determine completeness. • Reassess roles and responsibilities. • Review factual information (especially names and phone numbers included in the plan). • Reevaluate employee knowledge and awareness (training assessments, for example). • Revise programs and procedures included in the HSP. The HSP also suggests that the occurrence of certain events may require planners to accelerate the scheduled conduct of a review. Such events include • The addition of members inside the organization and outside the organization who have spe- cific roles outlined in the HSP (e.g., a new general manager or a new local fire chief); • New operations or processes that affect the HSP (e.g., a new bus line); • New or renovated sites or changes in layout (e.g., a new bus garage or office building); and • Changes with outside agencies, new suppliers, vendors, etc. (e.g., a new memorandum of understanding (MOU) signed with the local sheriff’s department). Security Design Processes A security system should be designed only after a risk assessment has been performed and a comprehensive security plan has been designed. Until these tasks have been completed, the data available will not be sufficient to permit good decisions about security strategies. In a perfect world, strategy is data driven. In business, it is a commonly accepted practice (e.g., “what cannot be measured cannot be managed”). However, the security industry has been slow to use mea- surable factors in reducing risk. because of difficulties in establishing security-related metrics. Chapter 1 discussed risk insurance and the two types of risk cost-benefit analysis methods— quantitative and qualitative. Quantitative analysis is a numbers- or experience-based probabil- ity assessment that uses previously collected information to forecast the likelihood of a security event. The goal of quantitative security design is to decrease the ratio of unfavorable security events to total events through the analysis of data related to the known frequency of occurrence of a particular type of security incident. Once the probability aspects of a security incident have been defined, cost analysis is undertaken to rate the actual amount of loss against the costs of prospective security countermeasures available to reduce the risk associated with an occurrence. In contrast, qualitative analysis is based on characteristics, conditions, and events rather than numeric assessment. This form of analysis demands an in-depth knowledge of the organization

Plans and Strategies 23 being assessed and an understanding of the operating environment in which work is performed. By default, qualitative analysis is the most widely used approach to risk analysis in the security industry. Some believe that qualitative analysis is sufficient and perhaps preferred to address the protection of lower value assets; however, in the most rigorous of applications, its use is by necessity because of an inherent inability to perform quantitative analysis. Whenever feasible, a quantitative analysis based on the col- lection of objective data should be considered first in the performance of secu- rity risk analysis. A typical qualitative assessment assigns relative values to assets based on factors such as criticality of loss and replacement costs. Threats against those assets are also given a relative value based on their probability of occurrence. The result is a risk equation that computes risk as a function of impact and like- lihood of occurrence. Qualitative analysis depends on the capabilities of the analyst performing the assessment. Such analysis is more subjective because of the lack of historical information or metric data to support its assumptions. Fortunately, in most circumstances, precision can give way to the grouping of the outcomes of qualitative relative value ratings into categories such as high, medium, or low. Although knowledge of an agency’s characteristics may be more important to qualitative analysis, irrespective of the type of assessment conducted, security strat- egy design requires transportation agencies to determine which security issues faced are most critical. Once identified, a strategy and timeline for reducing risks and vulnerabilities can be established. The goal of a security design strategy should be the logical and incremental “buy down” of security risk so as to provide accept- able levels of protection for transportation agency assets and operations on a con- tinuing basis. Risk buy down should be focused on what is of priority to the organization to ensure maximized performance levels are maintained. Cost- effective security systems use a combination of countermeasures to meet secu- rity requirements. These normally include security staffing, training of employees, hardware (including electronic security systems), and security policies and procedures. Secu- rity design today demands that these component security resources be attained and then combined in a systematic way that can achieve security objectives while minimizing costs. System security should start with the basics consisting of those countermeasures that are most effective for the least amount of money, as outlined in Figure 2-2. RISK = IMPACT × LIKELIHOOD LIKELIHOODIMPACT Low Medium High High Most Critical and Most Probable Medium Low Least Critical and Least Probable Likelihood and Impact of Loss Figure 2-2. Security countermeasures cost scale.

24 Security 101: A Physical Security Primer for Transportation Agencies Then, using assessment data obtained through analysis, the agency adds more costly system components until the level of security required to protect critical assets has been met. But devel- oping a systems approach to security is more challenging than simply costing out security counter- measures into a hierarchy and applying them to an existing security vulnerability or situation. Transportation security issues are dynamic and evolving. Changing characteristics, conditions, and events require the synthesis of available resources in order to compensate for the weaknesses or loss of capabilities of one security countermeasure for the other. “Layered security” (also referred to as overlapping security) enables security design strategists to overcome uncertainty in security resource allocation and decisionmaking. For example, the protection of a critical transportation asset such as a fuel depot may be accomplished first by establishing a procedure that employees must be present at the depot during all hours of oper- ation without exception. During after hours, fencing, gates, lights, and locks would be used to secure the fuel facility. Finally security patrols would make periodic checks at the facility as an additional protective measure. If specific threats are received that the fuel depot is a target of attack, the configuration of security countermeasures can be adjusted to meet the new security requirements. Assuming the facility remains open, additional staff could be assigned to be present at all times. Gates could be locked during hours of operation and identification checked for all persons seeking to enter the depot. Security forces could be permanently assigned to remain on the grounds. In this simplified scenario, increased vigilance is made pos- sible by the layers of overlapping security capabilities that already exist. However, the redeployment of personnel to increase the secu- rity at the fuel depot degrades security countermeasures available to protect the agency’s other assets. Sizing the scope of this potential loss of security resource dur- ing critical periods becomes an important part of the agency’s security design strategy. Overlapping security does not end with the layering of security countermeasures alone. As pointed out in Making the Nation Safer, “transportation security can best be achieved through well-designed security systems that are integrated with transportation operations.” (pg. 214) The text goes on to describe security methods and techniques that are “dual use, adaptable and opportunistic” (pg. 220) as optimal in the diverse and dynamic transportation sector. A “sys- tem” can be defined as “an integrated collection of components or elements designed to achieve an objective according to a plan.” (Design and Evaluation of Physical Protection Systems, April 2001, Mary Lynne Garcia) Systems can be small or large, complex or relatively simple. Complex systems usually are composed of smaller subsystems designed to work together. In the trans- portation sector, security systems integration can include the convergence of classic functions (e.g., safety, crime prevention, fire prevention, communications, and facility management) with functions unique to the industry (e.g., fleet management, package and cargo tracking and con- trol, or dispatching operations). When considering the opportunities for integrating security with other transportation functions, it is important to recognize that the synergies that can be achieved are two-directional. Security-related technologies and procedures can be integrated with existing or newly created systems to produce non-security benefits and non-security sys- tems or subsystems can be applied more broadly to reducing security risks and vulnerabilities. Central to this concept of security systems integration is recognition that, prior to making new investments, existing systems and functions should be surveyed in order to explore opportuni- ties for expanded use. For example, rather than deploying costly new surveillance systems, cam- eras, and monitoring stations, a bridge operator whose function is to safely raise or lower a bridge over navigable waters may be given new security inspection requirements to periodically check Layered Security for a Fuel Depot FUEL DEPOT TOTAL SECURITY SYSTEM Daytime Staffing Fencing Gates and Locks Security Patrols Protective Lighting

Plans and Strategies 25 for signs of forced entry to bridge access points. Depending on the criticality of the bridge in terms of transportation operations, this approach may be optimal. The design of an integrated security system is properly performed through a structured methodology known as system engineering. Security-related system engineering is defined as the protection of physical infrastructure components and logical structures and processes from threats and vulnerabilities. (Garcia, 2001) The process begins with defini- tion of requirements, continues through to design and analysis of multiple potential solu- tions, and ends with selection and testing of the best design to meet requirements and goals and then begins again. Security Funding The familiar axiom “If you fail to plan, then plan to fail” applies to transportation security. The FTA’s SSEPP states the issue even more succinctly: “Plan first, then spend.” Security is highly sensitive to adverse consequences and prone to reactionary influences that may or may not result in an appropriate response to an incident. Crisis response to a security incident or series of secu- rity incidents demands that we exercise good judgment and sound policy so that we don’t spend money carelessly or ineffectively. Security practitioners and risk management professionals rec- ognize that it can be difficult to establish the value of a specific security countermeasure or activ- ity. This difficulty is compounded when measures are grouped together or security is layered in a protective system. But quantifying the operating costs, savings, and/or revenues that will result from project implementation and incorporating those results into financial planning will ensure that security funding is considered on balance with other agency funding priorities. Security pro- grams should be well thought out and sustainable over a predetermined term. The objectives and integration of security with other operating disciplines and management processes should be conducive to the overall goals of the transportation agency. Optimally, overlapping security funding cycles should be considered. At minimum the agency should conduct security planning on a 1-year basis for both operating and capital and on a 5-year basis for capital improvements. (Some transportation organizations may use as much as a 1-year, 3-year, 5-year, and 10-year capital investment planning strategy). Accomplishing both short- and longer term planning will provide continuity and a structured methodology for bal- ancing the cost and effectiveness of security measures against the capabilities of the transporta- tion organization to fund security improvements. In relation to security, most costs associated with short-term operating funding cycles are labor related. For a transportation agency that maintains its own police or security force, these operating costs can run as high as 90 to 92% of budget allocation. But determining the correct number of police and security employees is highly contingent on the threats and vulnerabilities of the agency balanced against the mix of security measures that have been deployed to reduce security risk. In particular, the trans- portation agency must weigh the costs of security personnel against the prospective use of other less-costly security countermeasures, such as improved policies and procedures, employee security awareness training, or security systems, including locks, access control, or intrusion detection systems. Just like an operating budget, and in conjunction with operating budget development, plan- ning and management of the capital improvement plan should occur in a regular, annual cycle. It is here that often security funding meets its most significant challenges in the allocation of available resources. When possible, security expenditure recommendations at this stage in the funding cycle should contribute to the overall efficiency of the transportation agency in the performance of its core mission, goals, and objectives. Although not always the case, certain SYSTEM ENGINEERING Design and Analysis Selection and Testing Requirements System Engineering

26 Security 101: A Physical Security Primer for Transportation Agencies security measures such as increased lighting, improved communications, passenger flow gat- ing, or simply directional signs can serve the dual purpose of adding to the effectiveness of ser- vice delivery. Five-year capital planning is the point in the funding cycle where an agency can take best advantage of the development of a security plan. Longer term security improvements that seek to reduce the vulnerabilities of an agency’s transportation critical infrastructure can be designed as components of larger systems and subsystems that are central to the strategic future of the organization. For example, an out-year strategy to replace the soon-to-be-antiquated or ineffi- cient traffic control center of an agency can be augmented by the addition of security improving closed-circuit television (CCTV) technology that permits traffic controllers to observe the oper- ating conditions at train stations or along bus routes. Similarly, a decision by management to invest in Automatic Vehicle Locator (AVL) technology for rolling stock can serve the important security and emergency response benefit of identifying the exact location of a vehicle in distress on the system. Thinking about security improvements in this way also facilitates the cost-effective designing-in of security measures at the outset of capital projects, instead of spending significantly more money to retrofit security into existing infrastructure. Security systems in and of them- selves also require multi-year planning to ensure their effectiveness and continued usefulness. The replacement or upgrading of security system components should be contemplated as a con- tinuous process that is capable of meeting the stated physical protection system requirements of the organization and flexible enough to respond to the changing security threats and vulnerabil- ities that occur over time.