National Academies Press: OpenBook
Page i
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R1
Page ii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R2
Page iii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R3
Page iv
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R4
Page v
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R5
Page vi
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R6
Page vii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R7
Page viii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R8
Page ix
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R9
Page x
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R10
Page xi
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R11
Page xii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page R12

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

2020 N A T I O N A L C O O P E R A T I V E H I G H W A Y R E S E A R C H P R O G R A M NCHRP RESEARCH REPORT 930 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Countermeasures assessment & seCurity experts, LLC New Castle, DE Western management and ConsuLting, LLC Madison, WI Subscriber Categories Data and Information Technology • Public Transportation • Security and Emergencies Research sponsored by the American Association of State Highway and Transportation Officials in cooperation with the Federal Highway Administration

NATIONAL COOPERATIVE HIGHWAY RESEARCH PROGRAM Systematic, well-designed, and implementable research is the most effective way to solve many problems facing state departments of transportation (DOTs) administrators and engineers. Often, highway problems are of local or regional interest and can best be studied by state DOTs individually or in cooperation with their state universities and others. However, the accelerating growth of highway transporta- tion results in increasingly complex problems of wide interest to high- way authorities. These problems are best studied through a coordinated program of cooperative research. Recognizing this need, the leadership of the American Association of State Highway and Transportation Officials (AASHTO) in 1962 ini- tiated an objective national highway research program using modern scientific techniques—the National Cooperative Highway Research Program (NCHRP). NCHRP is supported on a continuing basis by funds from participating member states of AASHTO and receives the full cooperation and support of the Federal Highway Administration, United States Department of Transportation. The Transportation Research Board (TRB) of the National Academies of Sciences, Engineering, and Medicine was requested by AASHTO to administer the research program because of TRB’s recognized objectivity and understanding of modern research practices. TRB is uniquely suited for this purpose for many reasons: TRB maintains an extensive com- mittee structure from which authorities on any highway transportation subject may be drawn; TRB possesses avenues of communications and cooperation with federal, state, and local governmental agencies, univer- sities, and industry; TRB’s relationship to the National Academies is an insurance of objectivity; and TRB maintains a full-time staff of special- ists in highway transportation matters to bring the findings of research directly to those in a position to use them. The program is developed on the basis of research needs identified by chief administrators and other staff of the highway and transportation departments, by committees of AASHTO, and by the Federal Highway Administration. Topics of the highest merit are selected by the AASHTO Special Committee on Research and Innovation (R&I), and each year R&I’s recommendations are proposed to the AASHTO Board of Direc- tors and the National Academies. Research projects to address these topics are defined by NCHRP, and qualified research agencies are selected from submitted proposals. Administration and surveillance of research contracts are the responsibilities of the National Academies and TRB. The needs for highway research are many, and NCHRP can make significant contributions to solving highway transportation problems of mutual concern to many responsible groups. The program, however, is intended to complement, rather than to substitute for or duplicate, other highway research programs. NCHRP RESEARCH REPORT 930 Project 20-59(51)A ISSN 2572-3766 (Print) ISSN 2572-3774 (Online) ISBN 978-0-309-48134-2 Library of Congress Control Number 2020935667 © 2020 National Academy of Sciences. All rights reserved. COPYRIGHT INFORMATION Authors herein are responsible for the authenticity of their materials and for obtaining written permissions from publishers or persons who own the copyright to any previously published or copyrighted material used herein. Cooperative Research Programs (CRP) grants permission to reproduce material in this publication for classroom and not-for-profit purposes. Permission is given with the understanding that none of the material will be used to imply TRB, AASHTO, FAA, FHWA, FMCSA, FRA, FTA, Office of the Assistant Secretary for Research and Technology, PHMSA, or TDC endorsement of a particular product, method, or practice. It is expected that those reproducing the material in this document for educational and not-for-profit uses will give appropriate acknowledgment of the source of any reprinted or reproduced material. For other uses of the material, request permission from CRP. NOTICE The research report was reviewed by the technical panel and accepted for publication according to procedures established and overseen by the Transportation Research Board and approved by the National Academies of Sciences, Engineering, and Medicine. The opinions and conclusions expressed or implied in this report are those of the researchers who performed the research and are not necessarily those of the Transportation Research Board; the National Academies of Sciences, Engineering, and Medicine; or the program sponsors. The Transportation Research Board; the National Academies of Sciences, Engineering, and Medicine; and the sponsors of the National Cooperative Highway Research Program do not endorse products or manufacturers. Trade or manufacturers’ names appear herein solely because they are considered essential to the object of the report. Published research reports of the NATIONAL COOPERATIVE HIGHWAY RESEARCH PROGRAM are available from Transportation Research Board Business Office 500 Fifth Street, NW Washington, DC 20001 and can be ordered through the Internet by going to https://www.nationalacademies.org and then searching for TRB Printed in the United States of America

The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, non- governmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president. The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. John L. Anderson is president. The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president. The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine. Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org. The Transportation Research Board is one of seven major programs of the National Academies of Sciences, Engineering, and Medicine. The mission of the Transportation Research Board is to provide leadership in transportation improvements and innovation through trusted, timely, impartial, and evidence-based information exchange, research, and advice regarding all modes of transportation. The Board’s varied activities annually engage about 8,000 engineers, scientists, and other transportation researchers and practitioners from the public and private sectors and academia, all of whom contribute their expertise in the public interest. The program is supported by state transportation departments, federal agencies including the component administrations of the U.S. Department of Transportation, and other organizations and individuals interested in the development of transportation. Learn more about the Transportation Research Board at www.TRB.org.

C O O P E R A T I V E R E S E A R C H P R O G R A M S CRP STAFF FOR NCHRP RESEARCH REPORT 930 Christopher J. Hedges, Director, Cooperative Research Programs Lori L. Sundstrom, Deputy Director, Cooperative Research Programs Stephan A. Parker, Senior Program Officer Stephanie L. Campbell, Senior Program Assistant Eileen P. Delaney, Director of Publications Natalie Barnes, Associate Director of Publications NCHRP PROJECT 20-59(51)A PANEL Field of Special Projects Eileen M. Phifer, Michigan DOT, Lansing, MI (Chair) Derial W. Bivens, Hickman, TN Mel A. Coulter, Idaho Transportation Department, Boise, ID Herby Gerard Lissade, California DOT, Sacramento, CA Carl D. Merckle, Ohio DOT, Columbus, OH Lorenzo G. Parra, Massachusetts DOT, Boston, MA Thomas H. Wakeman, III, New York, NY David W. Cooper, TSA Liaison Jeffrey King, FHWA Liaison Michael G. Dinning, Massachusetts Maritime Academy Liaison Gregory M. Jizba, U.S. Army Corps of Engineers Liaison William B. Anderson, TRB Liaison

NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies provides transportation managers and employees with an introductory-level reference document to enhance their working knowledge of security concepts, guidelines, definitions, and standards. The primer is for use primarily by those who are neither security professionals nor well versed in security language. Physical security is integral to an all-hazards approach to preparedness. Cybersecurity cannot be easily separated from physical security; policies and practices for responding to physical security breaches need to also address cybersecurity and incorporate considerations that a cyber incident may have occurred. As such, this report covers the major components of an effective security program at the conceptual level, including risk management and risk assessment; plans and strategies; security countermeasures; cybersecurity; workforce plan- ning and training/exercises; infrastructure protection and resilience; and homeland security laws, directives, and guidance. NCHRP Research Report 930 references the latest practice and guidance in infrastructure protection encompassing cyber and physical security. In 2012, the AASHTO Special Committee on Transportation Security and Emergency Management (SCOTSEM) adopted by formal ballot (as a committee report) TRB’s NCHRP Report 525, Volume 14: Security 101: A Physical Security Primer for Transportation Agencies (available at http://www.trb.org/Publications/Blurbs/162394.aspx). Since publication of NCHRP Report 525, Volume 14, there have been significant changes and a substantial increase in knowledge about surface transportation security. The decade- long effort to improve the state of security and emergency management practice in the transportation industry has produced new strategies, programs, and ways of doing business that have increased the security of our transportation systems as well as ensured their resiliency. NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies was prepared as a light update under NCHRP Project 20-59(51)A by Countermeasures Assessment & Security Experts, LLC, of New Castle, Delaware. It is accompanied by an overview PowerPoint deck and supported by NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies. F O R E W O R D By Stephan A. Parker Staff Officer Transportation Research Board

AAR after-action reports ARM analytical risk methodology ATO automatic train operation ATP automatic train protection ATR automatic train regulation ATS automatic train supervision ATSA Aviation and Transportation Security Act AVL automatic vehicle location BART Bay Area Rapid Transit BASE Baseline Assessment for Security Enhancement BYOD Bring Your Own Device CAD computer-aided dispatch CARVER Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability CBRN chemical, biological, radiological, or nuclear CCTV closed-circuit television CDC Centers for Disease Control and Prevention CE conventional explosives CERT Computer Emergency Readiness Team CFR Code of Federal Regulations CIIP critical information infrastructure protection CIP critical infrastructure protection CMM Capability Maturity Model COBIT Control Objectives for Information and Related Technology COG continuity of government COOP Continuity of Operations Plans CRR Cyber Resilience Review CSET® Cyber Security Evaluation Tool® CSIRT Computer Security Incident Response Team CSSP Control Systems Security Program CVE common vulnerabilities and exposures DDoS Distributed Denial of Service DHS-TRAM Department of Homeland Security terrorism risk analysis methodology DOJ Department of Justice DoS Denial of Service DOT Department of Transportation DSRC dedicated short-range communications E.O. Executive Order EAP emergency action plan EMAC Emergency Management Assistance Compact EMST Emergency Management Staff Trainer ERM enterprise risk management A B B R E V I A T I O N S

ESF Emergency Support Function ETA Employment and Training Administration FBI Federal Bureau of Investigation FE functional exercise FEMA Federal Emergency Management Agency FIOP Federal Interagency Operational Plan FTE full-time equivalent HID high-intensity discharge HMI human/machine interface HPS high pressure sodium HSEEP Homeland Security Exercise and Evaluation Program HSP hazard and security plan HSPD Homeland Security Presidential Directives HVAC heating, ventilation, and air conditioning ICS industrial control systems IED improvised explosive device IND improvised nuclear device INS Immigration and Naturalization Service IP Improvement Plan IRVS Integrated Rapid Visual Screening Series ISC Interagency Security Committee I-STEP Intermodal Security Training and Exercise Program IT information technology ITD Idaho Transportation Department ITS intelligent transportation systems JITT just-in-time training KCO key control officer KRA Key Results Areas KSA knowledge, skills, and abilities MAM mobile application management MARTA Metropolitan Atlanta Rapid Transit Authority MDM mobile device management MitFLG Mitigation Framework Leadership Group MnDOT Minnesota Department of Transportation MPO metropolitan planning organization MSEL Master Scenario Events List MSRAM maritime sector risk analysis methodology MTI Mineta Transportation Institute MTU master terminal unit NDRF National Disaster Recovery Framework NICCS National Initiative for Cybersecurity Careers and Studies NICE National Initiative for Cybersecurity Education NIMS National Incident Management System NIPP National Infrastructure Protection Plan NIST National Institute of Standards and Technology NRF National Response Framework NSTC National Science and Technology Council NSTS National Strategy for Transportation Security NTAS National Terrorism Advisory System OT operation technology

PDD Presidential Decision Directive PKEMRA Post-Katrina Emergency Management Reform Act PLC programmable logic controller PPD Presidential Policy Directive PPM parts per million PTO public transportation operator RDD radiological dispersion device RSF recovery support function RTU remote terminal unit SAFE Security and Accountability For Every Port Act SAL Security Assurance Level SAVER System Assessment and Validation for Emergency Responders SCADA supervisory control and data acquisition SCMS security credential management system SCOR Standing Committee on Research SCOTSEM Special Committee on Transportation Security and Emergency Management SFMTA San Francisco Municipal Transportation Agency SRIA Sandy Recovery Improvement Act SRS Systems Requirement Specification SSEPP System Security and Emergency Preparedness Planning SSI sensitive security information SVA security vulnerability assessment SWAT Special Weapons and Tactics TEP Training and Exercise Plan TERA Transportation Emergency Response Application TMC traffic management center TNT trinitrotoluene TOMIE Tunnel Operations, Maintenance, Inspection, and Evaluation TSM&O transportation systems management and operations TSS Transportation Systems Sector TSSSP Transportation Systems Sector-Specific Plan TTT train-the-trainer TTX tabletop exercises TVA threat and vulnerability assessment TVC threat, vulnerability, and consequence UFC Unified Facilities Criteria VBIED Vehicle-Borne Improvised Explosive Devices VoIP Voice over Internet Protocol VPN virtual private network VTC video teleconferencing WMD weapon of mass destruction WME weapon of mass effect

Note: Photographs, figures, and tables in this report may have been converted from color to grayscale for printing. The electronic version of the report (posted on the web at www.trb.org) retains the color versions. 1 Summary 4 Chapter 1 Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 41 Chapter 2 Plans and Strategies 54 Chapter 3 Security Countermeasures 88 Chapter 4 Cybersecurity 102 Chapter 5 Workforce Planning and Training/Exercises 148 Chapter 6 Infrastructure Protection and Resilience 163 Chapter 7 Homeland Security Laws, Directives, and Guidance 187 References 192 Appendix Information Resources C O N T E N T S

Next: Summary »
Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing and can impact not only data, but the control systems—like tunnel-ventilation systems—operated by transportation agencies.>

The TRB National Cooperative Highway Research Program's NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.

The report is accompanied by a PowerPoint for the project and NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!