NCHRP Report 525, Volume 14: Security 101: A Physical Security Primer for Transportation Agencies (TRB 2009) provided transportation managers and employees with an introductory-level reference document containing essential security concepts, guidelines, definitions, and standards. Since the guide was published, significant advances in transportation security approaches, including new strategies, programs, and ways of doing business, have increased the security and ensured the resiliency of transportation systems. This new understanding was summarized in Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience, and Emergency Management for State Departments of Transportation (AASHTO 2015a), which documented a security domain that had expanded to include the complementary topics of infrastructure protection and system resiliency.

Whereas the 2009 Security 101 primer focused on physical security, defending against the full spectrum of threats facing transportation systems today requires a more comprehensive approach encompassing cyber-physical systems security and cybersecurity aspects. The web-only NCHRP 221/TCRP 67: Protection of Transportation Infrastructure from Cyber Attacks: A Primer (TRB 2015, modified 2016) provided basic reference material concerning cybersecurity concepts, guidelines, definitions, and standards, and identified effective practices for protecting transportation systems from cyber events and mitigating damage should an incident or breach occur.

Recent guidance at the national level has redirected the focus and long-term direction of the security-related mission within transportation agencies. Since the publication of the Security 101 primer in 2009, a number of national-level directives and executive orders have been issued, each adding to the nation's complementary goals pertaining to transportation security, infrastructure protection, system resiliency, and emergency management.
Transportation agencies are in the process of understanding and incorporating the details of these policy directives and wrestling with their impacts on security and emergency management functions.

Hazards and threats to the system have also continued to evolve since the Security 101 primer was published. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes; accidents or unintentional human intervention; or intentional criminal acts (e.g., active shooter incidents). Today's transportation systems integrate cyber and physical components, and cyber risks are increasing, including the risk of a cyber incident impacting not only data, but the control systems operating physical infrastructure (e.g., tunnel ventilation systems).

This Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies provides valuable information about accepted practices associated with both physical security and cybersecurity and their applicability to surface transportation.

SUMMARY: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies
The main audience for this report is transportation personnel who do not have a security background but whose work requires them to address, perform, or supervise security activities as part of their overall job responsibilities. Although the document is designed for those with minimal or no formal security training or experience, it is sufficiently detailed to be of use to security professionals.

Each chapter addresses fundamental aspects of security strategy, management, or planning.

Chapter 1: Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation

Risk management is the appropriate starting point for any decision-making about security, infrastructure protection, and resilience. Chapter 1 provides background on risk management and information on risk assessment and how it can be used to improve decision-making in managing transportation physical and cyber assets. The chapter defines risks to transportation systems, explains risk management and associated processes, and provides agencies with an understanding of risk and its relationship to security, infrastructure protection, and resilience. It includes discussion of enterprise risk management (ERM) and use of a risk register, risk assessment frameworks, and the application of risk in asset management programs.

Chapter 2: Plans and Strategies

This chapter addresses security planning and strategies, including developing enterprise-wide approaches to cybersecurity enhancement and governance strategies. The chapter highlights the core components of a comprehensive security plan, current national frameworks, and strategies and guidance related to cybersecurity planning.

Chapter 3: Security Countermeasures

Chapter 3 discusses the many tools and countermeasures used to improve the security of critical infrastructure and facilities and other areas.
Physical security countermeasures include signs; emergency telephones, duress alarms, and assistance stations; key controls and locks; protective barriers; protective lighting; alarm and intrusion detection systems; electronic access control systems; and surveillance systems and monitoring. For nonpublic spaces, access control, perimeter security, intrusion detection systems, and similar technologies protect facilities from external losses.

The cybersecurity tools and countermeasures presented are based on NCHRP Web-Only Document 221/TCRP Web-Only Document 67: Protection of Transportation Infrastructure from Cyber Attacks: A Primer (TRB 2015; modified 2016) and ACRP Report 140: Guidebook on Best Practices for Airport Cybersecurity (TRB 2015a), which provide resources for airport managers and information technology (IT) staff to reduce or mitigate inherent risks of cyberattacks on technology-based systems. This information is supplemented with guidance and practices from other sources, such as National Institute of Standards and Technology (NIST) information security guides and DHS and FHWA cybersecurity recommendations.

Chapter 4: Cybersecurity

This chapter provides an overview of cybersecurity and its importance for transportation systems. It highlights common myths about cybersecurity and transportation systems to dispel misunderstandings and enable transportation agencies to improve the cybersecurity
and resilience of critical transportation infrastructure more efficiently and effectively. The chapter summarizes issues of particular relevance to transportation system cybersecurity, such as control systems and information technology, data security, cyber-physical systems, and emerging trends.

Chapter 5: Workforce Planning and Training/Exercises

Chapter 5 emphasizes the role of the workforce by highlighting its contribution to physical security and cybersecurity culture. The chapter contains information on developing and maintaining an effective security-aware and -focused transportation agency workforce, then focuses on workforce planning and awareness and training programs for physical security and cybersecurity personnel of state DOTs and transit agencies. Training delivery and evaluation issues, exercises, and the Homeland Security Exercise and Evaluation Program (HSEEP) are discussed, and a comprehensive checklist for a full-scale exercise is provided.

Chapter 6: Infrastructure Protection and Resilience

Chapter 6 provides an overview of the significant role transportation agencies have in infrastructure protection, such as controlling access to critical components, establishing coordination with law enforcement to ensure quick response to incidents, conducting risk and vulnerability assessments, and taking action to mitigate the effects of those risks and vulnerabilities. The chapter emphasizes the shift in focus from protection of assets to resilience of systems.

Chapter 7: Homeland Security Laws, Directives, and Guidance

This chapter contains an overview of public laws, presidential directives, and national frameworks and strategies that establish the legal authorities related to physical and cybersecurity.