Summary

NCHRP Report 525, Volume 14: Security 101: A Physical Security Primer for Transportation Agencies (2009) provided transportation managers and employees with an introductory-level reference document containing essential security concepts, guidelines, definitions, and standards. Since the guide was published, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency. This new understanding was summarized in the 2015 Fundamental Capabilities of Effective All Hazards Infrastructure Protection, Resilience and Emergency Management for State DOT report, which documented a security domain that has now expanded to include the complementary topics of infrastructure protection and system resiliency.

Also, while the 2009 Security 101 primer focused on physical security, defending against the full spectrum of threats facing transportation systems today requires a more comprehensive approach that adds cyber-physical systems security and cybersecurity to the physical security discussion. NCHRP Report 221/TCRP Report 67: Protection Of Transportation Infrastructure From Cyber Attacks: A Primer (2015) provided transportation organizations with basic reference material concerning cybersecurity concepts, guidelines, definitions and standards, and identified effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an incident or breach occur. Recent guidance at the national level has redirected the focus and long-term direction of the security-related mission within transportation agencies.
Since the publication of the Security 101 primer in 2009, a number of national level directives and executive orders have been issued, each one adding to the nation's complementary goals pertaining to transportation security, infrastructure protection, system resiliency and emergency management. Transportation agencies are in the process of understanding and incorporating the details of these policy directives and are wrestling with their impacts on on-going security and emergency management functions.

Hazards and threats to the system have also continued to evolve since the Security 101 Primer was published. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, accidents or unintentional human intervention or intentional criminal acts (e.g., active shooter incidents). Because today's transportation systems integrate cyber and physical components, cyber risks are increasing, and include the risk of a cyber incident impacting not only data, but the control systems operating a portion of the physical infrastructure operated by transportation agencies (e.g., tunnel ventilation systems).

This update to Security 101: A Physical Security Primer for Transportation Agencies provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation. The main audience for this document is transportation personnel without a security background whose work requires them to address, perform, or supervise security activities as part of their overall job responsibilities. Although the document is designed for those with minimal or no formal security training or experience, the guide is also a handy reference guide sufficiently detailed to be of use to security professionals as well.
Each chapter addresses fundamental aspects of security strategy, management, or planning.
Chapter 1 Risk Management and Risk Assessment

Risk management is the appropriate starting point for any decision-making about security, infrastructure protection, and resilience. This chapter provides background on risk management and information on risk assessment and how it can be used to improve decision making in managing transportation physical and cyber assets. The information contained in the chapter defines risks to transportation systems, explains risk management and associated processes, and provides agencies with an understanding of risk and its relationship to security, infrastructure protection, and resilience. The chapter includes discussion on enterprise risk management and use of a risk register, risk assessment frameworks, and the application of risk in asset management programs.

Chapter 2 Plans and Strategies

This chapter addresses security planning and strategies including developing enterprise-wide approaches to cybersecurity enhancement and governance strategies. The chapter highlights the core components of a comprehensive security plan, current national frameworks, strategies and guidance related to cybersecurity planning.

Chapter 3 Security Countermeasures

This chapter discusses the many tools and countermeasures used to improve the security of critical infrastructure and facilities, and other areas. Physical security countermeasures include signs; emergency telephones, duress alarms, and assistance stations; key controls and locks; protective barriers; protective lighting; alarm and intrusion detection systems; electronic access control systems; and surveillance systems and monitoring. For nonpublic spaces, access control, perimeter security, intrusion detection systems, and other similar types of technology are deployed to protect facilities from external losses.
Cybersecurity tools and countermeasures available to address transportation systems are based on Protection Of Transportation Infrastructure From Cyber Attacks: A Primer (NCHRP 221/TCRP 67, 2015), a basic reference material concerning cybersecurity concepts, guidelines, definitions and standards and on the Guidebook on Best Practices for Airport Cybersecurity (ACRP Report 140, 2015) that provides resources for airport managers and IT staff to reduce or mitigate inherent risks of cyberattacks on technology-based systems. This information is supplemented with guidance and practices from other sources such as NIST Information Security guides and DHS or FHWA cybersecurity recommendations.

Chapter 4 Cybersecurity

This chapter provides an overview of cybersecurity and why it is important for transportation systems. It highlights common myths about cybersecurity and transportation systems to dispel misunderstandings so as to enable transportation agencies to more efficiently and effectively improve the cybersecurity and resilience of critical transportation infrastructure. The chapter also contains a summary of issues of particular relevance to transportation system cybersecurity such as Control Systems and Information Technology, data security, cyber-physical systems and emerging trends.

Chapter 5 Workforce Planning and Training/Exercises

This chapter emphasizes the role of the workforce by highlighting its contribution to security and cybersecurity culture. It contains information on developing and maintaining an effective security-aware and focused transportation agency workforce and then focuses on workforce planning and awareness and training programs for physical security and cybersecurity personnel of state DOTs and transit agencies. Training delivery and evaluation issues, and exercises, exercise types, and HSEEP are also discussed, and a comprehensive checklist for a Full-Scale exercise is provided.

Chapter 6 Infrastructure Protection and Resilience

This chapter provides an overview of the significant role transportation agencies have in infrastructure protection such as controlling access to critical components, establishing coordination with law enforcement to ensure quick response to incidents, conducting risk and vulnerability assessments, and taking action to mitigate the effects of those risks and vulnerabilities. It also includes information to assist transportation agencies in understanding the impact of a shift in focus from protection of assets to resilience of systems.

Chapter 7 Homeland Security Laws, Directives, and Guidance

This section contains an overview of public laws, presidential directives, national frameworks and strategies that establish the legal authorities related to physical and cybersecurity.