Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
4 Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation Risk in the broadest sense is defined as âthe possibility of loss or injury.â When something of value is identified as âat risk,â there is a presumption that the asset has been placed in a condition that creates or suggests the chance of loss or peril. In terms of security, transportation agencies face two main categories of risk, physical and cyber. In practice, the two types operate in dynamic confluence, with loss or injury occurring in many cases through either a physical or cyber threat, or through a convergence of both. Determining the optimal means to manage security risk is the appropriate starting point, irrespective of the type of threat. Before any plans are made or dollars spent, security planners must become knowledgeable about the nature of risks confronting the agency and the tactics or techniques available to respond to present or potential security challenges. Physical security risk consists of the much narrower category of possible loss events that result from the intentional harmful acts of other persons. It requires an actor; motivation to do harm; and, to constitute actual risk, a capability or opportunity to accomplish the adverse act. The crime of robbery is a good example. For a robbery to have occurred there must be an actor with the intent of taking something of value by force from a victim. Assume the robber has a gun and threatens to shoot the victim if he does not turn over his money. There is a criminal actor; the verbal threat to shoot indicates there is motivation to do harm; and the gun represents the capability to commit the act. Comparatively, a much broader safety-related risk may consist of a potential accidental release of a chemical substance into the atmosphere, or bad weather that causes a hazardous condition such as icy roads. In such cases there was no intent by an individual to harm another. Security risk is threat-based as opposed to hazard-based. Cybersecurity risk is also based on the commission of intentional acts. The risk of cyberattack committed by criminals, hacktivists, terrorists, hostile nation-states, or even individuals seeking self- recognition for technology prowess has become a top concern for governments and private industry throughout the world. Coupled with outcomes or consequences resulting from unintentional acts or disruptions caused by natural events, the landscape for securing the IT critical infrastructure and associated control systems becomes more daunting day by day. As the United States and its indus- tries have become more entangled in the confluence of the internet, the ways people interface and communicate have changed demonstratively. Business has been revolutionized and the world has grown smaller, faster, and more complex because of the connectivity enabled by information tech- nology systems. However, along with an increased capacity to communicate and interface, tech- nologies and control operating systems come with an extended set of vulnerabilities that are subject to exploitation. The inherent, sometimes unintentional, and often sought-after openness and acces- sibility of IT and industrial control systems (ICS) have created significant opportunities for attackers to penetrate, commandeer, or otherwise neutralize the effectiveness or security of cybersystems. C H A P T E R 1
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 5 The transportation industry has not been excepted from this exponential growth in risk associ- ated with cyber, IT, and ICS. There have been many reported instances of direct attacks targeting transportation or occurrences in which downside exposure has resulted from exploitations of com- mon, distributed, or shared multi-industry user technologies. Similarly, broad mainstream attacks against widely used information systems or communications technologies have impacted transpor- tation industry operations along with other industries. Transportation ICS, which depend increas- ingly on the digital world to function, present additional concerns because cyber manipulations of control systems can cause serious injury or death to users of transportation systems. But what is risk management, and how does it differ from risk assessment or vulnerabil- ity assessment? Understanding these relationships is an essential component of establishing an effective transportation security and defense strategy. In practice, the terms are often confused or used interchangeably, creating unnecessary communications difficulties. Risk management, in the context of physical and cybersecurity, consists of the range of activi- ties that a transportation agency can undertake to resolve identified security risks. Although there are variations in application, the risk management process for both physical and cyber risks requires consideration and adoption of many of the same security principles. Optimally, risk should be viewed in the context of transportation business and environmental control factors, resulting in recommendations for risk response options. Response options include risk avoidance, acceptance, transfer/insurance, dependency and spreading, and reduction strategies, including assessment (Figure 1-1). Risk avoidance, the simplest of all solutions for eliminating risk, consists of refraining from engaging in a risky activity in the first place. In the robbery scenario, for example, implement- ing a cashless fare system would eliminate the risk of loss of cash in the transportation system revenue stream. Similarly, in a scenario in which cyber risk is presented by technological auto- mation of an operational system, the alternative of a non-cyber-controlled ventilation system would eliminate the cyber-related risk of automating fan mechanisms. Risk acceptance requires no real action to be taken by the organization. But acceptance should be based on a knowledgeable and responsible recognition of the probability and impact of perceived adverse physical or cyber events. Typically, cost-benefit analysis can determine the tipping point where expending funds to fix a problem exceeds the return on investment the mitigation achieves. Risk transfer is the use of insurance to transfer all or parts of liability to another business or entity. Transfer is one of the traditional market mechanisms for estimating, pricing, and distrib- uting risk. Risks related to natural hazards such as fire, earthquake, or flood have been identified and assessed, and quantitative actuarial data about these incidents has been amassed to evaluate potential losses. However, the process of understanding and managing terrorism risk remains difficult. Currently, terrorism risk insurance is available only on a limited basis because there is relatively little experience or actuarial data from which to draw conclusions. Prospective buyers of terrorism risk coverage do not have a reasonable basis for estimating their insurance needs. Similarly, sellers of insurance do not have a reliable means for costing out terrorism risk coverage. In contrast to terrorism coverage, cybersecurity coverage is one of the fastest-growing lines of insurance. According to the 2017 Betterley Report, the annual gross written premium is $4 billion, up from $3.25 billion in the 2016 report (International Risk Management Institute 2017). Particularly for companies that hold customer personal dataâor even companies with data on large numbers of employeesâcoverage for credit card numbers, medical information, and social security numbers can cost more. Reputational risk, however, cannot be transferred. Risk dependency and spreading considers that coordinated collaboration among physical and cybersecurity stakeholders, including end-user operators, security practitioners, designers,
6 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies manufacturers and distributors, integrators, standards organizations, and government regula- tors, can result in the identification of defensive strategies to effectively reduce security risk. Maximizing the accountability of all stakeholders in the supply chain presents the opportu- nity for a strong and systematized approach to managing risk that is both highly efficient and cost-effective. Risk reduction is the implementation of actions that lower the risk to an agency. In relation to security, it is also frequently informed by risk assessment; threat, vulnerability, and consequence (TVC) assessment; or threat and vulnerability assessment (TVA) (Figure 1-2). Risk assessment is a systematic process that includes identifying and valuating assets, enumerating credible threats to those assets, documenting applicable vulnerabilities, describing potential impacts or conse- quences of a loss event, and producing a qualitative or quantitative analysis of resulting risks. Source: Adapted from TRB 2009. Figure 1-1. Risk management/risk mitigation strategies. Source: National Research Council 2010. Figure 1-2. Risk equation.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 7 Risks are generally reported in order of priority or severity and attached to some description of a level of risk. Risk assessment answers the questions: What can go wrong? What is the likelihood that it would go wrong? What are the consequences? The DHS defines risk assessment as having three components (National Research Council 2010). â¢ Threat assessment is âa systematic effort to identify and evaluate existing or potential terrorist threats to a jurisdiction and its target assets.â Importantly in the context of terrorism, in the absence of threat there is no actual risk of loss or injury. But transportation agencies typically consider threat more broadly, to include threats of criminal as well as terrorist activity. Threat definition focuses on two areas: threat scenarios based on real events or perceived exposures, and identification of likely adversaries, tactics, and capabilities. â¢ Vulnerability assessment is âthe identification of weaknesses in physical structures, person- nel protection systems, processes, or other areas that may be exploited by terrorists.â Such weaknesses can occur in facility characteristics, equipment properties, personnel behavior, locations of people and equipment, or operational and personnel practices. â¢ Consequence assessment is âan analysis of the immediate, short- and long-term effects of an event or event combination on an asset.â It is an estimate of the amount of loss or damage that can be expected. A mainstay of both physical and cybersystems security, risk reduction depends primarily on the TVC assessment of an event or series of events to identify opportunities to reduce or mitigate associated losses. Organizations conduct risk assessments to determine risks that are common to the organizationâs core missions and business functions, mission and business processes, mission and business segments, common infrastructure and support services, or information systems. Risk assessment is a function of frequency or likelihood and probability and analysis of consequences. NISTâs Special Publication 800-30: Guide for Conducting Risk Assessments summarizes the steps associated with cyber risk assessment (NIST 2012). Step 1: Prepare for Risk Assessment â¢ Task 1-1. Identify PurposeâIdentify the purpose of the risk assessment in terms of the infor- mation the assessment is intended to produce and the decisions the assessment is intended to support. â¢ Task 1-2. Identify ScopeâIdentify the scope of the risk assessment in terms of organizational applicability, time frame, and architectural/technological considerations. â¢ Task 1-3. Identify Assumptions and ConstraintsâIdentify the specific assumptions and constraints under which the risk assessment is conducted. â¢ Task 1-4. Identify Information SourcesâIdentify the sources of descriptive, threat, vulner- ability, and impact information to be used in the risk assessment. â¢ Task 1-5. Identify Risk Model and Analytic ApproachâIdentify the risk model and analytic approach to be used in the risk assessment. Step 2: Conduct Risk Assessment â¢ Task 2-1. Identify Threat SourcesâIdentify and characterize threat sources of concern, including capability, intent, and targeting characteristics for adversarial threats and range of effects for non-adversarial threats. â¢ Task 2-2. Identify Threat EventsâIdentify potential threat events, relevance of the events, and threat sources that could initiate the events. â¢ Task 2-3. Identify Vulnerabilities and Predisposing ConditionsâIdentify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts.
8 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies â¢ Task 2-4. Determine LikelihoodâDetermine the likelihood that threat events of concern result in adverse impacts, considering: (1) the characteristics of the threat sources that could initiate the events; (2) the vulnerabilities/predisposing conditions identified; and (3) the orga- nizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events. â¢ Task 2-5. Determine ImpactâDetermine the adverse impacts from threat events of concern, considering: (1) the characteristics of the threat sources that could initiate the events; (2) the vulnerabilities/predisposing conditions identified; and (3) the organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events. â¢ Task 2-6. Determine RiskâDetermine the risk to the organization from threat events of concern considering: (1) the impact that would result from the events; and (2) the likelihood of the events occurring. Step 3: Communicate and Share Risk Assessment Results â¢ Task 3-1. Communicate Risk Assessment ResultsâCommunicate risk assessment results to organizational decision-makers to support risk responses. â¢ Task 3-2. Share Risk-Related InformationâShare risk-related information produced during the risk assessment with appropriate organizational personnel. Step 4: Maintain Risk Assessment â¢ Task 4-1. Monitor Risk FactorsâConduct ongoing monitoring of the risk factors that con- tribute to changes in risk to organizational operations and assets, individuals, other organiza- tions, or the nation. â¢ Task 4-2. Update Risk AssessmentâUpdate existing risk assessment using the results from ongoing monitoring of risk factors. For both physical and cyber matters, risk assessment is one of the most important aspects of risk management and is used to support risk management decision-making. In terms of physi- cal security, it is an evaluation using either quantitative or (more likely) qualitative criteria to predict the overall effectiveness of a system, identify system weaknesses, and define existing asset protection capabilities against specific threat scenarios and actors. In cybersecurity, risk assess- ment is clearly the main method of identifying opportunities for reducing or mitigating losses. Vulnerabilities are identified, cataloged, shared, and, most importantly in risk management, âpatchedââa process that is essential to the response methodology of cybersecurity profession- als. Nonprofessionals are taught IT systems awareness as a means to minimize human/machine interface (HMI) vulnerabilities from breaching IT or ICS security (Figure 1-3). Managing Risk: The Example of the Minnesota Department of Transportation Enterprise Risk Management Framework The Minnesota Department of Transportation (MnDOT) Enterprise Risk Management (ERM) framework establishes the standards, processes, and accountability structure used to identify, assess, prioritize, and manage key risk exposures, including security risk exposures across the agency (Figure 1-4). The framework enables leaders at all levels to systematically evaluate implications of decisions and actions to the agencyâs highest priority goals and objec- tives or Key Results Areas (KRAs), and effectively manage a broad array of risks in an informed and strategic manner to within an accepted tolerance level. The ERM Framework applies to three levels of risks (Figure 1-5). 1. Strategic-level risks impede the achievement of MnDOTâs vision, mission, and KRAs. These are broad, strategic risk areas and include financial, stakeholder, reputation, legal and com-
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 9 pliance, safety and health, and business performance and continuity risks. Strategic risks are monitored and assessed at both the strategic and business-line levels. 2. Business-lineâlevel risks are identified by business-line management groups. These risks im- pede the agencyâs ability to deliver products and services, meet performance targets, and accomplish business objectives. MnDOTâs performance metrics provide accountability. 3. Project-level risks are risks identified by project managers. These risks threaten the scope, schedule, cost, or quality of agency projects. Depending on the scope and complexity of the project, these risks may have strategic or business-line consequences that warrant inclusion in the ERM Integrated Risk Register. Strategic Risk Management At the strategic level, risk management is accomplished through annual risk assessment, man- agement, and strategy development by senior leaders. Senior leaders identify and assess risks to MnDOTâs vision, mission, and KRAs at least annually. Senior leaders specify risk response strategies (avoid, accept, transfer or mitigate) and the person(s) responsible for their implemen- tation. Strategic risk analysis and evaluation at this level identify the most critical strategic risks to the agency. The ERM Integrated Risk Register is the reporting tool that senior leadership uses to monitor and manage strategic risks. Senior leaders identify emerging risks. At least monthly, senior leadership reviews progress on key results and assigned risk mitigation actions. Senior leaders also evaluate emergent risks that Source: Adapted from COBIT 5 for Risk, Information Systems Audit and Control Association 2013. Figure 1-3. Risk scenario-based process.
10 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Source: MnDOT 2014. Figure 1-4. MnDOT integrated risk management and business planning process. Source: MnDOT 2014. Figure 1-5. MnDOT ERM framework.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 11 may require management at this level. These risks may be identified by senior leaders or through evaluation of business-line risks assessed as having âmajorâ or higher implications for priority agency objectives. Each quarter, the chief risk officer is required to publish a report on the status of active risks at the strategic and business-line levels and their associated mitigation actions. Business-Line Risk Assessment and Management Business-line risk management consists of risk identification and management for risk events that threaten the successful delivery of products and services. Risks are identified and evaluated primarily by five existing business-line management groups: â¢ Planning Management Group â¢ Pre-Construction Management Group â¢ Construction Management Group â¢ Administrative Management Group â¢ Operations Management Group Business-line risks may be monitored by other groups better positioned to manage certain risks (e.g., data domain stewards assigned to manage risks to the quality and security of agency data). Business-line risks threaten the agencyâs overall business performance and capability and may affect MnDOTâs reputation, the security of MnDOT assets, compliance with legal and regulatory requirements, safety responsibilities, and/or financial integrity. When the consequences of iden- tified risks are assessed by the business-line management groups as having potential âmajorâ or higher consequences for KRAs, the risks are elevated to the strategic level in the ERM Integrated Risk Register. The business-line focus on MnDOTâs core products and servicesâmaintaining and operating the transportation system and providing safe, sustainable, reliable mobility options through the delivery of projectsârequires evaluation by teams that share responsibility for pro- gram and project success. The business-line management groups are responsible for risk assess- ment and risk management strategies for risks to their respective products and services. Ownership of the specific action may be assigned to a manager in an office or district, but business-line risk evaluation is the responsibility of designated business-line management groups. The management groups are required to conduct annual business-lineâlevel risk assessments and decide on appro- priate mitigation actions to address risks that fall outside of an accepted tolerance level. Project-Level Risk Management Projects vary in terms of their size and complexity. Some projects may have risks with mod- erate to major strategic and/or business-line implications. In these cases, project managers are expected to elevate these risks to the Enterprise Risk Management Office for inclusion in the ERM Integrated Risk Register. In a similar manner, senior leaders and business-line manage- ment groups may assign specific risk mitigation actions to project managers for implementation. Project managers are expected to routinely identify and manage project risk using a process that scales the depth of risk analysis to the complexity of the project. Senior leaders may identify strategic risks that warrant the management groupsâ attention. These risks will supplement those identified and assessed at the business-line level. Targets are set for the core business lines at the strategic level, along with associated key performance indicators that are aligned with KRAs. Examples may include asset management objectives or targets for operations and maintenance. Enterprise Risk Management Governance MnDOTâs ERM governance structure makes risk awareness and management integral parts of organizational decision-making at every level. The overall responsibility for risk management resides with senior management and is exercised through the MnDOT Stewardship Council and
12 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies business-line management groups. The chief risk officer ensures compliance with the MnDOT ERM Framework throughout the agency. An outline of the ERM governance structure makes responsibilities clear. 1. Senior Leadership. The commissioner and commissionerâs staff set the agencyâs strategic directions and are responsible for evaluating and managing strategic risks. The commissionerâs staff defines and annually validates level of service for the organizationâs KRAs or most critical quality-of-life outcomes. They have decision-making authority and delegate responsibilities for risk management activities within their divisions. Senior leadership is responsible for: â Designing, implementing, and maintaining an effective internal control system; â Defining the agencyâs overall risk appetite/risk tolerance; â Ensuring implementation of ERM processes and framework within their divisions; â Identifying and evaluating risks on the strategic risk register; â Overseeing and resolving any business-line or project risks that have been escalated through the risk management structure; â Reviewing and reassessing risk register strategies and implementation results; â Reviewing and reassessing identified risks every quarter; and â Reviewing and reassessing strategic risks every month. 2. Business-Line Management Groups, Districts, Divisions, and Offices. MnDOT management groups are responsible for the identification, assessment, and management of risks to MnDOTâs products and services delivery. The business-line management groups are responsible for evaluating and establishing levels of service and targets for products and services based on risk tolerance and fulfilling level of service commitments for delivery of MnDOTâs products and services. Business-line management groups are responsible for: â Coordinating the identification and evaluation of risks within their business line; â Acting on risk mitigation actions delegated to business lines from the strategic register; â Establishing and managing business-line risk registers; â Reviewing and reassessing risk registers, strategies, and results every month; â Reviewing and reassessing risks every quarter; and â Reviewing and reassessing business-line risks every year. Districts, divisions, and offices are responsible for: â Identifying risks with implications for business-line and/or strategic objectives; â Identifying, analyzing, and evaluating risks to district, division, and office objectives; â Implementing risk management strategies for district-, division- and office-level risks for risks assigned to them by senior leaders or through business-line management groups; and â Ensuring assigned employees understand their roles and responsibilities for ERM. 3. Enterprise Risk Management Office. The chief risk officer directs the Enterprise Risk Management Office. The chief risk officer coordinates risk management across the organization, facilitates consistent and systematic risk assessments, and provides advice to divisions, offices, districts, and managersâ groups. The chief risk officer manages and operates the ERM frame- work. Office responsibilities include: â Developing and maintaining MnDOTâs risk management framework and expectations; â Assuring compliance with MnDOT policy and procedures; â Operating the ERM process; â Managing the MnDOT Enterprise Risk Management Office; â Directing the MnDOT ERM implementation team; and â Providing training and increasing risk awareness. Risk Monitoring and Evaluation The goal of the MnDOT ERM framework is to integrate risk management with strategic, business-line operations, and project planning. The ERM framework incorporates both bottom- up and top-down approaches to risk identification and management.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 13 For the short term, the MnDOT ERM deploys an Integrated Risk Register. The risk register provides risk visibility and accountability to managers. At both the strategic and business- line levels this involves revisiting their registers to learn more about the characteristics and performance of each risk. At the strategic level this may involve creating reports that allow senior leadership to track how strategic and business-line risks relate to each of the organiza- tionâs KRAs and, thus, business objectives. An example of a KRA risk register report appears in Figure 1-6. For the long term, strategic and business-line levels annually attend ERM workshops to iden- tify and evaluate new risks that may threaten changing business objectives, strategies, products, and services. Risks that repeat are noted to track long-term progress and the transformation of these risks over time. Threat Assessment The National Infrastructure Protection Plan (NIPP) (DHS 2013) highlights the evolving threats to the nationâs critical infrastructure (Figure 1-7). Under an expansive view, hazards associated with extreme weather, accidents or technical failures, or pandemics are aligned with physical (acts of terrorism) and cyber threats.1 The four main categories of homeland security threats against transportation infrastructure are explosives, weapons of mass destruction (WMDs), active threats, and cyberattacks. Physical Security Explosives Explosives include both conventional explosives (CEs) and improvised explosive devices (IEDs). CEs are made of industrial or military manufactured components such as Source: MnDOT 2014. Figure 1-6. MnDOT risk register report. 1 It is recognized not just security risk must be managed, however, the treatment of this text focuses principally on physical and cybersecurity.
14 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies trinitrotoluene (TNT), Semtex, or plastic explosives (C-4). IEDs can be made of the same com- mercial or military components, or other improvised materials such as ammonium nitrate/fuel oil (ANFO), as in a fertilizer bomb or compounds of ammonium nitrate with aluminum, sugar, or potassium chlorate. In the transportation environment, attacks of this type are considered more likely than other types of threats. Explosives cause an instantaneous or almost instantaneous chemical reaction resulting in a rapid release of energy. The energy is usually released as rapidly expanding gases and heat, which may be in the form of a fireball. The expanding gases compress the surrounding air, creating a shock wave or pressure wave. The pressure wave can cause structural damage, while the fireball may ignite other building materials, leading to a larger fire. Explosives can cause the destruc- tion of assets within a facility, structural damage to the facility itself, and injuries or fatalities. Explosions may start a fire, which may inflict additional damage and cause additional injuries and fatalities. The type and amount of explosive material used and the location of the explosion will determine the overall impact. Two methods of delivery of CEs or IEDs deserve particular attentionâvehicle-borne impro- vised explosive devices (VBIEDs) and suicide bombings. According to the U.S. Department of Stateâs Bureau of Diplomatic Security, VBIEDs are âfar and away the weapon of choice for ter- rorist attacks.â Vehicles provide concealment for the bomb as well as the delivery method. As Table 1-1 indicates, concealing a 200- to 500-lb. bomb in a sedan is relatively easy. Suicide bombings are an attack on a target in which an attacker intends to kill others, know- ing that he or she will certainly or likely die in the process. The means of attack have included vehicles filled with explosives, passenger planes carrying large amounts of fuel, and individuals wearing explosives-filled vests. Source: DHS 2013. Figure 1-7. National Infrastructure Protection Plan.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 15 Weapons of Mass Destruction Weapons of mass destruction or effect (WMD)/(WME) include chemical, biological, radio- logical, or nuclear (CBRN) devices designed to inflict mass casualties. Terrorist weapons can incorporate warfare agents developed for military use, such as nerve agents sarin and VX, the blister agent mustard, blood agent hydrogen cyanide, and choking agents chlorine and phosgene (Figure 1-8). Also of concern are toxic industrial and commercial chemicals that are manufactured in the making of petroleum, textiles, plastics, fertilizers, paper, foods, pesticides, household cleaners, and other products. From a transportation perspective these types of chemicals, known as haz- ardous materials (HazMats), are particularly important because freight railroads and highways are used to transport them in large quantities, often through highly populated areas. For passen- ger, commuter, or transit agencies that share railroad lines with these carriers, protective strate- gies designed to reduce the risks associated with transport are a high priority. Finally, there are chemical toxins of biological origin, such as botulinum and ricin. These highly toxic agents are products of plants, animals, and bacteria. They can occur naturally or be prepared in a labora- tory. Botulinum toxin is the most poisonous substance known to science. Chemical agents can be released in the form of poisonous gases, liquids, or solids. Typically, liquids and vapors are more lethal than solids. Chemical agents are usually fast acting with the major exception of mustard agents, whose symptoms appear hours after exposure. Poisoning by Threat Description Explosives Mass a (TNT equivalent) Building Evacuation Distanceb Outdoor Evacuation Distancec H ig h Ex pl os iv es (T N T Eq ui va le nt ) Pipe Bomb 5 lbs2.3 kg 70 ft 21 m 850 ft 259 m Suicide Belt 10 lbs4.5 kg 90 ft 27 m 1,080 ft 330 m Suicide Vest 20 lbs9 kg 110 ft 34 m 1,360 ft 415 m Briefcase/Suitcase Bomb 50 lbs 23 kg 150 ft 46 m 1,850 ft 564 m Compact Sedan 500 lbs227 kg 320 ft 98 m 1,500 ft 457 m Sedan 1,000 lbs454 kg 400 ft 122 m 1,750 ft 534 m Passenger/Cargo Van 4,000 lbs1,814 kg 640 ft 195 m 2,750 ft 838 m Small Moving Van/ Delivery Truck 10,000 lbs 4,536 kg 860 ft 263 m 3,750 ft 1,143 m Moving Van/Water Truck 30,000 lbs 13,608 kg 1,240 ft 375 m 6,500 ft 1,982 m Semitrailer 60,000 lbs27,216 kg 1,570 ft 475 m 7,000 ft 2,134 m Source: Adapted from U.S. Army 2005. aBased on the maximum amount of material that could reasonably fit into a container or vehicle. Variations possible. bGoverned by the ability of an unreinforced building to withstand severe damage or collapse. cGoverned by the greater of fragment throw distance or glass breakage/falling glass hazard distance. These distances can be reduced for personnel wearing ballistic protection. Note that the pipe bomb, suicide belt/vest, and briefcase/suitcase bomb are assumed to have a fragmentation characteristic that requires greater standoff distances than an equal amount of explosives in a vehicle. Table 1-1. Evacuation distance by threat and explosive mass.
16 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies chemicals is not contagious, but the presence of residual chemical agents on the skin or cloth- ing of an exposed individual can affect others. Once the agent is neutralized or removed, the illness stops spreading. The toxicity, measured in parts per million (PPM), and concentration of a chemical agent determines the severity of an attack. Chemical agents are typically deadlier in confined or crowded areas such as buildings or subways. They can be deployed by spraying with wet or dry aerosol sprayers, vaporizing the chemical for release, using an explosive device to disperse the chemical, pouring, or contaminating food, water, or other ingestibles such as pharmaceutical drugs. The toxicity of chemicals varies greatly. Some are acutely toxic (cause immediate symptoms); others are not very toxic at all (Figure 1-9). Biological Agents Weaponized biological agents are naturally occurring microbes or microorganisms deployed in their existing state or modified to increase virulence, designed to cause mass casualties through disease and death. The Centers for Disease Control and Prevention (CDC) groups biological agents into three categoriesâA, B, and Câbased on factors such as availability, capability of dissemination, mortality or illness rates, and impact on the public health system. Category A agents include anthrax, botulinum toxin, plague, smallpox, tularemia, and viral hemorrhagic fevers (Ebola, Marburg virus, Lassa, Machupo). These âhighest priority agentsâ are called bioweapons because they provide the building blocks for weaponization. Category B agents include brucellosis, epsilon toxin, food safety threats (E. coli 0157:H7, salmonella, shigella), glanders, melioidosis, psittacosis and Q fever, ricin toxin, staphylococcal enterotoxin B, typhus fever, viral encephalitis, and water safety threats (cholera, giardiasis, cryptosporidiosis). Scientists have experience with Category B agents as infectious diseases but are unclear about Source: National Academy of Sciences 2004a. Figure 1-8. Effects and treatment of some chemical weapons developed for military use.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 17 their potential for weaponization. Category C agents include emerging infectious diseases such as Nipah virus and hantavirus. Biological agents are grouped as infectious or infectious and contagious. A microorganism that causes infectious disease invades the body, making the person sick by attacking organs or cells. Sometimes called pathogens, these microscopic organisms include both viruses and bac- teria. There is usually a delay in the onset of symptoms called an incubation period. Diseases that are both infectious and contagious can be caught by a person who comes in contact with someone else who is infected. The level of contact required to transmit the illness between people can be slight, such as a sneeze or cough. But the contagiousness of a disease has nothing to do with the seriousness of the illness. For example, both plague and the common cold are highly contagious, but plague is a much more serious disease. Some infectious diseases, such as botulism and tularemia, are not contagious at all. Biological agents can enter the body through absorption, inhalation, ingestion, or injection. Biological weapons can be prepared for delivery in wet or dry form. Delivery can be through aerosol sprayers; explosive devices; transmission through insects, animals, or humans; introduc- tion into food or water; or on or inside of objects (e.g., anthrax in envelopes). Figure 1-10 outlines the disease, incubation period, and symptoms for selected Category A and Category B biological agents. Source: National Academy of Sciences 2004a. Figure 1-9. Varying toxicity of chemicals.
18 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Radioactive Materials Concern exists about the potential for a terrorist attack involving radioactive materials, pos- sibly through the use of a radiological dispersion device (RDD). The best-known type of RDD is a âdirty bomb,â a device that uses a conventional explosion to disperse radioactive material so that the blast will contaminate an area with radioactive particles. RDDs can also be dispersed by opening a container of radioactive materials in a populated area, or dispersing powdered or aerosolized materials using sprayers or aircraft. Radioactive isotopes have either a high or low level of radioactivity, based on the rate of radioactive decay. The faster an isotope decays, the faster it releases and exhausts its radiation. The radioactivity of a mass of material is measured in curies (Ci; 1 Ci = 3.7 x 1010 disintegrations per second). Cobalt-60 (showing the number of neutrons plus protons in the atomâs nucleus), with a half-life of 5.3 years, is highly radioactive; uranium-235, with a half-life of more than 700 million years, is not. High-level radioactive materials are difficult for terrorists to acquire, so there is a greater chance that the radioactive materials used in a dirty bomb would come from low-level radioactive sources. Low-level radioactive sources are found in hospitals, on construction sites, and at food irradiation plants. The primary danger from a dirty bomb using a low-level radioactive source would be the blast itself. Most dirty bombs and other RDDs would have very localized effects, ranging from less than a city Source: National Academy of Sciences 2005a. Figure 1-10. Disease, incubation period, and symptoms for selected Category A and Category B biological agents.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 19 block to several square miles. The effective range would depend on factors such as the amount and type of material, method of dispersal, and local weather conditions. According to the CDC, âat the levels created by most probable sources, not enough radiation would be present in a dirty bomb to cause severe illness from exposure to radiation.â Radiation is energy moving in the form of particles or waves. Some examples of electromagnetic radiation are heat, light, radio waves, and microwaves. Radiation strikes people constantly, but most of it, like radio waves and light, is not ionizing, meaning it does not have enough energy to damage cells significantly. Ionizing radiation is a very high-energy electromagnetic form that can have an adverse health effect on the human body. The extent of the effect depends on the amount of energy absorbed, measured in rems. Higher doses produce direct clinical effects, including tissue damage, radiation sickness, and at very high levels, rapid death. With chronic low-level exposure, no clinical effects are observed, but the exposed individual may have an increased lifetime risk of developing cancer. Some of the common types of radioactive materials are listed in Box 1-1. Box 1-1. Common Radioactive Materials What are some common radioactive materials used in our society? GAMMA EMITTERS Cobalt-60 (Co-60)âcancer therapy, industrial radiography, industrial gauges, food irradiation. Cesium-137 (Cs-137)âsame uses as Cobalt-60 plus well logging. lridium-192 (Ir-192)âindustrial radiography and medical implants for cancer therapy. BETA EMITTER Strontium-90 (Sr-90)âradioisotope thermoelectric generators (RTGs), which are used to make electricity in remote areas. ALPHA EMITTERS Plutonium-238 (Pu-238)âresearch and well logging and in RTGs for space missions. Americium-241 (Am-241)âindustrial gauges and well logging. What Is Ionizing Radiation? When radioactive elements decay, they produce energetic emissions (alpha particles, beta particles, or gamma rays) that can cause chemical changes in tissues. The average person in the United States receives a âbackgroundâ dose of about one-third of a rem* per yearâabout 80% from natural sources including earth materials and cosmic radiation, and the remaining 20% from artificial radiation sources, such as medical x-rays. There are different types of radioactive materials that emit different kinds of radiation: Gamma and X-rays can travel long distances in air and can pass through the body exposing internal organs; it is also a concern if gamma-emitting material is ingested or inhaled. Beta radiation can travel a few yards in the air and in sufficient quantities might cause skin damage; beta-emitting material is an internal hazard if ingested or inhaled. Alpha radiation travels only an inch or two in the air and cannot even penetrate skin; alpha-emitting material is a hazard if it is ingested or inhaled. *A rem is a measure of radiation dose, based on the amount of energy absorbed in a mass of tissue. Dose can also be measured in Sieverts (1 Sievert = 100 rem). Source: National Academy of Sciences 2004b.
20 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies A nuclear attack by terrorists is a high-order magnitude event that would potentially kill a large number of people. A dirty bomb containing high-level radioactive material is a potential means of delivery of a nuclear attack. The use of an improvised nuclear device (IND) or a nuclear weapon must also be considered. An IND, commonly referred to as a suitcase bomb or suitcase nuke, is a nuclear weapon small enough to fit in a suitcase and capable of producing a nuclear blast. Accord- ing to the U.S. Department of Health and Human Services, âthe design and destructive nature of an IND is comparable to the bomb dropped on Hiroshima, Japan, at the end of World War IIâ (National Academy of Sciences 2004b). Larger nuclear weapons and their explosions are classified based on their yield, or the amount of energy they produce. A nuclear weapon deployed by terror- ists would be expected to have a yield of less than 1 kiloton (kT) to several kTs. A kT is not the weight of the bomb but rather the equivalent energy of an amount of the explosive TNT (1 kT=1,000 tons of TNT). Large military nuclear weapons are in the megaton (MT) range (1 MT=1,000 kT). The highly purified plutonium and uranium needed to make a nuclear weapon or suitcase bomb are difficult to acquire. Considerable engineering skill and expertise would be required to construct a nuclear device using plutonium; devices using uranium are easier to construct. A nuclear event involves nuclear fission (splitting of atoms) and a highly destructive explosion that creates instant devastation. Significant fatalities, injuries, and infrastructure damage result from the heat and blast of the explosion. Persistent high levels of radioactivity are the aftermath of both the initial nuclear radiation and the subsequent radioactive fallout that occurs (Boxes 1-2 and 1-3). Active Threats Armed assault, better known today as an active shooter incident, occurs when one or more individuals with one or more guns opens fire on random people who have been targeted for no apparent reason. Until recently, the term armed assault effectively categorized a significant Box 1-2. Characteristics of a Nuclear Explosion A fireball, roughly spherical in shape, is created from the energy of the initial explosion. It can reach tens of millions of degrees. A shockwave races away from the explosion and can cause great damage to structures and injuries to humans. A mushroom cloud typically forms as everything inside of the fireball vaporizes and is carried upwards. Radioactive material from the nuclear device mixes with the vaporized material in the mushroom cloud. Fallout results when the vaporized radioactive material in the mushroom cloud cools, condenses to form solid particles, and falls back to the earth. Fallout can be carried long distances on wind currents as a plume and contaminate surfaces miles from the explosion, including food and water supplies. The ionization of the atmosphere around the blast can result in an electromag- netic pulse (EMP) that, for ground detonations, can drive an electric current through underground wires causing local damage. For high-altitude nuclear detonations, EMP can cause widespread disruption to electronic equipment and networks. Source: National Academy of Sciences 2004b.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 21 method of choice and event type for terrorists and other criminals who were seeking to deploy a weapon capable of mass casualties. Hit-and-run assault involves a sudden attack on a target and immediate withdrawal to avoid adversary response or retaliation. In some instances, the tactic is coupled with the use of a massive amount of firepower without concern for target accuracy. This type of indiscriminate attack is difficult to prevent or overcome. Another tactic seen repeatedly in school shootings such as those at Columbine High School and Virginia Tech, the Pulse night- club shooting in Orlando, Florida, or the Las Vegas Mandalay Bay concert attack is the suicide gunman who bears multiple firearms and fires at will until killed by responders or suicide. This type of attack uses small arms, which can include pistols, rifles, shotguns, or submachine guns that can be military issue or civilian weapons. Although assaults with a firearm or automatic or semiautomatic assault rifle have continued to occur, recently additional types of weapons have been used actively in both terrorism- and non-terrorismârelated events. Weapons used during active threat situations include guns, edged weapons such as knives and cleavers, and other basic weapons. Because these weapons are relatively easy to acquire and use, the Federal Bureau of Investigation (FBI) and DHS have noted an increasing concern about lone offenders, who are particularly difficult to detect and typically unpredictable, and can use these weapons without significant training. The TSA has noted an alarming growth in the use of vehicles as ramming instruments in direct attacks on pedestrians and bicyclists. These attacks often are conducted by âlone wolfâ or radical- ized persons using rented, stolen, or easily available large motor vehicles. For instance, on Bastille Day 2016 in Nice, France, Mohamed Lahouaiej-Bouhlel drove a 19-ton cargo truck into crowds celebrating the holiday. Lahouaiej-Bouhlel zigzagged into the crowds, breaking through police barriers, killing 86 and injuring 458. He shot at police with an automatic pistol before police shot and killed him. Domestic and international ramming incidents seem to be multiplying quickly. While transportation agencies have focused on active shooter threats, recent incidents have demonstrated the possibility and consequences of active threats involving other weapons. Box 1-3. The Nuclear Bombs at Hiroshima and Nagasaki, Japan The August 1945 bombings of Hiroshima and Nagasaki have been the only use or detonation of nuclear weapons except for testing purposes. The Hiroshima bomb was approximately a 16-kiloton uranium bomb; the Nagasaki bomb was approximately a 21-kiloton plutonium bomb. Both were detonated in the air at an altitude of approximately 1,600 feet. The bomb at Hiroshima destroyed buildings over roughly 4 square miles of the city, and about 60,000 people died immediately from the blast, thermal effects, and fire. Within 2â4 months of the bombings, a total estimated 90,000 to 140,000 deaths occurred in Hiroshima and about 60,000 to 80,000 deaths occurred in Nagasaki, mostly as a result of the immediate effects of the bomb and not to fallout. In a group of 87,000 survivors exposed to radiation who were followed in health studies over the past 60 years,* there were about 430 more cancer deaths than would be expected in a similar but unexposed population (there were 8,000 cancers from all causes compared to an expected 7,600). The additional cancer deaths are attributable to radiation. Nearly half of the people in those studies are still alive. *The mean dose of those survivors was 16 rad.
22 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies A threat such as an active shooter can transition into a barricaded suspect or hostage situation with the arrival of police. Cybersecurity In the cyber world threats are continually manifested, voluminous, and subject to variation. Although primary types of threats have been identified, such as the Stuxnet worm that attacks critical infrastructure, other threat types exist including malware, short for malicious software, defined as any software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems. Ransomware is a type of malicious software that threatens to publish proprietary data or perpetually block access to data or systems unless a ransom is paid. NIST Special Publication 800-30 Revision 1, under the category Adversarial/Intentional Acts, describes how threat events can be carried out (NIST 2012). 1. Perform reconnaissance and gather information a. Perform perimeter network reconnaissance/scanning. Adversary uses commercial or free software to scan organizational perimeters to obtain a better understanding of the infor- mation technology infrastructure and improve the ability to launch successful attacks. b. Perform network sniffing of exposed networks. Adversary with access to exposed wired or wireless data channels used to transmit information uses network sniffing to identify components, resources, and protections. Gather information using open source discov- ery of organizational information. Adversary mines publicly accessible information to gather information about organizational information systems, business processes, users or personnel, or external relationships that the adversary can subsequently employ in support of an attack. c. Perform reconnaissance and surveillance of targeted organizations. Adversary uses various means (e.g., scanning, physical observation) over time to examine and assess organiza- tions and ascertain points of vulnerability. d. Perform malware-directed internal reconnaissance. Adversary uses malware installed inside the organizational perimeter to identify targets of opportunity. Because the scan- ning, probing, or observation does not cross the perimeter, it is not detected by externally placed intrusion detection systems. 2. Craft or create attack tools a. Craft phishing attacks. Adversary counterfeits communications from a legitimate/ trustworthy source to acquire sensitive information such as usernames, passwords, or social security numbers. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to websites that appear to be legitimate sites, while actu- ally stealing the entered information. b. Craft spear phishing attacks. Adversary employs phishing attacks targeted at high value targets (e.g., senior leaders/executives). c. Craft attacks specifically based on deployed information technology environment. Adver- sary develops attacks (e.g., crafts targeted malware) that take advantage of adversary knowledge of the organizational information technology environment. d. Create counterfeit/spoof website. Adversary creates duplicates of legitimate websites; when users visit a counterfeit site, the site can gather information or download malware. e. Craft counterfeit certificates. Adversary counterfeits or compromises a certificate author- ity, so that malware or connections will appear legitimate. f. Create and operate false front organizations to inject malicious components into the supply chain. Adversary creates false front organizations with the appearance of legitimate suppliers in the critical lifecycle path that then inject corrupted/malicious information system components into the organizational supply chain.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 23 3. Deliver/insert/install malicious capabilities a. Deliver known malware to internal organizational information systems (e.g., virus via email). Adversary uses common delivery mechanisms (e.g., email) to install/insert known malware (e.g., malware whose existence is known) into organizational informa- tion systems. b. Deliver modified malware to internal organizational information systems. Adversary uses more sophisticated delivery mechanisms than email (e.g., web traffic, instant messaging, FTP [file transfer protocol]) to deliver malware and possibly modifications of known malware to gain access to internal organizational information systems. c. Deliver targeted malware for control of internal systems and exfiltration of data. Adver- sary installs malware that is specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to adversary, and conceal these actions. d. Deliver malware by providing removable media. Adversary places removable media (e.g., flash drives) containing malware in locations external to organizational physical perim- eters but where employees are likely to find the media (e.g., facilities parking lots, exhibits at conferences attended by employees) and use it on organizational information systems. e. Insert untargeted malware into downloadable software and/or into commercial informa- tion technology products. Adversary corrupts or inserts malware into common freeware, shareware or commercial information technology products. Adversary is not targeting specific organizations, simply looking for entry points into internal organizational infor- mation systems. Note that this is particularly a concern for mobile applications. f. Insert targeted malware into organizational information systems and information system components. Adversary inserts malware into organizational information systems and information system components (e.g., commercial information technology products), specifically targeted to the hardware, software, and firmware used by organizations (based on knowledge gained via reconnaissance). g. Insert specialized malware into organizational information systems based on system con- figurations. Adversary inserts specialized, non-detectable, malware into organizational information systems based on system configurations, specifically targeting critical infor- mation system components based on reconnaissance and placement within organizational information systems. h. Insert counterfeit or tampered hardware into the supply chain. Adversary intercepts hard- ware from legitimate suppliers. Adversary modifies the hardware or replaces it with faulty or otherwise modified hardware. i. Insert tampered critical components into organizational systems. Adversary replaces, through supply chain, subverted insider, or some combination thereof, critical informa- tion system components with modified or corrupted components. j. Install general-purpose sniffers on organization controlled information systems or networks. Adversary installs sniffing software onto internal organizational information systems or networks. k. Install persistent and targeted sniffers on organizational information systems and net- works. Adversary places within internal organizational information systems or networks software designed to (over a continuous period of time) collect (sniff) network traffic. l. Insert malicious scanning devices (e.g., wireless sniffers) inside facilities. Adversary uses postal service or other commercial delivery services to deliver to organizational mailrooms a device that is able to scan wireless communications accessible from within the mail- rooms and then wirelessly transmit information back to adversary. m. Insert subverted individuals into organizations. Adversary places individuals within orga- nizations who are willing and able to carry out actions to cause harm to organizational missions/business functions.
24 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies n. Insert subverted individuals into privileged positions in organizations. Adversary places individuals in privileged positions within organizations who are willing and able to carry out actions to cause harm to organizational missions/business functions. Adversary may target privileged functions to gain access to sensitive information (e.g., user accounts, system files, etc.) and may leverage access to one privileged capability to get to another capability. 4. Exploit and compromise a. Exploit physical access of authorized staff to gain access to organizational facilities. Adver- sary follows (âtailgatesâ) authorized individuals into secure/controlled locations with the goal of gaining access to facilities, circumventing physical security checks. b. Exploit poorly configured or unauthorized information systems exposed to the Internet. Adversary gains access through the Internet to information systems that are not authorized for Internet connectivity or that do not meet organizational configuration requirements. c. Exploit split tunneling. Adversary takes advantage of external organizational or personal information systems (e.g., laptop computers at remote locations) that are simultaneously connected securely to organizational information systems or networks and to nonsecure remote connections. d. Exploit multi-tenancy in a cloud environment. Adversary, with processes running in an organizationally used cloud environment, takes advantage of multi-tenancy to observe behavior of organizational processes, acquire organizational information, or interfere with the timely or correct functioning of organizational processes. e. Exploit known vulnerabilities in mobile systems (e.g., laptops, PDAs, smart phones). Adversary takes advantage of fact that transportable information systems are outside physical protection of organizations and logical protection of corporate firewalls, and compromises the systems based on known vulnerabilities to gather information from those systems. f. Exploit recently discovered vulnerabilities. Adversary exploits recently discovered vulner- abilities in organizational information systems in an attempt to compromise the systems before mitigation measures are available or in place. g. Exploit vulnerabilities on internal organizational information systems. Adversary searches for known vulnerabilities in organizational internal information systems and exploits those vulnerabilities. h. Exploit vulnerabilities using zero-day attacks. Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Zero-day attacks are based on adversary insight into the information systems and applications used by organizations as well as adversary recon- naissance of organizations. i. Exploit vulnerabilities in information systems timed with organizational mission/business operations tempo. Adversary launches attacks on organizations in a time and manner consistent with organizational needs to conduct mission/business operations. j. Exploit insecure or incomplete data deletion in multi-tenant environment. Adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi- tenant environment (e.g., in a cloud computing environment). k. Violate isolation in multi-tenant environment. Adversary circumvents or defeats isolation mechanisms in a multi-tenant environment (e.g., in a cloud computing environment) to observe, corrupt, or deny service to hosted services and information/data. l. Compromise critical information systems via physical access. Adversary obtains physical access to organizational information systems and makes modifications. m. Compromise information systems or devices used externally and reintroduced into the enterprise. Adversary installs malware on information systems or devices while the systems/ devices are external to organizations for purposes of subsequently infecting organizations when reconnected.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 25 n. Compromise software of organizational critical information systems. Adversary inserts malware or otherwise corrupts critical internal organizational information systems. o. Compromise organizational information systems to facilitate exfiltration of data/ information. Adversary implants malware into internal organizational information systems, where the malware over time can identify and then exfiltrate valuable information. p. Compromise mission-critical information. Adversary compromises the integrity of mis- sion-critical information, thus preventing or impeding ability of organizations to which information is supplied, from carrying out operations. q. Compromise design, manufacture, and/or distribution of information system components (including hardware, software, and firmware). Adversary compromises the design, manufac- ture, and/or distribution of critical information system components at selected suppliers. 5. Conduct an attack (i.e., direct/coordinate attack tools or activities) a. Conduct communications interception attacks. Adversary takes advantage of communi- cations that are either unencrypted or use weak encryption (e.g., encryption contain- ing publicly known flaws), targets those communications and gains access to transmitted information and channels. b. Conduct wireless jamming attacks. Adversary takes measures to interfere with wireless com- munications so as to impede or prevent communications from reaching intended recipients. c. Conduct attacks using unauthorized ports, protocols and services. Adversary conducts attacks using ports, protocols, and services for ingress and egress that are not authorized for use by organizations. d. Conduct attacks leveraging traffic/data movement allowed across perimeter. Adversary makes use of permitted information flows (e.g., email communication, removable storage) to compromise internal information systems, which allows adversary to obtain and exfiltrate sensitive information through perimeters. e. Conduct simple Denial of Service (DoS) attack. Adversary attempts to make an Internet- accessible resource unavailable to intended users, or prevent the resource from functioning efficiently or at all, temporarily or indefinitely. f. Conduct Distributed Denial of Service (DDoS) attacks. Adversary uses multiple com- promised information systems to attack a single target, thereby causing denial of service for users of the targeted information systems. Conduct targeted Denial of Service (DoS) attacks. Adversary targets DoS attacks to critical information systems, components, or supporting infrastructures, based on adversary knowledge of dependencies. g. Conduct physical attacks on organizational facilities. Adversary conducts a physical attack on organizational facilities (e.g., sets a fire). h. Conduct physical attacks on infrastructures supporting organizational facilities. Adver- sary conducts a physical attack on one or more infrastructures supporting organizational facilities (e.g., breaks a water main, cuts a power line). i. Conduct cyber-physical attacks on organizational facilities. Adversary conducts a cyber- physical attack on organizational facilities (e.g., remotely changes heating, ventilation, and air conditioning or HVAC settings). j. Conduct data scavenging attacks in a cloud environment. Adversary obtains data used and then deleted by organizational processes running in a cloud environment. k. Conduct brute force login attempts/password guessing attacks. Adversary attempts to gain access to organizational information systems by random or systematic guessing of pass- words, possibly supported by password cracking utilities. Conduct nontargeted zero-day attacks. Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Attacks are not based on any adversary insights into specific vulnerabilities of organizations. l. Conduct externally based session hijacking. Adversary takes control of (hijacks) already established, legitimate information system sessions between organizations and external entities (e.g., users connecting from off-site locations).
26 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies m. Conduct internally based session hijacking. Adversary places an entity within organiza- tions in order to gain access to organizational information systems or networks for the express purpose of taking control (hijacking) an already established, legitimate session either between organizations and external entities (e.g., users connecting from remote locations) or between two locations within internal networks. n. Conduct externally based network traffic modification (man in the middle) attacks. Adversary, operating outside organizational systems, intercepts/eavesdrops on sessions between organizational and external systems. Adversary then relays messages between organizational and external systems, making them believe that they are talking directly to each other over a private connection, when in fact the entire communication is controlled by the adversary. Such attacks are of particular concern for organizational use of commu- nity, hybrid, and public clouds. o. Conduct internally based network traffic modification (man in the middle) attacks. Adver- sary operating within the organizational infrastructure intercepts and corrupts data sessions. p. Conduct outsider-based social engineering to obtain information. Externally placed adversary takes actions (e.g., using email, phone) with the intent of persuading or other- wise tricking individuals within organizations into revealing critical/sensitive information (e.g., personally identifiable information). q. Conduct insider-based social engineering to obtain information. Internally placed adver- sary takes actions (e.g., using email, phone) so that individuals within organizations reveal critical/sensitive information (e.g., mission information). r. Conduct attacks targeting and compromising personal devices of critical employees. Adver- sary targets key organizational employees by placing malware on their personally owned information systems and devices (e.g., laptop/notebook computers, personal digital assis- tants, smart phones). The intent is to take advantage of any instances where employees use personal information systems or devices to handle critical/sensitive information. s. Conduct supply chain attacks targeting and exploiting critical hardware, software, or firmware. Adversary targets and compromises the operation of software (e.g., through malware injections), firmware, and hardware that performs critical functions for organi- zations. This is largely accomplished as supply chain attacks on both commercial off-the- shelf and custom information systems and components. 6. Achieve results (i.e., cause adverse impacts, obtain information) a. Obtain sensitive information through network sniffing of external networks. Adversary with access to exposed wired or wireless data channels that organizations (or organi- zational personnel) use to transmit information (e.g., kiosks, public wireless networks) intercepts communications. b. Obtain sensitive information via exfiltration. Adversary directs malware on organizational systems to locate and surreptitiously transmit sensitive information. c. Cause degradation or denial of attacker-selected services or capabilities. Adversary directs malware, such as ransomware, on organizational systems to impair the correct and timely support of organizational mission/business functions. d. Cause deterioration/destruction of critical information system components and func- tions. Adversary destroys or causes deterioration of critical information system com- ponents to impede or eliminate organizational ability to carry out missions or business functions. Detection of this action is not a concern. e. Cause integrity loss by creating, deleting, and/or modifying data on publicly accessible information systems (e.g., web defacement). Adversary vandalizes, or otherwise makes unauthorized changes to, organizational websites or data on websites. f. Cause integrity loss by polluting or corrupting critical data. Adversary implants corrupted and incorrect data in critical data, resulting in suboptimal actions or loss of confidence in organizational data/services.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 27 g. Cause integrity loss by injecting false but believable data into organizational information systems. Adversary injects false but believable data into organizational information sys- tems, resulting in suboptimal actions or loss of confidence in organizational data/services. h. Cause disclosure of critical and/or sensitive information by authorized users. Adversary induces (e.g., via social engineering) authorized users to inadvertently expose, disclose, or mishandle critical/sensitive information. i. Cause unauthorized disclosure and/or unavailability by spilling sensitive information. Adversary contaminates organizational information systems (including devices and net- works) by causing them to handle information of a classification/sensitivity for which they have not been authorized. The information is exposed to individuals who are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated. j. Obtain information by externally located interception of wireless network traffic. Adver- sary intercepts organizational communications over wireless networks. Examples include targeting public wireless access or hotel networking connections, and drive-by subversion of home or organizational wireless routers. k. Obtain unauthorized access. Adversary with authorized access to organizational information systems, gains access to resources that exceeds authorization. l. Obtain sensitive data/information from publicly accessible information systems. Adver- sary scans or mines information on publicly accessible servers and web pages of organiza- tions with the intent of finding sensitive information. m. Obtain information by opportunistically stealing or scavenging information systems/ components. Adversary steals information systems or components (e.g., laptop comput- ers or data storage media) that are left unattended outside of the physical perimeters of organizations, or scavenges discarded components. 7. Maintain a presence or set of capabilities a. Obfuscate adversary actions. Adversary takes actions to inhibit the effectiveness of the intrusion detection systems or auditing capabilities within organizations. b. Adapt cyber attacks based on detailed surveillance. Adversary adapts behavior in response to surveillance and organizational security measures. 8. Coordinate a campaign a. Coordinate a campaign of multi-staged attacks (e.g., hopping). Adversary moves the source of malicious commands or actions from one compromised information system to another, making analysis difficult. b. Coordinate a campaign that combines internal and external attacks across multiple infor- mation systems and information technologies. Adversary combines attacks that require both physical presence within organizational facilities and cyber methods to achieve suc- cess. Physical attack steps may be as simple as convincing maintenance personnel to leave doors or cabinets open. c. Coordinate campaigns across multiple organizations to acquire specific information or achieve desired outcome. Adversary does not limit planning to the targeting of one orga- nization. Adversary observes multiple organizations to acquire necessary information on targets of interest. d. Coordinate a campaign that spreads attacks across organizational systems from existing presence. Adversary uses existing presence within organizational systems to extend the adversaryâs span of control to other organizational systems including organizational infra- structure. Adversary thus is in position to further undermine organizational ability to carry out missions/business functions. e. Coordinate a campaign of continuous, adaptive, and changing cyber attacks based on detailed surveillance. Adversary attacks continually change in response to surveillance and organizational security measures.
28 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies f. Coordinate cyber attacks using external (outsider), internal (insider), and supply chain (supplier) attack vectors. Adversary employs continuous, coordinated attacks, potentially using all three attack vectors for the purpose of impeding organizational operations. Threat AssessmentâAdversary Types and Motivations Figure 1-11 illustrates the FTAâs point that security countermeasures should be designed com- mensurate with the type of adversary who may attack the transportation facility. This represents sound practice conceptually; however, transportation agencies should not draw threat-related conclusions from presumptions about adversary classification assessments taken in isolation. Care should be taken to ensure that threat assessments are also scenario based and driven by both factual information and credible intelligence. As a part of the U.S. Department of Defense (DOD) Unified Facilities Criteria (UFC), the department published Security Engineering Facilities Planning Manual Draft UFC 4-020-01 (U.S. DOD/DOD UFC 2006). The manual contains an overview of aggressor types, capabilities, and tactics that are adapted for transportation agency security planning purposes in Tables 1-2, 1-3, and 1-4. Aggressors are people who perform hostile acts against assets such as equipment, per- sonnel, and operations. The UFC presents four major aggressor objectives that describe aggres- sor behavior: â¢ Inflicting injury or death on people; â¢ Destroying or damaging facilities, property, equipment, or resources; â¢ Stealing equipment, material, or information; and â¢ Creating adverse publicity. The three broad categories of aggressors are criminals, protesters, and terrorists. Source: FTA 2004a. Figure 1-11. Security countermeasures by type of adversary.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 29 Criminals (Three types divided by level of sophistication) The common objective for all three criminal groups is assumed to be theft of assets. Unsophisticated criminals Unskilled in the use of tools and weapons and have no formal organization. Their targets are those that meet their immediate needs, such as drugs, money, and pilferable items. Unsophisticated criminals are interested in opportune targets that present little or no risk. Breaking and entering or smash-and-grab techniques are common. Theft by insiders is also common. Sophisticated criminals Skilled in the use of certain tools and weapons and are efficient and organized. They plan their attacks and have sophisticated equipment and the technical capability to employ it. Sophisticated criminals are often assisted by insiders. They target high-value assets and frequently steal in large quantities, yet target assets with relatively low risk in handling and disposal. Organized criminal groups Highly sophisticated, are able to draw on specialists, and are able to obtain the equipment needed to achieve their goals efficiently. These groups form efficient, hierarchical organizations that can employ highly paid insiders. Source: Adapted from DOD 2006. Table 1-2. Criminals by levels of sophistication. Protesters (Two general groups. For the purposes of this text only violent protesters are considered to be a threat.) Both groups are either politically or issues-oriented and act out of frustration or anger against the actions of other social or political groups. The primary objectives of both groups commonly include destruction and publicity. Vandals/activists Commonly unsophisticated and superficially destructive. They generally do not intend to injure people or cause extensive damage to their targets. Their actions may be covert or overt. Typically, they choose symbolic targets that pose little risk to them. Extremist protest groups Moderately sophisticated and are usually more destructive than vandals. Their actions are frequently overt and may involve the additional objective or consequence of injuring people. They attack symbolic targets and things they consider to be environmentally, socially, or religiously unsound. Source: Adapted from DOD 2006. Table 1-3. Protesters. Table 1-4. Terrorists by areas of operation and levels of sophistication. Terrorists (Three types based on their areas of operation and their sophistication.) Terrorists are ideologically, politically, or issue oriented. They commonly work in small, well-organized groups or cells. They are sophisticated, skilled with tools and weapons, and possess an efficient planning capability. Terrorist objectives usually include death, destruction, theft, and publicity. Domestic terrorists Terrorists indigenous to the United States, Puerto Rico, and the U.S. territories who are not directed by foreign interests. Domestic terrorists in the United States have typically been political extremists operating in distinct areas of the country. They have primarily consisted of ethnic and white supremacy groups, many with ties to groups that originated during the 1960s and 1970s. Historically, most acts of terrorism in the United States by domestic terrorists have been less severe than those outside the United States, and operations have been somewhat limited. One noted exception to that trend was the 1995 bombing of the Alfred P. Murrah Building in Oklahoma City. International terrorists International terrorists are either connected to a foreign power or their activities transcend national boundaries. International terrorists have typically been better organized and better equipped than their domestic counterparts. They have included political extremists and ethnically or religiously oriented groups. Their attacks have also been more severe and more frequent than those by domestic terrorists in the United States. Examples of foreign terrorist groups designated by the U.S. Department of State include the Revolutionary Organization 17 November, the Aum Shinrikyo group, Basque Fatherland and Liberty, Sendero Luminoso (Shining Path), and the al-Aqsa Martyrs Brigade. (continued on next page)
30 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Vulnerability AssessmentâPhysical Security Managing security risk for transportation agencies is a threat- and scenario-based activ- ity. Threat definition is the tool by which vulnerabilities of transportation operations and systems should be measured. Agency police or security personnel, assisted by federal, state, and local law enforcement and homeland security professionals must evaluate the actual and potential threats against their respective agencies in terms of both threat types and aggressor types. After the baseline of threat information has been identified, security management must turn to collecting data and information about the organization at risk to determine the status of systems and security countermeasures. An analysis of weaknesses and opportunities for aggressor exploitation must be performed to establish the organizationâs current capabilities to block, thwart, or mitigate an attack. A vulnerability assessment, sometimes referred to as a security vulnerability assessment (SVA), addresses this issue. Vulnerability assessment starts with examining the transportation agencyâs assets to establish what needs to be protected. It proceeds to evaluating the capabilities of existing protection systems to secure those assets and, finally, to determining security gaps that should be addressed to reduce or buy down security risk. Critical asset identificationâdetermining what transportation agency assets need secu- rity and protectionâunderlies all risk assessment activities. Critical assets include the people, property, and information assets of a transportation agency that are required for the organization to execute its primary responsibilities, activities, and functions. In the case of information systems, critical information infrastructure protection (CIIP) has developed as a subset of the more widely known concept of critical infrastructure protec- tion (CIP). Transportation agencies are complex businesses that integrate many functional, technical, and operating components and systems. Integration includes both physical aspects of the transportation infrastructure, as well as business- and customer-related processes. Safety and reliability, operating policies and procedures, maintenance, training, and customer needs are all important system attributes for identifying critical assets. All systems are composed of an integrated collection of smaller systems or subsystems. How these systems or subsystems are engineered determines the effectiveness of the transportation agency from a performance perspective. Terrorists (Three types based on their areas of operation and their sophistication.) Terrorists are ideologically, politically, or issue oriented. They commonly work in small, well-organized groups or cells. They are sophisticated, skilled with tools and weapons, and possess an efficient planning capability. Terrorist objectives usually include death, destruction, theft, and publicity. State-sponsored terrorists Generally operate independently, but receive foreign government support, to include intelligence and even operational support. They have exhibited military capabilities and have used a broad range of military and improvised weapons. They have historically staged the most serious terrorist attacks, including suicidal attacks. They are predominantly ethnically or religiously oriented. Some of these groups have legitimate political wings in addition to their terrorist wings. Examples of state-sponsored terrorist groups designated by the U.S. Department of State include al Qaeda, the Palestinian Islamic Jihad, Hezbollah, and the Revolutionary Armed Forces of Colombia. Source: Adapted from DOD 2006. Table 1-4. (Continued).
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 31 Assets should be considered critical based on their value as determined by the organization and the short- and long-term consequences of their loss, damage, or destruction. Several factors affect the criticality of assets: â¢ Loss and damage consequencesâcasualty risk, environmental impact, replacement costs, and replacement/down time; â¢ Consequences to public servicesâemergency response functions, government continuity, military importance; and â¢ Consequences to the general publicâavailable alternatives, economic impact, public health impact, functional importance, and symbolic importance. Critical assets identification is a priority task that must be undertaken prior to performing a risk assessment, in particular the vulnerability assessment part of the analysis. The NIPP Transportation Systems Sector-Specific Plan (DHS 2015a) identifies the individual- ized transportation agency approach to asset identification as the ownership view (Figure 1-12). It is one of four system risk views, multiple means to capture data about the critical infrastruc- ture of transportation systems. Modal view. The modal view treats all classes of assets within a mode collectively as a system. Infrastructure information in the modal view is categorized by interdependencies and supply Source: DHS 2015a. Figure 1-12. Transportation Systems Sector profileâownership view.
32 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies implications that are specific to a particular mode of transportation. In addition to focusing on individual assets, nodes, and links, information specific to the modal view includes how those assets, nodes, and links interact within the mode and with other modes, their emergent proper- ties and governing principles, or legislative information with specific modal impact. Geographic view. The geographic risk view compiles transportation infrastructure data within specific regions. The boundaries of those regions may vary based on the purpose and parameters of an assessment. Regions may contain markedly different assets and systems, and thus the risks to those systems and the types of data collected from those regions will differ as well. Data collection in this view will enable an information set to be defined by what is physically located within that region and the processes or policies that impact that region. Assets, links, nodes, and emergent properties within a defined geographic area are evaluated as an integrated system. Functional view. The functional view of data collection looks at the function a system ful- fills within the supply chain. Examples include all of the assets, links, nodes, processes, policies, and emergent properties associated with delivery of critical medicines, chlorine for drinking water, or heating oil to a cold climate. By examining the function a system plays in society, the critical aspects of the system can be measured. This view also will have value in identifying inter- dependencies with other critical infrastructure. Ownership view. The ownership view examines ownership of assets, including the owner/ operatorâs decision structure, policies, and procedures, and recognizes those assets owned by the same entity as an integrated system. Security Surveys The preferred means to conduct an SVA is a security survey. The survey is a fact-gathering, question-based process that uses various data collection tools to obtain necessary information about the characteristics of the organization, its systems and operations, and the consequences to the organization that would result from a successful attack against identified threat targets. SVA methodology in the security industry is varied. There are numerous approaches and tech- niques for assessing agency vulnerabilities. In the transportation sector some of the more fre- quently used methodologies include analytical risk methodology (ARM), DHS terrorism risk analysis methodology (DHS-TRAM), maritime sector risk analysis management (MSRAM), and the U.S. Armyâs CARVER matrix (Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability). Figure 1-13 shows the ARM process, and Figure 1-14 illustrates Source: FEMA. Figure 1-13. Analytical risk management (ARM) at a glance.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 33 the DHS-TRAM decision tree. Both methods are approved by Federal Emergency Management Agency (FEMA) grant programs. Self-directed vulnerability assessment methods and checklists are also available from various organizations, including DHS, FHWA, DOE, and the FBI. TSA provides direct assistance to transportation modes including transit, rail, and highway through the Baseline Assessment for Security Enhancement (BASE) and Corporate Security Review programs. Performing the Physical Security Survey Preferably, the SVA should be conducted by a trained team of security professionals using an industry-accepted methodology, as opposed to a self-assessment question list or checklist. Team members must be capable of understanding and interpreting the protection objectives, operating environment, priorities and inherent weaknesses of the transportation agency under review. The team should include a project manager responsible for the final report product of the assessment as well as subject matter experts in transportation sector and mode security. The security-trained component of the team should be assisted by a cross-disciplinary group of management and operating personnel with expertise in agency operations including commu- nications, engineering, mechanical, facilities, and transportation. To the extent necessary, this group should be further supported by specialists such as information technology professionals, human resources trainers, finance and procurement officers, and systems analysts. Figure 1-15 illustrates the process by which an SVA team works through the critical asset evaluation step of a highway vulnerability assessment approach. Note the presence of threat experts, vulnerability experts, and transportation professionals on the SVA team. Source: FEMA. Figure 1-14. DHS-TRAM vulnerability assessmentâdecision tree analysis.
34 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Vulnerability AssessmentâCybersecurity In the strictest sense, a cyber vulnerability is a weakness in an information system or the proce- dures, controls, or implementation processes surrounding the system that can be exploited by an intentional actor or compromised by non-adversarial error, natural event, or accident. Generally, information system vulnerabilities result from lapses in security controls. However, more frequently the exploitation of vulnerabilities has been enabled by rapidly emerging changes in technology or changes in organizational operations or mission. Successful exploitation of a vulnerability is a func- tion of three interrelated elements: a susceptibility of the information system itself to attack; an avail- able means to access the systemâs specific security control lapse or vulnerability; and the capability of an adversary to carry out the actions necessary to exploit the information system. But as pointed out in NIST Special Publication 800-30, âvulnerabilities are not identified only within information systems . . . vulnerabilities can be found in organizational governance struc- tures (e.g., the lack of effective risk management strategies and adequate risk framing, poor intra-agency communications, inconsistent decisions about relative priorities of missions/ business functions, or misalignment of enterprise architecture to support mission/business activities) . . . or in external relationships (e.g., dependencies on particular energy sources, sup- ply chains, information technologies, and telecommunications providers), mission/business processes (e.g., poorly defined processes or processes that are not risk-aware), and enterprise/ information security architectures (e.g., poor architectural decisions resulting in lack of diversity or resiliency in organizational information systems)â (NIST 2012). Whether vulnerabilities are brought about by internal flaws to information systems or more broadly by inadequate business practices or supply chain weaknesses, it is essential that transpor- tation organizations understand the extent of their current and future reliance on information systems, control systems, and other transportation network systems. The following sections outline vulnerabilities of these systems and how to mitigate them. Common Vulnerabilities of Information Systems The list of vulnerabilities for IT systems is far too voluminous and fluid to be included here, however, the information is readily available. The National Vulnerability Database (https://nvd. nist.gov) currently lists more than 71,429 common vulnerabilities and exposures (CVEs) (NIST Source: AASHTO 2002. Figure 1-15. Critical asset evaluation step.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 35 2019). The database is the U.S. government repository of standards-based vulnerability man- agement data. The CVE is a free, publicly available dictionary of standardized identifiers for common computer vulnerabilities or exposures, organized by year going back to 1999. It is avail- able for download in numerous formats, including CVRF, HTML, XML, and Text. Common Vulnerabilities of Industrial Control Systems Common Cybersecurity Vulnerabilities in Industrial Control Systems is a useful summary of information system vulnerabilities (DHS 2001). The report is divided into three categories: (1) vulnerabilities inherent in the ICS product; (2) vulnerabilities caused during the installation, configuration, and maintenance of the ICS; and (3) lack of adequate protection because of poor network design or configuration (Figure 1-16). Source: DHS 2001. Figure 1-16. Vulnerable communications access paths to control systems.
36 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Common Vulnerabilities of Transportation Operations Systems Traffic management centers (TMCs) use intelligent transportation systems (ITS) technolo- gies to manage traffic, address incidents, provide travel and incident data and information, and communicate with the regionâs transportation agencies, media, and other stakeholders. TMCs contain a computer network, application servers, data servers, and wireless peripherals. Field equipment such as sensors transmit information and data back to the TMC for analysis and dissemination. TMCs also control and manage traffic signals to enhance the efficiency of traffic flows. Dynamic message signs help disseminate analyzed information and provide guidance to travelers. Common vulnerabilities include the following: â¢ Poorly configured field network devices; â¢ Malware delivered using email or a compromised website; â¢ Malware walked in by a user, either inadvertently or deliberately; â¢ Compromised partner networks; â¢ Poorly configured external firewall, switches, or agency webpages; â¢ Compromised user credentials; and â¢ Unauthorized physical entry. In addition, the TMC physical design and TMC policies such as allowing public tours, can facilitate breaches. Performing the Cybersecurity Survey Although currently few models are tailored specifically to surface transportation assets or organizations, workable risk assessment models and methodologies are available for establish- ing evaluation parameters for cybersecurity risk. For example, the DHS ICS-CERT (Computer Emergency Response Team) Cybersecurity Evaluation Tool (CSETÂ®) has been used by several transportation organizations to conduct assessments. CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The CSET output is a pri- oritized list of recommendations for improving the cybersecurity posture of the organizationâs enterprise and industrial control cybersystems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls. Information about ICS- CERT is available at https://ics-cert.us-cert.gov/Assessments Consequence AssessmentâPhysical Security Consequence analysis, also called impact analysis, is an assessment of the perceived impact of an adverse event or series of events on critical infrastructure or processes. It includes the following: â¢ An analysis of the immediate, short- and long-term effects of an event or event combination on an asset; â¢ An estimate of the amount of loss or damage that can be expected; and â¢ An indication of the effects of that event on people, assets, or functionsâa characterization of âvalue.â Determining the underlying criticality of an asset is a fundamental component of conse- quence assessment. Factors affecting the criticality of assets include:
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 37 â¢ Loss and damage consequencesâcasualty risk, environmental impact, replacement costs, and replacement/down time; â¢ Consequences to public servicesâemergency response functions, government continuity, military importance; â¢ Consequences to the general publicâavailable alternatives, economic impact, public health impact, functional importance, and symbolic importance. Establishing a consequence rating for physical assets can be difficult because of a lack of expe- rience factors or actuarial data. Virtually all forms of risk assessment used in transportation use qualitative tables or matrices that present a relational comparison between critical assets. Relative analysis allows for prioritization of needs and requirements and directs transporta- tion agency security responses toward eliminating or mitigating the most significant threats. Figure 1-17 depicts a pair-wise consequence assessment that illustrates the individual scores for frequency, property damage, injury, and fatalities. Figure 1-18 presents a high-level relational matrix that supports decision-making. Consequence AssessmentâCybersecurity Regarding information systems, the level of impact is attributable to the magnitude of harm that can be expected from the consequences of unauthorized disclosure, modification, or destruction of information, or loss of information or information system availability. Transpor- tation organizations also must consider a potential for loss of life or serious injury, based on the potential for the health and welfare of passengers or other system users to be adversely affected by the compromise of agency-controlled or agency-operated systems of supervisory control and data acquisition (SCADA) or ICS. Transportation system operators are faced with a duty of care for system users that extends beyond the typical cyber breach. Currently there is no fully developed list of foundational cyber-critical assets for sur- face transportation organizations. NIST Special Publication 800-30 recommends identifying Source: U.S.DOT 2001. Figure 1-17. Pair-wise consequence assessment.
38 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies information-systemâcritical assets based on an assessment of perceived or potential harms (NIST 2012). APTAâs Cybersecurity Considerations for Public Transit provides a useful grouping of critical transit assets into three main categories (APTA 2014). Figure 1-19 shows the transit IT ecosystem and categories. Operational systems. These systems integrate SCADA, original equipment manufacturer, and other critical component technologies responsible for the control, movement, and monitor- ing of transportation equipment and services (i.e., train, track, and signal control). Such systems often are interrelated with multimodal systems such as buses, ferries, and metro modes. Enterprise information systems. This is the transit agencyâs information system, consisting of integrated layers of operating system, applications system, and business system (Figure 1-20). Enterprise information systems encompass the entire range of internal and external information exchange and management. Source: U.S.DOT 2018. Figure 1-18. FTA threat and vulnerability resolution matrix. Source: APTA 2014. Figure 1-19. APTA transit ecosystem categories.
Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation 39 Subscribed systems. These consist of âmanagedâ systems outside the transportation agency, including internet service providers, hosted networks, the agency website, data storage, cloud services, and the like. Examples include control systems that support operational systems, SCADA, traction power control, emergency ventilation control, alarms and indications, fire/intrusion detection systems, train control/signaling, fare collection, automatic vehicle location (AVL), physical security feeds (closed circuit television, access control), public information systems, public address systems, and radio/wireless/related communication. Other systems could be networks for traffic, yard, crew, or vehicle management; vehicle maintenance; positive train control, traffic control, and remote rail- way switch control; main line work orders; wayside or on-track maintenance; intermodal opera- tions; threat management; and passenger services. Subscribed business management systems could be those that support administrative processes, including transaction processing systems, manage- ment information systems, decision support, executive support, financial pay systems, human resources, training, and knowledge management. Harm to operations. These might include inability to perform current missions or business functions; inability or limited ability to perform missions or business functions in the future; and inability to restore missions or business functions. Harms (e.g., financial costs, sanctions) due to noncompliance. Lack of compliance could refer to applicable laws or regulations; contractual requirements or requirements in other bind- ing agreements (e.g., liability); direct financial costs; or relational harms. Harm to assets. This would include damage to or loss of physical facilities; damage to or loss of information systems or networks; damage to or loss of information technology or equipment; damage to or loss of component parts or supplies; damage to or loss of information assets; and loss of intellectual property. Harm to individuals. Potential harms are injury or loss of life; physical or psychological mistreatment; identity theft; loss of personally identifiable information; and damage to image or reputation. Figure 1-20. Enterprise information system. Source: APTA 2014.
40 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Harm to other organizations. These include harms (e.g., financial costs, sanctions) due to noncompliance; direct financial costs; and relational harms. Harm to the nation. Damage to or incapacitation of a critical infrastructure sector, loss of government continuity of operations, and relational harms are among potential harms. Finally, NERC CIP-002-3 designates assets based on information compromise criticalityâpublic, restricted, confidential, or privateâsuggesting that the level of security protection and controls can be managed by assignment commensurate with the risk of release (North American Electric Reliability Corporation 2017). Public. This information is in the public domain and does not require any special protec- tion. For instance, the address and phone number of the headquarters of your electric coopera- tive is likely to be public information. Restricted. This information is generally restricted to all or some employees in your orga- nization, and its release could result in negative consequences for your organizationâs business mission or security posture. Examples may include operational procedures, network topology or similar diagrams, equipment layouts of critical cyber assets, and floor plans of computing centers that contain critical cyber assets. Confidential. Disclosure of this information carries a strong possibility of undermining your organizationâs business mission or security posture. Examples of this information may include security configuration information, authentication and authorization information, pri- vate encryption keys, disaster recovery plans, or incident response plans. Risk Assessment Report The end result of the risk assessment is the publication of a report establishing the current security status of the transportation agency in terms of (1) critical asset identification, (2) threats and vulnerabilities existing against those assets, and (3) consequences or ramifications of suc- cessful attacks against those assets. The efficacy of this report will be determined primarily by its comprehensiveness and derivation of facts and opinions, produced by interviews, examina- tions, observations, analysis, and investigations. To the extent practicable, opinions should be expressed as such. At the conclusion of the report, findings and recommendations should be rendered that can be used to help formulate the agencyâs planning documentation for security needs and requirements.