National Academies Press: OpenBook
« Previous: Chapter 1 - Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation
Page 41
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 41
Page 42
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 42
Page 43
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 43
Page 44
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 44
Page 45
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 45
Page 46
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 46
Page 47
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 47
Page 48
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 48
Page 49
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 49
Page 50
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 50
Page 51
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 51
Page 52
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 52
Page 53
Suggested Citation:"Chapter 2 - Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 53

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

41 Plans and Strategies Once the transportation agency has conducted its risk assessment, the next step is to develop a security plan. This chapter highlights planning objectives and examines the core components of a comprehensive plan, including developing enterprise-wide approaches to cybersecurity enhancement and governance strategies. Organizational roles and accountabilities are identified with an emphasis on plan maintenance. The chapter concludes with a multiyear overview of the security funding cycle, addressing both operating and capital considerations. Security strategies with plans are essential in defining agency-wide goals and how to achieve them. Strategic planning is setting long-term goals, establishing the directions and constraints that will guide and identify assets and capabilities the agency needs to execute security and supporting plans. These include security plans, asset management plans, NIST Framework and strategy, and response and recovery plans. Security Plan A security plan is a written document containing information about an organization’s secu- rity policies, procedures, and countermeasures. The plan should include a concise statement of purpose and clear instructions about agency security requirements. The stated objectives of the security plan need to be attainable and easily understood. The plan should identify intended users and their assignments, responsibilities, and authorities to act pursuant to the plan’s direction. Creating a sound security plan is often as much a management issue as it is a technical one; it involves motivating and educating managers and employees to understand the need for security and their role in developing and implementing an effective and work- able security process. Organizational leaders must ensure that security planning is an actual functional activity and part of the agency’s culture. In the transportation environment, the objective of security planning is to ensure both the integrity of operations and the security of assets. Planning for security should result in the integration of protective systems and processes into the organization’s daily business routine. The security plan should also ensure that agency personnel can respond effectively to security-related incidents or emergency conditions. The Public Transportation System Security and Emergency Preparedness Planning Guide (SSEPP) contains the following statement of purpose (FTA 2003). Commit to a program that enables the public transportation system to: • Prevent incidents within its control and responsibility, effectively protect critical assets; • Respond decisively to events that cannot be prevented, mitigate loss, and protect employees, passengers, and emergency responders; C H A P T E R 2

42 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies • Support response to events that impact local communities, integrating equipment and capa- bilities seamlessly into the total effort; and • Recover from major events, taking full advantage of available resources and programs. The SSEPP describes security planning as “more of a process than a product.” This approach coincides with a vision of a security plan as a dynamic document, continually under review and subject to change. In developing the security plan, the need for flexibility should be reinforced. Alternatives and options should be incorporated into the plan to make the organization flexible and capable of responding to various situations or unexpected events. Benefits of a Security Plan The most significant benefit of a security plan is its help in ensuring that security is integrated into the daily business of the transportation agency. The security plan directs personnel toward prevention and mitigation of the effects of security incidents by integrating approaches that have proven effective into the operating environment. Benefits of a security plan include: • Defines resource requirements for staffing and equipment; • Coordinates the activity of different departments and functions; • Establishes action steps for employees in response to an incident; • Promotes understanding of the issues involved during a crisis; • Identifies information requirements for security incidents; • Promotes a sense of ownership and buy-in by employees; • Ensures a clear division of tasks and responsibilities; and • Identifies training requirements. Security must compete with other system goals, including those of the operations department, engineering, maintenance, and others, for limited resources and funding. Because security is a functional area with little observable return on investment, it can be difficult to balance security costs against other more traditional or bottom-line–enhancing transportation agency initiatives. Security initiatives must be seen as cost-effective and well defined to compete successfully. Devel- oping a security plan is an effective way to meet cost-benefit and competitive resource challenges. The plan can also reduce litigation risk and insurance costs. When the security plan is well struc- tured and soundly developed using the appropriate strategies and elements, the resulting product can be a blueprint for short-term and multiyear security planning. The security plan can address how future purchases would fit into the overall agency operating and capital investment strategy. Security planning also sets out the policies and procedures related to security and any special requirements or considerations unique to the specific agency. The security plan directs personnel toward preventing and mitigating the effects of security incidents by identifying security counter- measures and emergency preparedness response activities that should be taken to protect the transportation system, its employees and customers, and the surrounding communities. Elements of a Security Plan To develop an effective security plan it is necessary to establish the essential plan elements for the organization. TCRP Report 86, Volume 10: Hazard and Security Plan Workshop provides an overview of the transportation security planning process (TRB 2006e). The document also presents a template for developing a hazard and security plan (HSP). The template is designed to help trans- portation programs and transit agencies implement four core planning development functions: • Establishing priorities, • Organizing roles and responsibilities,

Plans and Strategies 43 • Selecting countermeasures and strategies, and • Maintaining the plan. Establishing Priorities As shown in Figure 2-1, plan development starts with identifying the purpose of the docu- ment. Although the plan should be flexible enough to cover a broad range of security incidents, the best way to ensure plan effectiveness is to use a prioritized, scenario-based list of critical event types to drive plan activity. This list should consist of events considered routine and most likely to occur, as well as those that may occur less frequently but with far-reaching conse- quences. The HSP identifies the objectives of this phase of security planning: • Create a written statement of purpose covering routine and emergency situations. • Define the situations that the hazard and security plan will cover. • Look at assumptions about the situations surrounding the use of the plan. • Discuss how an organization plan fits into the overall community security and emergency plan. Source: TRB 2006e. Figure 2-1. Hazard and security plan development.

44 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Organizing Roles and Responsibilities In this phase of planning, key personnel and their security roles and responsibilities are determined. Incident-based priority security tasks should be listed and assigned to a specific individual known as the primary or principal. Secondary responsibility should be assigned to other individuals whose ability to perform will not be compromised by the loss of the primary. Interdependencies of functions should be delineated between departments and coordinating points established to facilitate liaison in areas of overlapping responsibility. Planners should ensure that this section provides clear and concise direction to assigned personnel regarding their primary and secondary duties. The goal is to achieve the stated objectives and secu- rity requirements of the plan under all potential operating conditions or scenarios. The HSP identifies the objective of this phase of the security plan as development of an organizational structure, with a clearly defined chain of command and designated roles and responsibilities. It should cover responsibilities: continuity of services, including designating lines of succes- sion and delegating authority for successors, developing procedures for relocating essential departments, developing procedures for deploying essential personnel, equipment, and sup- plies, and establishing procedures for backup and recovery of computer and paper records, and contact information. Selecting Countermeasures and Strategies Consistent with emergency management principles, the risk and vulnerabilities reduction measures and strategies associated with transportation sector security planning should follow the five stages of protection activity—prevention, mitigation, preparedness, response, and recovery. Security planners should select countermeasures keeping in mind the concepts of system security, layered or overlapping security, and system integration. The HSP identifies the objectives of this phase of the security plan as follows: • Part A: Prevention – Examine activities to reduce the likelihood that incidents will occur. – Establish safe and secure procedures for passengers, vehicles, drivers, and facilities. • Part B: Mitigation – Examine activities to reduce asset loss or human consequences (such as injuries or fatalities) of an incident. – Establish safe and secure procedures for passengers, vehicles, drivers, and facilities. • Part C: Preparedness – Examine preparedness activities to anticipate and minimize the effects of security-related incidents and equip employees to better manage these incidents. – Establish emergency policies and procedures for passengers, employees, and management to follow in case of emergencies. – Keep training, drills, and contact lists up to date. – Establish and maintain mutual aid agreements with fire departments, emergency medical services, and emergency management services. • Part D: Response – Examine activities used to react to security-related incidents and hazards and help protect passengers, employees, the community, and property. – Establish what information is to be collected by which employee. – Ensure that policies and procedures established in the mitigation and preparedness portions of the HSP are followed. • Part E: Recovery – Examine policies to assist in recovering from incidents that have occurred so service can resume as quickly as possible.

Plans and Strategies 45 – Establish a review of policies, documents, plans, and vehicles. – Evaluate response and oversee recovery and restoration of personnel, service, vehicles, and facilities. Maintaining the Plan Finally, the agency must ensure that security plans remain current and responsive to the dynamic changes that can occur in the transportation operating environment, while creating a process that will support plan consistency with the future needs of the agency. Optimally, plans will be scalable and upgradable on a flexible timeline that has sufficient sensitivity to external security factors to allow for as-needed adjustments. The HSP recommends program- matic scheduled plan review periodically—at least every 6 months to 1 year. The document also provides guidelines on how this review should be conducted; suggested steps are as follows: • Identify areas to update. • Determine completeness. • Reassess roles and responsibilities. • Review factual information (especially names and phone numbers included in the plan). • Reevaluate employee knowledge and awareness (training assessments, for example). • Revise programs and procedures included in the HSP. The HSP also suggests that the occurrence of certain events may require planners to accelerate the scheduled conduct of a review. Such events include: • The addition of members inside the organization and outside the organization who have specific roles outlined in the HSP (e.g., a new general manager or a new local fire chief); • New operations or processes that affect the HSP (e.g., a new bus line); • New or renovated sites or changes in layout (e.g., a new bus garage or office building); and • Changes with outside agencies such as new suppliers or vendors (e.g., a new memorandum of understanding signed with the local sheriff’s department). Other Plans Response and Recovery Plan Response plans address the capabilities needed for response to an incident or event. The size and location of the event will greatly affect the transportation agency’s role in the response effort. A crash involving an overturned tractor-trailer that blocks traffic on one of the state’s main Interstates, for example, will obviously require different response actions than the response to a large-scale terrorist attack or the threat of an impending hurricane. Transportation agencies typically fulfill a support role in the emergency response effort, not often serving as the lead emergency response agency. However, the role transportation plays in response is critical. As the National Response Framework (NRF) states, “The ability to sustain transportation services, mitigate adverse economic impacts, meet societal needs, and move emergency relief personnel and commodities will hinge on effective transportation decisions at all levels” (FEMA 2016d). For an agency to be ready to fulfill its role, a comprehensive response plan must be in place. The Traffic Incident Management program provides processes and procedures for responders (firefighters, emergency medical personnel, law enforcement, towing and recovery, safety patrols, transportation and maintenance crews, and 911 professionals) to work as a team to clear

46 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies incidents safely and quickly. A Guide to Emergency Management at State Transportation Agen- cies, Second Edition, provides guidance on practices in emergency response planning within the all-hazards context of the National Incident Management System (NIMS) (TRB 2019). Continuity plans outline essential functions performed during an incident that disrupt normal operations, and the methods of performing these functions. These plans also describe the process for timely resumption of normal operations once the emergency has ended. Con- tinuity of operations plans (COOPs) address the continued performance of core capabilities and critical operations during any potential incident. Continuity of government plans address the preservation and/or reconstitution of government to ensure that constitutional, legisla- tive, and/or administrative responsibilities are maintained (TRB 2006a). Recovery plans developed prior to a disaster enable agencies to effectively direct recovery activities and expedite a recovery effort. Pre-incident recovery planning helps to establish recovery priorities, incorporate mitigation strategies in the wake of an incident, and identify options and changes that should be considered or implemented after an incident. Planning for recovery is an integral part of security and infrastructure protection. The speed and success of recovery can be greatly enhanced by establishing processes and relationships before an event occurs. Preparing for recovery prior to a disaster reduces the problems of trying to locate required capabilities and create policies when scrambling to manage immediate recovery. Recovery efforts are executed more efficiently when resources are pre-positioned, contractors have been preapproved, and alternate facilities have been identified. Having a recovery plan is different from just modifying or adding onto the existing emergency response plans. Pre-event recovery plan- ning helps establish priorities, structure, and organization; define roles and responsibilities; deter- mine resources to be pre-positioned; and identify approaches to support the recovery process. A number of considerations should be taken into account when embarking on a pre-event plan- ning process. An effective pre-event recovery process helps ensure the recovery process is con- ducted quickly, efficiently, and cost-effectively while limiting disruptions and improving the transportation infrastructure after the recovery. Pre-event recovery planning is addressed in NCHRP Report 753: A Pre-Event Recovery Planning Guide for Transportation (TRB 2013a). Departments of transportation may coordinate planning efforts with other state agencies, including the state’s emergency management agency, county highway departments, various agencies of the U.S.DOT, and transportation departments from other states, to ensure activi- ties can be easily integrated when necessary. Transportation departments also need to plan to receive and use resources provided by other states and the federal government during opera- tions. In conducting these activities, departments of transportation should consider applicable standards and best practices for incorporating risk and resilience into functions and systems. Asset Management Strategy and Plan The FHWA on October 24, 2016, published its final rule on required state-approved asset management plans and processes. Asset management is a strategic and systematic process of operating, maintaining, and improving physical assets, with a focus on engineering and economic analysis based on quality information, to identify a structured sequence of main- tenance, preservation, repair, rehabilitation, and replacement actions that will achieve and sustain a desired state of good repair over the life cycle of the assets at minimum practicable cost (FHWA 2016). The rule addresses requirements established by the MAP-21 and FAST acts for states to develop and implement risk-based asset management plans for the National Highway System, to improve or preserve asset condition and system performance.

Plans and Strategies 47 The FHWA believes that “understanding risk and how to manage it is emerging as another core competency expected of transportation agencies.” The FHWA supports a broad approach to risk management that includes managing threats and capitalizing on opportunities. The FHWA, in Risk-Based Transportation Asset Management, Report 1, summarized the benefits of a risk-based asset management program (FHWA 2012). [It] provide(s) a new opportunity for DOTS to explain their decisions and demonstrate to the public and policy makers that they are responsible stewards of scarce resources. A risk-based approach to man- aging corridors and networks can allow DOTS to make the case for the difficult tradeoffs so many are forced to accept because of insufficient revenue to maintain the entire system adequately. When resources are limited, it provides them an opportunity to convey to policy makers and to the public the logic and reasoning behind the need to accept lower levels of service on lesser used roads in return for preserving performance and minimizing risks to more important ones. Such strategies typically represent a well thought-out and methodical approach to decision-making. They demonstrate the strategic best use of limited resources to preserve condition and performance on key routes, as opposed to spreading limited funds equally across the network and accepting a statewide drop in highway condition and performance. NIST Framework and Strategy Development of technology security plans should include a cyber protection plan and tech- nology disaster recovery plans for IT systems and applications. To assist in implementing an approach that is focused on standards NIST, working with industry groups and the private sector, has developed a framework of baseline standards for cybersecurity (Figure 2-2). The NIST Cybersecurity Framework is technology-neutral and relies on existing standards, guid- ance, and best practice to provide “a common language for describing current and target states of security, identifying and prioritizing changes needed, assessing progress and fostering communica- tions with stakeholders. It is meant to complement, not replace, existing cybersecurity programs” (NIST 2018). The framework is designed to provide a common taxonomy and mechanism for organi- zations to: • Describe their current cybersecurity posture; • Describe their target state for cybersecurity; • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; • Assess progress toward the target state; • Communicate among internal and external stakeholders about cybersecurity risk. Source: NIST 2018. Figure 2-2. NIST Cybersecurity Framework.

48 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies The NIST Cybersecurity Framework was developed to complement an organization’s estab- lished risk management process and cybersecurity program. An organization can use its current processes and leverage the framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. For organizations with no formal cybersecurity program in place, the framework can provide a foundation upon which to implement a robust cybersecurity program (Figure 2-3). Security Design Processes A security system should be designed only after a risk assessment has been performed and a comprehensive security plan has been designed. Until these tasks have been completed, the available data will not be sufficient to permit good decisions about security strategies. In a perfect world, strategy is data driven; in business, it is a commonly accepted practice (e.g., “what cannot be measured cannot be managed”). However, the security industry has been slow to use measur- able factors in reducing risk because of difficulties in establishing security-related metrics. The design of an integrated security system is performed properly through a structured meth- odology known as system engineering. Security-related system engineering is the protection of physical infrastructure components and logical structures and processes from threats and vulnerabilities (Garcia 2001). The process begins with definition of requirements, continues through to design and analysis of multiple potential solutions, and ends with selection and testing of the best design to meet requirements and goals and then begins again. Chapter 1 discussed risk insurance and the two types of risk cost-benefit analysis methods— quantitative and qualitative. Quantitative analysis is a numbers- or experience-based prob- ability assessment that uses previously collected information to forecast the likelihood of a security event. The goal of quantitative security design is to decrease the ratio of unfavorable Source: NIST 2014a. Figure 2-3. Cybersecurity Risk-Based Framework.

Plans and Strategies 49 The Idaho Transportation Department (ITD) uses a chart to display quarterly results (Figure 2-4). Goals have been set for each function based on the priorities set by the agency. ITD found that over time, as it became more cybersecurity-adept, the scoring became “harsher” than the initial assessment, so in some instances the tier was lower in a subsequent quarter. The ITD process allowed the team to successfully address the cybersecurity funding challenges of how much is available and where in the agency it comes from. Initially, there was a one-person cybersecurity team with tools being paid from business-area budgets. Using the NIST Framework and the results chart, support from senior management was easier to obtain. The chart showed cyber risk as part of the agency’s holistic “big picture” and demonstrated the return on investment. ITD uses for its technology standards an NIST Framework that provided a common set of terms and values so that the agency could create metrics on movement towards goals—what investment looked like in terms of agency-specific goals and the work accomplished to address technology gaps. The framework gave the agency a structure for demonstrating return on investment in resources, employees, and tools that reduced the agency’s cyber risk. Other organizations have adapted the NIST Framework to easily convey to management their risk treatment plan and results. According to an interview with ITD personnel, the University of Michigan utilizes a hi/med/low rating instead of the scoring system used by Idaho. See University IT Policies and Standards at http://cio.umich.edu/policy Source: NIST 2014a. Figure 2-4. Example of ITD NIST Framework quarterly goal tracking.

50 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies security events to total events through the analysis of data related to the known frequency of occurrence of a particular type of security incident. Once the probability aspects of a security incident have been defined, cost analysis is undertaken to rate the actual amount of loss against the costs of prospective security countermeasures available to reduce the risk associated with an occurrence. Whenever feasible, a quantitative analysis based on the collection of objective data should be considered first in performing a security risk analysis. In contrast, qualitative analysis is based on characteristics, conditions, and events rather than numeric assessment. This form of analysis demands an in-depth knowledge of the organization being assessed and an understanding of the operating environment in which work is performed. Some believe that qualitative analysis is sufficient and perhaps preferred to address the protec- tion of lower-value assets; however, it is by default that qualitative analysis is the most widely used approach to risk analysis in the security industry. In the most rigorous applications, its use is by necessity because of an organization’s inability to perform quantitative analysis. A typical qualitative assessment assigns relative values to assets based on factors such as criticality of loss and replacement costs. Threats against those assets are also given a relative value based on their probability of occurrence. The result is a risk equation that computes risk as a function of impact and likelihood of occurrence. Qualitative analysis depends on the capabilities of the analyst performing the assessment. It is more subjective because of the lack of historical information or metric data to support its assumptions. However in most circumstances, precision can give way to grouping the out- comes of qualitative relative value ratings into categories such as high, medium, or low. Although knowledge of an agency’s characteristics may be more important to qualitative analysis, either type of assessment requires a transportation agency to determine which secu- rity issues are most critical. Once identified, a strategy and timeline for reducing risks and vulnerabilities can be established. The goal of a security design strategy should be the logical and incremental “buy-down” of security risk, to provide acceptable levels of protection for transportation agency assets and operations on a continuing basis. Risk buy-down should be focused on what is of priority to the organization, to ensure maximum performance is main- tained. Cost-effective security systems use a combination of countermeasures to meet secu- rity requirements. These normally include security staffing, training of employees, hardware (including electronic security systems), and security policies and procedures. Employees of transportation agencies and users of transportation systems can be critical resources for maintaining a safe and secure operating environment. Traveler awareness and security awareness programs enable all stakeholders to contribute to security by providing situational awareness and advocating for “saying something” when something does not seem right. (See Chapter 5 for additional information on Awareness Programs.) Security design today demands that these component security resources be systematically attained then combined in a way that achieves security objectives while minimizing costs. System security should start with the basics—those countermeasures that are most effective for the least amount of money. These are outlined in Figure 2-5. Then, using assessment data obtained through analysis, the agency can add more costly system components until the level of security required to protect critical assets has been met. But developing a systems approach to security is more challenging than simply costing out security countermeasures into a hierarchy and applying them to an existing security vulnerability or situation. Transportation security issues are dynamic and evolving. Changing characteristics, condi- tions, and events require the synthesis of available resources to compensate for the weaknesses or

Plans and Strategies 51 loss of capabilities of a security countermeasure. Layered security (also referred to as overlap- ping security) enables security design strategists to overcome uncertainty in security resource allocation and decision-making. For example, protecting a critical transportation asset such as a fuel depot may be accomplished first by requiring employees to be present at the depot during all hours of operation, without exception. After hours, fencing, gates, lights, and locks would be used to secure the fuel facility. Finally, security patrols would make periodic checks at the facility as an additional protective measure. If specific threats are received that the fuel depot is a target of attack, the configuration of security countermeasures can be adjusted to meet the new security requirements. Assuming the facility remains open, additional staff could be assigned to be present at all times. Gates could be locked during hours of operation and identification checked for all persons seeking to enter the depot. Security forces could be permanently assigned to remain on the grounds. In this simplified scenario, increased vigilance is made possible by the layers of overlapping security capabilities that already exist. However, the redeployment of personnel to increase security at the fuel depot degrades security countermeasures available to protect the agency’s other assets. Sizing the scope of this potential loss of a security resource during critical periods becomes an important part of the agency’s security design strategy. Overlapping security does not end with the layering of security countermeasures. As pointed out in Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, “transportation security can best be achieved through well-designed security systems that are integrated with transportation operations” with security methods and techniques that are “dual use, adaptable and opportunistic” in the diverse and dynamic transportation sector (National Research Council 2002). For example, closed-circuit television (CCTV), increased lighting, or patrols by security personnel may improve the effectiveness of service delivery along with reducing crime and increasing security. A system can be defined as “an integrated collection of components or elements designed to achieve an objective according to a plan” (Garcia 2001). Systems can be small or large, complex or relatively simple. Complex systems usually are composed of smaller subsystems designed to work together. In the transportation sector, security systems integration can include the con- vergence of classic functions (e.g., safety, crime prevention, fire prevention, communications, and facility management) with functions unique to the industry (e.g., fleet management, pack- age and cargo tracking and control, or dispatching operations). When considering opportunities for integrating security with other transportation functions, it is important to recognize Source: TRB 2009; Ernest Frazier. Figure 2-5. Security countermeasures cost scale.

52 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies that the synergies can be two-directional. Security-related technologies and procedures can be integrated with existing or newly created systems to produce non-security benefits, and non-security systems or subsystems can be applied more broadly to reduce security risks and vulnerabilities. Central to this concept of security systems integration is recognition that, prior to making new investments, existing systems and functions should be surveyed to explore opportunities for expanded use. For example, rather than deploying costly new surveillance systems, cameras, and monitoring stations, a bridge operator whose function is to safely raise or lower a bridge over navigable waters may be given new security inspection requirements to check periodically for signs of forced entry to bridge access points. Depending on the criticality of the bridge in terms of transportation operations, this approach may be optimal. Security Funding The axiom “If you fail to plan, then plan to fail” applies to transportation security. The FTA’s SSEPP states the issue even more succinctly: “Plan first, then spend” (FTA 2003). Security is highly sensitive to adverse consequences and prone to reactionary influences that may or may not result in an appropriate response to an incident. Crisis response to a security incident or series of incidents demands the exercise of good judgment and sound policy to prevent spend- ing money carelessly or ineffectively. Security practitioners and risk management professionals recognize that it can be difficult to establish the value of a specific security countermeasure or activity. This difficulty is compounded when measures are grouped together or security is lay- ered in a protective system. But quantifying the operating costs, savings, and/or revenues that will result from project implementation and incorporating those results into financial planning will ensure that security funding is considered on balance with other agency funding priorities. Security programs should be well thought out and sustainable over a predetermined term. The objectives and integration of security with other operating disciplines and management pro- cesses should be conducive to the overall goals of the transportation agency. Overlapping of security funding cycles should be considered. At minimum, an agency should conduct security planning on a 1-year basis for both operating and capital and a 5-year basis for capital improvements. (Some transportation organizations may use as much as a 1-year, 3-year, 5-year, and 10-year capital investment planning strategy.) Accomplishing both short- and longer-term planning will provide continuity and a structured methodology for balancing the cost and effectiveness of security measures against the transportation organiza- tion’s capability to fund security improvements. In relation to security, most costs associated with short-term operating funding cycles are labor related. For a transportation agency that maintains its own police or security force, these operating costs can run as high as 90% to 92% of budget allocation. But determining the correct number of police and security employees is highly contingent on the threats and vulnerabilities of the agency balanced against the mix of security measures deployed to reduce security risk. In particular, the transportation agency must weigh the costs of security personnel against the prospective use of other less-costly secu- rity countermeasures, such as improved policies and procedures, employee security awareness training, or security systems, including locks, access control, or intrusion detection systems. Just like an operating budget, and in conjunction with operating budget development, plan- ning and managing the capital improvement plan should occur in a regular, annual cycle. It is here that security funding often meets its most significant challenges in the allocation of available resources. When possible, security expenditure recommendations at this stage in the funding cycle should contribute to the overall efficiency of the transportation agency in

Plans and Strategies 53 performing its core mission, goals, and objectives. Although not always the case, certain secu- rity measures such as increased lighting, improved communications, passenger flow gating, or simply directional signs can serve the dual purpose of adding to the effectiveness of service delivery. Five-year capital planning is the point in the funding cycle where an agency can take best advantage of the development of a security plan. Longer-term security improvements that seek to reduce the vulnerabilities of an agency’s transportation critical infrastructure can be designed as components of larger systems and subsystems that are central to the organization’s strategic future. For example, an out-year strategy to replace the soon-to-be-antiquated or inefficient traf- fic control center of an agency can be augmented by adding security-improving CCTV technol- ogy that permits traffic controllers to observe operating conditions at train stations or along bus routes. Similarly, a decision by management to invest in AVL technology for rolling stock can serve the important security and emergency response benefit of identifying the exact location on the system of a vehicle in distress. Thinking about security improvements in this way also facilitates the cost-effective designing-in of security measures at the outset of capital projects, instead of spending significantly more money to retrofit security into existing infrastructure. Security systems in and of themselves also require multiyear planning to ensure their effective- ness and continued usefulness. The replacement or upgrading of security system components should be contemplated as a continuous process that is capable of meeting the stated physical protection system require- ments of the organization and flexible enough to respond to the changing security threats and vulnerabilities that occur over time.

Next: Chapter 3 - Security Countermeasures »
Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing and can impact not only data, but the control systems—like tunnel-ventilation systems—operated by transportation agencies.>

The TRB National Cooperative Highway Research Program's NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.

The report is accompanied by a PowerPoint for the project and NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!