National Academies Press: OpenBook

Security 101: A Physical and Cybersecurity Primer for Transportation Agencies (2019)

Chapter: Chapter 1 Risk Management, Risk Assessment, and Asset Evaluation

Suggested Citation:"Chapter 1 Risk Management, Risk Assessment, and Asset Evaluation." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.

Chapter 1 Risk Management, Risk Assessment, and Asset Evaluation

Risk in the broadest sense is defined as “the possibility of loss or injury.” When an asset or something of value is identified as “at risk” there is a presumption that the asset has been placed in a state or condition that creates or suggests the chance of loss or peril. In terms of security, there are two main categories of risk that transportation agencies face – physical and cyber. But in practice the two types operate in dynamic confluence, with loss or injury occurring in many cases through either a physical or cyber threat, or through a convergence of both. Determining the optimal means to manage security risk is the appropriate starting point irrespective of the type of threat. Before any plans are made, or any dollars are spent, security planners must become knowledgeable about the nature of risks confronting the agency and the tactics or techniques available to them to respond to present or potential security challenges.

Physical Security Risk consists of the much narrower category of possible loss events that result from the intentional harmful acts of other persons. It requires an actor and a motivation to do harm, and to constitute actual risk there must be a capability or opportunity to accomplish the adverse act. The crime of robbery is a good example. For a robbery to be considered to have occurred there must be an actor with the intent to take something of value by force from a victim. Assume the robber has a gun and threatens to shoot the victim if he doesn’t turn over his money. There is a criminal actor, the verbal threat to shoot indicates there is motivation to do harm, and the gun represents the capability to commit the act. Comparatively, a much broader safety-related risk may consist of a potential accidental release of a chemical substance into the atmosphere or bad weather causing a hazardous condition such as icy roads. In such cases there was no intent by an individual to harm another. Security risk is therefore “threat based” as opposed to “hazard based.”

Cybersecurity Risk is also based on the commission of intentional acts. The risk of cyber-attack committed by criminals, hacktivists, terrorists, hostile nation-states, or even individuals seeking self-recognition for technology “prowess” has become a top priority concern for governments and private industry throughout the world. Coupled with outcomes or consequences resulting from either unintentional acts or disruptions caused by natural events, the landscape for securing the information technology critical infrastructure and the control systems associated with that infrastructure becomes more daunting day by day.

As the United States and its industries become more and more entangled in the confluence of the internet, there has been a demonstrable change in the way we interface and communicate. Business has been revolutionized and the world has grown smaller, faster, and more complex because of the connectivity enabled by information technology systems. However, along with an increased capacity to communicate and interface technologies and to control operating systems comes an extended set of vulnerabilities that are subject to exploitation. Indeed, the inherent, sometimes unintentional, and often sought-after openness and accessibility of IT and ICS systems has created significant opportunities for attackers to penetrate, commandeer, or otherwise neutralize the effectiveness or security of cyber systems.

The transportation industry has not been excepted from this exponential growth in risk associated with cyber, IT, and ICS. There have been many reported instances of direct attacks targeting transportation or occurrences in which downside exposure has resulted from exploitations of common, distributed, or shared multi-industry user technologies. Similarly, broad mainstream attacks against widely used information systems or communications technologies have impacted transportation industry operations along with other industries. Transportation ICS systems that are becoming increasingly dependent on the digital world to function present additional concerns in that cyber manipulations of control systems can cause serious injury or death to travelers, passengers or system users.

But what is risk management and how does it differ from risk assessment or vulnerability assessment? Understanding these relationships is an essential component of establishing an effective transportation security and defense strategy. Unfortunately, in practice the terms are often confused or used interchangeably, creating unnecessary communications difficulties.

Risk Management in the context of physical and cybersecurity consists of the range of activities that a transportation agency can undertake to resolve identified security risks. Although there are variations in application, the risk management process for both physical and cyber requires consideration and adoption of many of the same security principles. Optimally, risk should be viewed in the context of transportation business and environmental control factors, resulting in recommendations for risk response options. Response options include risk avoidance, acceptance, transfer, dependency and spreading, and reduction strategies (including assessment).

Figure 1: Risk Management/Risk Mitigation Strategies. Source: Adapted from NCHRP Report 525 Volume 14, Security 101: A Physical Security Primer for Transportation Agencies.

Risk Avoidance, the simplest of all solutions for eliminating risk, consists of refraining from engaging in the risky activity in the first place. For example, following along with the robbery scenario, the implementation of a cashless fare system will eliminate the risk of loss of cash in the transportation system revenue stream. Similarly, in the scenario where cyber risk is presented by the technological automation of an operational system, the alternative of a non-cyber ventilation system will eliminate the cyber-related risk of automating fan mechanisms.

Risk Acceptance requires no real action to be taken by the organization. But acceptance should be based on a knowledgeable and responsible recognition of the probability and impact of perceived adverse physical or cyber events. Typically, cost-benefit analysis can be utilized to determine the tipping point where expending funds to fix a problem exceeds the return on investment that the mitigation achieves.
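The response options above (avoidance, acceptance, transfer, reduction) and the cost-benefit "tipping point" for acceptance can be made concrete with a small annual-cost model. The following is an added example, not code from the primer or from any agency it describes. It assumes a simple expected-loss model (expected annual loss = likelihood per year times consequence in dollars) and every scenario, option and dollar figure in it is constructed, using the chapter's own cash-robbery and ventilation-fan scenarios as the settings.

```python
"""Choosing a risk response (accept, avoid, transfer, reduce) by annual cost.

Added illustrative example, not from the primer. It assumes a simple
expected-loss model: expected annual loss = likelihood per year * consequence
in dollars. All scenario numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float    # expected loss events per year (constructed estimate)
    consequence: float   # dollar loss per event (constructed estimate)


@dataclass(frozen=True)
class ResponseOption:
    kind: str                    # "accept", "avoid", "transfer" or "reduce"
    name: str
    annual_cost: float           # control cost, premium, or cost of giving up the activity
    residual_likelihood: float   # likelihood once the option is in place
    residual_consequence: float  # loss the agency still bears per event


def expected_annual_loss(likelihood: float, consequence: float) -> float:
    return likelihood * consequence


def total_annual_cost(option: ResponseOption) -> float:
    """What the option costs per year: what you pay plus what you still expect to lose."""
    return option.annual_cost + expected_annual_loss(
        option.residual_likelihood, option.residual_consequence)


def accept(scenario: Scenario) -> ResponseOption:
    """Risk acceptance: no spend, the full expected loss is retained."""
    return ResponseOption("accept", "accept as-is", 0.0,
                          scenario.likelihood, scenario.consequence)


def tipping_point(scenario: Scenario, residual_likelihood: float,
                  residual_consequence: float) -> float:
    """Largest annual spend on a reduction that still beats plain acceptance.

    Spending more than this on the control costs more than the loss it prevents.
    """
    before = expected_annual_loss(scenario.likelihood, scenario.consequence)
    after = expected_annual_loss(residual_likelihood, residual_consequence)
    return before - after


def choose_response(scenario: Scenario,
                    options: Iterable[ResponseOption]) -> ResponseOption:
    """Pick the cheapest option per year; acceptance is always a candidate."""
    candidates = [accept(scenario), *options]
    return min(candidates, key=total_annual_cost)


# Constructed scenario 1: cash in the fare revenue stream (the robbery example).
CASH = Scenario("cash in fare revenue stream", likelihood=0.25, consequence=60_000.0)
CASH_OPTIONS = [
    ResponseOption("reduce", "armored cash handling", 8_000.0, 0.0625, 60_000.0),
    ResponseOption("avoid", "cashless fare system", 20_000.0, 0.0, 0.0),
    # transfer: premium paid, only a $5,000 deductible retained per event
    ResponseOption("transfer", "crime insurance", 9_000.0, 0.25, 5_000.0),
]

# Constructed scenario 2: automated tunnel ventilation fans exposed to cyber risk.
FANS = Scenario("automated ventilation fan control", likelihood=0.125, consequence=40_000.0)
FAN_OPTIONS = [
    ResponseOption("reduce", "network segmentation of the fan controllers",
                   6_000.0, 0.03125, 40_000.0),
    ResponseOption("avoid", "non-cyber (manual) ventilation system", 12_000.0, 0.0, 0.0),
]

if __name__ == "__main__":
    for scenario, options in ((CASH, CASH_OPTIONS), (FANS, FAN_OPTIONS)):
        best = choose_response(scenario, options)
        print(f"{scenario.name}: {best.kind} ({best.name}) "
              f"at ${total_annual_cost(best):,.0f}/year")
```

With the constructed numbers, insurance wins for the cash scenario (the premium plus the retained deductible is below every alternative), while for the fan scenario both the segmentation control and the manual alternative cost more per year than the loss they prevent, so acceptance is the rational choice; `tipping_point` returns the largest control spend at which reduction would still have beaten acceptance. Reputational loss, which the chapter notes cannot be transferred, would have to be folded into the consequence estimate rather than the premium.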

Risk Transfer is the use of insurance to transfer all or parts of liability to another business or entity. Transfer is one of the traditional market mechanisms for estimating, pricing, and distributing risk. Risks related to natural hazards such as fire, earthquake, or flood have been identified and assessed, and quantitative actuarial data about these types of incidents has been amassed to evaluate potential losses. However, the process of understanding and managing terrorism risk remains difficult. Currently, terrorism risk insurance is available only on a limited basis because there is relatively little experience or actuarial data from which to draw conclusions. Prospective buyers of terrorism risk coverage do not have a reasonable basis for estimating their insurance needs. Similarly, sellers of insurance do not have a reliable means for costing out terrorism risk coverage. In contrast to terrorism coverage, cybersecurity is one of the fastest growing lines of insurance. According to the Betterley Report (June 2017) the annual gross written premium is $4 billion (up from $3.25 billion in the 2016 report). Coverage can cost more for companies that hold customer personal data (credit card numbers, medical information, social security numbers), or even employee data for companies with large numbers of positions and staff. Reputational risk, however, cannot be transferred.

Risk Dependency and Spreading considers that coordinated collaboration amongst physical and cybersecurity stakeholders, including end user operators, security practitioners, designers, manufacturers and distributors, integrators, standards organizations, and government regulators, can result in the identification of defensive strategies to effectively reduce security risk. Maximizing the accountability of all stakeholders in the supply chain presents the opportunity for a strong and systematized approach to managing risk that is both highly efficient and cost effective.

Risk Reduction is characterized by the implementation of actions that lower the risk to the agency. In relation to security it is also frequently informed by risk assessment; threat, vulnerability and consequence assessment (TVC) analysis; or threat and vulnerability assessment (TVA).

Risk Assessment is a systematic process through which assets are identified and valuated, credible threats to those assets are enumerated, applicable vulnerabilities are documented, potential impacts or consequences of a loss event are described, and a qualitative or quantitative analysis of resulting risks is produced. Risks are generally reported in order of priority or severity and attached to some description of a level of risk. Risk assessment answers the questions: What can go wrong? What is the likelihood that it would go wrong? What are the consequences?

Figure 2: Risk Equation. Source: National Research Council 2010. Review of the Department of Homeland Security's Approach to Risk Analysis. Washington, DC: The National Academies Press, p. 88.

The U.S. Department of Homeland Security defines the component parts of risk assessment as follows:

• Threat Assessment is “a systematic effort to identify and evaluate existing or potential terrorist threats to a jurisdiction and its target assets.” Importantly, in the context of terrorism, in the absence of threat there is no actual risk of loss or injury. But transportation agencies typically consider threat more broadly to include threats of criminal activity, as well as terrorist activity. Threat definition has two areas of focus, the first towards threat scenarios based on real events or perceived exposures, and the second towards identification of likely adversaries, tactics and capabilities.

• Vulnerability Assessment is “the identification of weaknesses in physical structures, personnel protection systems, processes, or other areas that may be exploited by terrorists.” Such weaknesses can occur in facility characteristics, equipment properties, personnel behavior, locations of people and equipment, or operational and personnel practices.

• Consequence Assessment is “an analysis of the immediate, short and long term effects of an event or event combination on an asset.” It is an estimate of the amount of loss or damage that can be expected.

A mainstay of both physical and cyber systems security, risk reduction depends primarily on the assessment of threats, vulnerabilities, and consequences (TVC analysis) of an event or series of events in an effort to identify opportunities to reduce or mitigate losses associated with their occurrence. Organizations conduct risk assessments to determine risks that are common to the organization’s core missions and business functions, mission and business processes, mission and business segments, common infrastructure and support services, or information systems. Risk assessment is a function of the frequency, likelihood or probability of an event and an analysis of its consequences.

NIST Special Publication 800-30 summarizes the steps associated with cyber risk assessment:

Step 1: Prepare for Risk Assessment
• Task 1-1. Identify Purpose – Identify the purpose of the risk assessment in terms of the information that the assessment is intended to produce and the decisions the assessment is intended to support.
• Task 1-2. Identify Scope – Identify the scope of the risk assessment in terms of organizational applicability, time frame supported, and architectural/technology considerations.
• Task 1-3. Identify Assumptions and Constraints – Identify the specific assumptions and constraints under which the risk assessment is conducted.
• Task 1-4. Identify Information Sources – Identify the sources of descriptive, threat, vulnerability, and impact information to be used in the risk assessment.
• Task 1-5. Identify Risk Model and Analytic Approach – Identify the risk model and analytic approach to be used in the risk assessment.

Step 2: Conduct Risk Assessment
• Task 2-1. Identify Threat Sources – Identify and characterize threat sources of concern, including capability, intent, and targeting characteristics for adversarial threats and range of effects for non-adversarial threats.
• Task 2-2. Identify Threat Events – Identify potential threat events, relevance of the events, and the threat sources that could initiate the events.
• Task 2-3. Identify Vulnerabilities and Predisposing Conditions – Identify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts.
• Task 2-4. Determine Likelihood – Determine the likelihood that threat events of concern result in adverse impacts, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events.
• Task 2-5. Determine Impact – Determine the adverse impacts from threat events of concern, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events.
• Task 2-6. Determine Risk – Determine the risk to the organization from threat events of concern considering: (i) the impact that would result from the events; and (ii) the likelihood of the events occurring.

Step 3: Communicate and Share Risk Assessment Results
• Task 3-1. Communicate Risk Assessment Results – Communicate risk assessment results to organizational decision makers to support risk responses.
• Task 3-2. Share Risk-Related Information – Share risk-related information produced during the risk assessment with appropriate organizational personnel.

Step 4: Maintain Risk Assessment
• Task 4-1. Monitor Risk Factors – Conduct ongoing monitoring of the risk factors that contribute to changes in risk to organizational operations and assets, individuals, other organizations, or the Nation.
• Task 4-2. Update Risk Assessment – Update existing risk assessment using the results from ongoing monitoring of risk factors.

For both physical and cyber, risk assessment is one of the most important aspects of risk management and is used to support risk management decision-making. In terms of physical security, it is an evaluation using either quantitative or (more likely) qualitative criteria to predict the overall effectiveness of a system, to identify system weaknesses, and to define existing asset protection capabilities against specific threat scenarios and actors. In cyber, risk assessment is clearly the main method of identifying opportunities for reducing or mitigating losses. Vulnerabilities are identified, catalogued, shared, and, most importantly in risk management, “patched”—a process that is essential to the response methodology of cybersecurity professionals. Non-professionals are taught IT systems “awareness” as a means to minimize human/machine interface (HMI) types of vulnerabilities from breaching IT or ICS security.
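The TVC decomposition behind the risk equation (Figure 2) and the NIST SP 800-30 tasks listed above can be carried through on a small risk register. The following is an added example written for this chapter, not code from the primer, NIST, or any agency. Its assumptions are labelled in the comments: the five-level qualitative scales and the likelihood-by-impact matrix are patterned on the tables in NIST SP 800-30 Rev. 1 Appendix I as recalled, not quoted from the page; the numeric bands used to turn a score into a level are constructed; and every asset, threat event and probability in the register is constructed. Likelihood of adverse impact is modelled as the chance a threat source initiates the event (Task 2-1/2-2) times the chance existing controls fail (the vulnerability, Task 2-3), which is one way to honour the three factors Task 2-4 names.

```python
"""Qualitative risk determination in the NIST SP 800-30 style, using the
threat / vulnerability / consequence decomposition the chapter describes.

Added illustrative example, not from the primer or NIST. Assumptions: the
five-level scales and the likelihood x impact matrix follow NIST SP 800-30
Rev. 1 Appendix I as recalled, the numeric bands that quantize scores are
constructed, and every threat event below is constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Risk = f(likelihood, impact). Rows: likelihood level; columns: impact level
# in LEVELS order. Patterned on NIST SP 800-30 Rev. 1 Table I-2 (assumption).
RISK_MATRIX = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}

# Bands for turning a 0..1 score into a qualitative level (constructed).
BANDS: List[Tuple[float, str]] = [(0.05, "very low"), (0.2, "low"),
                                  (0.5, "moderate"), (0.8, "high")]


def to_level(score: float) -> str:
    for upper, name in BANDS:
        if score < upper:
            return name
    return "very high"


@dataclass(frozen=True)
class ThreatEvent:
    asset: str
    event: str
    threat_source: str    # Task 2-1: who or what could initiate it
    p_initiation: float   # Task 2-2: chance per year the source attempts it
    p_success: float      # Task 2-3: chance existing controls fail (vulnerability)
    consequence: float    # Task 2-5: impact, 0..1 relative to the worst case


def likelihood(e: ThreatEvent) -> float:
    """Task 2-4: likelihood of adverse impact = initiation x control failure."""
    return e.p_initiation * e.p_success


def risk_level(e: ThreatEvent) -> str:
    """Task 2-6: combine likelihood and impact through the matrix."""
    row = RISK_MATRIX[to_level(likelihood(e))]
    return row[LEVELS.index(to_level(e.consequence))]


def assess(events: List[ThreatEvent]) -> List[ThreatEvent]:
    """Order events by risk level, then by numeric likelihood x impact."""
    return sorted(events,
                  key=lambda e: (LEVELS.index(risk_level(e)),
                                 likelihood(e) * e.consequence),
                  reverse=True)


def report(events: List[ThreatEvent]) -> List[str]:
    """Task 3-1: one prioritized line per event for decision makers."""
    return [f"{risk_level(e).upper():9} {e.asset}: {e.event} "
            f"[{e.threat_source}] likelihood={likelihood(e):.2f} "
            f"impact={e.consequence:.2f}" for e in assess(events)]


def update_after_monitoring(events: List[ThreatEvent], asset: str,
                            event: str, **changed) -> List[ThreatEvent]:
    """Tasks 4-1/4-2: re-assess after a monitored risk factor changes."""
    return [replace(e, **changed) if (e.asset, e.event) == (asset, event) else e
            for e in events]


# Constructed register for a transportation agency.
REGISTER = [
    ThreatEvent("fare collection server", "ransomware via phishing",
                "criminals", 0.9, 0.7, 0.6),
    ThreatEvent("tunnel ventilation PLC", "unauthorized control change",
                "hostile nation-state", 0.3, 0.4, 0.9),
    ThreatEvent("traffic signal network", "misuse of access", "insider", 0.2, 0.9, 0.7),
    ThreatEvent("station cash room", "robbery", "criminals", 0.5, 0.3, 0.2),
]

if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
    # Monitoring shows the server was patched and awareness training cut the
    # phishing click rate, so the control-failure estimate drops.
    PATCHED = update_after_monitoring(REGISTER, "fare collection server",
                                      "ransomware via phishing", p_success=0.2)
    print("\n".join(report(PATCHED)))
```

Running it prints the register twice: first with the fare collection server at the top as a high risk, then, after the monitoring update lowers its vulnerability estimate, with the ventilation PLC at the top instead. That re-ordering is the point of Step 4: patching and awareness training change the vulnerability term, and the register must be re-run rather than left as a one-time document. The high-consequence, low-likelihood PLC event stays "moderate" in this matrix, which is why practitioners usually review the top consequences separately from the ranked risk list.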

Figure 3: Risk Scenario Based Process. Adapted from COBIT 5 for Risk, the Information Systems Audit and Control Association – www.isaca.com

MnDOT Enterprise Risk Management Framework

Minnesota DOT’s Enterprise Risk Management (ERM) framework establishes the standards, processes and accountability structure used to identify, assess, prioritize and manage key risk exposures, including security risk exposures, across the agency. The framework enables leaders at all levels to systematically evaluate the implications of decisions and actions for the agency’s highest priority goals and objectives, or “Key Results Areas” (KRAs), and to effectively manage a broad array of risks in an informed and strategic manner to within an accepted tolerance level.

Figure 4: MnDOT Integrated Risk Management & Business Planning Process

The ERM Framework applies to three levels of risks:

1. Strategic-level risks impede the achievement of MnDOT’s vision, mission and Key Results. These are broad strategic risk areas and include financial, stakeholder, reputation, legal and compliance, safety and health, and business performance and continuity risks. Strategic risks are monitored and assessed at both the strategic and business-line levels.

2. Business-Line level risks are identified by business-line management groups. These risks impede the agency’s ability to deliver products and services, meet performance targets and accomplish business objectives. MnDOT’s performance metrics provide accountability.

3. Project-level risks are risks identified by project managers that threaten the scope, schedule, cost or quality of agency projects. Depending on the scope and complexity of the project, these risks may have strategic or business-line consequences that warrant inclusion in the ERM Integrated Risk Register.

Figure 5: MnDOT ERM Framework

Strategic Risk Management. At the strategic level, risk management is accomplished through:

• Annual risk assessment, management, and strategy development by senior leaders. Senior leaders identify and assess risks to MnDOT’s vision, mission, and key result areas at least annually. Senior leaders specify risk response strategies (avoid, accept, transfer or mitigate) and the person(s) responsible for their implementation. Strategic risk analysis and evaluation at this level identifies the most critical strategic risks to the agency. The ERM Integrated Risk Register is the reporting tool that senior leadership uses to monitor and manage strategic risks.

• Identification of emerging risks by senior leaders. At least monthly, senior leadership reviews progress on key results and assigned risk mitigation actions. Senior leaders also evaluate emergent risks that may require management at this level. These risks may be identified by senior leaders or through evaluation of business-line risks assessed as having “Major” or higher implications for priority agency objectives. Each quarter, the Chief Risk Officer is required to publish a report on the status of active risks at the strategic and business-line levels and their associated mitigation actions.

Business-Line Risk Assessment and Management. Business-line risk management consists of risk identification and management for risk events that threaten the successful delivery of products and services. Risks are identified and evaluated primarily by five existing business-line management groups:

• Planning Management Group (PMG)
• Pre-Construction Management Group (PCMG)
• Construction Management Group (CMG)
• Administrative Management Group (AMG)
• Operations Management Group (OMG)

Business-line risks may be monitored by other groups better positioned to manage certain risks (e.g., Data Domain Stewards assigned to manage risks to the quality and security of agency data).

Business-line risks threaten the agency’s overall business performance and capability and may affect MnDOT’s reputation, the security of MnDOT assets, compliance with legal and regulatory requirements, safety responsibilities, and/or financial integrity. In instances where the consequences of identified risks are assessed by the business-line management groups as having potential “major” or higher consequences for key results areas, the risks are elevated to the strategic level in the ERM Integrated Risk Register. The business-line focus on MnDOT’s core products and services—the maintenance and operations of the transportation system and the provision of safe, sustainable, reliable mobility options through the delivery of projects—requires evaluation by teams that share responsibility for program and project success. The business-line management groups are responsible for risk assessment and risk management strategies for risks to their respective products and services. Ownership of a specific action may be assigned to a manager in an office or district, but business-line risk evaluation is the responsibility of the designated business-line management groups. The Managers Groups are required to conduct annual business-line-level risk assessments and decide on appropriate risk mitigation actions to address risks outside of an accepted tolerance level for performance.

Project Level Risk Management. Projects will naturally vary in terms of their size and complexity. Some projects, due to their size or complexity, may have risks with moderate to major strategic and/or business-line implications. In these cases, Project Managers are expected to elevate these risks to the Enterprise Risk Management Office for inclusion in the ERM Integrated Risk Register. In a similar manner, senior leaders and business-line management groups may assign specific risk mitigation actions to project managers for implementation.

Project managers are expected to routinely identify and manage project risk using a process that scales the depth of risk analysis to the complexity of the project. Senior leaders may identify strategic risks that warrant the management groups’ attention. These risks will supplement those identified and assessed at the business-line level. Targets are set for the core business-lines at the strategic level along with associated key performance indicators that are aligned with key results areas. Examples may include asset management objectives, or targets for operations and maintenance.

Enterprise Risk Management Governance. MnDOT’s ERM governance structure makes risk awareness and management an integral part of organizational decision-making at every level. The overall responsibility for risk management resides with senior management and is exercised through the MnDOT Stewardship Council and Business-Line

Management Groups. The Chief Risk Officer ensures compliance with the MnDOT ERM Framework throughout the agency.

1. Senior Leadership. The Commissioner and Commissioner’s Staff set the agency’s strategic directions and are responsible for evaluating and managing strategic risks. Commissioner’s Staff is responsible for defining and annually validating the level of service for the organization’s key results areas or most critical quality of life outcomes. They have decision-making authority and delegate responsibilities for risk management activities within their divisions. Senior leadership is responsible for:

• Designing, implementing and maintaining an effective internal control system
• Defining the agency’s overall risk appetite / risk tolerance
• Ensuring implementation of ERM processes and framework within their divisions
• Identifying and evaluating risks on the strategic risk register
• Overseeing and resolving any business-line or project risks that have been escalated through the risk management structure
• Reviewing and reassessing risk register strategies and implementation results
• Reviewing and reassessing identified risks every quarter
• Reviewing and reassessing strategic risks every month

2. Business-Line Management Groups, Divisions, Districts and Offices. MnDOT management groups are responsible for the identification, assessment, and management of risks to MnDOT’s products and services delivery. The business-line management groups are responsible for evaluating and establishing the level of service and targets for products and services based on risk tolerance, and for fulfilling level of service commitments for delivery of MnDOT’s products and services.

Business-Line Management groups are responsible for:

• Coordinating the identification and evaluation of risks within their business-line
• Acting on risk mitigation actions delegated to business-lines from the strategic register
• Establishing and managing business-line risk registers
• Reviewing and reassessing risk registers, strategies and results every month
• Reviewing and reassessing risks every quarter
• Reviewing and reassessing business-line risks every year

Districts, Divisions and Offices are responsible for:

• Identifying risks with implications for business-line and/or strategic objectives
• Identifying, analyzing and evaluating risks to District, Division and Office objectives
• Implementing risk management strategies for District-, Division- and Office-level risks and for risks assigned to them by senior leaders or through business-line management groups
• Ensuring assigned employees understand their roles and responsibilities for ERM

Enterprise Risk Management Office. The Chief Risk Officer directs the Enterprise Risk Management Office. The Chief Risk Officer coordinates risk management across the organization, facilitates consistent and systematic risk assessments, and provides advice to Divisions, Offices, Districts and Managers Groups. The Chief Risk Officer manages and operates the ERM Framework. Office responsibilities include:

• Developing and maintaining MnDOT’s risk management Framework and expectations
• Assuring compliance with MnDOT policy and procedures
• Operating the ERM process
• Managing the MnDOT Enterprise Risk Management Office
• Directing the MnDOT ERM implementation team
• Providing training and increasing risk awareness

Risk Monitoring and Evaluation. The goal of the MnDOT ERM framework is to integrate risk management with strategic, business-line operations, and project planning. The ERM framework incorporates both a “bottom-up” and a “top-down” approach to risk identification and management.

1. Short-term. The MnDOT ERM deploys an Integrated Risk Register. The risk register provides management visibility to risks and accountability for their management. At both the strategic and business-line levels this will involve revisiting their registers to learn more about the characteristics and performance of each risk. At the strategic level this may involve creating key

result area reports that allow senior leadership to track how strategic and business-line risks relate to each of the organization’s key result areas, and thus business objectives. An example of a key result area risk-register report is shown in Figure 3.

Figure 6: MnDOT Risk Register Report

2. Long-Term. Strategic and business-line levels annually attend ERM workshops to identify and evaluate new risks that may threaten changing business objectives, strategies, products and services. Risks that repeat are noted to track long-term progress and transformation of these risks over time.

Threat Assessment

The National Infrastructure Protection Plan (2013) highlights the evolving threats to the Nation’s critical infrastructure. Under an expansive view, hazards associated with extreme weather, accidents or technical failures, or pandemics are aligned along with physical (acts of terrorism) and cyber threats.1

Figure 7: National Infrastructure Protection Plan (2013)

1 Notwithstanding this recognition that it is not just security risk that must be managed, the treatment of this text will remain focused principally on physical and cybersecurity. Note however that there is limited commentary in the updated text that provides some coverage of hazards including space weather.

Threat Assessment – Event Types

There are four main categories of homeland security threats against transportation infrastructure. These include explosives, weapons of mass destruction, active threats, and cyber-attacks.

Physical Security (IED, VBIED, CBRN, ACTIVE THREATS)

Explosives

Explosives include both conventional explosive devices (CE) and improvised explosive devices (IEDs). CE is made of either industrial or military manufactured components such as Trinitrotoluene (TNT), Semtex, or Plastic Explosives (C4). IEDs can be made of the same commercial or military components or other “improvised” materials such as ANFO (Fertilizer Bomb), or compounds featuring Ammonium Nitrate with Aluminum, Sugar or Potassium Chlorate. In the transportation environment, attacks of this type are considered more likely than other types of threats.

Explosives cause an instantaneous or almost instantaneous chemical reaction resulting in a rapid release of energy. The energy is usually released as rapidly expanding gases and heat, which may be in the form of a fireball. The expanding gases compress the surrounding air, creating a shock wave or pressure wave. The pressure wave can cause structural damage while the fireball may ignite other building materials, leading to a larger fire. Explosives can cause the destruction of assets within a facility, structural damage to the facility itself, and injuries or fatalities. Explosions may start a fire, which may inflict additional damage and cause additional injuries and fatalities. The type and amount of explosive material used, and the location of the explosion, will determine the overall impact. There are two methods of delivery of CEs or IEDs that deserve particular attention – Vehicle Borne Improvised Explosive Devices (VBIEDs) and Suicide Bombings.
According to the State Department’s Bureau of Diplomatic Security, VBIEDs are “far and away the weapon of choice for terrorist attacks.” Vehicles provide concealment for the bomb as well as the delivery method. As the chart below indicates, concealing a 200-500-pound bomb in a sedan is relatively easy.

Table 1: Evacuation Distance by Threat and Explosive Mass

High Explosives (TNT Equivalent)

Threat Description             | Explosives Mass (TNT equivalent)[2] | Building Evacuation Distance[3] | Outdoor Evacuation Distance[4]
-------------------------------|-------------------------------------|---------------------------------|-------------------------------
Pipe Bomb                      | 5 lbs (2.3 kg)                      | 70 ft (21 m)                    | 850 ft (259 m)
Suicide Belt                   | 10 lbs (4.5 kg)                     | 90 ft (27 m)                    | 1,080 ft (330 m)
Suicide Vest                   | 20 lbs (9 kg)                       | 110 ft (34 m)                   | 1,360 ft (415 m)
Briefcase/Suitcase Bomb        | 50 lbs (23 kg)                      | 150 ft (46 m)                   | 1,850 ft (564 m)
Compact Sedan                  | 500 lbs (227 kg)                    | 320 ft (98 m)                   | 1,500 ft (457 m)
Sedan                          | 1,000 lbs (454 kg)                  | 400 ft (122 m)                  | 1,750 ft (534 m)
Passenger/Cargo Van            | 4,000 lbs (1,814 kg)                | 640 ft (195 m)                  | 2,750 ft (838 m)
Small Moving Van/Delivery Truck| 10,000 lbs (4,536 kg)               | 860 ft (263 m)                  | 3,750 ft (1,143 m)
Moving Van/Water Truck         | 30,000 lbs (13,608 kg)              | 1,240 ft (375 m)                | 6,500 ft (1,982 m)
Semitrailer                    | 60,000 lbs (27,216 kg)              | 1,570 ft (475 m)                | 7,000 ft (2,134 m)

(Source: Adapted from Improvised Explosive Device (IED) Safe Standoff Distance Cheat Sheet, National Ground Intelligence Center US Army Unclassified)

2 Based on the maximum amount of material that could reasonably fit into a container or vehicle. Variations possible.
3 Governed by the ability of an unreinforced building to withstand severe damage or collapse.
4 Governed by the greater of fragment throw distance or glass breakage/falling glass hazard distance. These distances can be reduced for personnel wearing ballistic protection. Note that the pipe bomb, suicide belt/vest, and briefcase/suitcase bomb are assumed to have a fragmentation characteristic that requires greater standoff distances than an equal amount of explosives in a vehicle.

Suicide bombings are characterized as an attack upon a target in which an attacker intends to kill others, knowing that he or she will either certainly or most likely die in the process. The means of attack have included vehicles filled with explosives, passenger planes carrying large amounts of fuel, and individuals wearing explosive-filled vests.

Weapons of Mass Destruction

Weapons of Mass Destruction or Effect (WMD/WME) include chemical, biological, radiological or nuclear (CBRN) devices designed to inflict mass casualties. Harmful chemicals that are available for use as a terrorist weapon include warfare agents developed for military use: nerve agents such as Sarin and VX; blister agents such as Mustard; blood agents such as Hydrogen Cyanide; and choking agents such as Chlorine and Phosgene.

Table 2: Effects and Treatment of Some Chemical Weapons Developed for Military Use
Source: Chemical Attack Warfare Agents, Industrial Chemicals and Toxins, National Academy of Sciences 2004

Also of concern are toxic industrial and commercial chemicals that are manufactured in the making of petroleum, textiles, plastics, fertilizers, paper, foods, pesticides, household cleaners, and other products. From a transportation perspective these types of chemicals, known as hazardous materials (HazMat), are particularly important because freight railroads and highways are used to transport them in large quantities, often through high population density areas. For passenger, commuter or transit agencies that share railroad lines with these carriers, protective strategies designed to reduce the risks associated with transport are a high priority.

And finally, there are the chemical toxins of biological origin such as Botulinum or Ricin. These highly toxic agents are products of plants, animals and bacteria. They can be naturally occurring or prepared in a laboratory. Botulinum toxin is the most poisonous substance known to science.

Chemical agents can be released in the form of poisonous gases, liquids, or solids. Typically, liquids and vapors are more lethal than solids. Chemical agents are usually fast acting, with the major exception of mustard agents, for which symptoms appear hours after exposure. Poisoning by chemicals is not contagious, but the presence of residual chemical agents on the skin or clothing of an exposed individual can cause others to be affected. Once the agent is neutralized or removed, the illness stops spreading. The toxicity, measured in parts per million (PPM), and the concentration of a chemical agent determine the severity of an attack. Chemical agents are typically deadlier in confined or crowded areas such as buildings or subways.

They can be deployed by spraying with wet or dry aerosol sprayers, vaporizing the chemical for release, using an explosive device to disperse the chemical, pouring, or contamination of food, water or another ingestible such as pharmaceutical drugs. The toxicity of chemicals varies greatly. Some are acutely toxic (cause immediate symptoms); others are not very toxic at all.

Table 3: Varying Toxicity of Chemicals
Source: Chemical Attack Warfare Agents, Industrial Chemicals and Toxins, National Academy of Sciences 2004

Weaponized biological agents are naturally occurring microbes or microorganisms deployed in their existing state or modified to increase virulence, designed to cause mass casualties through disease and death. The Centers for Disease Control and Prevention (CDC) groups biological agents into three categories, Category A, B and C, based on factors such as availability, capability of dissemination, mortality or illness rates and impact on the public health system.

Category A agents include Anthrax, Botulinum Toxin, Plague, Smallpox, Tularemia and Viral Hemorrhagic Fevers (Ebola, Marburg virus, Lassa, Machupo). These “highest priority agents” are the so-called “bio-weapons” because they provide the building blocks for weaponization.

Category B agents include Brucellosis, Epsilon Toxin, Food Safety Threats (E. coli O157:H7, Salmonella, Shigella), Glanders, Melioidosis, Psittacosis and Q Fever, Ricin Toxin, Staphylococcal Enterotoxin B (SEB), Typhus Fever, Viral Encephalitis and Water Safety Threats (Cholera, Giardiasis, Cryptosporidiosis). Scientists have experience with Category B agents as infectious diseases but are unclear about their potential for weaponization.

Category C agents include emerging infectious diseases such as Nipah virus and Hantavirus.

Biological agents are grouped as being either: (1) infectious; or (2) infectious and contagious. A microorganism that causes infectious disease invades the body, making the person sick by attacking organs or cells. Sometimes called pathogens, these microscopic organisms include both viruses and bacteria. There is usually a delay in the onset of symptoms called an “incubation period.” Diseases that are both infectious and contagious can be “caught” by a person who comes in contact

with someone else who is infected. The level of contact required to transmit the illness between people can be ever so slight, such as through a sneeze or cough. But the contagiousness of a particular disease has nothing to do with the seriousness of the illness. For example, both plague and the common cold are highly contagious, but plague is a much more serious disease. Some infectious diseases are not contagious at all, such as Botulism or Tularemia.

Biological agents can enter the body through Absorption, Inhalation, Ingestion or Injection. Biological weapons can be prepared for delivery in wet or dry form. Delivery can be through aerosol sprayers, explosive devices, transmission through insects, animals or humans, introduction into food or water, or in some cases on or inside of objects (e.g. anthrax in envelopes). The table reproduced in part below outlines the disease, incubation period and symptoms for selected Category A and Category B biological agents.

Table 4: Disease, Incubation Period and Symptoms for Selected Category A and Category B Biological Agents
Source: Biological Attack Human Pathogens, Biotoxins, and Agricultural Threats, National Academy of Sciences 2005

Concern exists about the potential for a terrorist attack involving radioactive materials, possibly through the use of a Radiological Dispersion Device (RDD). The best-known type of RDD is a “dirty bomb,” a device that uses a conventional explosion to disperse radioactive material so that the blast will contaminate an area with radioactive particles. RDDs also include other means of dispersal, including opening a container of radioactive materials in a populated area, or dispersing

powdered or aerosolized materials using sprayers or even airplanes.

Radioactive isotopes are considered to have either a high level or a low level of radioactivity. This is based on the rate of radioactive decay. The faster an isotope decays, the faster it releases, and exhausts, its radiation. The radioactivity of a mass of material is measured in Curies (Ci; 1 Ci = 3.7 × 10^10 disintegrations per second). Cobalt-60 (the number is the number of neutrons plus protons in the atom’s nucleus), with a half-life of 5.3 years, is highly radioactive; uranium-235, with a half-life of over 700 million years, is not.

High-level radioactive materials are difficult for terrorists to acquire, so there is a greater chance that the radioactive materials used in a dirty bomb would come from low-level radioactive sources. Low-level radioactive sources are found in hospitals, on construction sites, and at food irradiation plants. If low-level radioactive sources were to be used, the primary danger from a dirty bomb would be the blast itself. Most dirty bombs and other RDDs would have very localized effects, ranging from less than a city block to several square miles. The effective range would depend on factors such as the amount and type of material, method of dispersal and local weather conditions. According to the CDC, “at the levels created by most probable sources, not enough radiation would be present in a dirty bomb to cause severe illness from exposure to radiation.”

Radiation is energy moving in the form of particles or waves. Some examples of electromagnetic radiation are heat, light, radio waves, and microwaves. Radiation strikes people constantly, but most of it, like radio waves and light, is not “ionizing,” meaning it does not have enough energy to damage cells significantly. Ionizing radiation is a very high-energy form of electromagnetic radiation that can have an adverse health effect on the human body.

The extent of the effect depends on the amount of energy absorbed, measured in “rem.” Higher doses produce direct clinical effects including tissue damage, radiation sickness and, at very high levels, rapid death. With chronic low-level exposure, no clinical effects are observed, but the exposed individual may have an increased lifetime risk of developing cancer. Some of the common types of radioactive materials are listed below:

[Table of common radioactive materials; not reproduced in the extracted text] (Source: Radiological Attack Dirty Bombs and other Devices, National Academy of Sciences 2004)

A nuclear attack by terrorists is a high order magnitude event that would potentially kill a large number of people. As mentioned previously, a “dirty bomb” containing high-level radioactive material is a potential means of delivery of a nuclear attack. The use of an improvised nuclear device (IND) or a nuclear weapon must also be considered. INDs, commonly referred to as “suitcase bombs” or “suitcase nukes,” describe a small nuclear weapon, small enough to fit in a suitcase, which is capable of producing a nuclear blast. According to the Department of Health and Human Services, “the design and destructive nature of an IND is comparable to the bomb dropped on Hiroshima Japan, at the end of World War II.” Larger nuclear weapons and the explosions that

result from their use are classified based on the amount of energy they produce, or “yield.” A nuclear weapon deployed by terrorists would be expected to have a yield of less than one to several kilotons. A kiloton is not the weight of the bomb but rather the equivalent energy of an amount of the explosive TNT (1 kT = 1,000 tons of TNT). Large military nuclear weapons are in the megaton (MT) range (1 MT = 1,000 kT). The highly purified plutonium and uranium needed to make a nuclear weapon or suitcase bomb are difficult to acquire. Considerable engineering skill and expertise would be required to construct a nuclear device using plutonium; devices using uranium are technically easier to construct.

A nuclear event involves nuclear fission (splitting of atoms) and a highly destructive explosion that creates instant devastation. Significant fatalities, injuries, and infrastructure damage result from the heat and blast of the explosion, and persistent high levels of radioactivity are the aftermath of both the initial nuclear radiation and the subsequent radioactive fallout that occurs.

Active Threats

Armed Assault, known more so today as an Active Shooter incident, occurs when one or more gunmen open fire on random people who have been targeted for no apparent reason. Until more

recently, armed assault effectively categorized a significant method of choice and event type for terrorists and other criminals who were seeking to deploy a weapon capable of mass casualties. “Hit and run” assault involves a sudden attack on a target and immediate withdrawal to avoid adversary response or retaliation. In some instances, the tactic is coupled with the use of a massive amount of firepower without concern for target accuracy. This type of indiscriminate attack is difficult to prevent or overcome. Another tactic, seen repeatedly in incidents like the Columbine and Virginia Tech school shootings, the Orlando Nightclub Shooting, or the Las Vegas Mandalay Bay concert attack, is the suicide gunman who bears multiple firearms and fires at will until either killed or committing suicide. This type of attack is carried out using small arms, which can include pistols, rifles, shotguns or submachine guns that can be either military issue or civilian weapons.

However, although armed assaults with a firearm, or automatic or semi-automatic assault rifle, have continued to occur, in the past few years additional types of weapons have been used actively in both terrorism and non-terrorism related events. Weapons used during active threat situations include guns, edged weapons such as knives and cleavers, and other basic weapons. Because these weapons are relatively easy to acquire and use, FBI and DHS have noted an increasing concern about lone offenders who are particularly difficult to detect, are typically unpredictable, and can use these weapons without significant training. TSA has noted an alarming growth in the use of vehicles as ramming instruments in direct attacks on pedestrians and similar gatherings of persons or bicyclists. These attacks often are conducted by "lone wolf" or radicalized persons using rented, stolen or easily available large motor vehicles.

For instance, on Bastille Day in Nice, France, Mohamed Lahouaiej-Bouhlel drove a 19-ton cargo truck into crowds celebrating the holiday. Lahouaiej-Bouhlel zigzagged into the crowds, breaking through police barriers, killing 86 and injuring 458, and shot at police with an automatic pistol before he was shot and killed by police. Other domestic and international ramming incidents have also occurred; indeed, the incidents seem to be quickly multiplying. While the focus of transportation agencies has been on Active Shooter threats, recent incidents have demonstrated the possibility and consequences of active threats involving other weapons. Note also that an active threat such as an active shooter can transition into a barricaded suspect or hostage situation with the arrival of police.

Cybersecurity

In the cyber world, threats are continually manifested, voluminous and subject to variation. Although there are identified primary types of threats, such as “Stuxnet,” a worm that attacks critical infrastructure, there are also characterizations of threat types, including malware, short for malicious software, defined as any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Ransomware is a type of malicious software that threatens to publish proprietary data or perpetually block access to data or systems unless a ransom is paid.

NIST Special Publication 800-30 Revision 1, September 2012 identifies threat event types under the category of adversarial/intentional acts as follows:

1. Perform reconnaissance and gather information

   a. Perform perimeter network reconnaissance/scanning. Adversary uses commercial or free software to scan organizational perimeters to obtain a better understanding of the information technology infrastructure and improve the ability to launch successful attacks.

   b. Perform network sniffing of exposed networks. Adversary with access to exposed wired or wireless data channels used to transmit information uses network sniffing to identify components, resources, and protections.

   Gather information using open source discovery of organizational information. Adversary mines publicly accessible information to gather information about organizational information systems, business processes, users or personnel, or external relationships that the adversary can subsequently employ in support of an attack.

   c. Perform reconnaissance and surveillance of targeted organizations. Adversary uses various means (e.g., scanning, physical observation) over time to examine and assess organizations and ascertain points of vulnerability.

   d. Perform malware-directed internal reconnaissance. Adversary uses malware installed inside the organizational perimeter to identify targets of opportunity. Because the scanning, probing, or observation does not cross the perimeter, it is not detected by externally placed intrusion detection systems.

2. Craft or create attack tools

   a. Craft phishing attacks. Adversary counterfeits communications from a legitimate/trustworthy source to acquire sensitive information such as usernames, passwords, or SSNs. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to websites that appear to be legitimate sites, while actually stealing the entered information.

   b. Craft spear phishing attacks. Adversary employs phishing attacks targeted at high value targets (e.g., senior leaders/executives).

   c. Craft attacks specifically based on deployed information technology environment. Adversary develops attacks (e.g., crafts targeted malware) that take advantage of adversary knowledge of the organizational information technology environment.

   d. Create counterfeit/spoof website. Adversary creates duplicates of legitimate websites; when users visit a counterfeit site, the site can gather information or download malware.

   e. Craft counterfeit certificates. Adversary counterfeits or compromises a certificate authority, so that malware or connections will appear legitimate.

   f. Create and operate false front organizations to inject malicious components into the supply chain. Adversary creates false front organizations with the appearance of legitimate suppliers in the critical life-cycle path that then inject corrupted/malicious information system components into the organizational supply chain.

3. Deliver/insert/install malicious capabilities

   a. Deliver known malware to internal organizational information systems (e.g., virus via email). Adversary uses common delivery mechanisms (e.g., email) to install/insert known malware (e.g., malware whose existence is known) into organizational information systems.

   b. Deliver modified malware to internal organizational information systems. Adversary uses more sophisticated delivery mechanisms than email (e.g., web traffic, instant messaging, FTP) to deliver malware and possibly modifications of known malware to gain access to internal organizational information systems.

   c. Deliver targeted malware for control of internal systems and exfiltration of data. Adversary installs malware that is specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to adversary, and conceal these actions.

   d. Deliver malware by providing removable media. Adversary places removable media (e.g., flash drives) containing malware in locations external to organizational physical perimeters but where employees are likely to find the

media (e.g., facilities parking lots, exhibits at conferences attended by employees) and use it on organizational information systems.

   e. Insert untargeted malware into downloadable software and/or into commercial information technology products. Adversary corrupts or inserts malware into common freeware, shareware or commercial information technology products. Adversary is not targeting specific organizations, simply looking for entry points into internal organizational information systems. Note that this is particularly a concern for mobile applications.

   f. Insert targeted malware into organizational information systems and information system components. Adversary inserts malware into organizational information systems and information system components (e.g., commercial information technology products), specifically targeted to the hardware, software, and firmware used by organizations (based on knowledge gained via reconnaissance).

   g. Insert specialized malware into organizational information systems based on system configurations. Adversary inserts specialized, non-detectable malware into organizational information systems based on system configurations, specifically targeting critical information system components based on reconnaissance and placement within organizational information systems.

   h. Insert counterfeit or tampered hardware into the supply chain. Adversary intercepts hardware from legitimate suppliers. Adversary modifies the hardware or replaces it with faulty or otherwise modified hardware.

   i. Insert tampered critical components into organizational systems. Adversary replaces, through supply chain, subverted insider, or some combination thereof, critical information system components with modified or corrupted components.

   j. Install general-purpose sniffers on organization controlled information systems or networks. Adversary installs sniffing software onto internal organizational information systems or networks.

   k. Install persistent and targeted sniffers on organizational information systems and networks. Adversary places within internal organizational information systems or networks software designed to (over a continuous period of time) collect (sniff) network traffic.

   l. Insert malicious scanning devices (e.g., wireless sniffers) inside facilities. Adversary uses postal service or other commercial delivery services to deliver to organizational mailrooms a device that is able to scan wireless communications accessible from within the mailrooms and then wirelessly transmit information back to adversary.

   m. Insert subverted individuals into organizations. Adversary places individuals within organizations who are willing and able to carry out actions to cause harm to organizational missions/business functions.

   n. Insert subverted individuals into privileged positions in organizations. Adversary places individuals in privileged positions within organizations who are willing and able to carry out actions to cause harm to organizational missions/business functions. Adversary may target privileged functions to gain access to sensitive information (e.g., user accounts, system files, etc.) and may leverage access to one privileged capability to get to another capability.

4. Exploit and compromise

   a. Exploit physical access of authorized staff to gain access to organizational facilities. Adversary follows (“tailgates”) authorized individuals into secure/controlled locations with the goal of gaining access to facilities, circumventing physical security checks.

b. Exploit poorly configured or unauthorized information systems exposed to the Internet. Adversary gains access through the Internet to information systems that are not authorized for Internet connectivity or that do not meet organizational configuration requirements.
c. Exploit split tunneling. Adversary takes advantage of external organizational or personal information systems (e.g., laptop computers at remote locations) that are simultaneously connected securely to organizational information systems or networks and to nonsecure remote connections.
d. Exploit multi-tenancy in a cloud environment. Adversary, with processes running in an organizationally-used cloud environment, takes advantage of multi-tenancy to observe behavior of organizational processes, acquire organizational information, or interfere with the timely or correct functioning of organizational processes.
e. Exploit known vulnerabilities in mobile systems (e.g., laptops, PDAs, smart phones). Adversary takes advantage of the fact that transportable information systems are outside the physical protection of organizations and the logical protection of corporate firewalls, and compromises the systems based on known vulnerabilities to gather information from those systems.
f. Exploit recently discovered vulnerabilities. Adversary exploits recently discovered vulnerabilities in organizational information systems in an attempt to compromise the systems before mitigation measures are available or in place.
g. Exploit vulnerabilities on internal organizational information systems. Adversary searches for known vulnerabilities in organizational internal information systems and exploits those vulnerabilities.
h. Exploit vulnerabilities using zero-day attacks. Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Zero-day attacks are based on adversary insight into the information systems and applications used by organizations as well as adversary reconnaissance of organizations.
i. Exploit vulnerabilities in information systems timed with organizational mission/business operations tempo. Adversary launches attacks on organizations in a time and manner consistent with organizational needs to conduct mission/business operations.
j. Exploit insecure or incomplete data deletion in multi-tenant environment. Adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment (e.g., in a cloud computing environment).
k. Violate isolation in multi-tenant environment. Adversary circumvents or defeats isolation mechanisms in a multi-tenant environment (e.g., in a cloud computing environment) to observe, corrupt, or deny service to hosted services and information/data.
l. Compromise critical information systems via physical access. Adversary obtains physical access to organizational information systems and makes modifications.
m. Compromise information systems or devices used externally and reintroduced into the enterprise. Adversary installs malware on information systems or devices while the systems/devices are external to organizations for purposes of subsequently infecting organizations when reconnected.
n. Compromise software of organizational critical information systems. Adversary inserts malware or otherwise corrupts critical internal organizational information systems.
o. Compromise organizational information systems to facilitate exfiltration of data/information. Adversary implants malware into internal organizational information systems, where the malware over time can identify and then exfiltrate valuable information.
p. Compromise mission-critical information. Adversary compromises the integrity of mission-critical information, thus preventing or impeding the ability of organizations to which information is supplied from carrying out operations.
q. Compromise design, manufacture, and/or distribution of information system components (including hardware, software, and firmware). Adversary compromises the design, manufacture, and/or distribution of critical information system components at selected suppliers.

5. Conduct an attack (i.e., direct/coordinate attack tools or activities)
a. Conduct communications interception attacks. Adversary takes advantage of communications that are either unencrypted or use weak encryption (e.g., encryption containing publicly known flaws), targets those communications and gains access to transmitted information and channels.
b. Conduct wireless jamming attacks. Adversary takes measures to interfere with wireless communications so as to impede or prevent communications from reaching intended recipients.
c. Conduct attacks using unauthorized ports, protocols and services. Adversary conducts attacks using ports, protocols, and services for ingress and egress that are not authorized for use by organizations.
d. Conduct attacks leveraging traffic/data movement allowed across perimeter. Adversary makes use of permitted information flows (e.g., email communication, removable storage) to compromise internal information systems, which allows adversary to obtain and exfiltrate sensitive information through perimeters.
e. Conduct simple Denial of Service (DoS) attack. Adversary attempts to make an Internet-accessible resource unavailable to intended users, or prevent the resource from functioning efficiently or at all, temporarily or indefinitely.
f. Conduct Distributed Denial of Service (DDoS) attacks. Adversary uses multiple compromised information systems to attack a single target, thereby causing denial of service for users of the targeted information systems.
Conduct targeted Denial of Service (DoS) attacks. Adversary targets DoS attacks to critical information systems, components, or supporting infrastructures, based on adversary knowledge of dependencies.
g. Conduct physical attacks on organizational facilities. Adversary conducts a physical attack on organizational facilities (e.g., sets a fire).
h. Conduct physical attacks on infrastructures supporting organizational facilities. Adversary conducts a physical attack on one or more infrastructures supporting organizational facilities (e.g., breaks a water main, cuts a power line).
i. Conduct cyber-physical attacks on organizational facilities. Adversary conducts a cyber-physical attack on organizational facilities (e.g., remotely changes HVAC settings).
j. Conduct data scavenging attacks in a cloud environment. Adversary obtains data used and then deleted by organizational processes running in a cloud environment.
k. Conduct brute force login attempts/password guessing attacks. Adversary attempts to gain access to organizational information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities.
Conduct nontargeted zero-day attacks. Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Attacks are not based on any adversary insights into specific vulnerabilities of organizations.

l. Conduct externally-based session hijacking. Adversary takes control of (hijacks) already established, legitimate information system sessions between organizations and external entities (e.g., users connecting from off-site locations).
m. Conduct internally-based session hijacking. Adversary places an entity within organizations in order to gain access to organizational information systems or networks for the express purpose of taking control of (hijacking) an already established, legitimate session either between organizations and external entities (e.g., users connecting from remote locations) or between two locations within internal networks.
n. Conduct externally-based network traffic modification (man in the middle) attacks. Adversary, operating outside organizational systems, intercepts/eavesdrops on sessions between organizational and external systems. Adversary then relays messages between organizational and external systems, making them believe that they are talking directly to each other over a private connection, when in fact the entire communication is controlled by the adversary. Such attacks are of particular concern for organizational use of community, hybrid, and public clouds.
o. Conduct internally-based network traffic modification (man in the middle) attacks. Adversary operating within the organizational infrastructure intercepts and corrupts data sessions.
p. Conduct outsider-based social engineering to obtain information. Externally placed adversary takes actions (e.g., using email, phone) with the intent of persuading or otherwise tricking individuals within organizations into revealing critical/sensitive information (e.g., personally identifiable information).
q. Conduct insider-based social engineering to obtain information. Internally placed adversary takes actions (e.g., using email, phone) so that individuals within organizations reveal critical/sensitive information (e.g., mission information).
r. Conduct attacks targeting and compromising personal devices of critical employees. Adversary targets key organizational employees by placing malware on their personally owned information systems and devices (e.g., laptop/notebook computers, personal digital assistants, smart phones). The intent is to take advantage of any instances where employees use personal information systems or devices to handle critical/sensitive information.
s. Conduct supply chain attacks targeting and exploiting critical hardware, software, or firmware. Adversary targets and compromises the operation of software (e.g., through malware injections), firmware, and hardware that performs critical functions for organizations. This is largely accomplished as supply chain attacks on both commercial off-the-shelf and custom information systems and components.

6. Achieve results (i.e., cause adverse impacts, obtain information)
a. Obtain sensitive information through network sniffing of external networks. Adversary with access to exposed wired or wireless data channels that organizations (or organizational personnel) use to transmit information (e.g., kiosks, public wireless networks) intercepts communications.
b. Obtain sensitive information via exfiltration. Adversary directs malware on organizational systems to locate and surreptitiously transmit sensitive information.
c. Cause degradation or denial of attacker-selected services or capabilities. Adversary directs malware, such as ransomware, on organizational systems to impair the correct and timely support of organizational mission/business functions.
d. Cause deterioration/destruction of critical information system components and functions. Adversary destroys or causes deterioration of critical information system components to impede or eliminate organizational ability to carry out missions or business functions. Detection of this action is not a concern.
e. Cause integrity loss by creating, deleting, and/or modifying data on publicly accessible information systems (e.g., web defacement). Adversary vandalizes, or otherwise makes unauthorized changes to, organizational websites or data on websites.
f. Cause integrity loss by polluting or corrupting critical data. Adversary implants corrupted and incorrect data in critical data, resulting in suboptimal actions or loss of confidence in organizational data/services.
g. Cause integrity loss by injecting false but believable data into organizational information systems. Adversary injects false but believable data into organizational information systems, resulting in suboptimal actions or loss of confidence in organizational data/services.
h. Cause disclosure of critical and/or sensitive information by authorized users. Adversary induces (e.g., via social engineering) authorized users to inadvertently expose, disclose, or mishandle critical/sensitive information.
i. Cause unauthorized disclosure and/or unavailability by spilling sensitive information. Adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. The information is exposed to individuals who are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.
j. Obtain information by externally located interception of wireless network traffic. Adversary intercepts organizational communications over wireless networks. Examples include targeting public wireless access or hotel networking connections, and drive-by subversion of home or organizational wireless routers.
k. Obtain unauthorized access. Adversary with authorized access to organizational information systems gains access to resources that exceed that authorization.
l. Obtain sensitive data/information from publicly accessible information systems. Adversary scans or mines information on publicly accessible servers and web pages of organizations with the intent of finding sensitive information.
m. Obtain information by opportunistically stealing or scavenging information systems/components. Adversary steals information systems or components (e.g., laptop computers or data storage media) that are left unattended outside of the physical perimeters of organizations, or scavenges discarded components.

7. Maintain a presence or set of capabilities
a. Obfuscate adversary actions. Adversary takes actions to inhibit the effectiveness of the intrusion detection systems or auditing capabilities within organizations.
b. Adapt cyber attacks based on detailed surveillance. Adversary adapts behavior in response to surveillance and organizational security measures.

8. Coordinate a campaign
a. Coordinate a campaign of multi-staged attacks (e.g., hopping). Adversary moves the source of malicious commands or actions from one compromised information system to another, making analysis difficult.
b. Coordinate a campaign that combines internal and external attacks across multiple information systems and information technologies. Adversary combines attacks that require both physical presence within organizational facilities and cyber methods to achieve success. Physical attack steps may be as simple as convincing maintenance personnel to leave doors or cabinets open.

c. Coordinate campaigns across multiple organizations to acquire specific information or achieve desired outcome. Adversary does not limit planning to the targeting of one organization. Adversary observes multiple organizations to acquire necessary information on targets of interest.
d. Coordinate a campaign that spreads attacks across organizational systems from existing presence. Adversary uses existing presence within organizational systems to extend the adversary's span of control to other organizational systems including organizational infrastructure. Adversary thus is in position to further undermine organizational ability to carry out missions/business functions.
e. Coordinate a campaign of continuous, adaptive, and changing cyber attacks based on detailed surveillance. Adversary attacks continually change in response to surveillance and organizational security measures.
f. Coordinate cyber attacks using external (outsider), internal (insider), and supply chain (supplier) attack vectors. Adversary employs continuous, coordinated attacks, potentially using all three attack vectors for the purpose of impeding organizational operations.

Threat Assessment - Adversary Types and Motivations

In the illustration below, Figure 8, the FTA makes the point that security countermeasures should be designed commensurate with the type of adversary who may attack the transportation facility. Conceptually this represents sound practice; however, transportation agencies should not draw threat-related conclusions from presumptions about adversary classification assessments taken in isolation. Care should be taken to ensure that threat assessments are also scenario-based and driven by both factual information and credible intelligence.

Figure 8: Security Countermeasures by Type of Adversary. Source: Security Design Considerations, Federal Transportation Administration 2004

As a part of the Department of Defense Unified Facilities Criteria (UFC), DOD published Security Engineering Facilities Planning Manual Draft UFC 4-020-01 in March 2006. The manual contains an overview of aggressor types, capabilities and tactics that are adapted in Tables 4, 5 and 6 below for transportation agency security planning purposes. Aggressors are people who perform hostile acts against assets such as equipment, personnel, and operations. The UFC presents four major aggressor objectives that describe aggressor behavior:
- Inflicting injury or death on people
- Destroying or damaging facilities, property, equipment, or resources
- Stealing equipment, materiel, or information
- Creating adverse publicity

The three broad categories of aggressors are criminals, protesters and terrorists.

Table 5: Criminals by Levels of Sophistication
Criminals (three types, divided by level of sophistication). The common objective for all three criminal groups is assumed to be theft of assets.
Unsophisticated Criminals: Unskilled in the use of tools and weapons and have no formal organization. Their targets are those that meet their immediate needs such as drugs, money, and pilferable items. Unsophisticated criminals are interested in opportune targets that present little or no risk. Breaking and entering or smash-and-grab techniques are common. Theft by insiders is also common.
Sophisticated Criminals: Skilled in the use of certain tools and weapons and are efficient and organized. They plan their attacks and have sophisticated equipment and the technical capability to employ it. Sophisticated criminals are often assisted by insiders. They target high value assets, frequently steal in large quantities, yet target assets with relatively low risk in handling and disposal.
Organized Criminal Groups: Highly sophisticated, are able to draw on specialists, and are able to obtain the equipment needed to achieve their goals efficiently. These groups form efficient, hierarchical organizations which can employ highly paid insiders.
Source: Adapted from Security Engineering Facilities Planning Manual Draft UFC 4-020-01 2006

Table 6: Protesters
Protesters (two general groups; for the purposes of this text only violent protesters are considered to be a threat). Both groups are either politically or issue oriented and act out of frustration or anger against the actions of other social or political groups. The primary objectives of both groups commonly include destruction and publicity.
Vandals/Activists: Commonly unsophisticated and superficially destructive. They generally do not intend to injure people or cause extensive damage to their targets. Their actions may be covert or overt. Typically, they choose symbolic targets that pose little risk to them.
Extremist Protest Groups: Moderately sophisticated and are usually more destructive than vandals. Their actions are frequently overt and may involve the additional objective or consequence of injuring people. They attack symbolic targets and things they consider to be environmentally, socially, or religiously unsound.
Source: Adapted from Security Engineering Facilities Planning Manual Draft UFC 4-020-01 2006

Table 7: Terrorists by Areas of Operation and Levels of Sophistication
Terrorists (three types, based on their areas of operation and their sophistication). Terrorists are ideologically, politically, or issue oriented. They commonly work in small, well-organized groups or cells. They are sophisticated, skilled with tools and weapons, and possess an efficient planning capability. Terrorist objectives usually include death, destruction, theft, and publicity.
Domestic Terrorists: Terrorists indigenous to the United States, Puerto Rico, and the US territories who are not directed by foreign interests. Domestic terrorists in the United States have typically been political extremists operating in distinct areas of the country. They have primarily consisted of ethnic and white supremacy groups, many with ties to groups that originated during the 1960s and 1970s. Historically, most acts of terrorism in the United States by domestic terrorists have been less severe than those outside the United States, and operations have been somewhat limited. One noted exception to that trend was the bombing of the Alfred P. Murrah Building in Oklahoma City.
International Terrorists: International terrorists are either connected to a foreign power or their activities transcend national boundaries. International terrorists have typically been better organized and better equipped than their domestic counterparts. They have included political extremists and ethnically or religiously oriented groups. Their attacks have also been more severe and more frequent than those by domestic terrorists in the United States. Examples of foreign terrorist groups designated by the U.S. Department of State include the Revolutionary Group 17 November, the Aum Shinrikyo Group, Basque Fatherland and Liberty (ETA), Sendero Luminoso (Shining Path), and the al-Aqsa Martyrs Brigade.
State Sponsored Terrorists: Generally operate independently, but receive foreign government support, to include intelligence and even operational support. They have exhibited military capabilities and have used a broad range of military and improvised weapons. They have historically staged the most serious terrorist attacks, including suicidal attacks. They are predominantly ethnically or religiously oriented. Some of these groups have legitimate political wings in addition to their terrorist wings. Examples of state sponsored terrorist groups designated by the U.S. Department of State include al Qaida, the Palestinian Islamic Jihad, Hezbollah, and the Revolutionary Armed Forces of Colombia (FARC).
Source: Adapted from Security Engineering Facilities Planning Manual Draft UFC 4-020-01 2006

Vulnerability Assessment – Physical Security

As mentioned above, managing security risk for transportation agencies is a threat- and scenario-based activity. Threat definition should be considered the tool by which vulnerabilities of transportation operations and systems are measured. Agency police or security personnel, assisted by federal, state and local law enforcement and homeland security professionals, must evaluate the actual and potential threats against their respective agencies in terms of both threat types and aggressor types. After the baseline of threat information has been identified, security management must turn to the collection of data and information about the specific organization at risk to determine the existing status of systems and security countermeasures. An analysis of weaknesses and opportunities for aggressor exploitation must be performed to establish the current capabilities of the organization to block, thwart, or mitigate an attack. The performance of a vulnerability assessment, sometimes referred to as a security vulnerability assessment (SVA), is the method used to address this issue. Vulnerability assessment starts with an examination of the transportation agency's assets to establish what needs to be protected. It proceeds next to the evaluation of the capabilities of existing protection systems to secure those assets, and finally to the determination of security gaps that should be addressed to reduce or buy down security risk.

Critical asset identification consists of determining what transportation agency assets need security and protection. It underlies all risk assessment activities. Critical assets include the people, property and information assets of a transportation agency that are required to enable the organization to execute its primary responsibilities, activities and functions. In the case of information systems the designation "CIIP" (Critical Information Infrastructure Protection) has developed as a subset of the more widely-known concept of Critical Infrastructure Protection (CIP). Transportation agencies are complex businesses with a need to integrate many different functional, technical and operating components and systems. Integration includes both physical aspects of the transportation infrastructure and the integration of business and customer related processes. Safety and reliability, operating policies and procedures, maintenance, training, and customer needs are all important system attributes that impact critical asset identification. All systems are in actuality composed of an integrated collection of smaller systems or subsystems. How these systems or subsystems are engineered determines the effectiveness of the transportation agency from a performance perspective. Assets should be considered critical based on their value as determined by the organization and the short- and long-term consequences of their loss, damage or destruction.

DHS states, "criticality assessments help planners determine the relative importance of assets, helping to prioritize the allocation of resources to the most critical assets." Factors affecting the criticality of assets include:
- Loss and Damage Consequences – casualty risk, environmental impact, replacement costs, and replacement/down time;
- Consequences to Public Services – emergency response functions, government continuity, military importance;
- Consequences to the General Public – available alternatives, economic impact, public health impact, functional importance and symbolic importance.

Critical asset identification is a priority task that must be undertaken prior to the performance of a risk assessment, or in particular the vulnerability assessment part of the analysis. The Transportation Systems Sector-Specific Plan of the National Infrastructure Protection Plan (May 2015) identifies the individualized transportation agency approach to asset identification as the "ownership view."

Figure 9: Transportation Sector Profile – Transportation Systems Sector-Specific Plan

The ownership view is one of four "system risk views" that represent multiple means to capture data about the critical infrastructure of transportation systems:

Modal View – The modal view treats all classes of assets within a mode collectively as a system. Infrastructure information in the modal view is categorized by interdependencies and supply implications that are specific to a particular mode of transportation. In addition to focusing on individual assets, nodes, and links, information specific to the modal view includes how those assets, nodes, and links interact within the mode and with other modes, their emergent properties and governing principles, or legislative information with specific modal impact.

Geographic View – The geographic risk view compiles transportation infrastructure data within specific regions of the Nation. The boundaries of those regions may vary based on the purpose and necessary parameters of an assessment. Regions may contain markedly different assets and systems, and thus the risks to those systems and the types of data collected from those regions will differ as well. Data collection in this view will allow an information set to be defined by what is physically located within that region and the processes or policies that impact that specific region. Therefore, assets, links, nodes, and emergent properties within a defined geographic area are evaluated as an integrated system.

Functional View – The functional view of data collection looks at the function a system fulfills within the supply chain. Examples of a functional view of systems include all of the assets, links, nodes, processes, policies, and emergent properties associated with:
- Delivery of critical medicines; or
- Delivery of chlorine for drinking water or other purposes; or
- Delivery of heating oil to the Northeast.
By examining the function a system plays in society, the critical aspects of the system can be measured. This view also will have value in identifying interdependencies with other critical infrastructure.

Ownership View – The ownership view examines information on ownership of assets, including the owner/operator's decision structure, policies, and procedures, and recognizes those assets owned by the same entity as an integrated system.

Security Surveys

The preferred means to conduct an SVA is through the performance of a security survey. The survey is a fact-gathering, question-based process that uses various data collection tools to obtain necessary information about the characteristics of the organization, its systems and operations, and the consequences to the organization that would result from a successful attack against identified threat targets. Interestingly, SVA methodology is quite varied in the security industry. There are numerous different approaches and techniques for assessing agency vulnerabilities. In the transportation sector some of the more frequently used methodologies include Analytical Risk Methodology (ARM), DHS Terrorism Risk Analysis Methodology (DHS-TRAM), Maritime Sector Risk Analysis Methodology (MSRAM), and CARVER. The figures below depict information about the ARM methods and DHS-TRAM. Both methods are approved by FEMA's grant programs.

Figure 10: Analytical Risk Management (ARM) at a Glance

Figure 11: DHS TRAM Vulnerability Assessment – Decision Tree Analysis
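The three-step SVA sequence described above (critical asset identification on the DHS criticality factors, evaluation of existing protection against the aggressor types of Tables 5 to 7, and determination of security gaps), carried through on constructed inventory data as an added example; it is not from the report or from any of the methodologies just named (ARM, DHS-TRAM, MSRAM, CARVER). The 0 to 3 consequence ratings, the 1 to 4 adversary sophistication scale, the critical threshold and the sample assets are all assumptions made for illustration.

```python
"""Added illustration of the chapter's SVA sequence on constructed data.
Step 1: critical asset identification (DHS criticality factors).
Step 2: evaluate existing protection against the aggressor types of Tables 5-7.
Step 3: determine security gaps. All scales and sample values are assumptions."""
from dataclasses import dataclass

# Criticality factors named by DHS in the chapter, grouped as the chapter groups them.
# Assumed scale: each factor is rated 0 (negligible consequence) to 3 (severe).
CRITICALITY_FACTORS = {
    "loss_and_damage": ("casualty_risk", "environmental_impact",
                        "replacement_cost", "down_time"),
    "public_services": ("emergency_response", "government_continuity",
                        "military_importance"),
    "general_public": ("lack_of_alternatives", "economic_impact",
                       "public_health_impact", "functional_importance",
                       "symbolic_importance"),
}
ALL_FACTORS = tuple(f for group in CRITICALITY_FACTORS.values() for f in group)

# Aggressor types from Tables 5-7 on an assumed 1..4 sophistication scale.
# Figure 8's point: countermeasures are commensurate when the asset's protection
# level meets the level of every adversary the scenario-based assessment finds credible.
ADVERSARY_LEVEL = {
    "unsophisticated_criminal": 1, "vandal_activist": 1,
    "sophisticated_criminal": 2, "extremist_protester": 2,
    "organized_crime": 3, "domestic_terrorist": 3,
    "international_terrorist": 4, "state_sponsored_terrorist": 4,
}

CRITICAL_THRESHOLD = 18  # assumed: half of the maximum total score (12 factors x 3)


@dataclass
class Asset:
    name: str
    ratings: dict                # factor -> 0..3; factors not rated count as 0
    protection_level: int        # adversary level the existing countermeasures address
    credible_adversaries: tuple  # result of the scenario-based threat assessment


def criticality_score(asset):
    """Step 1: total the DHS factor ratings (0..36); out-of-scale ratings are rejected."""
    score = 0
    for factor in ALL_FACTORS:
        rating = asset.ratings.get(factor, 0)
        if not 0 <= rating <= 3:
            raise ValueError(f"{asset.name}: {factor} rating {rating} is outside 0..3")
        score += rating
    return score


def is_critical(asset):
    """Critical on total score, or on severe casualty risk alone (assumed rule, so a
    low-cost asset whose loss would kill people is not masked by a low total)."""
    return (criticality_score(asset) >= CRITICAL_THRESHOLD
            or asset.ratings.get("casualty_risk", 0) == 3)


def required_protection(asset):
    """Step 2: the protection level needed is set by the most capable credible adversary."""
    unknown = set(asset.credible_adversaries) - set(ADVERSARY_LEVEL)
    if unknown:
        raise ValueError(f"{asset.name}: unknown adversary type(s) {sorted(unknown)}")
    return max((ADVERSARY_LEVEL[a] for a in asset.credible_adversaries), default=0)


def security_gaps(assets):
    """Step 3: critical assets whose existing protection falls short of what their
    credible adversaries require, most critical (then widest shortfall) first.
    Each entry is (name, criticality score, existing level, required level)."""
    gaps = []
    for asset in assets:
        need = required_protection(asset)
        if is_critical(asset) and asset.protection_level < need:
            gaps.append((asset.name, criticality_score(asset),
                         asset.protection_level, need))
    gaps.sort(key=lambda g: (-g[1], -(g[3] - g[2]), g[0]))
    return gaps


# Constructed sample inventory for a hypothetical transit agency (not real data).
SAMPLE_ASSETS = [
    Asset("operations_control_center",
          {"casualty_risk": 1, "replacement_cost": 3, "down_time": 3,
           "emergency_response": 3, "government_continuity": 2,
           "lack_of_alternatives": 3, "economic_impact": 3,
           "functional_importance": 3, "symbolic_importance": 1},
          protection_level=2,
          credible_adversaries=("sophisticated_criminal", "domestic_terrorist")),
    Asset("river_crossing_bridge",
          {"casualty_risk": 3, "environmental_impact": 1, "replacement_cost": 3,
           "down_time": 3, "emergency_response": 2, "lack_of_alternatives": 2,
           "economic_impact": 3, "functional_importance": 3, "symbolic_importance": 2},
          protection_level=3,
          credible_adversaries=("vandal_activist", "international_terrorist")),
    Asset("bus_wash_facility",
          {"replacement_cost": 1, "down_time": 1, "functional_importance": 1},
          protection_level=0, credible_adversaries=("unsophisticated_criminal",)),
    Asset("fare_collection_servers",
          {"replacement_cost": 2, "down_time": 2, "economic_impact": 2,
           "lack_of_alternatives": 2, "functional_importance": 2},
          protection_level=3, credible_adversaries=("organized_crime",)),
]

if __name__ == "__main__":
    for name, crit, have, need in security_gaps(SAMPLE_ASSETS):
        print(f"{name}: criticality {crit}, protection level {have} < required {need}")
```

Note that the fare collection servers produce no gap even though their existing protection only just matches the organized-crime level, while the bridge does, because the scenario-based threat assessment credits it with an international terrorist adversary its countermeasures were not designed for.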

Additionally, there are self-directed vulnerability assessment methods and checklists available from various organizations including DHS, FHWA, DOE and the FBI. TSA provides direct assistance to transportation modes including Transit, Rail and Highway through the Baseline Assessment for Security Enhancement (BASE) and Corporate Security Review Programs.

Performing the Physical Security Survey

Preferably the SVA should be conducted by a trained team of security professionals using an industry-accepted methodology as opposed to a self-assessment question list or checklist. Team members must be capable of understanding and interpreting the protection objectives, operating environment, priorities and inherent weaknesses of the transportation agency under review. The team should include a project manager responsible for the final report product of the assessment, as well as subject matter experts in transportation sector and mode security. The security-trained component of the team should be assisted by a cross-disciplinary group of management and operating personnel with expertise in agency operations including communications, engineering, mechanical, facilities and transportation. To the extent necessary this group should be further supported by specialists such as information technology professionals, human resources trainers, finance and procurement officers, and systems analysts. Figure 12 is an illustration of the process by which an SVA team works through the critical asset evaluation step of a highway vulnerability assessment approach. Note the presence of threat experts, vulnerability experts and transportation professionals on the SVA team.

Figure 12: Critical Asset Evaluation Step. Source: Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection, American Association of State and Highway Transportation Officials, 2002

Vulnerability Assessment – Cybersecurity

In the strictest sense, a vulnerability in cyber is basically a weakness in an information system or the procedures, controls or implementation processes surrounding the system that can be exploited by an intentional actor or compromised by non-adversarial error, natural events or accident. Generally, information system vulnerabilities result from lapses in security controls. However, more and more the exploitation of vulnerabilities has been enabled by rapidly emerging changes in technology or changes in organizational operations or mission. Successful exploitation of a vulnerability is a function of three inter-related elements: a susceptibility of the information system itself to attack; an available means to access the system's specific security control lapse or vulnerability; and the capability of an adversary to carry out the actions necessary to exploit the information system.

But as NIST Special Publication 800-30 points out, “vulnerabilities are not identified only within information systems...vulnerabilities can be found in organizational governance structures (e.g., the lack of effective risk management strategies and adequate risk framing, poor intra-agency communications, inconsistent decisions about relative priorities of missions/business functions, or misalignment of enterprise architecture to support mission/business activities)... or in external relationships (e.g., dependencies on particular energy sources, supply chains, information technologies, and telecommunications providers), mission/business processes (e.g., poorly defined processes or processes that are not risk-aware), and enterprise/information security architectures (e.g., poor architectural decisions resulting in lack of diversity or resiliency in organizational information systems).”

Whether caused by internal flaws in information systems or, more broadly, by inadequate business practices or supply chain weaknesses, it is essential that transportation organizations understand the extent of their current and future reliance on information systems, control systems and other transportation network systems. The following sections outline the vulnerabilities of these systems and how to mitigate the vulnerabilities associated with their use.

Common Vulnerabilities of Information Systems

The list of vulnerabilities for IT systems is far too voluminous and fluid to be included in this research. However, the information is readily available. The National Vulnerability Database (https://nvd.nist.gov) currently contains a listing of more than 71,429 CVEs (Common Vulnerabilities and Exposures). The NVD is the U.S. government repository of standards-based vulnerability management data. CVE is a publicly available, free-to-use list or dictionary of standardized identifiers for common computer vulnerabilities or exposures.
Information in the CVE is organized by year going back to 1999. It is available for download in numerous formats: CVRF, HTML, XML, and text.

Common Vulnerabilities of Industrial Control Systems

In 2001 the U.S. Department of Homeland Security published the document Common Cybersecurity Vulnerabilities in Industrial Control Systems. The report provides a useful summary of information system vulnerabilities. The information is subdivided into three categories: (1) vulnerabilities inherent in the ICS product; (2) vulnerabilities caused during the installation, configuration, and maintenance of the ICS; and (3) the lack of adequate protection because of poor network design or configuration. See Figure 13.

Common Vulnerabilities of Transportation Operations Systems

Traffic Management Centers (TMCs) use ITS technologies to manage traffic, address incidents, provide travel and incident data and information, and communicate with the region’s transportation agencies, media, and other relevant stakeholders. TMCs contain a computer network, application servers, data servers, and wireless peripherals. Field equipment such as sensors transmits information and data back to the TMC for analysis and dissemination. TMCs also control and manage traffic signals to enhance the efficiency of traffic flows. Dynamic message signs help disseminate analyzed information and provide guidance to travelers. Common vulnerabilities include the following:

• Poorly configured field network devices;
• Malware delivered using email or a compromised website;
• Malware walked in by a user, either inadvertently or deliberately;
• Compromised partner networks;
• Poorly configured external firewall, switches, or agency webpages;
• Compromised user credentials; and
• Unauthorized physical entry.

In addition, the physical design of the TMC and TMC policies (such as allowing public tours) can facilitate breaches.

Figure 13: Vulnerability Communications Access Paths to Control Systems

Performing the Cybersecurity Survey

Although there are currently very few models specifically tailored to surface transportation assets or organizations, there are workable risk assessment models and methodologies available for use in establishing the parameters by which cybersecurity risk will be evaluated. For example, the DHS ICS-CERT Cybersecurity Evaluation Tool (CSET®) has been utilized by a number of transportation organizations to conduct assessments. CSET® is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The CSET output is a prioritized list of recommendations for improving the cybersecurity posture of the organization’s enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls. Information about ICS-CERT assessments is readily available at https://ics-cert.us-cert.gov/Assessments.

Consequence Assessment – Physical Security

Consequence analysis, also called impact analysis, is an assessment of the perceived impact of an adverse event or series of events on critical infrastructure or processes. It is:

• an analysis of the immediate, short- and long-term effects of an event or event combination on an asset.
• an estimate of the amount of loss or damage that can be expected.
• an indication of the effects of that event on people, assets, or functions – a characterization of “value”.

Determining the underlying criticality of an asset is a fundamental component of consequence assessment. Factors affecting the criticality of assets include:

• Loss and Damage Consequences – casualty risk, environmental impact, replacement costs, and replacement/down time;
• Consequences to Public Services – emergency response functions, government continuity, military importance;
• Consequences to the General Public – available alternatives, economic impact, public health impact, functional importance and symbolic importance.

Establishing a consequence rating for physical assets can be difficult because of a lack of experience factors or actuarial data. Virtually all forms of risk assessment used in transportation use qualitative tables or matrices that present a relational comparison between critical assets. Relative analysis allows for prioritization of needs and requirements and directs transportation agency security responses towards eliminating or mitigating the most significant threats. Figure 14 below depicts a “pair wise” consequence assessment that illustrates the individual scores for frequency, property damage, injury, and fatalities. Figure 14 presents the pair-wise data and Figure 15 presents a high-level relational matrix that supports decision making.

Figure 14: “Pair Wise” Consequence Assessment

Figure 15: FTA Threat and Vulnerability Resolution Matrix
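As an added illustration of the relational comparison described above (this is not code from the report or from the FTA method), the following Python scores each asset on the four dimensions named for Figure 14, compares every pair, and ranks assets by pair-wise wins. The 1..5 scale, the weights, the dominance rule and the sample assets are all this example's own assumptions.

```python
# Added illustration for this chapter, not code from the NCHRP report or the FTA
# method. Assumes each asset is scored 1..5 on the four dimensions the text names
# (frequency, property damage, injury, fatalities); weights and dominance rule are assumed.
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations

DIMENSIONS = ("frequency", "property_damage", "injury", "fatalities")
# Assumed weights: harm to people outweighs property loss.
WEIGHTS = {"frequency": 1.0, "property_damage": 1.0, "injury": 2.0, "fatalities": 3.0}

@dataclass(frozen=True)
class AssetScore:
    name: str
    frequency: int
    property_damage: int
    injury: int
    fatalities: int

    def __post_init__(self) -> None:
        # Reject out-of-range scores early; a stray value silently skews the ranking.
        for dim in DIMENSIONS:
            value = getattr(self, dim)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {dim} score {value} is outside 1..5")

    def weighted(self) -> float:
        return sum(getattr(self, dim) * WEIGHTS[dim] for dim in DIMENSIONS)

def compare(a: AssetScore, b: AssetScore) -> int:
    """Pair-wise verdict: 1 if a is more consequential than b, -1 if less, 0 if tied.
    Dominance (at least as high on every dimension) wins outright; otherwise the
    weighted total decides, so the weights belong in the assessment report."""
    a_dominates = all(getattr(a, d) >= getattr(b, d) for d in DIMENSIONS)
    b_dominates = all(getattr(b, d) >= getattr(a, d) for d in DIMENSIONS)
    if a_dominates != b_dominates:
        return 1 if a_dominates else -1
    wa, wb = a.weighted(), b.weighted()
    return (wa > wb) - (wa < wb)

def pairwise_matrix(assets: list[AssetScore]) -> dict[tuple[str, str], int]:
    """Verdict for every ordered pair of assets: the relational table behind Figure 14."""
    matrix: dict[tuple[str, str], int] = {}
    for a, b in combinations(assets, 2):
        verdict = compare(a, b)
        matrix[(a.name, b.name)] = verdict
        matrix[(b.name, a.name)] = -verdict
    return matrix

def rank_assets(assets: list[AssetScore]) -> list[tuple[str, int]]:
    """Assets ordered by pair-wise wins; ties broken by weighted score, then name."""
    matrix = pairwise_matrix(assets)
    wins = {a.name: sum(matrix[(a.name, b.name)] > 0 for b in assets if b is not a)
            for a in assets}
    ordered = sorted(assets, key=lambda a: (-wins[a.name], -a.weighted(), a.name))
    return [(a.name, wins[a.name]) for a in ordered]

# Constructed sample assets with illustrative scores (not agency data).
SAMPLE = [
    AssetScore("Tunnel ventilation system", 2, 4, 5, 5),
    AssetScore("Highway bridge", 1, 5, 4, 5),
    AssetScore("TMC server room", 3, 3, 1, 1),
    AssetScore("Bus maintenance yard", 4, 2, 2, 1),
]
```

Calling rank_assets(SAMPLE) yields the relative ordering the matrix supports; the weighted tie-break is where analyst judgment enters, so the chosen weights should be stated in the report alongside the scores.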

Consequence Assessment – Cybersecurity

Regarding information systems, the level of impact is attributable to the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. In the transportation environment, impact transfers over to a potential for loss of life or serious injury, based on the potential for the health and welfare of passengers or other system users to be adversely affected by the compromise of agency-controlled or -operated SCADA or ICS systems. Indeed, transportation system operators are faced with a “duty of care” for system users that extends beyond the typical cyber breach.

At present there is no fully developed listing of foundational cyber critical assets for surface transportation organizations. For transit, APTA SS-ECS-RP-001-13, Cybersecurity Considerations for Public Transit, provides a very useful grouping of critical assets in transit into three main categories. The transit IT “ecosystem” and definitions for each of the categories follow:

Figure 16: APTA SS-ECS-RP-001-13 | Cybersecurity Considerations for Public Transit

• Operational systems: These systems integrate supervisory control and data acquisition (SCADA), original equipment manufacturer (OEM) and other critical component technologies responsible for the control, movement and monitoring of transportation equipment and services (i.e., train, track and signal control). Often such systems are interrelated into multimodal systems such as buses, ferries and metro modes.
• Enterprise information systems: This describes the transit agency’s information system, which consists of integrated layers of the operating system, applications system and business system. Holistically, enterprise information systems encompass the entire range of internal and external information exchange and management.
• Subscribed systems: These consist of “managed” systems outside the transportation agency. Such systems may include Internet service providers (ISPs), hosted networks, the agency website, data storage, cloud services, etc.

Examples include control systems that support operational systems: SCADA, traction power control, emergency ventilation control, alarms and indications, fire/intrusion detection systems, train control/signaling, fare collection, automatic vehicle location (AVL), physical security feeds (CCTV, access control), public information systems, public address systems, and radio/wireless/related communication. Networks for traffic management, yard management, crew management, vehicle management, vehicle maintenance, positive train control, traffic control, remote railway switch control, main line work orders, wayside maintenance, on-track maintenance, intermodal operations, threat management and passenger services. And business management systems that support administrative processes, including transaction processing systems, management information systems, decision support, executive support, financial pay systems, HR, training, and knowledge management.

Figure 17: APTA SS-ECS-RP-001-13 | Cybersecurity Considerations for Public Transit

NIST Special Publication 800-30 guidelines recommend identifying information system critical assets based on an assessment of perceived or potential:

• Harm to Operations
  o Inability to perform current missions/business functions
  o Inability, or limited ability, to perform missions/business functions in the future
  o Inability to restore missions/business functions
• Harms (e.g., financial costs, sanctions) due to Noncompliance
  o With applicable laws or regulations
  o With contractual requirements or other requirements in other binding agreements (e.g., liability)
  o Direct financial costs
  o Relational harms
• Harm to Assets
  o Damage to or loss of physical facilities
  o Damage to or loss of information systems or networks
  o Damage to or loss of information technology or equipment
  o Damage to or loss of component parts or supplies
  o Damage to or loss of information assets
  o Loss of intellectual property
• Harm to Individuals
  o Injury or loss of life
  o Physical or psychological mistreatment
  o Identity theft
  o Loss of Personally Identifiable Information
  o Damage to image or reputation
• Harm to Other Organizations
  o Harms (e.g., financial costs, sanctions) due to noncompliance
  o Direct financial costs
  o Relational harms
• Harm to the Nation
  o Damage to or incapacitation of a critical infrastructure sector
  o Loss of government continuity of operations
  o Relational harms

And finally, NERC CIP-002-3 provides a classification approach that designates assets based on information compromise criticality – either public, restricted, confidential, or private – suggesting that the level of security protection and controls can be managed by assignment commensurate with the risk of release.

• Public – This information is in the public domain and does not require any special protection. For instance, the address and phone number of the headquarters of your electric cooperative is likely to be public information.
• Restricted – This information is generally restricted to all or only some employees in your organization, and its release has the potential of having negative consequences on your organization’s business mission or security posture. Examples of this information may include:

  o Operational procedures
  o Network topology or similar diagrams
  o Equipment layouts of critical cyber assets
  o Floor plans of computing centers that contain critical cyber assets
• Confidential – Disclosure of this information carries a strong possibility of undermining your organization’s business mission or security posture. Examples of this information may include:
  o Security configuration information
  o Authentication and authorization information
  o Private encryption keys
  o Disaster recovery plans
  o Incident response plans

Risk Assessment Report

The end result of the risk assessment is the publication of a report that accomplishes the objective of establishing the current security status of the transportation agency in terms of (1) critical asset identification, (2) threats and vulnerabilities existing against those assets, and (3) consequences or ramifications of successful attacks against those assets. The efficacy of this report will be determined primarily by the comprehensiveness and derivation of facts and opinions produced by the conduct of interviews, examinations, observations, analysis and investigations. To the extent practicable, opinions should be expressed as such. At the conclusion of the report, findings and recommendations should be rendered that can be used to assist in the formulation of the transportation agency’s security needs and requirements planning documentation.
