National Academies Press: OpenBook
Suggested Citation:"Chapter 3 - Security Countermeasures." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Chapter 3 - Security Countermeasures

Physical Countermeasures

The fundamental principle for determining what countermeasures to use in any given situation is that utility should control. Transportation agencies must examine the threats against them and identify the most useful means to reduce the vulnerabilities associated with those threats to acceptable levels. Less costly but more effective solutions are often available.

Security designers can benefit from a utility scale that assimilates and compares one countermeasure against another. Figure 3-1, from FEMA 430, lists security countermeasures along a sliding scale based on three utility factors—protection provided, cost, and effort required (DHS 2007). Countermeasures appear on the scale moving from “Less Protection, Less Cost, Less Effort” to “Greater Protection, Greater Cost, Greater Effort.” The figure does not provide relative comparisons between the three utility factors, but does provide them for each factor individually.

Source: DHS 2007. Figure 3-1. Countermeasures scale by protection, cost, effort.

TCRP Research Report 193: Tools and Strategies for Eliminating Assaults Against Transit Operators identifies additional approaches for describing and evaluating physical security countermeasures (TRB 2017b). Table 3-1 describes levels of security based on purpose and definition, with source information.

TCRP Research Report 193 also contains a countermeasures rating scale that lists the underlying description or definition of each rating category (Table 3-2). Implementation costs for many of the countermeasures are difficult to measure due to the variability in system size, preexisting resources, and a variety of other factors. Overly specific prices of equipment and technology for individual countermeasures may quickly become outdated and reduce the usefulness of the guide. For these reasons, costs are presented as relative values.

Once the utility and relative costs of specific countermeasures have been established, the agency should return to the concepts of systems approach, layered security, and systems integration (discussed in Chapter 2, see also Figure 3-2) when deciding how to proceed toward reducing security vulnerabilities. Certain security design techniques or technologies are well suited to serve as solution sets capable of fulfilling security needs.

Signs

One well-known rule of warfare that is applicable to homeland defense is that neither fences nor signs will stop a determined enemy. Nonetheless, security signs can play an important role in securing transportation facilities, rights-of-way, and critical infrastructure. They are relatively inexpensive and low-maintenance, and can serve as a deterrent to aggressor actions or tactics.

Maintenance of a good security sign program also helps create a working environment in which security is perceived to be taken seriously. Employees become aware of security requirements through well-placed signs that display the status of restricted or controlled areas, or signs that limit or prohibit certain activities. The signs depicted in Figure 3-3 are approved by the Occupational Safety and Health Administration for use in the workplace. They represent a cross-section of security designs that cover both of these categories.

Effective use of signs starts with creation of a sign plan. The plan is a written record that provides a framework for decision-making regarding the installation, replacement, maintenance, and budgeting for the program. It identifies each sign by type and legend and contains a site plan for placement and installation. The U.S. Army Corps of Engineers Sign Standards Manual EP 310-1-6a and Manual EP 310-1-6b provide a checklist of the steps necessary to implement an effective sign plan (U.S. Army Corps of Engineers 2006). The checklist includes (1) an inventory of existing signs and their condition, (2) collection or development of up-to-date pictorials, maps (optimally supported by GIS), diagrams, blueprints, or other representation of the area in need of protecting, (3) preparation of the site plan and sign layout materials, and (4) implementation of the plan in conformance with the guidelines established.

Once the implementation plan has been readied, a sign inspection and maintenance schedule should be incorporated into the process. And at this point a word of caution is appropriate. A budgeted, coordinated sign replacement and maintenance schedule is necessary for continuing to reinforce the message to transportation system users, employees, and the public that the agency prioritizes security on its properties and facilities.

Missing signs defeat the objectives of the security plan layout, while damaged or vandalized security signs reflect badly on the agency’s commitment to security. The Corps of Engineers recommends a formal inspection of security signs semiannually. The inspection should identify signs requiring maintenance or replacement, signs that can be eliminated, and the need for additional signs. Vandalized, damaged, or missing signs should be repaired or replaced as quickly as possible.

Source: TRB 2017b. Table 3-1. Levels of security.

| Purpose | Definition | Source |
|---|---|---|
| Prevention | Those capabilities necessary to avoid, prevent, or stop a threatened or actual act | NIPP (DHS 2013) |
| Deterrence | An activity, procedure, or physical barrier that reduces the likelihood of an incident, attack, or criminal activity | Transit Agency Security and Emergency Management Protective Measures (FTA 2006) |
| Detection | The identification and validation of potential threat or attack that is communicated to an appropriate authority that can act | Transit Agency Security and Emergency Management Protective Measures (FTA 2006) |
| Mitigation | The application of measure or measures to reduce the likelihood of an unwanted occurrence and/or its consequences | DHS Risk Lexicon (2008) |
| Response | Capabilities necessary to save lives, protect property and the environment, and meet basic human needs after an incident has occurred | NIPP (DHS 2013) |
| Recovery | The development, coordination, and execution of plans for impacted areas and operations | Transit Agency Security and Emergency Management Protective Measures (FTA 2006) |

Source: TRB 2018. Table 3-2. Countermeasures rating scale.

EASE OF USE (NOMINAL SCALE OF DIFFICULT-MODERATE-EASY)
• DIFFICULT: Requires extensive effort to accomplish
• MODERATE: Requires some effort to accomplish
• EASY: Requires minimal effort to accomplish

TRANSIT INDUSTRY USE (NOMINAL SCALE OF HIGH-MED-LOW)
• HIGH: More than two-thirds of transit agencies
• MEDIUM: Between one-third and two-thirds of transit agencies
• LOW: Less than one-third of transit agencies

TIME TO IMPLEMENT (NOMINAL SCALE OF LONG-MEDIUM-SHORT)
• LONG: More than 1 year
• MEDIUM: More than 3 months but less than 1 year
• SHORT: 3 months or less

LABOR INTENSIVE (SCALE OF UP TO 3 $S)
• $$$: Requires extensive new staff or makes heavy demands on current human resources
• $$: Requires some additional staff time
• $: Can be implemented with current staff, perhaps with training

COST TO IMPLEMENT (SCALE OF UP TO 3 $S)
• $$$: Requires extensive new facilities, equipment, or publicity, or makes heavy demands on current resources ($2M+)
• $$: Requires some additional equipment, facilities, and/or publicity ($450K–$2M)
• $: Limited costs for equipment, facilities, and/or publicity (<$50K–$450K)

EFFECTIVENESS (SCALE OF UP TO 5 STARS)
• Demonstrated to be effective by several high-quality evaluations with consistent results
• Demonstrated to be effective in certain situations
• Likely to be effective based on balance of evidence from high-quality evaluations or other sources
• Effectiveness still undetermined; different methods of implementing this countermeasure produce different results
• Limited or no high-quality evaluation evidence

UNKNOWN: Data not available (appears twice in the table)

Source: FTA 2004b. Figure 3-2. Layers of security.

Source: http://www.safetysign.com Figure 3-3. Security signs.

Emergency Telephones, Duress Alarms, and Assistance Stations

Historically, emergency alert or alarm systems have been hardwired communications systems linked to security control centers. Telephone boxes, panic alarm buttons, and intercom systems were typically linked to central stations where dispatchers or monitoring personnel answered emergency calls and sent response personnel to the location to provide assistance.

Today wireless technology has added new dimensions and capabilities for the security-related use of these systems. For example, the State Transit Authority of Australia has a fleet of 1,800 buses in the Sydney and Newcastle area. Every bus is outfitted with AVL technology, a driver duress alarm, and a microphone that allows central station personnel to hear what is transpiring on board the vehicle when the driver activates the system.

Technology has also expanded the recipient group for duress alarms to include first responders, who can be equipped to receive a location-specific prerecorded voice message using the officer’s existing two-way radios. These systems, by eliminating the monitoring station go-between, can greatly improve the response time for police or security personnel. Information can be sent close to simultaneously to the command center by digital data packet transmittal.

Because of the high costs associated with responding to duress alarms, it is critical for transportation agencies considering the use of emergency alert or alarm systems to conduct a thorough risk assessment to establish the size and scope of the project. Once the needs assessment has been completed, the best way to accomplish the countermeasures analysis is to engineer backward from the response.

Taking into account such variables as time, distance, day of the week, and changes in staffing levels, police or security officer response capabilities—whether self-directed or through dispatch—should be examined to determine just how quickly help can arrive on the scene. Next, prospective communications access points for deploying emergency alert or alarm systems should be compared with estimated response capabilities, keeping in mind the potential time variation and, where applicable, the routes and locations of agency rolling stock. If additional security assets are required to make the system viable, they should be designed and planned for prior to implementation. A duress communication system that typically goes unanswered for an extended length of time creates an untenable security operating condition. Under such circumstances alternative security countermeasures should be selected.

Key Control and Locks

It has been said that security starts and ends with closing the door and locking it. But even the most expensive, well-constructed locking mechanism can be defeated if sufficient skill and time are available to the adversary. According to the U.S. Army Field Manual 3-19.30, most key locks and conventional combination locks can be picked by an expert in a matter of minutes (U.S. Army 2001). More sophisticated manipulation-resistant locks, locks with four or more tumblers, some interchangeable core systems, or relocking devices on safes or doors can provide an “appreciable increase” in difficulty but are still subject to compromise. Locks should be considered at best to be a deterrent and more plausibly as a delay device that does not completely restrict entry to a protected area.

Locks are a widely used basic security countermeasure for protecting facilities, activities, personnel, and property. They are present not only on doors but on windows, gates, conveyances, interior offices, supply areas, filing cabinets, and virtually all other kinds of storage containers or areas. Locking hardware is designed to various levels of deterrence or entry delay. It is recommended that the agency consult with a professional locksmith for mechanical locks or security professional for electromechanical or electromagnetic locks before spending security dollars on new hardware or upgrades.

Because keys and locks are frequently the only countermeasure deployed to protect assets and infrastructure, managing key access is fundamental to effective control. Maintaining a good key control system can mean the difference between a robust security program and a compromised, unsecure operating environment. The starting point for establishing an effective key control program is the development of sound, workable policy. The policy must be requirements-based and commensurate with the levels of protection necessary for the location. Obtaining user input into the design of the key control system can assist greatly at a later date, when maintaining discipline associated with the system is important.

Management of the system should be assigned to an individual designated as the key control officer (KCO). This individual should be accountable for maintaining the integrity of the key control process by (1) exercising approval authority over the acquisition and storage of all locks and keys, (2) providing oversight for the distribution of keys to agency employees, (3) conducting inspections and inventories, (4) maintaining the organization’s key depository, (5) conducting investigations of key loss, and (6) establishing an official records maintenance system that serves as the control point for all agency activity.

Frequently, an organization will be faced with a situation in which key control has previously been compromised, either through a lack of attention to security or by the failure of one or more employees to comply with policy. When current conditions demand retooling the system and process, the agency should create a key control annex to their physical security plan. The newly assigned KCO should conduct a comprehensive survey of all agency physical assets needing protection, to establish a baseline key control plan that can return efficiency to the program. Under this program, when a compromised key access point is identified, locks should be replaced, recoded, or otherwise upgraded as a security plan priority.

Fencing

Two main issues are associated with the use of fencing as a protective barrier. The first and clearly most important is placement. However, in the context of homeland security, the grade or strength of fencing material is a close second. Consideration must also be given to substituting other types of protective barriers where fencing has traditionally been used (see Figure 3-4). The transportation agency should look at the design aspects of both placement and strength of material in concert, to determine how the use of fencing countermeasures can positively impact risk reduction efforts.

Fencing can be used for various purposes in security. Predominant among these is the use of fencing as a deterrent or delaying factor. When deployed in this way, terms such as perimeter line, controlled access zone, and layered defense apply. Perimeter line is the outermost line of defense for an area being protected. A controlled access zone attempts to limit access to the more immediate area being protected. The applicability of fencing in these configurations is apparent. For example, a fence can be used to form the outermost perimeter line.

Fencing or, more generally, protective barriers used in conjunction with layered defense principles, present a much broader range of security applications. FEMA 430, Site and Urban Design for Security, presents a three-layer model for protecting a building against attack (DHS 2007). Under this approach, the objective is to “create a defense in depth by creating cumulative successive obstacles that must be penetrated . . . penetration of the perimeter leads only to further defense systems that must be overcome.”

Fencing as a security countermeasure in conjunction with the first and second defensive layers is illustrated in Figure 3-4. Under this configuration, the greater the distance between the building exterior and the perimeter line, the better. This open space concept of security affords designers the opportunity to use an array of security countermeasures to defend the organization’s assets, including line-of-sight observation, video surveillance, motion detection, or other intrusion detection technologies.

Source: DHS 2007. Figure 3-4. Use of fencing as a security countermeasure with defensive layers.

It is also at this point that the second main issue, fencing material, can be considered. Fencing can take security planners beyond deterrence and into prevention, with explosives mitigation and barrier-related interception of a threat at a point of sufficient standoff distance to absorb dangerous explosive blast levels. Depending on the deployment and K Certification class of fencing material, certain aggressor tactics can be completely defeated.

K Certification anti-ram standards originated at the U.S. Department of State. The rating is determined from perpendicular barrier impact results of a truck weighing 15,000 lb (6,810 kg) striking the barrier straight on. To meet the standard, the truck’s cargo bed cannot penetrate the barrier by more than 1 meter. Table 3-3 and Figure 3-5 depict the vehicle and crash ratings associated with the truck striking the barriers at speeds of 30 mph, 40 mph, and 50 mph.

Source: DHS 2007. Table 3-3. Vehicle and crash ratings.

Figure 3-6 depicts a crash-rated fence that can be reinforced with an integrated cable system to meet K8 standards, according to the manufacturer. Figure 3-7 shows a schematic example of a cable barrier deployable as a means of fencing reinforcement.

Source: DHS 2007. Figure 3-5. Truck striking barrier.

Source: DHS 2007. Figure 3-6. Crash-rated fence.

Protective Barriers

Fences are only one type of protective barrier available to security designers. Other types include anti-ram vehicle barriers categorized as passive or active. The alarming growth in the use of vehicles—rented, stolen, or easily available large motor vehicles—as ramming instruments in direct attacks on pedestrians and similar gatherings is an emerging threat requiring greater resiliency and focus on temporary and permanent barriers that block pedestrian traffic areas from vehicular intrusion (Figure 3-8).

Anti-ram barrier effectiveness is based on a formula

$$KE = \frac{Mv^2}{2}$$

where M is the mass of the vehicle and v is the velocity at the time of impact.

Passive barriers are fixed countermeasures that include bollards (concrete-filled steel pipe), reinforced street furniture, concrete walls, planters, and berms (DHS/NCSD/CSSP 2012).
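As an added worked example (not part of the original report), the kinetic energy formula above can be evaluated for the 15,000 lb (6,810 kg) test truck at the three impact speeds cited in the Fencing section. The only assumption is the unit conversion 1 mph = 0.44704 m/s, which gives 13.41, 17.88, and 22.35 m/s.

$$KE_{30\,\text{mph}} = \frac{(6{,}810\ \text{kg})(13.41\ \text{m/s})^2}{2} \approx 0.61\ \text{MJ}$$

$$KE_{40\,\text{mph}} = \frac{(6{,}810\ \text{kg})(17.88\ \text{m/s})^2}{2} \approx 1.09\ \text{MJ}$$

$$KE_{50\,\text{mph}} = \frac{(6{,}810\ \text{kg})(22.35\ \text{m/s})^2}{2} \approx 1.70\ \text{MJ}$$

Because energy grows with the square of velocity, a barrier facing the 50 mph impact must absorb about 2.8 times the energy of the 30 mph impact (a ratio of 25/9), although the speed is only about 1.67 times higher.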

Security Countermeasures 63 Source: DOD 1999. Figure 3-7. Cable barrier for fencing reinforcement. Source: DHS 2007. Figure 3-8. Barriers as countermeasures.

64 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Active barriers are movable or retractable to allow passage when authorized. These can include retractable bollards, crash beams, rotating wedge systems, or rising barricades (Figures 3-9, 3-10, and 3-11). Landscape Design Natural barriers such as trees or water can be used effectively to reduce vulnerabilities. Site planning for protected areas can be security minded, with landscape design serving the dual purposes of aesthetics and function (Figure 3-12). Protective Lighting Security professionals, emergency response personnel, and safety practitioners extol the value of manufactured light as a means to protect people and property from harm or unreasonable risk of injury. Used as a security countermeasure during hours of darkness, protective lighting can even create an operating environment that provides better security than in the daytime. This can occur when security designers use capabilities such as glare projection to reduce the ability of an adversary to see the inside of a protected area. Protective lighting objectives include the following: • Adherence to acceptable industry standards for outdoor protective lighting levels as promul- gated by the Illuminating Engineering Society of North America or the guidelines of the New Buildings Institute’s Advanced Lighting Guidelines (New Buildings Institute 2003); Source: DHS 2007. Figure 3-9. Retractable bollards, crash beams. Source: DHS 2007. Figure 3-10. Mobile wedge barrier.

Security Countermeasures 65 • Illumination of all exterior points within the perimeter of the protected area, including walk- ways, vehicle entranceways, fence lines, and critical structures or assets; • Non-transgressing illumination of approach areas to the perimeter line; • Deterrence of aggressor attempts at entry to protected areas; • Support for other security countermeasures such as video surveillance cameras, motion acti- vated sensors, or security forces; and • Resistance to tampering, vandalism, neutralization, or defeat. Similar to other measures, protective lighting security planning requires thoughtful and care- ful study to ensure maximum program benefits. In particular, because of the open access nature of transportation environment, prospective dual use aspects of lighting should be examined for potential integration into mainstream transportation operations. And, vice versa, the security Source: DHS 2007. Figure 3-11. Rising barricade. Source: Michael Van Vandenburgh and Associates 2001. Figure 3-12. Proposal for the redesign of the Washington Monument grounds.

applicability of agency lighting configurations should be factored into operational planning and decision-making.

Planners should also determine the prospects of upgrading the existing lighting system. Taking advantage of opportunities to retrofit existing lighting systems (luminaires) can improve lighting quality, reduce electricity usage, and extend time between required maintenance and replacement, while simultaneously providing environmental benefits such as improved security or safety.

Although relatively inexpensive when compared to other security strategies, lighting plans require a continuing strong commitment to maintenance and upkeep. Agencies must budget costs for cleaning and replacing luminaires on a scheduled basis. Different types of lighting systems can help reduce the overall costs associated with upkeep while improving the efficiency of the lighting output, measured luminance (footcandles or lux).

The principal sources of lighting in common use today include (1) incandescent lamps, (2) fluorescent lamps, and (3) high-intensity discharge (HID) lamps. All three types convert electrical energy into light or radiant energy. Compared to other light sources, incandescent lights are low in cost, have a relatively short life, and provide low efficiency in lumens per watt of electrical energy. Fluorescent lamps provide longer life and higher lamp efficiency. High-intensity discharge lamps come in different varieties: mercury vapor lamps, known for their efficiency and long life; metal halide lamps, with a much shorter lamp life than mercury vapor but with an efficiency rating about 50% higher; and high pressure sodium (HPS) lamps, with both longer life and high lumen efficiency. HPS lamps are used when efficiency is the most important factor (Table 3-4).
Luminaires (consisting of a complete lighting unit, lamp, housing, and power supply connectivity) are categorized in four general types: floodlight luminaires, street light luminaires, Fresnel lens luminaires, and search light luminaires.

Floodlights project to distant points; therefore, their use in homeland defense is vital. They are used to illuminate perimeter fence lines, critical facilities, or high priority assets. Both incandescent and HID lamps are used in floodlight luminaires.

Street lights are used to illuminate large areas as well as entranceways. Mercury vapor lamps are widely used in street lighting because of their long life.

Fresnel lens luminaires are directional, high-glare units that project a fan-shaped light beam approximately 180 degrees horizontal and 15 to 30 degrees vertical. They are used in homeland defense to protect high-security locations where transgressing light will not impact the neighboring community.

Search lights provide a powerful, concentrated beam distribution. They are usually incandescent, ranging in diameter of reflection from 12 to 24 inches and watts from 250 to 3,000. Search lights are often portable, used to augment fixed lighting at a given location.

Table 3-4. Lamp type, life, and efficiency.

Type of Lamp          Lamp Life             Lamp Efficiency
Incandescent          500–4,000 hours       17–22 lumens per watt
Fluorescent           9,000–17,000 hours    67–100 lumens per watt
HID: Mercury vapor    24,000+ hours         31–63 lumens per watt
HID: Metal halide     6,000 hours           80–115 lumens per watt
HID: HPS              24,000 hours          80–140 lumens per watt

Source: Adapted from NFPA 2006.

Alarm Systems

Alarms can detect the occurrence of many types of incidents, such as intrusion, smoke or fire, temperature change, gas, or water flow rates, and a full range of other emergency conditions.

Their basic physical security application, however, relates principally to intrusion detection. Alarm functions are also applicable to chemical, biological, and radiological sensors and are more complex depending on the technology associated with the types of sensors.

Intrusion detection alarm systems are an important countermeasure in the security planning toolkit. Their main purpose is to work as a force multiplier that allows for the more efficient use of staffing by reducing the number of security personnel required to patrol or monitor a protected area. Indeed, assuming that a response force is within reasonable proximity, alarm systems can completely eliminate the need for a dedicated security patrol force. The versatility of alarm systems also facilitates their use as a substitute for other security countermeasures that are not viable because of safety concerns or operational requirements, or use as a supplemental layer of security to protect critical assets.

The main elements of an intrusion detection alarm system include the sensors, the alarm processor, the monitoring system, and the communications architecture that connects these elements. The components of an alarm system include:
• Main control unit;
• Keypad;
• Input devices (sensors);
• Transformer;
• Power supply;
• Telecommunications; and
• Output devices.

An alarm system can be hard wired, meaning that the system uses wires to connect all input and output devices to the main control unit, or wireless, using radio waves or radio frequency to transmit intrusion alarms. Some systems today, known as hybrids, use a combination of hardwired and wireless signal carrying methods to communicate intrusion or status.

The physical security deployment of intrusion detection systems usually occurs in conjunction with other security countermeasures, such as natural and artificial barriers, access control systems, and other sensor technologies.
An effective intrusion detection alarm system must have both an active or passive monitoring capability and a security or law enforcement response team capacity.

Sensors are the input mechanism associated with alarm systems. Intrusion sensors can be categorized as interior (Figure 3-13) or exterior (Figure 3-14).

Interior sensors perform one of three functions: (1) detect an intruder approaching or penetrating a secured boundary, such as a door, wall, roof, floor, vent, or window; (2) detect an intruder moving within a secured area, such as a room or hallway; and (3) detect an intruder moving, lifting, or touching a particular object.

Exterior sensors detect intruders crossing a perimeter or boundary or entering a protected zone. While many interior sensors should not be exposed to weather, exterior sensors must be able to withstand outdoor weather conditions. Exterior sensors have a higher nuisance alarm rate than their interior counterparts and a lower probability of detection, primarily because of uncontrollable environmental factors.

Many types of sensors are used in intrusion detection alarm systems. These sensors detect through sound, vibration, motion, electrostatic, and/or light beams. Determining which sensors to deploy in response to security vulnerability depends on both operational considerations and technological limitations. Operational considerations include issues such as a facility’s hours of operation; the presence of system users, staff, or other personnel; the value of material, equipment, or other critical assets; and the response time of security forces. Technology issues can

Source: SAVER 2004. Figure 3-13. Interior intrusion sensors—applications index.
Source: SAVER 2004. Figure 3-14. Exterior intrusion sensors—applications index.

include concerns about radio and electrical interference, sound levels, weather and climate, or other environmental factors. It is recommended that the agency seek professional security assistance in planning for intrusion detection alarm systems.

Electronic Access Control Systems

Access control systems perform the task of limiting or restricting the access of personnel or vehicles into or out of a controlled zone or area. The technology deployed can be basic or complicated, depending on the needs and requirements of the resource or area to be protected. Systems can be stand-alone to control access to a single entry point or multiportal computer-based, capable of controlling access to hundreds of doors and managing thousands of identification credentials.

Prior to implementing an access control system, the agency should have a well-defined understanding of the threats and vulnerabilities that need to be addressed. In addition, sensitivity to several other factors is important, including:
• Nature and tempo of activity in and around the protected area;
• Size of the authorized population;
• Variation in degrees of accessibility in terms of access levels and time;
• Physical characteristics of the area being protected;
• Limitations or restrictions caused by the nature of the operating environment;
• Climate and weather conditions affecting system operations;
• Staffing, training, and support levels available for operation and maintenance of the system; and
• Availability of security forces to respond to a report of an unauthorized entry.

Protecting transportation agency operations and assets can be a difficult proposition. Because of the open and ubiquitous nature of the operating environment, it is not always possible for the movements of people to be controlled. In fact, inappropriate screening of system users may create an untenable level of inconvenience that results in the loss of customers.
Similarly, an agency whose employees are confronted with unnecessary and overly time-consuming access control regimens will, at best, suffer a loss of productivity through queuing or, at worst, experience compromise of the system itself by activities such as door propping.

Access control performance must correspond to the needs of the organization by being responsive to throughput requirements, defined as “the measure of the number of authorized persons or vehicles that can process through an ingress or egress point within a period of time” (DHS 2004). The accurate identification of controlled or restricted areas through a rigorous determination of what locations, assets, or resources need protection is important in accomplishing acceptable throughput.

The difference between controlled or restricted areas is based on the necessity of access. Controlled area access should be limited to persons who have official business within the area. Restricted area admittance should be limited to personnel assigned to work in the particular area, or other personnel who have been expressly cleared and authorized. Other individuals entering restricted areas should be accompanied at all times by an authorized individual.

The following criteria can assist in defining agency controlled areas or restricted areas:
• Operating areas critical to the continued operation or provision of services;
• Locations where uncontrolled access would interfere or disrupt personnel in the performance of their duties;
• Storage areas that contain valuable equipment or materials;
• Locations where operations can result in the existence of hazardous or unsafe conditions;
• Office areas where sensitive or confidential information is located; and
• Command and control areas that house critical functions.

There are four main elements of an access control system: (1) access control barriers, (2) access control verification or identification equipment, (3) access control panels, and (4) the communications structure that connects these elements together. The system must also possess the means of communicating either directly or indirectly through human interface with response security forces.

Access control barriers are identification based, requiring the person or vehicle requesting access to possess some form of information or technology that can be read by the system. Electronic systems are computer controlled, with access determinations made through the query of an authorized user database.

Figure 3-15 shows a cipher access control barrier widely used in areas that require frequent entry by authorized users. The cipher lock controls access using information the individual knows (a combination).

Figure 3-16 shows a token-based drop arm barrier system used to supplement security personnel at the vehicle entranceway to a controlled area. The vehicle contains some form of a readable proximity sticker such as a bar code or other device that automatically lifts the drop arm barrier once the authorized user database has been interrogated.

Source: SAVER 2004. Figure 3-15. Cipher access control barrier.
Source: SAVER 2004. Figure 3-16. Token-based drop arm barrier system.

There are many types of access control system barriers and perhaps even more identification methods. (See also sections on keys and locks and protective barriers.) In fact, at least nine card-encoding technologies are available, including better-known technologies such as magnetic stripe or proximity. Today smart card technology and even biometric systems are becoming prevalent. Smart card technology describes a single card that performs more than one function, such as access control as well as photographic identification.

Access control–related biometric technology differs from cipher technology, in which the individual seeking entry knows authorizing information, and from token technology, which is based on something the individual possesses that is read by the barrier. Biometric technology is based on who the individual is (Figure 3-17).

TCRP Report 86, Volume 4: Intrusion Detection for Public Transportation Facilities Handbook provides an overview-level checklist that is useful in sizing or engineering an access control system (TRB 2003). However, this list should only be used with the assistance of security professionals who specialize in the design and implementation of access control systems. Establishing an integrated access control system can be a complex project. It involves both short-term and long-term issues of design, maintenance, continued operation, training, and testing.

Source: Adapted from NSTC n.d. Figure 3-17. Biometric technologies including iris recognition, fingerprint identification, voice recognition, and palm print identification.

Access control systems can also be quite expensive, and costs are easy to underestimate. Expenditures associated with system infrastructure can quickly climb as the organization’s needs grow and mature. Security planners should contemplate access control implementation based on lifecycle costs and multiyear capital planning (Table 3-5).

Surveillance Systems and Monitoring

CCTV is being deployed increasingly as a security countermeasure for both homeland security and crime prevention purposes. The general public has, for the most part, accepted the presence of video cameras in public places as a routine part of their daily comings and goings. Video systems can now be observed in facilities such as banks, shopping centers, transportation facilities, casinos, gas stations, convenience stores, and stadiums. Outdoor surveillance cameras are being mounted in downtown districts in major cities, highways, parks and recreation areas, and even at intersections where traffic violators are being caught on film running red lights.

The term CCTV is synonymous with surveillance technology and has come to be used as a generic descriptor for video systems. Originally the term was used to differentiate between broadcast television and private video networks. In general, CCTV is a system of one or more video cameras that are connected in a closed circuit or loop. The cameras provide input images to a television monitor for viewing. Depending on security objectives, the CCTV system may also include a recording and playback capability (Figure 3-18).

Effectively integrating CCTV into a transportation agency’s security program demands that planners exercise a high level of conceptual understanding of the technology’s capabilities and ability to meet organizational requirements and needs.
Video systems do not provide any form of denial of attack or delay in response to aggressor tactics or actions. CCTV systems are passive countermeasures. They present no physical barrier, nor do they control access or reduce exposure to dangerous conditions. In the strictest sense, CCTV seeks to deter aggressor actions or targeting by increasing the aggressor’s perceived risk of capture or belief in the successful interdiction and prevention of an attack. Recognition of this circumstance means that to effectively deploy CCTV as a deterrent requires aggressor knowledge of the presence of the system. In addition, the aggressor must believe that the CCTV system will indeed prevent or reduce the likelihood of success (Figure 3-19 and Figure 3-20).

CCTV also serves a second, almost equally important role as a security tool capable of improving the performance and responsiveness of security forces and intrusion detection systems, including alarm and access control. By adding video surveillance to these systems, an agency can remotely monitor and assess conditions during a security incident. In fact, currently available advanced video surveillance technologies can further expand the effectiveness of video monitoring. Switchers that permit operators to select between video images, multiplexers that facilitate simultaneous viewing, and new video analytic capabilities are aiding operators by directing their attention to priority images. Technology such as facial recognition software and thermal imaging systems can further increase the value of video surveillance (Figure 3-21).

Selection of Cameras, Digital Recording Systems, Digital High-Speed Networks and Trainlines for Use in Transit-Related CCTV Systems is part of APTA’s IT Standards Program Recommended Practice Series (APTA 2007). It is a valuable technical resource for transportation agencies considering implementing or upgrading CCTV systems.
The document covers the selection and use of cameras for CCTV at stations as well as on moving transportation conveyances such as buses

Source: TRB 2003. Table 3-5. Checklist for sizing or engineering an access control system.

Source: SAVER 2005. Figure 3-18. Features of a CCTV system.
Source: U.S. DOJ 2006. Figure 3-19. Overt CCTV camera.

or train cars. Recording devices and backbone architecture for support of CCTV are discussed in detail. In its overview section the APTA recommended practice states:

This level of quality is intended to facilitate the requirements of the systems design through a formal ‘Systems Requirement Specification’ (SRS) allowing the systems to be designed for every day safety and security requirements as well as revenue protection and anti-crime and anti-terrorist applications requiring the identification of unknown people and objects depicted within images and allow systems to be designed to meet the 4 industry accepted categories known as Detect, Monitor, Identify and Recognize.

APTA uses the industry-accepted categories of detect, monitor, identify, and recognize to frame the functional requirements of CCTV systems. Specifications are based on image resolution criteria that depend on the security purpose and usage for the video system. Figure 3-22 provides a comparison of screen size image projections for these categories.

Source: U.S. DOJ 2006. Figure 3-20. Semi-covert CCTV camera.
Source: SAVER 2005. Figure 3-21. Thermal imaging camera and photo.

Figure 3-23 provides operational context and applicability for each category. Figure 3-24 provides a pictorial differentiation between the categories by focusing on image resolution requirements for successful “identification” of a suspect. The photographic images in the bottom two pictures are cropped, enlarged, and enhanced from the photos immediately above them.

The determination of image resolution requirements is perhaps the most important aspect of CCTV system design. Without usable images security personnel are unable to discharge their responsibilities. However, the costs attributable to CCTV design can increase exponentially when security planners overreach the system capabilities to meet criteria that serve no objective purpose. This problem extends not just to image quality but also to the functionality of the other component parts of video systems. CCTV design should start with a needs and requirements analysis based on the findings of the agency’s risk assessment. Activity-driven performance functions should be identified that articulate each vulnerability or security objective that the CCTV system should address.

Cybersecurity Countermeasures

There are countermeasures and approaches that transportation agencies can utilize to reduce risks and mitigate impacts of cyber incidents. Significant work has been accomplished in cybersecurity, especially in the areas of IT/network security and most recently in ICS cybersecurity. NIST’s Federal Information Processing Standards, with transportation-specific guidance from APTA and FHWA, have developed recommended practices and standards. There are international standards and recommendations from the International Organization for Standardization, the Information Systems Audit and Control Association, and Control Objectives for Information and Related Technology (COBIT).
Security working groups such as the Computer Security Incident Response Team, the Computer Emergency Readiness Team (CERT), and ICS-CERT, which respond to breaches of cybersecurity, have compiled resources of recommended practices that can be applied across all industries. High-level approaches to reduce vulnerabilities and mitigate impacts of incidents, and an overview by category of specific areas to address in cybersecurity, are provided here.

Source: APTA 2007, draft. Figure 3-22. Screen size image projections.

Some countermeasure resources provide comprehensive guidance and recommendations for a broad range of risks. For example, Critical Controls for Effective Cyber Defense (Information Systems Audit and Control Association 2013) is a consensus list of the best techniques that “reflect the combined knowledge of actual attacks and effective defenses of experts in the many organizations that have exclusive and deep knowledge about current threats. These experts come from multiple agencies of the U.S. Department of Defense, Nuclear Laboratories of the U.S. Department of Energy, the Computer Emergency Readiness Team of the U.S. Department of Homeland Security, the United Kingdom’s Centre for the Protection of Critical Infrastructure, the FBI and other law enforcement agencies, the Australian Defense Signals Directorate and government and civilian penetration testers and incident handlers.”

Source: APTA 2007, draft. Figure 3-23. Operational context and applicability.

Figure 3-25 summarizes the Critical Controls’ best practices, ranked by effectiveness in mitigating incidents. The controls are broken into four groups: (1) those that address operational

conditions that are “actively targeted and exploited,” (2) those that address known “initial entry points,” (3) those that “reduce the attack surface, address known propagation techniques,” and mitigate the impact of an incident, and (4) those related to “optimizing, validating and managing.”

Source: APTA 2007, draft. Figure 3-24. Left: CCTV image likely to be suitable for personal identification. Right: CCTV image unlikely to be suitable for personal identification.

The Critical Controls identifies five “quick wins” or the “First Five,” controls that have been found to be “the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations.” The First Five are:
1. Software whitelisting;
2. Secure standard configurations;
3. Application security patch installation;
4. System security patch installation; and
5. Ensuring administrative privileges are not active while browsing the web or handling email.

Recommended practices for cybersecurity typically are grouped into categories. For example, the NIST Cybersecurity Framework includes the following under the category Protection (NIST 2014a):
• Access Control;
• Awareness and Training;

• Data Security and Information Protection; and
• Protective Technology.

Other categories include:
• Cyber Hygiene;
• Boundary Defense and Network Separation; and
• Configuration Management.

Source: Information Systems Audit and Control Association 2013. Figure 3-25. Summary of Critical Controls’ best practices.

Cyber Hygiene

Common cyber hygiene practices include:
1. Encouraging staff to follow basic security policies and procedures.
– Not giving out user names, passwords, or other access codes to anyone.
– Not opening emails or attachments from strangers.
– Not installing or connecting any personal software or hardware to organization’s network or hardware without permission.
– Making passwords complex and changing passwords regularly (every 45–90 days).
– Keeping antivirus software current. Regularly downloading and installing vendor security patches.

– Following Bring Your Own Device (BYOD) and mobile device management (MDM) security practices.
2. Removing unnecessary applications and functions from systems.
– Reducing or removing general purpose services/interfaces.
– Using application specific-least functionality interfaces.
– Reducing static open file exchanges (shared folders).
– Eliminating hidden hubs.
3. Changing default configuration options and passwords such as manufacturer or vendor’s default passwords.

Access Control

Access control involves maintaining secure access to assets and associated facilities, limiting it to authorized users, processes, or devices, and authorized activities and transactions.

Cybersecurity access control cannot be easily separated from physical security. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. This section addresses only the cyber components of access control.

Access Control Basics
• Use strong passwords and change default passwords often.
• Restrict physical access to the network and remote devices.
• Disable unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
• Restrict user privileges to only those that are required to perform each person’s job (i.e., establish role-based access control and configure role based on principle of least privilege).
• Consider the use of two-factor authentication methods for accessing privileged accounts or systems.
• Consider using separate authentication mechanisms and credentials for users of the traffic management system network and corporate network.
• When remote access is required, consider deploying two-factor authentication through a hardened IPsec/VPN (security protocol for establishing virtual private networks) gateway with split tunneling prohibited for secure remote access.
Be prepared to operate without remote access if required.

Control System Considerations
• Apply appropriate access controls to all field devices such as ramp/gate/signal controllers, dynamic messaging signs, switches, and signaling devices.
• Secure remote access channels, e.g., place remote devices on private networks if possible.
• Disable telnet, webpage, and web LCD interfaces if not needed.

Effective access control includes applying the concept of least-privilege. Every program and every user of the system should operate using the least set of privileges necessary to complete the job. It is also recommended to place controls between network segments, if possible, to limit congestion and cascading effects; this will mitigate the effects of an incident that does occur. In addition, it is important to identify controls to minimize the consequences from human error and other unintentional incidents such as equipment failure.

Data Security and Information Protection

Transportation agencies have a broad range of data collected and stored on their networks. Along with traffic control and system data, there is personally identifiable information of

employees, contractors, and often, customers. Agencies may have credit card information, and a few, those with responsibility for the state Department of Motor Vehicles, have extensive customer personal information.

Data security means that information and records (data) are managed consistently with the organization’s risk strategy to protect the confidentiality (preserving authorized restrictions on information access and disclosure), integrity (guarding against improper information modification or destruction), and availability (ensuring timely and reliable access to and use of information) of information.

NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations (NIST 2013a) includes an extensive catalog of management, operational, and technical security controls that can be applied to transportation agencies.

Basics of Data Security and Information Protection
• Protect data-at-rest and data-in-transit with encryption when possible. Move data between networks using secure, authenticated, and encrypted mechanisms. Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
• Implement protections against data leaks and loss. Data loss protection controls are policy based and include classifying sensitive data, identifying sensitive data across the agency, enforcing data security controls, and ongoing reporting and auditing to ensure policy compliance.
• Ensure that data assets are formally managed throughout removal, transfers, and disposition. Backups of data and information are conducted, maintained, and tested periodically. Data is destroyed according to security policy.
• Ensure adequate data capacity is maintained to ensure availability.
• Review cloud provider security practices for data protection.
• Ensure integrity-checking mechanisms are used to verify software, firmware, and information integrity.
• Ensure development and testing environment(s) are separate from the production environment.

Control System Considerations
• Communications protocols used in control systems environments are different from IT protocols.
• Available computing resources (including CPU time and memory) are limited, so they may not have enough memory and computing resources to support addition of security capabilities.
• Some operating systems and applications running on ICS may not operate correctly with commercial off-the-shelf IT cybersecurity solutions. In some instances, vendor license and service agreements may not allow third-party cybersecurity solutions.
• Encryption capabilities, error logging, and password protection may not be available.

Boundary Defense and Network Separation

Protecting the boundaries of systems and separating networks are critical to cybersecurity. The edges of systems are the most vulnerable spots for many reasons. Implementing technical defenses such as firewalls is a common recommended practice. A strong system of network firewalls includes an external firewall to protect from unauthorized persons trying to get into the network and internal firewalls to wall off different departments/divisions. Those areas that contain the most critical applications and sensitive or valuable information should have particularly robust protections from each other.

As many sources have noted, firewalls are not complete solutions. Coverage and accuracy issues must be considered, along with the likelihood that individual components have direct or wireless connections to the internet through unknown or unapproved channels. For example, printers on the network may have wireless connections.

For SCADA and control system networks, the connections between remote field devices, e.g., remote terminal units (RTU) or programmable logic controllers (PLC), and the master terminal unit (MTU) are of primary concern. Firewalls between MTUs and RTUs are critical in any system architecture. However, because commercial firewalls do not generally support SCADA protocols, SCADA protocols and the types of ports using the protocols have to be identified and opened in the firewalls for the system. Security experts have long known, however, that one of the great vulnerabilities in a network is the inadvertent opening of ports that can be attacked.

Providing adequate network segmentation between control and business networks is another recommended practice. Segmentation should be risk based, separating information and systems of different levels of criticality.

In some transportation systems, physical isolation of one network from another, or air gapping, has been considered as a security technique. In the past, transportation systems may have been closed proprietary systems protected by air gaps and “security by obscurity,” but over time isolated systems shifted to more connected systems, including connectivity to safety-critical control systems found in vehicles and in Advanced Traffic Management Systems. In addition, due to the human factor, there is no true air gap. Users can and often do create a connection through external devices (using USB sticks, thumb drives, laptop connections, VPNs, DVDs, and the like).

The Metropolitan Atlanta Rapid Transit Authority (MARTA), as part of a cybersecurity system assessment, defined cybersecurity zones, critical components, and communication conduits with corresponding Security Assurance Levels (SALs) based on an evaluation of the consequences of a successful cyberattack.
(For more information, see case study at the end of this chapter.)

Typical highway transportation system networks, with and without recommended firewalls, network separation, and intrusion detection systems, are illustrated in Figure 3-26 and Figure 3-27.

It is critical to be aware of how and what systems are connected in agency networks. For example, it is not uncommon to connect HVAC equipment to the rest of the network. The access for the 2013 Target credit card breach was through the HVAC system. After the Target incident, an estimate was made of vulnerable HVAC systems, and over 55,000 internet-connected systems were found. Many organizations may not be aware that the HVAC system can be found through the web and may not be paying attention to the connections it has to other systems on the network.

Configuration Management

Transportation networks, especially traffic control systems and field devices, require active configuration and maintenance. Default configurations, as delivered from manufacturers, vendors, and resellers, are designed for easy deployment, not for security. Network devices may have open services and ports and support for older (vulnerable) protocols. Not only must the systems and devices be secured upon installation, but their ongoing management and maintenance needs to be secured as well, and must be capable of managing changes and adapting to new vulnerabilities or the emergence of new threats. Secure standard configurations, one of the COBIT Critical Controls First Five or five “quick wins,” are “the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations” (COBIT 2013).
NIST 800-82 Guide to Industrial Control Systems (ICS) Security states the “most successful method for securing control systems” is to gather industry recommended practices and draw on the wealth of information available from standards for organizational activities (NIST 2013b).

Figure 3-26. Typical transportation system network with countermeasures. Source: Fok 2015.

Configuration Management Basics

• Create and maintain a baseline configuration of information technology and control systems.
• Follow strict configuration management. Security configuration of devices should be documented, reviewed, and approved as consistent with agency cybersecurity policy. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
• Document and record all new configuration rules in a configuration management system, with a specific business reason for each change and an expected duration of the need.
• Verify standard device configurations to detect changes. All alterations to such files should be automatically reported to cybersecurity personnel.
• Restrict access to configuration settings, and ensure the configuration change control processes are in place.
• Build and maintain a secure image that is used to build all new systems deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this secure image should be integrated into the organization’s change management processes.

Control System Considerations

• Negotiate contracts to buy systems configured securely out of the box.
• Set security settings of IT products to the most restrictive mode consistent with control system operational requirements.
• Ensure that all modifications to the control system network meet security requirements identified in risk assessment and mitigation plans.
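The baseline, change-record, and verification items in the Configuration Management Basics list can be checked automatically. The following Python example is added here and is not part of the report: it fingerprints each device's collected configuration, compares it with the approved baseline, and accepts a deviation only when a change-control record carries a business reason, an approval, and an unexpired duration. Device names, configuration lines, and the record fields are constructed assumptions.

```python
import hashlib
from datetime import date


def fingerprint(config_text):
    """SHA-256 of a config, ignoring blank lines and trailing whitespace."""
    lines = [ln.rstrip() for ln in config_text.splitlines() if ln.strip()]
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def audit(baseline, running, changes, today):
    """Return (device, finding) pairs to report to cybersecurity personnel.

    baseline maps device -> approved fingerprint; running maps device ->
    collected config text; changes are change-control records (assumed schema).
    """
    findings = []
    for device in sorted(running):
        if device not in baseline:
            findings.append((device, "no baseline on record"))
            continue
        current = fingerprint(running[device])
        if current == baseline[device]:
            continue  # still the approved standard configuration
        record = next((c for c in changes if c["device"] == device
                       and c["fingerprint"] == current), None)
        if record is None:
            findings.append((device, "unapproved change"))
        elif not (record["reason"].strip() and record["approved_by"].strip()):
            findings.append((device, "change lacks business reason or approval"))
        elif record["expires"] < today:
            findings.append((device, "approved deviation past expected duration"))
    for device in sorted(set(baseline) - set(running)):
        findings.append((device, "baselined device not collected"))
    return findings


# Constructed sample data: device names, config lines and records are invented.
STANDARD = "telnet disabled\nssh enabled\nsnmp v3 only\n"
BASELINE = {d: fingerprint(STANDARD) for d in ("rtu-01", "rtu-02", "rtu-03", "plc-07")}
RUNNING = {
    "rtu-01": "telnet disabled\nssh enabled  \n\nsnmp v3 only\n",  # whitespace only
    "rtu-02": "telnet enabled\nssh enabled\nsnmp v3 only\n",       # silent change
    "rtu-03": STANDARD + "vendor-vpn enabled\n",                    # recorded deviation
    "hvac-gw": "telnet enabled\n",                                  # never baselined
}
CHANGES = [{"device": "rtu-03", "fingerprint": fingerprint(RUNNING["rtu-03"]),
            "reason": "vendor remote maintenance window",
            "approved_by": "change board", "expires": date(2020, 3, 1)}]
TODAY = date(2020, 6, 1)

if __name__ == "__main__":
    for device, finding in audit(BASELINE, RUNNING, CHANGES, TODAY):
        print(f"{device}: {finding}")
```

A device that was never baselined (here a constructed HVAC gateway) and a baselined device that could not be collected are reported alongside silent and expired changes, since each is a gap in what the agency knows about its network.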

Bring-Your-Own-Device (BYOD)–Recommended Security Practices

Replicating traditional cybersecurity policies to address mobile devices and other employee- or contractor-owned consumer devices—known as Bring Your Own Device (BYOD)—may be difficult and impractical. Privacy is a major concern in consumer-owned devices, which raises issues of separating agency data from private data. Applying controls to the data rather than the device may be a more practical solution. Basic measures for a BYOD approach include:

• Assess and document risks in information security (operating system compromise due to malware, device misuse, and information spillover risks); operations security (personal devices may divulge information about a user when conducting specific activities in certain environments); and transmission security (protections to mitigate transmission interception).
• Consider data sensitivity when reviewing apps in use and conducting a risk assessment. Clarify ownership of the apps and data.
• Identify permitted and supported devices to prevent introduction of malicious hardware and firmware. Recommend an approach to content storage (e.g., cloud vs. device).
• Apply controls to the data rather than the device. Set operational principles on the use of allowed cloud services.
• Define content applications that are required, allowed, or banned, and consider use of mobile device management (MDM) and mobile application management (MAM) enterprise systems to enforce policies.
• Address app compatibility issues (e.g., accidental sharing of sensitive information due to differences in information display between platforms).
• Keep policies and processes up to date. Employee agreements that address wiping personal and corporate data must be active, not passive, with signatures and human resource records.

Figure 3-27. Typical transportation system network without countermeasures. Source: Fok 2015.

Monitoring and Detection

Many resources have cited the importance of monitoring, logging, and analyzing successful and attempted intrusions to systems/networks as a critical component of cybersecurity. These elements are essential to “establishing a continuing process for security improvement” (Lebanidze & Ramsbrock 2011). Recommended Practice: Securing Control and Communications Systems in Rail Transit Environments, Part 2 includes a companion concept to defense-in-depth: detection-in-depth, a “way to detect that an intruder has gained access.” The practice recommends that detection methods be created for each zone and defensive layer (APTA 2019).

It is recommended that anomalies, successful and attempted intrusions, and accidental and unintended incidents be logged and analyzed as part of an ongoing cybersecurity process.

Common monitoring and detection challenges have been identified:

• There is too much data to analyze.
• Too many alerts and false positives occur to effectively identify problems and issues.
• There is incomplete visibility of network and endpoints.
• Any deficiencies in monitoring, logging, and analysis provide opportunities for network compromises and security incidents. Intrusions can be hidden, and are commonly hidden; the average time to detect data breaches and/or a malicious insider is over 200 days. Even when incidents are detected, without protected and complete logging records it is difficult to determine the details of the incident and what effects it has on the network and systems.
Poor or nonexistent log analysis processes allow intrusions such as advanced persistent threats (APT) to continue for months or years without anyone in the organization knowing about it, even though the evidence may be recorded in unexamined log files.

Case Study

Metropolitan Atlanta Rapid Transit Authority

The Metropolitan Atlanta Rapid Transit Authority (MARTA) operates heavy rail, bus transit, and paratransit services. MARTA’s heavy rail system is composed of four lines, including two lines serving the Hartsfield-Jackson Atlanta International Airport. Its bus operations encompass 91 routes covering 1,000 route-miles. MARTA, the ninth largest U.S. transit system in terms of unlinked passenger trips, provided 135 million trips in 2012 (APTA 2014).

MARTA used information generated by the Cybersecurity Evaluation Tool (CSET®) along with APTA’s Recommended Practice Part 2 to conduct cybersecurity gap analysis and risk assessment. CSET®, developed by DHS’s Control Systems Security Program, assists agencies and asset owners in assessing their cybersecurity practices through a series of detailed questions about components, architecture, policies, and procedures. Figure 3-28 shows CSET’s Four-Step Process.

In December 2012, DHS conducted a 2-day, on-site consultation assisting MARTA in using CSET. The tool determined MARTA’s Security Assurance Level (SAL) based on answers to questions on the consequences of a successful cyber attack. Depending on the SAL, a cybersecurity level to protect against a worst-case scenario was then established. Each component received gap and priority ratings, and on-site and off-site SAL ratings. A network diagram created with the assistance of the tool helped MARTA staff visualize the criticality of network components and define cybersecurity zones, critical components, and communication conduits. Figure 3-29 shows the ICS administrative-level results.

Figure 3-28. CSET Four-Step Process. Source: APTA, DHS/TSA, & MARTA 2013.

Figure 3-29. ICS Administrative-level results. Source: APTA, DHS/TSA, & MARTA 2013.

ICS Administrative-level Access Control results identified gaps and were matched with APTA controls. They were then analyzed according to availability, probability, and severity. The result of the assessment was a 300+-page report with high-level recommendations and observations. MARTA has been prioritizing the recommendations with the assistance of APTA. Challenges in implementing recommendations were due to difficulty in replacing or retrofitting legacy systems, and agency resource constraints. Figure 3-30 shows MARTA’s High-level timeline for its train control and SCADA cybersecurity.

Figure 3-30. MARTA Cybersecurity High-level timeline. Source: APTA, DHS/TSA, & MARTA 2013.


Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing and can impact not only data, but the control systems—like tunnel-ventilation systems—operated by transportation agencies.

The TRB National Cooperative Highway Research Program's NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.

The report is accompanied by a PowerPoint for the project and NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies.
