National Academies Press: OpenBook
Suggested Citation:"Chapter 2 Plans and Strategies." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Chapter 2 Plans and Strategies

Once the transportation agency has conducted its risk assessment, the next step is to develop a security plan. In this chapter, planning objectives are highlighted and the core components or elements needed to ensure that a comprehensive plan is developed are examined. This includes developing enterprise-wide approaches to cybersecurity enhancement and governance strategies. Organizational roles and accountabilities are identified with an emphasis on plan maintenance. The chapter concludes with a multi-year overview of the security funding cycle that addresses both operating and capital considerations.

Security strategies with plans are essential in defining agency-wide goals and how to achieve them. Strategic planning is setting long-term goals, establishing the directions and constraints that will guide and identify assets and capabilities that the agency needs to execute security and supporting plans. These include Security Plans, Asset Management Plans, NIST Framework and Strategy, and Response and Recovery Plans.

Security Plan

A security plan is a written document containing information about an organization’s security policies, procedures, and countermeasures. The plan should include a concise statement of purpose and clear instructions about agency security requirements. The stated objectives of the security plan need to be attainable and easily understood. The plan should identify intended users and their assignments, responsibilities, and authorities to act pursuant to the plan’s direction.

Creating a sound security plan is often as much a management issue as it is a technical one—it involves motivating and educating managers and employees to understand the need for security and their role in developing and implementing an effective and workable security process. Organizational leaders must ensure that security planning is an actual functional activity and part of the agency’s culture.
In the transportation environment, the objective of security planning is to ensure both the integrity of operations and the security of assets. Planning for security should result in the integration of protective systems and processes into the organization’s daily business routine. The security plan should also ensure that agency personnel can respond effectively to security-related incidents or emergency conditions.

The Public Transportation System Security and Emergency Preparedness Planning Guide (SSEPP) published in 2003 by the Department of Transportation, Federal Transit Administration, contains the following statement of purpose:

Commit to a program that enables the public transportation system to:
- Prevent incidents within its control and responsibility, effectively protect critical assets;
- Respond decisively to events that cannot be prevented, mitigate loss, and protect employees, passengers, and emergency responders;
- Support response to events that impact local communities, integrating equipment and capabilities seamlessly into the total effort; and
- Recover from major events, taking full advantage of available resources and programs.

The SSEPP describes security planning as “more of a process than a product.” This approach coincides with a vision of a security plan being a dynamic document continually under review and subject to change. In developing the security plan, the need for flexibility should be reinforced.

Alternatives and options should be incorporated into the plan to make the organization flexible and capable of responding to various situations or unexpected events.

Benefits of a Security Plan

The most significant benefit of having a security plan is the help it provides in ensuring that security is integrated into the daily business of the transportation agency. The security plan directs personnel toward prevention and mitigation of the effects of security incidents by integrating approaches that have proven effective into the operating environment.

Security must compete with other system goals, including those of the operations department, engineering, maintenance and others, for limited resources and available funding. Because security is a functional area with little observable return on investment, it can be difficult to balance security costs against other more traditional or bottom line-enhancing transportation agency initiatives. Security initiatives must be seen as cost-effective and well defined in order to compete successfully. Developing a security plan is an effective way to meet cost-benefit and competitive resource challenges. The plan can also reduce litigation risk and insurance costs.

When the security plan is well structured and soundly developed using the appropriate strategies and elements, the resulting product can be a blueprint for short term and multi-year security planning. The security plan can address how future purchases would fit into the overall agency operating and capital investment strategy. Security planning also sets out the policies and procedures related to security and any special requirements or considerations unique to the specific agency.

The security plan directs personnel toward preventing and mitigating the effects of security incidents by identifying security countermeasures and emergency preparedness response activities that should be taken to protect the transportation system, its employees and customers, and the surrounding communities.

Security Plan Benefits
- Defines resource requirements for staffing and equipment
- Coordinates the activity of different departments and functions
- Establishes action steps for employees in response to an incident
- Promotes understanding of the issues involved during a crisis
- Identifies information requirements for security incidents
- Promotes a sense of ownership and buy-in by employees
- Ensures a clear division of tasks and responsibilities
- Identifies training requirements

Elements of a Security Plan

In developing an effective security plan it is necessary to establish what the essential plan elements are for the organization. TCRP Report 86, Volume 10: Hazard and Security Plan Workshop provides an excellent overview of the transportation security planning process. The document also presents a template for Hazard and Security Plan (HSP) development. The template is designed to help transportation programs and transit agencies implement what it describes as the four core planning development functions:
- Establishing priorities,
- Organizing roles and responsibilities,
- Selecting countermeasures and strategies, and
- Maintaining the plan.

Establishing Priorities

As shown in Figure 18, plan development starts with identifying the purpose of the document. Although the plan should be flexible enough to cover a broad range of security incidents, the best way to ensure plan effectiveness is to use a prioritized scenario-based list of critical event types to drive plan activity. This list should consist of events considered routine and most likely to occur, as well as those that may occur less frequently but with far-reaching consequences.

The HSP identifies the objectives of this phase of security planning as
- Create a written statement of purpose covering routine and emergency situations.
- Define the situations that the hazard and security plan will cover.
- Look at assumptions about the situations surrounding the use of the plan.
- Discuss how an organization plan fits into the overall community security and emergency plan.

Figure 18: Hazard and security plan development. Source: TCRP Report 86, Volume 10: Hazard and Security Plan Workshop, 2006.

Organizing Roles and Responsibilities

In this phase of planning, key personnel and their security roles and responsibilities are determined. Incident-based priority security tasks should be listed and assigned to a specific individual known as the primary or principal. Secondary responsibility should be assigned to other individuals whose ability to perform will not be compromised by the loss of the primary. Interdependencies of functions should be delineated between departments and coordinating points established to facilitate liaison in areas of overlapping responsibility.

Planners should ensure that this section of the plan provides clear and concise direction to assigned personnel regarding their primary and secondary duties. The goal is to achieve the stated objectives and security requirements of the plan under all potential operating conditions or scenarios.

The HSP identifies the objective of this phase of the security plan as development of an organizational structure, with a clearly defined chain of command and designated roles and responsibilities, containing
- Responsibilities
- Continuity of services, including
  o Designating lines of succession and delegating authority for the successors
  o Developing procedures for relocating essential departments
  o Developing procedures for deploying essential personnel, equipment, and supplies
  o Establishing procedures for backup and recovery of computer and paper records
- Contact information

Selecting Countermeasures and Strategies

Consistent with emergency management principles, the risk and vulnerabilities reduction measures and strategies associated with transportation sector security planning should follow the five stages of protection activity—prevention, mitigation, preparedness, response, and recovery. Security planners should select countermeasures keeping in mind the concepts of system security, layered or overlapping security, and system integration.
The HSP identifies the objectives of this phase of the security plan as follows:
- Part A: Prevention
  o Examine activities to reduce the likelihood that incidents will occur.
  o Establish safe and secure procedures for passengers, vehicles, drivers, and facilities.
- Part B: Mitigation
  o Examine activities to reduce asset loss or human consequences (such as injuries or fatalities) of an incident.
  o Establish safe and secure procedures for passengers, vehicles, drivers, and facilities.
- Part C: Preparedness
  o Examine preparedness activities to anticipate and minimize the effects of security-related incidents and equip employees to better manage these incidents.
  o Establish emergency policies and procedures for passengers, employees, and management to follow in case of emergencies.
  o Keep training, drills, and contact lists up to date.
  o Establish and maintain mutual aid agreements with fire departments, emergency medical services, and emergency management services.
- Part D: Response
  o Examine activities used to react to security-related incidents and hazards and help protect passengers, employees, the community, and property.
  o Establish what information is to be collected by which employee.
  o Ensure that policies and procedures established in the mitigation and preparedness portions of the HSP are followed.
- Part E: Recovery
  o Examine policies to assist in recovering from incidents that have occurred so service can resume as quickly as possible.
  o Establish a review of policies, documents, plans, and vehicles.
  o Evaluate response and oversee recovery and restoration of personnel, service, vehicles, and facilities.

Maintaining the Plan

Finally, the agency must ensure that security plans remain current and responsive to the dynamic changes that can occur in the transportation operating environment while creating a process that will support plan consistency with the future needs of the agency. Optimally, plans will be scalable and upgradable on a flexible timeline that has sufficient sensitivity to external security factors to allow for as-needed adjustments.

The HSP recommends programmatic scheduled plan review periodically—at least every 6 months to a year. The document also provides guidelines on how this review should be conducted; suggested steps are as follows:
- Identify areas to update.
- Determine completeness.
- Reassess roles and responsibilities.
- Review factual information (especially names and phone numbers included in the plan).
- Reevaluate employee knowledge and awareness (training assessments, for example).
- Revise programs and procedures included in the HSP.

The HSP also suggests that the occurrence of certain events may require planners to accelerate the scheduled conduct of a review. Such events include
- The addition of members inside the organization and outside the organization who have specific roles outlined in the HSP (e.g., a new general manager or a new local fire chief);
- New operations or processes that affect the HSP (e.g., a new bus line);
- New or renovated sites or changes in layout (e.g., a new bus garage or office building); and
- Changes with outside agencies, new suppliers, vendors, etc. (e.g., a new memorandum of understanding (MOU) signed with the local sheriff’s department).
Other Plans

Response and Recovery Plan

Response plans address the capabilities needed for response to an incident or event. The size and location of the event will greatly affect the transportation agency’s role in the response effort. A crash involving an overturned tractor-trailer that blocks traffic on one of the state’s main interstates, for example, will obviously require different response actions than the response to a large-scale terrorist attack or the threat of an impending hurricane. Transportation agencies typically fulfill a support role in the emergency response effort, not often serving as the lead emergency response agency.

The role transportation plays in response is critical. As the National Response Framework (NRF) states, “The ability to sustain transportation services, mitigate adverse economic impacts, meet societal needs, and move emergency relief personnel and commodities will hinge on effective transportation decisions at all levels.” To be ready for the agency’s role, a comprehensive response plan must be in place.

Traffic Incident Management (TIM) provides processes and procedures for responders (firefighters, EMS, law enforcement, towing and recovery, safety patrols, transportation and maintenance crews and 9-1-1 professionals) to work together as a team to clear incidents safely and quickly. A Guide to Emergency Management at State Transportation Agencies, Second Edition (2018) provides guidance on existing practices in emergency response planning within the all-hazards context of the National Incident Management System (NIMS).

Continuity plans outline essential functions that must be performed during an incident that disrupts normal operations and the methods by which these functions will be performed. They also describe the process for timely resumption of normal operations once the emergency has ended. Continuity of Operations (COOP) plans address the continued performance of core capabilities and critical operations during any potential incident. Continuity of Government (COG) plans address the preservation and/or reconstitution of government to ensure that constitutional, legislative, and/or administrative responsibilities are maintained. NCHRP Report 525 Surface Transportation Security/TCRP Report 86: Continuity of Operations (COOP) Planning Guidelines for Transportation Agencies (2006).

Recovery plans developed prior to a disaster enable agencies to effectively direct recovery activities and expedite a recovery effort. Pre-incident recovery planning helps to establish recovery priorities, incorporate mitigation strategies in the wake of an incident, and identify options and changes that should be considered or implemented after an incident.

Planning for recovery is an integral part of security and infrastructure protection. The speed and success of recovery can be greatly enhanced by establishing processes and relationships before an event occurs. Preparing for recovery prior to a disaster reduces the problems of trying to locate required capabilities and create policies when scrambling to manage immediate recovery. Recovery efforts are executed more efficiently when resources are pre-positioned, contractors have been pre-approved and alternate facilities are already identified.
Having a recovery plan is different from just modifying or adding on to the existing emergency response plans. Pre-event recovery planning helps establish priorities, structure, and organization; define roles and responsibilities; determine resources to be pre-positioned; and identify approaches to support the recovery process. A number of considerations should be taken into account when embarking on a pre-event planning process. An effective pre-event recovery process helps ensure that the recovery process is conducted quickly, efficiently, and cost effectively while limiting disruptions and improving the transportation infrastructure after the recovery. Pre-event recovery planning is addressed in NCHRP Report 753: A Pre-Event Recovery Planning Guide for Transportation (2013).

DOTs may coordinate planning efforts with other state agencies, including the state's Emergency Management Agency; county highway departments; with various agencies of the U.S. Department of Transportation; and with DOTs from other states to ensure activities can be easily integrated when necessary. DOTs also need to plan to receive and use resources provided by other states and the federal government during operations. In conducting these activities, DOTs should consider applicable standards and best practices for incorporating risk and resilience into functions and systems.

Asset Management Strategy and Plan

The Federal Highway Administration (FHWA) on October 24, 2016, published its final rule on required state-approved asset management plans and processes.

Asset management is a strategic and systematic process of operating, maintaining, and improving physical assets, with a focus on engineering and economic analysis based upon quality information, to identify a structured sequence of maintenance, preservation, repair, rehabilitation, and replacement actions that will achieve and sustain a desired state of good repair over the lifecycle of the assets at minimum practicable cost. [FHWA-HIF-17-06]

The rule addresses requirements established by the Moving Ahead for Progress in the 21st Century Act (MAP-21) and the Fixing America’s Surface Transportation (FAST) Act for States to develop and implement risk-based asset management plans for the National Highway System to improve or preserve asset condition and system performance.

The FHWA believes that “understanding risk and how to manage it is emerging as another core competency expected of transportation agencies”. The FHWA supports a broad approach to risk management that includes managing threats and capitalizing on opportunities. The FHWA in Risk-Based Transportation Asset Management, Report 1, summarized the benefits of a risk-based asset management program. It…

…provide(s) a new opportunity for DOTs to explain their decisions and demonstrate to the public and policy makers that they are responsible stewards of scarce resources. A risk-based approach to managing corridors and networks can allow DOTs to make the case for the difficult tradeoffs so many are forced to accept because of insufficient revenue to maintain the entire system adequately. When resources are limited, it provides them an opportunity to convey to policy makers and to the public the logic and reasoning behind the need to accept lower levels of service on lesser used roads in return for preserving performance and minimizing risks to more important ones. Such strategies typically represent a well thought-out and methodical approach to decision-making. They demonstrate the strategic best use of limited resources to preserve condition and performance on key routes, as opposed to spreading limited funds equally across the network and accepting a statewide drop in highway condition and performance.

NIST Framework and Strategy

Development of technology security plans should include a cyber protection plan and technology disaster recovery plans for IT systems and applications.
To assist in implementing an approach that is focused on standards, the National Institute of Standards and Technology (NIST), working with industry groups and the private sector, has developed a framework of baseline standards for cybersecurity. The NIST Framework is technology neutral and relies on existing standards, guidance, and best practice to provide “a common language for describing current and target states of security, identifying and prioritizing changes needed, assessing progress and fostering communications with stakeholders. It is meant to complement, not replace, existing cybersecurity programs”.

The Framework is designed to provide a common taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.

The NIST Cybersecurity Framework was developed to complement, not replace, an organization’s established risk management process and cybersecurity program. An organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. For organizations with no formal cybersecurity program in place, the Framework can provide a foundation upon which to implement a robust cybersecurity program.

Figure 19: NIST Cybersecurity Framework

Figure 20: Cybersecurity Risk-Based Framework. Source: NIST Cybersecurity Framework, 2014.

Idaho Transportation Department (ITD) NIST Framework

In a Brookings Institute article, “How State Governments Are Addressing Cybersecurity” (March, 2015), Mississippi and Idaho were considered “truly outstanding” in their focus on cybersecurity. The article reports that these states rely heavily on the standards established by NIST and align their cybersecurity programs to the Framework and other security controls defined in the 800 series of the NIST publications.

The Idaho Transportation Department has jurisdictional responsibility for almost 5,000 miles of highway (or 12,000 lane miles), more than 1,700 bridges, and 30 recreational and emergency airstrips. ITD also has responsibility for the Department of Motor Vehicles (DMV) as one of its functions, with the resultant need to protect state residents' PII found in driving permits, driver's licenses, and other related information. With a significant black market value for Social Security and driver's license numbers, this added incentive to the challenge of improving the cybersecurity of the agency.

ITD looked at existing frameworks and approaches to support their efforts. ISO standards were being used at the agency and the team reviewed SANS 20 guidance before deciding to utilize the NIST Framework. The NIST framework provided a common set of terms and values so that the agency could create metrics on movement towards goals - what investment looked like in terms of agency-specific goals and the work accomplished to address identified gaps. The framework gave the agency a structure for demonstrating ROI for the investment of resources, employees and tools that reduced the cyber risk of the agency.

To implement the framework at ITD, the agency needed to identify its cyber-related goals (the primary focus was security of DMV related information) and then do an internal analysis on where the current systems were in terms of recommended guidance.

The agency went through each NIST framework function (identify, protect, detect, respond, recover) by category and subcategory, to assess by tier - a scale that ranged from partial, through risk informed, then repeatable to adaptive - where the agency’s cybersecurity efforts currently were. ITD added a zero to the scale, recognizing that in some categories and subcategories, the agency either had not been aware, or may not have been addressing certain aspects of security.

Based on their experience, ITD recommends setting targets first before conducting the assessments. They caution about setting targets too high, which can result in high cybersecurity costs. Because the targets can be reset over time, the agency recommends focusing on agency-specific cybersecurity risks. For example, for securing customer information ITD considered each function category based on the value of data.

ITD found that one of the most difficult parts of the process was understanding how recommended cybersecurity and countermeasures guidance documents such as NIST SP 800 series documents applied to a transportation agency, since some were initially geared to federal agencies to address FIPS compliance. It was a challenge for the ITD team doing the work, but the results were worth it. ITD was forced to take a hard look at their systems and current approaches and to ask hard questions, especially in deciding how to score the agency. They had to decide on agency goals, which forced them to take a holistic view of the whole program.

The NIST Framework does not include metric charts and graphical representation in the guidance, so ITD developed their own to use. They wanted to create metrics to represent in graphical format what investment looked like, e.g. how the agency was moving toward the goals. The agency created a chart that summarized the tier assessments by function and that information is presented to leadership on a regular basis.
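As an added illustration (not ITD's own tooling and not part of the original chapter), the Python sketch below rolls constructed subcategory tier scores up by function on the 0-4 scale described above and compares them with per-function targets from one quarter to the next. Averaging subcategories into a function score, the sample scores and the targets are assumptions; the subcategory identifiers come from the NIST Framework core.

```python
from collections import defaultdict
from statistics import mean

# Tier scale described in the text: NIST's four tiers plus the zero ITD added.
TIERS = {0: "not addressed", 1: "partial", 2: "risk informed",
         3: "repeatable", 4: "adaptive"}
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")
PREFIX = {"ID": "identify", "PR": "protect", "DE": "detect",
          "RS": "respond", "RC": "recover"}

# Constructed sample data: subcategory id -> assessed tier, per quarter.
QUARTERS = {
    "Q1": {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 2, "PR.DS-1": 3,
           "PR.DS-2": 3, "DE.CM-1": 1, "DE.AE-1": 0, "RS.RP-1": 2,
           "RS.CO-1": 1, "RC.RP-1": 1, "RC.IM-1": 0},
    "Q2": {"ID.AM-1": 3, "ID.AM-2": 2, "PR.AC-1": 2, "PR.DS-1": 3,
           "PR.DS-2": 2, "DE.CM-1": 2, "DE.AE-1": 1, "RS.RP-1": 2,
           "RS.CO-1": 2, "RC.RP-1": 1, "RC.IM-1": 1},
}
# Hypothetical targets, set before assessing as the text recommends.
TARGETS = {"identify": 3, "protect": 3, "detect": 2, "respond": 2, "recover": 2}


def function_of(subcategory):
    """Map a subcategory id such as 'PR.DS-1' to its Framework function."""
    return PREFIX[subcategory.split(".", 1)[0]]


def roll_up(assessment):
    """Average subcategory tiers per function (averaging is an assumption)."""
    by_function = defaultdict(list)
    for subcategory, tier in assessment.items():
        if tier not in TIERS:
            raise ValueError(f"{subcategory}: tier {tier!r} is outside 0-4")
        by_function[function_of(subcategory)].append(tier)
    return {f: mean(by_function[f]) for f in FUNCTIONS if by_function[f]}


def unaddressed(assessment):
    """Subcategories scored 0, i.e. not yet being addressed at all."""
    return sorted(s for s, tier in assessment.items() if tier == 0)


def quarterly_report(quarters, targets):
    """One row per quarter and function: score, target, gap, change."""
    rows, previous = [], {}
    for quarter, assessment in quarters.items():
        scores = roll_up(assessment)
        for function, score in scores.items():
            change = score - previous[function] if function in previous else None
            rows.append({
                "quarter": quarter,
                "function": function,
                "score": round(score, 2),
                "target": targets[function],
                "gap": round(max(0.0, targets[function] - score), 2),
                "change": None if change is None else round(change, 2),
                # A lower score than last quarter, e.g. after stricter rescoring.
                "regressed": change is not None and change < 0,
            })
        previous = scores
    return rows


def render(rows):
    """Plain-text bar chart, one line per row, for a leadership summary."""
    lines = []
    for r in rows:
        bar = "#" * round(r["score"] * 4)
        flag = " (down)" if r["regressed"] else ""
        lines.append(f'{r["quarter"]} {r["function"]:<9} {bar:<16} '
                     f'{r["score"]:.2f}/{r["target"]}{flag}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(quarterly_report(QUARTERS, TARGETS)))
    print("Not addressed in Q1:", ", ".join(unaddressed(QUARTERS["Q1"])))
```
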

Example of ITD NIST Framework Quarterly Goal Tracking (chart not reproduced in this text)

The illustration shows a chart used by ITD to display quarterly results. Goals have been set for each function based on the priorities set by the agency. ITD found that over time, as it became more cybersecurity-adept, the scoring became "harsher" than the initial assessment, so in some instances the tier was less in a subsequent quarter.

Note: Other organizations have created metrics adapted from the NIST Framework to easily convey to management their risk treatment plan and results. According to an interview with ITD personnel, University of Michigan utilizes a hi/med/low rating instead of the scoring system used by Idaho. See University IT Policies and Standards at http://cio.umich.edu/policy.

The process allowed the ITD team to successfully address the cybersecurity funding challenges of how much budget is available and where in the agency the budget comes from. Initially, there was a one-person cybersecurity team with tools being paid from business area budgets. Using the NIST framework and the graphic ‘results’ chart, support from senior management was easier to obtain. The chart provided a way to show the agency cyber risk as part of a holistic, ‘big picture’ and could demonstrate the ROI - making the DOT more secure.

ITD uses for its technology standards a NIST framework that provided a common set of terms and values so that the agency could create metrics on movement towards goals - what investment looked like in terms of agency-specific goals and the work accomplished to address identified technology gaps. The framework gave the agency a structure for demonstrating ROI for the investment of resources, employees and tools that reduced the cyber risk of the agency.

Security Design Processes

A security system should be designed only after a risk assessment has been performed and a comprehensive security plan has been designed. Until these tasks have been completed, the data available will not be sufficient to permit good decisions about security strategies. In a perfect world, strategy is data driven. In business, it is a commonly accepted practice (e.g., “what cannot be measured cannot be managed”). However, the security industry has been slow to use measurable factors in reducing risk because of difficulties in establishing security-related metrics.

Chapter 1 discussed risk insurance and the two types of risk cost-benefit analysis methods—quantitative and qualitative. Quantitative analysis is a numbers- or experience-based probability assessment that uses previously collected information to forecast the likelihood of a security event. The goal of quantitative security design is to decrease the ratio of unfavorable security events to total events through the analysis of data related to the known frequency of occurrence of a particular type of security incident. Once the probability aspects of a security incident have been defined, cost analysis is undertaken to rate the actual amount of loss against the costs of prospective security countermeasures available to reduce the risk associated with an occurrence.

In contrast, qualitative analysis is based on characteristics, conditions, and events rather than numeric assessment. This form of analysis demands an in-depth knowledge of the organization being assessed and an understanding of the operating environment in which work is performed. By default, qualitative analysis is the most widely used approach to risk analysis in the security industry. Some believe that qualitative analysis is sufficient and perhaps preferred to address the protection of lower value assets; however, in the most rigorous of applications, its use is by necessity because of an inherent inability to perform quantitative analysis. Whenever feasible, a quantitative analysis based on the collection of objective data should be considered first in the performance of security risk analysis.

A typical qualitative assessment assigns relative values to assets based on factors such as criticality of loss and replacement costs. Threats against those assets are also given a relative value based on their probability of occurrence. The result is a risk equation that computes risk as a function of impact and likelihood of occurrence. Qualitative analysis depends on the capabilities of the analyst performing the assessment. Such analysis is more subjective because of the lack of historical information or metric data to support its assumptions. Fortunately, in most circumstances, precision can give way to the grouping of the outcomes of qualitative relative value ratings into categories such as high, medium, or low.
Although knowledge of an agency’s characteristics may be more important to qualitative analysis, irrespective of the type of assessment conducted, security strategy design requires transportation agencies to determine which security issues faced are most critical. Once identified, a strategy and timeline for reducing risks and vulnerabilities can be established. The goal of a security design strategy should be the logical and incremental “buy down” of security risk so as to provide acceptable levels of protection for transportation agency assets and operations on a continuing basis. Risk buy down should be focused on what is of priority to the organization to ensure maximized performance levels are maintained.

Cost-effective security systems use a combination of countermeasures to meet security requirements. These normally include security staffing, training of employees, hardware (including electronic security systems), and security policies and procedures. Employees of transportation agencies and users of transportation systems can be a critical resource for maintaining a safe and secure operating environment. Traveler awareness and security awareness programs enable all personnel to contribute to security by providing situational awareness and “saying something” when something does not seem right. (See Chapter 5 for additional information on Awareness Programs.) Security design today demands that these component security resources be attained and then combined in a systematic way that can achieve security objectives while minimizing costs. System security should start with the basics consisting of those countermeasures that are most effective for the least amount of money, as outlined in Figure 20.

Figure 21: Security Countermeasures Cost Scale

Then, using assessment data obtained through analysis, the agency adds more costly system components until the level of security required to protect critical assets has been met. But developing a systems approach to security is more challenging than simply costing out security countermeasures into a hierarchy and applying them to an existing security vulnerability or situation. Transportation security issues are dynamic and evolving. Changing characteristics, conditions, and events require the synthesis of available resources in order to compensate for the weaknesses or loss of capabilities of one security countermeasure for the other.

“Layered security” (also referred to as overlapping security) enables security design strategists to overcome uncertainty in security resource allocation and decision making. For example, the protection of a critical transportation asset such as a fuel depot may be accomplished first by establishing a procedure that employees must be present at the depot during all hours of operation without exception. After hours, fencing, gates, lights, and locks would be used to secure the fuel facility. Finally, security patrols would make periodic checks at the facility as an additional protective measure. If specific threats are received that the fuel depot is a target of attack, the configuration of security countermeasures can be adjusted to meet the new security requirements. Assuming the facility remains open, additional staff could be assigned to be present at all times. Gates could be locked during hours of operation and identification checked for all persons seeking to enter the depot. Security forces could be permanently assigned to remain on the grounds. In this simplified scenario, increased vigilance is made possible by the layers of overlapping security capabilities that already exist.
However, the redeployment of personnel to increase the security at the fuel depot degrades security countermeasures available to protect the agency’s other assets. Sizing the scope of this potential loss of security resource during critical periods becomes an important part of the agency’s security design strategy.

Overlapping security does not end with the layering of security countermeasures alone. As pointed out in Making the Nation Safer, “transportation security can best be achieved through well-designed security systems that are integrated with transportation operations.” (pg. 214) The text goes on to describe security methods and techniques that are “dual use, adaptable and opportunistic” (pg. 220) as optimal in the diverse and dynamic transportation sector. For example, closed circuit television (CCTV), increased lighting or patrols by security personnel may improve the effectiveness of service delivery along with reducing crime and increasing security.

A “system” can be defined as “an integrated collection of components or elements designed to achieve an objective according to a plan.” (Design and Evaluation of Physical Protection Systems, April 2001, Mary Lynne Garcia) Systems can be small or large, complex or relatively simple. Complex systems usually are composed of smaller subsystems designed to work together. In the transportation sector, security systems integration can include the convergence of classic functions (e.g., safety, crime prevention, fire prevention, communications, and facility management) with functions unique to the industry (e.g., fleet management, package and cargo tracking and control, or dispatching operations).

When considering the opportunities for integrating security with other transportation functions, it is important to recognize that the synergies that can be achieved are two-directional. Security-related technologies and procedures can be integrated with existing or newly created systems to produce non-security benefits and non-security systems or subsystems can be applied more broadly to reducing security risks and vulnerabilities. Central to this concept of security systems integration is recognition that, prior to making new investments, existing systems and functions should be surveyed in order to explore opportunities for expanded use. For example, rather than deploying costly new surveillance systems, cameras, and monitoring stations, a bridge operator whose function is to safely raise or lower a bridge over navigable waters may be given new security inspection requirements to periodically check for signs of forced entry to bridge access points. Depending on the criticality of the bridge in terms of transportation operations, this approach may be optimal.
The design of an integrated security system is properly performed through a structured methodology known as system engineering. Security-related system engineering is defined as the protection of physical infrastructure components and logical structures and processes from threats and vulnerabilities. (Garcia, 2001) The process begins with definition of requirements, continues through to design and analysis of multiple potential solutions, and ends with selection and testing of the best design to meet requirements and goals and then begins again.

Security Funding

The familiar axiom “If you fail to plan, then plan to fail” applies to transportation security. The FTA’s SSEPP states the issue even more succinctly: “Plan first, then spend.” Security is highly sensitive to adverse consequences and prone to reactionary influences that may or may not result in an appropriate response to an incident. Crisis response to a security incident or series of security incidents demands that we exercise good judgment and sound policy so that we don’t spend money carelessly or ineffectively.

Security practitioners and risk management professionals recognize that it can be difficult to establish the value of a specific security countermeasure or activity. This difficulty is compounded when measures are grouped together or security is layered in a protective system. But quantifying the operating costs, savings, and/or revenues that will result from project implementation and incorporating those results into financial planning will ensure that security funding is considered on balance with other agency funding priorities. Security programs should be well thought out and sustainable over a predetermined term. The objectives and integration of security with other operating disciplines and management processes should be conducive to the overall goals of the transportation agency. Optimally, overlapping security funding cycles should be considered.
At minimum the agency should conduct security planning on a 1-year basis for both operating and capital and on a 5-year basis for capital improvements. (Some transportation organizations may use as much as a 1-year, 3-year, 5-year, and 10-year capital investment planning strategy.) Accomplishing both short- and longer term planning will provide continuity and a structured methodology for balancing the cost and effectiveness of security measures against the capabilities of the transportation organization to fund security improvements.

In relation to security, most costs associated with short-term operating funding cycles are labor related. For a transportation agency that maintains its own police or security force, these operating costs can run as high as 90 to 92% of budget allocation. But determining the correct number of police and security employees is highly contingent on the threats and vulnerabilities of the agency balanced against the mix of security measures that have been deployed to reduce security risk. In particular, the transportation agency must weigh the costs of security personnel against the prospective use of other less-costly security countermeasures, such as improved policies and procedures, employee security awareness training, or security systems, including locks, access control, or intrusion detection systems.

Just like an operating budget, and in conjunction with operating budget development, planning and management of the capital improvement plan should occur in a regular, annual cycle. It is here that security funding often meets its most significant challenges in the allocation of available resources. When possible, security expenditure recommendations at this stage in the funding cycle should contribute to the overall efficiency of the transportation agency in the performance of its core mission, goals, and objectives. Although not always the case, certain security measures such as increased lighting, improved communications, passenger flow gating, or simply directional signs can serve the dual purpose of adding to the effectiveness of service delivery.

Five-year capital planning is the point in the funding cycle where an agency can take best advantage of the development of a security plan.
Longer term security improvements that seek to reduce the vulnerabilities of an agency’s transportation critical infrastructure can be designed as components of larger systems and subsystems that are central to the strategic future of the organization. For example, an out-year strategy to replace the soon-to-be-antiquated or inefficient traffic control center of an agency can be augmented by the addition of security improving closed-circuit television (CCTV) technology that permits traffic controllers to observe the operating conditions at train stations or along bus routes. Similarly, a decision by management to invest in Automatic Vehicle Locator (AVL) technology for rolling stock can serve the important security and emergency response benefit of identifying the exact location of a vehicle in distress on the system. Thinking about security improvements in this way also facilitates the cost-effective designing-in of security measures at the outset of capital projects, instead of spending significantly more money to retrofit security into existing infrastructure. Security systems in and of themselves also require multi-year planning to ensure their effectiveness and continued usefulness. The replacement or upgrading of security system components should be contemplated as a continuous process that is capable of meeting the stated physical protection system requirements of the organization and flexible enough to respond to the changing security threats and vulnerabilities that occur over time.    


Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing, and can impact not only data, but the control systems - like tunnel-ventilation systems - operated by transportation agencies.

This update, a pre-publication draft of NCHRP Research Report 930: Security 101: A Physical and Cybersecurity Primer for Transportation Agencies, provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.
