Chapter 3 Security Countermeasures

The fundamental principle for determining what countermeasures to use in any given situation is that utility should control. Transportation agencies must examine the threats against the organization and identify the most useful means to reduce the vulnerabilities associated with those threats to acceptable levels. Of course, utility is not solely a measure of cost; there are often less costly but more effective solutions available that the agency can select to meet security requirements. In making these choices, security designers can benefit from the use of a utility scale that assimilates and compares one countermeasure against another. For example, in Figure 22, FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, lists security countermeasures along a sliding scale based on three utility factors: protection provided, cost and effort required. Countermeasures appear on the scale moving from "Less Protection, Less Cost and Less Effort to Greater Protection, Greater Cost, and Greater Effort." Note that the figure does not provide relative comparisons between the three utility factors, but does provide them for each of the factors individually.

Figure 22: Countermeasures Scale by Protection, Cost, Effect. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007
TCRP Project F-21, Tools and Strategies for Eliminating Assaults Against Transit Operators (published in 2017 as TCRP Research Report 193: Tools and Strategies for Eliminating Assaults Against Transit Operators), identifies additional approaches for describing and evaluating physical security countermeasures. Table 8 below describes levels of security based on purpose and definition. Source information regarding the definitions is provided in the table.

Table 8: Levels of Security

Purpose | Definition | Source
Prevention | Those capabilities necessary to avoid, prevent, or stop a threatened or actual act | DHS National Infrastructure Protection Plan NIPP (2013)
Deterrence | An activity, procedure, or physical barrier that reduces the likelihood of an incident, attack, or criminal activity | Transit Agency Security and Emergency Management Protective Measures (FTA 2006)
Detection | The identification and validation of a potential threat or attack that is communicated to an appropriate authority that can act | Transit Agency Security and Emergency Management Protective Measures (FTA 2006)
Mitigation | The application of a measure or measures to reduce the likelihood of an unwanted occurrence and/or its consequences | DHS Risk Lexicon (2008)
Response | Capabilities necessary to save lives, protect property and the environment, and meet basic human needs after an incident has occurred | DHS National Infrastructure Protection Plan NIPP (2013)
Recovery | The development, coordination, and execution of plans for impacted areas and operations | Transit Agency Security and Emergency Management Protective Measures (FTA 2006)

Source: TCRP Research Report 193: Tools and Strategies for Eliminating Assaults Against Transit Operators, 2017

Similarly, the F-21 research project contained a Countermeasures Rating Scale (Table 9) that lists the underlying description or definition of each of the rating categories.
It should be noted that implementation costs for many of the countermeasures are difficult to measure, due to the variability in costs depending on system size, preexisting resources, and a variety of other factors. It is also recognized that overly specific equipment and technology prices for individual countermeasures may quickly become outdated and reduce the usefulness of the guide. For these reasons, costs are presented as relative values.
Table 9: Countermeasures Rating Scale. Source: TCRP Research Report 193: Tools and Strategies for Eliminating Assaults Against Transit Operators, 2017

Ease of Use (nominal scale of DIFFICULT / MODERATE / EASY)
DIFFICULT | Requires extensive effort to accomplish
MODERATE | Requires some effort to accomplish
EASY | Requires minimal effort to accomplish

Transit Industry Use (nominal scale of HIGH / MED / LOW)
HIGH | More than two-thirds of transit agencies
MEDIUM | Between one-third and two-thirds of transit agencies
LOW | Less than one-third of transit agencies
UNKNOWN | Data not available

Time to Implement (nominal scale of LONG / MEDIUM / SHORT)
LONG | More than one year
MEDIUM | More than three months but less than one year
SHORT | Three months or less
UNKNOWN | Data not available

Labor Intensive (scale of up to 3 $s)
$$$ | Requires extensive new staff or makes heavy demands on current human resources
$$ | Requires some additional staff time
$ | Can be implemented with current staff, perhaps with training

Cost to Implement (scale of up to 3 $s)
$$$ | Requires extensive new facilities, equipment, or publicity, or makes heavy demands on current resources ($2M+)
$$ | Requires some additional equipment, facilities, and/or publicity ($450K to $2M)
$ | Limited costs for equipment, facilities, and/or publicity (<$50K to $450K)

Effectiveness (scale of up to 5 stars)
★★★★★ | Demonstrated to be effective by several high-quality evaluations with consistent results
★★★★ | Demonstrated to be effective in certain situations
★★★ | Likely to be effective based on balance of evidence from high-quality evaluations or other sources
★★ | Effectiveness still undetermined; different methods of implementing this countermeasure produce different results
★ | Limited or no high-quality evaluation evidence
Once the utility and relative costs of specific countermeasures have been established, the agency should return to the concepts of systems approach, layered security and systems integration (discussed in Chapter 2; see also Figure 23) when deciding how to proceed towards reducing security vulnerabilities. There are certain security design techniques or technologies that are well suited to serve as "solution sets" capable of fulfilling security needs.

Figure 23: Layers of Security. Source: FTA Security Design Considerations, 2004

Signs

One well known rule of warfare that is applicable to homeland defense is that neither fences nor signs will deter or stop a determined enemy. Nonetheless, security signs can play a very important role in the securing of transportation facilities, rights of way and critical infrastructure. They are relatively inexpensive, low maintenance, and can serve as a deterrent to aggressor actions or tactics. Maintenance of a good security sign program also helps to create a working environment in which security is perceived to be taken seriously. Employees become aware of security requirements through well placed signs that display the status of restricted or controlled areas, or signs that limit or prohibit certain activities. The signs depicted in Figure 24 are approved by OSHA for use in the workplace. They represent a cross-section of security designs that cover both of these categories. Effective use of signs starts with creation of a sign plan. The plan is a written record that provides a framework for decision making regarding the installation, replacement, maintenance and budgeting for the program. It identifies each sign by type and legend and contains a site plan for placement and installation.
Figure 24: Security Signs. Source: http://www.safetysign.com

In 2006 the U.S. Army Corps of Engineers updated its Sign Standards Manual, EP 310-1-6a and EP 310-1-6b. The manual provides a Checklist of Sign Plan Elements that depicts the steps necessary to implement an effective sign plan. The checklist includes: (1) an inventory of existing signs and their condition; (2) collection or development of up-to-date pictorials, maps (optimally supported by GIS), diagrams, blueprints, or other representation of the area in need of protection; (3) preparation of the site plan and sign layout materials; and (4) implementation of the plan in conformance with the guidelines established. Once the implementation plan has been accomplished, a sign inspection and maintenance schedule should be incorporated into the process. At this point a word of caution is appropriate. A budgeted, coordinated sign replacement and maintenance schedule is necessary as a means of continuing to reinforce the message to transportation system users, employees and the public that the agency prioritizes security on its properties and facilities. Missing signs defeat the objectives of the security plan layout, while damaged or vandalized security signs reflect badly on the agency's commitment to security. The Corps of Engineers recommends a formal inspection of security signs semiannually. The inspection should identify signs requiring maintenance or replacement, signs that can be eliminated, and the need for additional signs. Vandalized, damaged, or missing signs should be repaired or replaced as quickly as possible.

Emergency Telephones, Duress Alarms and Assistance Stations

Historically, emergency alert or alarm systems have been hardwired communications systems linked to security control centers. Telephone boxes, panic alarm buttons and intercom systems were typically
linked to central stations where dispatchers or monitoring personnel answered emergency calls and sent response personnel to the location to provide assistance. Today, wireless technology has added new dimensions and capabilities for the security related use of these systems. For example, the State Transit Authority of Australia has a fleet of 1800 buses in the Sydney and Newcastle area. Every bus is outfitted with Automatic Vehicle Locator (AVL) technology, a "Driver Duress Alarm" and a microphone that allows Authority central station personnel to hear what is transpiring on board the vehicle when the driver activates the system. Technology has also expanded the recipient group for duress alarms to include first responders themselves, who can be equipped to receive a location-specific, pre-recorded voice message using the officer's existing two-way radios. By eliminating the monitoring station go-between, these systems can greatly improve the response time for police or security personnel in the event of a security incident. Information can be sent almost simultaneously to the command center by digital data packet transmittal. Because of the high costs that can be associated with responding to duress alarms, it is critical for transportation agencies considering the use of emergency alert alarm systems to conduct a thorough risk assessment to correctly establish the size and scope of the project. Once the needs assessment has been completed, the best way to accomplish the countermeasures analysis is to engineer backwards from the response. Taking into account such variables as time, distance, day of the week and changes in staffing levels, police or security officer response capabilities, whether self-directed or through dispatch, should be examined to determine just how quickly help can arrive on scene.
Next, prospective communications access points for deployment of emergency alert or alarm systems should be compared with estimated response capabilities, keeping in mind the potential time variation and, where applicable, the routes and locations of agency rolling stock. If additional security assets are required to make the system viable, they should be designed and planned for prior to implementation. A duress alarm or emergency communication system that typically goes unanswered for an extended or unreasonable length of time creates an untenable security operating condition that should be avoided. Under such circumstances alternative security countermeasures should be selected.

Key Control and Locks

It has been said that security starts and ends with closing the door and locking it. But in truth even the most expensive and well-constructed locking mechanism can be defeated if sufficient skill and enough time are available to the adversary or aggressor. According to US Army Field Manual 19-30, Chapter 8, most key locks and conventional combination locks can be picked by an expert in a matter of minutes. More sophisticated manipulation-resistant locks, locks with four or more tumblers, some interchangeable core systems, or relocking devices on safes or doors can provide an "appreciable increase" in difficulty but are still subject to compromise. Locks should be considered at best a deterrent and more plausibly a delay device that does not completely restrict entry to a protected area. Locks are a widely used basic security countermeasure for protecting facilities, activities, personnel and property. They are present not only on doors, but on windows, gates, conveyances, interior offices, supply areas, filing cabinets and virtually all kinds of other storage containers or areas as well. As mentioned above, locking hardware is designed to various levels of deterrence or entry delay.
Performance standards for locks based on these capabilities exist through the ANSI/BHMA A156 series and Underwriters Laboratories (UL) 1034, 437, 768, 294, 2058 and 305. It is recommended that the agency consult with a professional locksmith for mechanical locks or a security professional for
electromechanical or electromagnetic locks before spending security dollars on new hardware or upgrades. Because keys and locks are frequently the only countermeasure deployed to protect assets and infrastructure, managing key access is fundamental to effective control. Maintaining a good key control system can mean the difference between having a robust security program and a compromised, unsecure operating environment. The starting point for establishing an effective key control program is the development of sound policy that is workable. The policy must be requirements based and commensurate with the levels of protection that are appropriate for the location or setting. Obtaining user input into the design of the key control system can assist greatly at a later date when maintaining the discipline associated with the system is important. Management of the system should be assigned to an individual designated as the Key Control Officer (KCO). This individual should be accountable for maintaining the integrity of the key control process by: (1) exercising approval authority over the acquisition and storage of all locks and keys, (2) providing oversight for the distribution of keys to agency employees, (3) conducting inspections and inventories, (4) maintaining the organization's key depository, (5) conducting investigations of key loss, and (6) establishing an official records maintenance system that serves as the control point for all agency activity. Frequently, an organization will be faced with a situation in which key control has previously been compromised, either through a lack of attention to security or by the failure of one or more employees to comply with policy. When current conditions demand retooling the system and process, the agency should create a key control annex to its physical security plan.
The newly assigned KCO should conduct a comprehensive survey of all agency physical assets needing protection to establish a baseline key control plan that can return efficiency to the program. Under this program, when a compromised key access point is identified, locks should be replaced, recoded, or otherwise upgraded as a security plan priority.

Fencing

There are two main issues associated with the use of fencing as a protective barrier. The first, and clearly the most important, is placement. However, in the context of homeland security the grade or strength of fencing material is a close second. Consideration must also be given to the substitution of other types of protective barriers in applications where fencing has traditionally been used (see below). It is important that the transportation agency look at the design aspects of both placement and strength of material in concert to determine how the use of fencing countermeasures can positively impact risk reduction efforts. Fencing can be used for various purposes in security. Predominant among these is the use of fencing to serve as a deterrent or delaying factor. When deployed in this way, terms such as perimeter line, controlled access zone and layered defense apply. Perimeter line describes the outermost line of defense for an area being protected. Controlled access zone describes attempts to limit access to the more immediate area being protected. The applicability of fencing in these configurations is apparent: for example, a fence can be used to form the outermost perimeter line. Fencing, or more generally protective barriers used in conjunction with layered defense principles, presents a much broader range of security applications. FEMA 430, Site and Urban Design for Security, presents a three layer model for the protection of a building against attack.
Under this approach the objective is to "create a defense in depth by creating cumulative successive obstacles that must be penetrated... penetration of the perimeter leads only to further defense systems that must be overcome."
Figure 25: Use of Fencing as a Security Countermeasure with Defensive Layers. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007.

In Figure 25 the use of fencing as a security countermeasure in conjunction with the first and second defensive layers can be observed. Under this configuration, the greater the distance between the building exterior and the perimeter line, the better. This "open space" concept of security affords designers the opportunity to use an array of different security countermeasures to defend the organization's assets, including line of sight observation, video surveillance, motion detection, or other intrusion detection technologies. It is also at this point that the second main issue, fencing material, can be illustrated. This is because fencing can actually be used to take security planners beyond deterrence and into prevention. Depending on the deployment and K Certification class of fencing material, there are certain aggressor tactics that can be completely defeated. Primarily, the threats that can be prevented are related to explosives mitigation and involve barrier interception of the threat at a point that creates sufficient stand-off distance to absorb dangerous explosive blast levels. K Certification anti-ram standards originated at the Department of State. The rating is determined from perpendicular barrier impact results of a truck weighing 15,000 lb (6810 kg) striking the barrier straight on. To meet the standard, the truck's cargo bed cannot penetrate the barrier by more than 1 meter. Table 10 and Figure 26 depict the vehicle and crash ratings associated with the truck striking the barriers at speeds of 30 mph, 40 mph and 50 mph.

Table 10: Vehicle and Crash Ratings
Figure 26: Truck Striking Barrier. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007

Figure 27 depicts a crash rated fence that, according to the manufacturer, can be reinforced with an integrated cable system to meet K8 standards.

Figure 27: Crash-rated Fence. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007
Figure 28 represents a schematic example of a cable barrier deployable as a means for fencing reinforcement.

Figure 28: Cable Barrier Deployable as a Means for Fencing Reinforcement. Source: DOD Handbook: Selection and Application of Vehicle Barriers, MIL-HDBK-1013/14, 1999.

Protective Barriers

Consistent with the discussion above, it is useful to recognize that fences are but one type of protective barrier available to security designers. Other types of barriers include anti-ram vehicle barriers, categorized as either passive or active. The alarming growth in the use of vehicles (rented, stolen or easily available large motor vehicles) as ramming instruments in direct attacks on pedestrians and similar gatherings of persons is an emerging threat requiring greater resiliency and focus on temporary and permanent barriers that block pedestrian traffic areas from vehicular intrusion. Anti-ram barrier effectiveness is based on the kinetic energy formula:

KE = Mv²/2 (Source: FEMA 426, Building Design for Homeland Security, 2004)

where M is the mass of the vehicle and v is its velocity at the time of impact. Passive barriers are fixed countermeasures that include bollards (concrete-filled steel pipe), reinforced street furniture, concrete walls, planters and berms.
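As an added worked example (not from the chapter, FEMA 426 or FEMA 430), the following Python applies KE = Mv²/2 to the 6810 kg Department of State test truck at the three Table 10 test speeds, and also inverts the formula to find the approach speed a barrier of a given energy rating tolerates; the K4/K8/K12 labels for 30/40/50 mph are the Department of State designations (only K8 is named in the chapter), and the 1500 kg car used for comparison is a constructed figure.

```python
"""Kinetic-energy budget behind K-rated anti-ram barriers.

Added example, not the chapter's or FEMA's own code. It applies the
chapter's formula KE = M v^2 / 2 to the 15,000 lb (6810 kg) test truck
the chapter cites, at the three Table 10 test speeds (30, 40, 50 mph).
"""
import math

MPH_TO_MPS = 0.44704        # exact: 1 mile = 1609.344 m, 1 hour = 3600 s
TEST_TRUCK_KG = 6810        # the 15,000 lb test vehicle cited in the chapter

# Department of State K designations for the three Table 10 test speeds
# (only K8 is named in the chapter; K4 and K12 follow the same standard).
K_RATING_SPEEDS_MPH = {"K4": 30, "K8": 40, "K12": 50}


def kinetic_energy_joules(mass_kg: float, speed_mph: float) -> float:
    """KE = M v^2 / 2, with v converted from mph to m/s so the result is in joules."""
    if mass_kg <= 0 or speed_mph < 0:
        raise ValueError("mass must be positive and speed non-negative")
    v = speed_mph * MPH_TO_MPS
    return 0.5 * mass_kg * v * v


def k_rating_energies_kj(mass_kg: float = TEST_TRUCK_KG) -> dict:
    """Impact energy (kJ) a barrier must absorb at each K rating's test speed."""
    return {k: kinetic_energy_joules(mass_kg, mph) / 1000.0
            for k, mph in K_RATING_SPEEDS_MPH.items()}


def energy_ratio(speed_a_mph: float, speed_b_mph: float) -> float:
    """How many times more energy the same vehicle carries at speed_a than at speed_b.

    Mass cancels, so the ratio is (v_a / v_b)^2: going from the K4 to the
    K12 test speed (30 -> 50 mph) raises the energy by 25/9 = 2.78x, not 1.67x.
    """
    if speed_b_mph <= 0:
        raise ValueError("reference speed must be positive")
    return (speed_a_mph / speed_b_mph) ** 2


def heavier_slower_carries_more(heavy_kg: float, heavy_mph: float,
                                light_kg: float, light_mph: float) -> bool:
    """True when the heavier but slower vehicle still carries more energy.

    Design use: checks whether a barrier sized for a light, fast vehicle
    also covers a heavy truck that the site layout keeps slow.
    """
    return (kinetic_energy_joules(heavy_kg, heavy_mph)
            > kinetic_energy_joules(light_kg, light_mph))


def max_approach_speed_mph(mass_kg: float, rated_energy_joules: float) -> float:
    """Invert KE = M v^2 / 2: the speed (mph) at which mass_kg reaches the rating.

    Design use: if a barrier is rated to absorb rated_energy_joules, this is
    the approach speed the perimeter layout (stand-off, chicanes, approach
    angle) must keep the design vehicle below.
    """
    if mass_kg <= 0 or rated_energy_joules < 0:
        raise ValueError("mass must be positive and energy non-negative")
    v_mps = math.sqrt(2.0 * rated_energy_joules / mass_kg)
    return v_mps / MPH_TO_MPS


if __name__ == "__main__":
    for rating, kj in k_rating_energies_kj().items():
        print(f"{rating:>3} ({K_RATING_SPEEDS_MPH[rating]} mph): {kj:8.1f} kJ")
    print(f"K12 vs K4 energy ratio: {energy_ratio(50, 30):.2f}x")
    # Constructed comparison: 6810 kg truck at 30 mph vs 1500 kg car at 50 mph
    print("Truck at 30 mph carries more than car at 50 mph:",
          heavier_slower_carries_more(TEST_TRUCK_KG, 30, 1500, 50))
```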
Figure 29: Barriers as Countermeasures. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007

Active barriers are movable or retractable in some way to allow passage when authorized. These can include retractable bollards, crash beams, rotating wedge systems, or rising barricades. See Figures 29, 30, 31, and 32.

Figure 30: Retractable Bollards, Crash Beams. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007.
Figure 31: Mobile Wedge Barrier. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007

Figure 32: Rising Barricade. Source: FEMA 430, Building, Site and Layout Design Guidance to Mitigate Potential Terrorist Attacks, 2007

Landscape Design

Natural barriers such as trees or water can be used effectively to reduce vulnerabilities. In addition, site planning for protected areas can be security minded, with landscape design serving the dual purposes of aesthetics and function. See Figure 33.
Figure 33: Proposal for the Re-Design of the Washington Monument Grounds. Source: Michael Van Valkenburgh Associates

Protective Lighting

Security professionals, emergency response personnel and safety practitioners universally extol the value of manufactured light as a means to protect people and property from harm or unreasonable risk of injury. Used as a security countermeasure during hours of darkness, protective lighting can even create an operating environment that provides better security than in the daytime. This can occur when security designers use capabilities such as glare projection to reduce the ability of an adversary to see the inside of a protected area. Protective lighting objectives include the following:

- Adherence to acceptable industry standards for outdoor protective lighting levels as promulgated by the Illuminating Engineering Society of North America (IESNA) or the guidelines of the New Buildings Institute's Advanced Lighting Guidelines, 2003 Edition
- Illumination of all exterior points within the perimeter of the protected area, including walkways, vehicle entranceways, fence lines and critical structures or assets
- Non-transgressing illumination of approach areas to the perimeter line
- Deterrence of aggressor attempts at entry to protected areas
- Support for other security countermeasures such as video surveillance cameras, motion activated sensors, or security forces
- Resistance to tampering, vandalism, neutralization or defeat

Similar to other measures, protective lighting security planning requires thoughtful and careful study to ensure that the benefits of the program are maximized. In particular, because of the open access nature of the environment, prospective dual use aspects of lighting should be examined for potential integration into mainstream transportation operations.
And vice versa, the security applicability of agency lighting configurations should be factored into operational planning and decision making. Planners should also determine the upgrade prospects of the existing lighting system. Taking advantage of opportunities to retrofit existing lighting systems (luminaires) can improve lighting quality, reduce electricity usage, and extend the time between required maintenance and replacement, while simultaneously providing benefits such as improved security or safety.
In this regard, although relatively inexpensive when compared to other security strategies, lighting plans also require a continuing strong commitment to maintenance and upkeep. Agencies must budget costs for cleaning and replacement of luminaires on a scheduled basis. Fortunately, as alluded to above, there are different types of lighting systems that can help to reduce the overall costs associated with upkeep while at the same time improving the efficiency of the lighting output, measured as luminance (footcandles or lux). There are three principal sources of light in common use today: (1) Incandescent Lamps, (2) Fluorescent Lamps and (3) High-Intensity Discharge (HID) Lamps. All three types convert electrical energy into light or radiant energy. Compared to other light sources, incandescent lights are low in cost, have a relatively short life and provide low efficiency in lumens per watt of electrical energy. Fluorescent lamps provide longer life and higher lamp efficiency. High-Intensity Discharge Lamps come in different varieties. They include Mercury Vapor Lamps, known for their long life and good efficiency; Metal Halide Lamps, with a much shorter lamp life than mercury vapor but with an efficiency rating about 50 percent higher; and High Pressure Sodium (HPS) Lamps, with both longer life and a high lumen efficiency. HPS Lamps are used where efficiency is the most important factor. See Table 11.
Table 11: Lamp Type, Life and Efficiency.

Type of Lamp | Lamp Life | Lamp Efficiency
Incandescent | 500 to 4,000 hours | 17 to 22 Lumens Per Watt
Fluorescent | 9,000 to 17,000 hours | 67 to 100 Lumens Per Watt
HID: Mercury Vapor | 24,000+ hours | 31 to 63 Lumens Per Watt
HID: Metal Halide | 6,000 hours | 80 to 115 Lumens Per Watt
HID: High Pressure Sodium | 24,000 hours | 80 to 140 Lumens Per Watt

Source: Adapted from NFPA 730 Guide for Premises Security, 2006

Luminaires (each consisting of a complete lighting unit: lamp, housing, and power supply connectivity) are categorized in four general types: (1) Floodlight Luminaires, (2) Street Light Luminaires, (3) Fresnel Lens Luminaires, and (4) Search Light Luminaires. Floodlights are designed to project to distant points; therefore their use in homeland defense is vital. They are used to illuminate perimeter fence lines, critical facilities or high priority assets. Both incandescent and HID lamps are used in floodlight luminaires. Street Lights are used to illuminate large areas. They are also used in entranceways. Mercury Vapor lamps are widely used in street lighting because of their long life. Fresnel Lens Luminaires are directional high glare units that project a fan shaped light beam approximately 180 degrees in the horizontal and 15 to 30 degrees in the vertical. They are used in homeland defense to protect high security locations where transgressing light will not impact the neighboring community. Search Lights provide a powerful concentrated beam distribution. They are usually incandescent, ranging in reflector diameter from 12 to 24 inches and in power from 250 to 3000 watts. Search Lights are often portable, used to augment fixed lighting at a given location.

Alarm Systems

Alarms have the ability to detect the occurrence of many different types of incidents such as intrusion, smoke or fire, temperature change, gas, or water flow rates, as well as a full range of other emergency conditions.
Their basic physical security application however, relates principally to intrusion detection. It should be noted that the functionality of alarms is also applicable to chemical, biological, and radiological sensors albeit more complex depending on the technology associated with the types of sensors.
Intrusion detection alarm systems are an important countermeasure in the security planning toolkit. Their main purpose is to work as a force multiplier that allows for the more efficient use of staffing by reducing the number of security personnel required to patrol or monitor a protected area. Indeed, assuming that a response force is within reasonable proximity, alarm systems can completely eliminate the need for a dedicated security patrol force. The versatility of alarm systems also facilitates their use as a substitute for other security countermeasures that are not viable because of safety concerns or operational requirements, or their use as a supplemental security measure capable of adding an additional layer of security to protect critical assets. The main elements of an intrusion detection alarm system include the sensors, the alarm processor, the monitoring system, and the communications architecture that connects these elements. The components of an alarm system include:

- Main Control Unit
- Keypad
- Input Devices (Sensors)
- Transformer
- Power Supply
- Telecommunications
- Output Devices

An alarm system can be "hard wired," meaning that the system uses wires to connect all input and output devices to the main control unit, or "wireless," using radio waves or RF to transmit intrusion alarms. Some systems today, known as hybrids, use a combination of both hard wired and wireless signal carrying methods to communicate intrusion or status. The physical security deployment of intrusion detection systems usually occurs in conjunction with other security countermeasures such as natural and manmade barriers, access control systems and other sensor technologies. For an intrusion detection alarm system to be effective there must be both an active or passive monitoring capability and a security or law enforcement personnel response team capacity. Sensors are the input mechanism associated with alarm systems.
A good way to categorize intrusion sensors is to describe them as interior or exterior:

Figure 34: Interior Intrusion Sensors, Applications Index. Source: SAVER Summary; Handbook of Intrusion Detection Sensors, 2004, http://www.dhs-saver.info
Interior sensors perform one of three functions: (1) detection of an intruder approaching or penetrating a secured boundary, such as a door, wall, roof, floor, vent, or window; (2) detection of an intruder moving within a secured area, such as a room or hallway; and (3) detection of an intruder moving, lifting, or touching a particular object. See Figure 34.

Figure 35: Exterior Intrusion Sensors, Applications Index. Source: SAVER Summary; Handbook of Intrusion Detection Sensors, 2004, http://www.dhs-saver.info

Exterior sensors detect intruders crossing a perimeter or boundary or entering a protected zone. While many interior sensors should not be exposed to weather, exterior sensors must be able to withstand outdoor weather conditions. Exterior sensors have a higher nuisance alarm rate than their interior counterparts and a lower probability of detection, primarily because of uncontrollable environmental factors. See Figure 35. There are many different types of sensors used in intrusion detection alarm systems (see above). These sensors detect through sound, vibration, motion, electrostatic fields and/or light beams. Determining which sensors to deploy in response to a security vulnerability depends on both operational considerations and technological limitations. Operationally this includes issues such as the hours of operation of the facility; the presence of system users, staff or other personnel; the value of material, equipment or other critical assets; and the response time of security forces. Technology issues can include concerns about radio and electrical interference, sound levels, weather and climate, or other environmental factors. It is recommended that the agency seek professional security assistance in planning for intrusion detection alarm systems.

Electronic Access Control Systems

Access control systems perform the task of limiting or restricting the access of personnel or vehicles either into or out of a controlled zone or area.
The technology deployed can be basic or complicated depending on the needs and requirements of the resource or area to be protected. Systems can be stand-alone, controlling access to a single entry point, or multi-portal and computer-based, capable of controlling access to hundreds of doors and managing thousands of identification credentials.
Prior to implementing an access control system the agency should have a well-defined understanding of the threats and vulnerabilities that need to be addressed. In addition, sensitivity to several other factors is important. These include:
• the nature and tempo of activity in and around the protected area
• the size of the authorized population
• variation in degrees of accessibility in terms of access levels and time
• the physical characteristics of the area being protected
• limitations or restrictions caused by the nature of the operating environment
• climate and weather conditions affecting system operations
• staffing, training and support levels available for operation and maintenance of the system
• the availability of security forces to respond to a report of an unauthorized entry

Protecting transportation agency operations and assets can be a difficult proposition. Because of the open and ubiquitous nature of the operating environment it is not always possible for the movements of people to be controlled. In fact, inappropriate screening of system users may create an untenable level of inconvenience that results in the loss of customers. Similarly, an agency whose employees are confronted with unnecessary and overly time-consuming access control regimens will at best suffer a loss of productivity through queuing or at worst have the system itself compromised by activities such as door propping.

Access control performance must correspond to the needs of the organization by being responsive to throughput requirements, defined as "the measure of the number of authorized persons or vehicles that can process through an ingress or egress point within a period of time." (SAVER Summary; Handbook of Intrusion Detection Sensors, 2004 http://www.dhs-saver.info) Important to accomplishing acceptable throughput is the accurate identification of controlled or restricted areas through a rigorous determination of what locations, assets or resources need protection. The difference between the two is based on the necessity of access. Controlled area access should be limited to persons who have official business within the area. Restricted area admittance should be limited to personnel assigned to work in the particular area, or other personnel who have been expressly cleared and authorized. Other individuals entering restricted areas should be accompanied at all times by an authorized individual. The following criteria can assist in defining agency controlled areas or restricted areas:
• operating areas critical to the continued operation or provision of services
• locations where uncontrolled access would interfere with or disrupt personnel in the performance of their duties
• storage areas that contain valuable equipment or materials
• locations where operations can result in the existence of hazardous or unsafe conditions
• office areas where sensitive or confidential information is located
• command and control areas that house critical functions

There are four main elements of an access control system: (1) access control barriers, (2) access control verification or identification equipment, (3) access control panels and (4) the communications structure that connects these elements together. The system must also possess the means of communicating, either directly or indirectly through a human interface, with responding security forces.
Access control barriers are identification-based, requiring the person or vehicle requesting access to possess some form of information or technology that can be read by the system. Electronic systems are computer-controlled, with access determinations made through a query of an authorized user database.
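As an added illustration of the controlled/restricted distinction and the authorized-user database query described above (example code written for this chapter, not from the report or any vendor product; the token ids, access levels, area names and portal hours are constructed placeholders), the decision logic below grants controlled-area access on official business, restricted-area access only to assigned or expressly cleared holders, admits anyone else only with an authorized escort, honours portal hours and revocation, and records every decision for the security desk:

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Area:
    name: str
    classification: str            # "controlled" or "restricted"
    business_levels: frozenset     # access levels with official business here
    open_from: time = time(0, 0)   # portal hours during which access is granted
    open_until: time = time(23, 59)

    def open_at(self, at: datetime) -> bool:
        return self.open_from <= at.time() <= self.open_until


@dataclass(frozen=True)
class Credential:
    holder: str
    level: str                     # access level / role (constructed names)
    active: bool = True            # False once the token has been revoked
    assigned_areas: frozenset = frozenset()
    expressly_cleared: frozenset = frozenset()


# Constructed authorized-user database keyed by token id (placeholder values).
USER_DB = {
    "T-1001": Credential("dispatcher", "operations",
                         assigned_areas=frozenset({"rail_control_center"})),
    "T-1002": Credential("hvac_contractor", "contractor"),
    "T-1003": Credential("former_employee", "operations", active=False),
}

# Constructed areas: the yard is controlled (official business, day shift only);
# the control center is restricted (assigned or expressly cleared staff only).
AREAS = {
    "maintenance_yard": Area("maintenance_yard", "controlled",
                             frozenset({"operations", "contractor"}),
                             time(6, 0), time(18, 0)),
    "rail_control_center": Area("rail_control_center", "restricted",
                                frozenset({"operations"})),
}

AUDIT_LOG = []   # every decision, so security forces can be notified of denials


def authorized_alone(cred: Credential, area: Area, at: datetime) -> bool:
    """Would this credential be admitted on its own, without an escort?"""
    if not cred.active or not area.open_at(at):
        return False
    if area.classification == "controlled":
        return cred.level in area.business_levels
    # Restricted: assigned to work here, or expressly cleared and authorized
    return area.name in cred.assigned_areas or area.name in cred.expressly_cleared


def decide(token_id: str, area_name: str, at, escort_token: str = None):
    """Return (decision, reason): decision is grant, grant_with_escort or deny."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    area = AREAS[area_name]
    cred = USER_DB.get(token_id)
    if cred is None:
        result = ("deny", "unknown token")
    elif not cred.active:
        result = ("deny", "token revoked")
    elif not area.open_at(at):
        result = ("deny", "outside portal hours")
    elif authorized_alone(cred, area, at):
        result = ("grant", f"{cred.level} authorized for {area.classification} area")
    elif (area.classification == "restricted" and escort_token in USER_DB
          and escort_token != token_id
          and authorized_alone(USER_DB[escort_token], area, at)):
        result = ("grant_with_escort", f"escorted by {USER_DB[escort_token].holder}")
    else:
        result = ("deny", "not authorized for this area")
    AUDIT_LOG.append((at.isoformat(), token_id, area_name) + result)
    return result


if __name__ == "__main__":
    print(decide("T-1002", "rail_control_center", "2024-01-15T10:00"))
    print(decide("T-1002", "rail_control_center", "2024-01-15T10:00", "T-1001"))
```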
Figure 36: Cipher Access Control Barrier. Figure 37: Token-based Drop Arm Barrier System. Source: SAVER Summary; Handbook of Intrusion Detection Sensors, 2004 http://www.dhs-saver.info

Figure 36 is representative of a "cipher" access control barrier widely used for access control in areas that require frequent entry by authorized users. The cipher lock controls access using information the individual knows (a combination). Figure 37 represents a token-based drop arm barrier system used to supplement security personnel at the vehicle entranceway to a controlled area. The vehicle carries some form of readable proximity sticker, such as a bar code or other device, that automatically lifts the drop arm barrier once the authorized user database has been interrogated.

There are many types of access control system barriers and perhaps even more identification methods (see also keys and locks and protective barriers above). In fact there are at least nine different card-encoding technologies available, including better known technologies such as magnetic stripe or proximity. Today "smart card" technology and even biometric systems are becoming more and more prevalent. Smart card technology is a term used to describe a single card that performs more than one function, such as access control as well as photographic identification. Access control related biometric technology differs from cipher, in which the individual seeking entry knows authorizing information, and from token, which is based on something the individual possesses that is read by the barrier. As shown in Figure 38, biometric technology is based on who the individual is.

Figure 38: Biometric Technologies Including Iris Recognition, Fingerprint Identification, Voice Recognition and Palm Print Identification. Source: Adapted from National Science and Technology Council (NSTC) Subcommittee on Biometrics http://www.biometricscatalog.org/NSTCSubcommittee

TCRP Report 86, Volume 4, Intrusion Detection for Public Transportation Facilities Handbook provides a useful overview-level checklist to assist in sizing or engineering an access control system. However, this list should only be used in conjunction with the assistance of security professionals that specialize in the design and implementation of access control systems. Establishing an integrated access control system can be a complex project. It involves both short-term and long-term issues of design, maintenance, continued operation, training and testing. Access control systems can also be quite expensive, and costs are easy to underestimate. Expenditures associated with system infrastructure can quickly climb as the organization's needs grow and mature. Security planners should contemplate access control implementation based on life cycle costs and multi-year capital planning. See Table 12.
Table 12: Checklist for Sizing or Engineering an Access Control System. Source: TCRP Report 86, Volume 4 Intrusion Detection for Public Transportation Facilities Handbook

Surveillance Systems and Monitoring

More and more every day, CCTV (Closed Circuit Television) is being deployed as a security countermeasure for both homeland security and crime prevention purposes. The general public has for the most part accepted the presence of video cameras in public places as a routine part of their daily comings and goings. Video systems can now be observed in use in facilities such as banks, shopping centers, transportation facilities, casinos, gas stations, convenience stores and stadiums. Outdoor surveillance cameras are being mounted in downtown districts in major cities, on highways, in parks and recreation areas, and even at intersections where traffic violators are caught on film running red lights.

The term CCTV is synonymous with surveillance technology and has come to be used as a generic descriptor for video systems. Originally the term was used to differentiate between broadcast television and private video networks. In general, CCTV is a system of one or more video cameras that are connected in a closed circuit or loop. The cameras provide input images to a television monitor for viewing. Depending on security objectives, the CCTV system may also include a recording and playback capability. See Figure 39.

Figure 39: SAVER Highlight, CCTV. Source: SAVER Highlight, CCTV Technology 2005 http://www.dhs-saver.info

Effectively integrating CCTV into a transportation agency's security program demands that planners exercise a high level of conceptual understanding of the capabilities of the technology and its ability to meet organizational requirements and needs. Video systems do not provide any form of denial of attack or delay in response to aggressor tactics or actions. CCTV systems are passive countermeasures. They present no physical barrier, nor do they control access or reduce exposure to dangerous conditions. In the strictest sense, CCTV seeks to deter aggressor actions or targeting through an increase in the aggressor's perceived risk of capture or belief in the successful interdiction and prevention of an attack.
Recognizing this circumstance, deploying CCTV effectively as a deterrent requires that the aggressor know the system is present. In addition, the aggressor must believe that the CCTV system will indeed prevent or reduce the likelihood of success. See Figure 40 and Figure 41.
Figure 40: Overt CCTV Camera. Source: US DOJ, Video Surveillance of Public Places by Jerry Ratcliffe, 2006

Figure 41: Overt CCTV Camera. Source: US DOJ, Video Surveillance of Public Places by Jerry Ratcliffe, 2006

CCTV also serves a second, almost equally important role as a security tool capable of greatly improving the performance and responsiveness of security forces and intrusion detection systems, including alarm and access control. By adding video surveillance to these systems an agency can remotely monitor and assess security conditions during a security incident. In fact, currently available advanced video surveillance technologies can further expand the effectiveness of video monitoring. Switchers that permit operators to select between video images, multiplexers that facilitate simultaneous viewing, and new video analytic capabilities are in use to aid operators by directing their attention to priority images. Technology such as facial recognition software and thermal imaging systems can further increase the value of video surveillance. See Figure 42.

Figure 42: Thermal Imaging Camera and Photo. Source: SAVER Summary; Closed Circuit Television Technology Handbook 2006 http://www.dhs-saver.info

In 2007 the American Public Transportation Association (APTA) published The Selection of Cameras, Digital Recording Systems, Digital High Speed Train-lines and Networks for use in Transit related CCTV Systems as a part of its IT Standards Program Recommended Practice (RP) Series. APTA IT-RP-001-07 V1.2 is a valuable technical resource for transportation agencies considering implementation or upgrading of CCTV systems. The document covers the selection and use of cameras for CCTV at stations as well as on moving transportation conveyances such as buses or train cars. Recording devices and backbone architecture for support of CCTV are discussed in detail. In its overview section the APTA RP states: "This level of quality is intended to facilitate the requirements of the systems design through a formal 'Systems Requirement Specification' (SRS) allowing the systems to be designed for every day safety and security requirements as well as revenue protection and anti-crime and anti-terrorist applications requiring the identification of unknown people and objects depicted within images and allow systems to be designed to meet the 4 industry accepted categories known as Detect, Monitor, Identify and Recognize." The industry accepted categories of Detect, Monitor, Identify and Recognize are used by APTA to frame the functional requirements of CCTV systems.
Specifications are based on image resolution criteria that depend upon the security purpose and usage of the video system. Figure 43 provides a comparison of screen size image projections for these categories.

Figure 43: Screen Size Image Projections. Source: APTA, The Selection of Cameras, Digital Recording Systems, Digital High Speed Train-lines and Networks for use in Transit related CCTV Systems; draft 2007

Operational context and applicability for each of the categories is provided in Table 13.
Table 13: Operational Context and Applicability. Source: APTA, The Selection of Cameras, Digital Recording Systems, Digital High Speed Train-lines and Networks for use in Transit related CCTV Systems; draft 2007

And finally, Figure 44 provides a pictorial differentiation between the categories by focusing on image resolution requirements for successful "identification" of a suspect. The photographic images in the bottom two pictures are cropped, enlarged and enhanced from the photos immediately above them.

Figure 44: Left: Closed-circuit Television Image Likely to be Suitable for Personal Identification. Right: Closed-circuit Television Image Unlikely to be Suitable for Personal Identification. Source: APTA, The Selection of Cameras, Digital Recording Systems, Digital High Speed Train-lines and Networks for use in Transit related CCTV Systems; draft 2007

The determination of image resolution requirements is perhaps the most important aspect of CCTV system design. Without usable images, security personnel would be unable to discharge their responsibilities. However, the costs attributable to CCTV design can increase exponentially when security planners overreach the system capabilities to meet criteria that serve no objective purpose. This problem extends not just to image quality but also to the functionality of the other component parts of video systems. CCTV design should start with a needs and requirements analysis based on the findings of the agency's risk assessment. Activity-driven performance functions should be identified that articulate each vulnerability or security objective that the CCTV system should address.
Cybersecurity Countermeasures

There are countermeasures and approaches that transportation agencies can utilize to reduce risks and mitigate impacts of cyber incidents. Significant work has been accomplished in cybersecurity, especially in the areas of IT/network security and, most recently, in industrial control system (ICS) cybersecurity. The National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS) provide recommended practices and standards, with transportation-specific guidance available from APTA and FHWA. There are international standards and recommendations from the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA), and Control Objectives for Information and related Technology (COBIT). Security working groups such as the Computer Security Incident Response Team (CSIRT), the Computer Emergency Response Team (CERT), and ICS-CERT, which responds to breaches of cybersecurity, have compiled resources of recommended practices that can be applied across all industries. This section provides high-level approaches to reduce vulnerabilities and mitigate impacts of incidents, and an overview, by category, of specific areas to address as part of cybersecurity.

There are some countermeasure resources that provide comprehensive guidance and recommendations for a broad range of risks. For example, The Critical Controls for Effective Cyber Defense (COBIT, 2013) is a consensus list of the best techniques that "reflect the combined knowledge of actual attacks and effective defenses of experts in the many organizations that have exclusive and deep knowledge about current threats. These experts come from multiple agencies of the U.S. Department of Defense, Nuclear Laboratories of the U.S. Department of Energy, the U.S. Computer Emergency Readiness Team of the U.S. Department of Homeland Security, the United Kingdom's Centre for the Protection of Critical Infrastructure, the FBI and other law enforcement agencies, the Australian Defense Signals Directorate and government and civilian penetration testers and incident handlers." Figure 45 summarizes the critical controls best practices, ranked by effectiveness in mitigating incidents. The controls are broken into four groups: (1) those that address operational conditions that are "actively targeted and exploited", (2) those that address known "initial entry points", (3) those that "reduce the attack surface, address known propagation techniques" and mitigate the impact of an incident, and (4) those related to "optimizing, validating and managing".
Figure 45: Summary of Critical Controls Best Practices. Source: COBIT

As part of the Critical Controls, five "quick wins" or the "First Five" were identified. These controls have been found to be "the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations." The "First Five" address:
1. Software whitelisting
2. Secure standard configurations
3. Application security patch installation
4. System security patch installation
5. Ensuring administrative privileges are not active while browsing the web or handling email

Recommended practices for cybersecurity typically are grouped into categories. For example, the NIST Cybersecurity Framework includes the following under Protection:
• Access Control
• Awareness and Training
• Data Security and Information Protection
• Protective Technology

Other categorizations also highlight:
• Cyber Hygiene
• Boundary Defense and Network Separation
• Configuration Management

Cyber Hygiene

Common cyber hygiene practices include:
1. Encouraging staff to follow basic security policies and procedures.
  • Not giving out user names, passwords, or other access codes to anyone.
  • Not opening e-mails or attachments from strangers.
  • Not installing or connecting any personal software or hardware to the organization's network or hardware without permission.
  • Making passwords complex and changing passwords regularly (every 45-90 days).
  • Keeping anti-virus software current. Regularly downloading and installing vendor security "patches".
  • Following Bring-Your-Own-Device (BYOD) and mobile device management (MDM) security practices.
2. Removing unnecessary applications and functions from systems.
  • Reducing or removing general purpose services/interfaces.
  • Using application-specific, least-functionality interfaces.
  • Reducing static open file exchanges (shared folders).
  • Eliminating hidden hubs.
3. Changing default configuration options and passwords, such as manufacturer or vendor default passwords.

Access Control

Access control involves maintaining secure access to assets and associated facilities, limiting it to authorized users, processes, or devices, and to authorized activities and transactions. Cybersecurity access control cannot be easily separated from physical security. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. This section only addresses the cyber components of access control.

Access Control Basics
• Use strong passwords and change default passwords often.
• Restrict physical access to the network and remote devices.
• Disable unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
• Restrict user privileges to only those that are required to perform each person's job (i.e., establish role-based access control and configure roles based on the principle of least privilege).
• Consider the use of two-factor authentication methods for accessing privileged accounts or systems.
• Consider using separate authentication mechanisms and credentials for users of the TMS system network and the corporate network.
• When remote access is required, consider deploying two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access. Be prepared to operate without remote access if required.

Control System Considerations
• Apply appropriate access controls to all field devices such as ramp/gate/signal controllers, dynamic messaging signs, switches, and signaling devices.
• Secure remote access channels, e.g. place remote devices on private networks if possible.
• Disable telnet, webpage, and web LCD interfaces if not needed.

Effective access control includes applying the concept of least privilege. Every program and every user of the system should operate using the least set of privileges necessary to complete the job. It is also recommended to place controls between network segments, if possible, to limit congestion and cascading effects, which will mitigate the effects of an incident that does occur. In addition, it is important to identify controls to minimize the consequences of human error and other unintentional incidents such as equipment failure.

Data Security and Information Protection

Transportation agencies have a broad range of data collected and stored on their networks. Along with traffic control and system data, there is personally identifiable information (PII) of employees, contractors and often customers. Agencies may have credit card information, and a few, those with responsibility for the state Department of Motor Vehicles (DMV), have extensive customer personal information. Data security means that information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality (preserving authorized restrictions on information access and disclosure), integrity (guarding against improper information modification or destruction), and availability (ensuring timely and reliable access to and use of information) of information. NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, includes an extensive catalog of management, operational and technical security controls that can be applied to transportation agencies as well.

Data Security and Information Protection Basics
• Protect data-at-rest and data-in-transit with encryption, when possible. Move data between networks using secure, authenticated, and encrypted mechanisms. Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
• Implement protections against data leaks and loss.
Data Loss Protection controls are policy-based and include classifying sensitive data, identifying sensitive data across the agency, enforcing data security controls, and ongoing reporting and auditing to ensure policy compliance.
• Ensure that data assets are formally managed throughout removal, transfers, and disposition. Backups of data and information are conducted, maintained, and tested periodically. Data is destroyed according to security policy.
• Adequate data capacity is maintained to ensure availability.
• Review cloud provider security practices for data protection.
• Integrity checking mechanisms are used to verify software, firmware, and information integrity.
• The development and testing environment(s) are separate from the production environment.

Control System Considerations
• Communications protocols used in control systems environments are different from IT protocols.
• Available computing resources (including CPU time and memory) are limited, so devices may not have enough memory and computing resources to support the addition of security capabilities.
• Some of the operating systems and applications running on ICS may not operate correctly with commercial off-the-shelf IT cybersecurity solutions. In some instances, vendor license and service agreements may not allow third-party cybersecurity solutions.
• Encryption capabilities, error logging and password protection may not be available.

Boundary Defense and Network Separation

Protecting the boundaries of systems and separating networks are critical to cybersecurity. The edges of systems, for many reasons, are the most vulnerable spots. Implementing technical defenses such as firewalls is a common recommended practice. A strong system of network firewalls includes an external firewall to protect from unauthorized persons trying to get into the network and internal firewalls to wall off different departments/divisions. Those areas that contain the most critical applications and sensitive or valuable information should have particularly robust protections from each other. As many sources have noted, firewalls are not complete solutions. There are coverage and accuracy issues that have to be considered, along with the likelihood that individual components have direct or wireless connections to the Internet through unknown or unapproved channels. For example, printers on the network may have wireless connections.

For SCADA and control system networks, the connections between remote field devices, e.g. remote access units (RTU) or programmable logic controllers (PLC), and the master terminal unit (MTU) are of primary concern. Firewalls between MTUs and RTUs are critical in any system architecture. However, because commercial firewalls do not generally support SCADA protocols, the SCADA protocols and the ports they use have to be identified and opened in the firewalls for the system. Unfortunately, security experts have long known that one of the great vulnerabilities in a network is the inadvertent opening of ports that can be attacked. Providing adequate network segmentation between control and business networks is another recommended practice. Segmentation should be risk-based, separating information and systems of different levels of criticality. In some transportation systems, physical isolation of one network from another, or air gapping, has been considered as a security technique.
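The firewall rule audit below is an added example, not code from the report or any firewall vendor: it checks the rules at the business/control and MTU/RTU boundaries against the list of SCADA protocols and ports the agency has identified, so that an inadvertently opened or overly broad port is reported before it can be attacked. The zone names, the rule format, first-match rule evaluation and the inventory of identified protocols (Modbus/TCP on 502 and DNP3 on 20000, their registered default ports) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    dport: str          # destination port as a string, or "any"
    action: str         # "allow" or "deny"
    comment: str = ""   # business reason recorded with the rule


# Assumed inventory of SCADA protocols the agency has identified as in use.
# The selection is constructed for this example; the port numbers are the
# registered defaults for Modbus/TCP and DNP3.
IDENTIFIED_SCADA = {("tcp", "502"): "Modbus/TCP", ("tcp", "20000"): "DNP3"}
CONTROL_ZONES = {"control", "field"}      # MTU side and RTU/PLC side
UNTRUSTED_ZONES = {"internet"}


def is_deny_all(rule: Rule) -> bool:
    """True for an explicit catch-all deny rule."""
    return (rule.action == "deny" and rule.src_zone == "any" and rule.dst_zone == "any"
            and rule.proto == "any" and rule.dport == "any")


def audit(rules):
    """Return findings as (rule_index, severity, message); first match wins."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or r.dst_zone not in CONTROL_ZONES:
            continue        # only openings into the control/field side matter here
        if r.src_zone in UNTRUSTED_ZONES:
            findings.append((i, "critical",
                             f"{r.src_zone} allowed directly into {r.dst_zone}"))
        elif r.proto == "any" or r.dport == "any":
            findings.append((i, "high",
                             f"broad opening into {r.dst_zone}: {r.proto}/{r.dport}"))
        elif (r.proto, r.dport) not in IDENTIFIED_SCADA:
            findings.append((i, "medium",
                             f"{r.proto}/{r.dport} into {r.dst_zone} is not an identified "
                             f"SCADA protocol; confirm the need ({r.comment or 'no reason'})"))
    # Anything not explicitly allowed must be dropped by a final deny-all.
    if not rules or not is_deny_all(rules[-1]):
        findings.append((len(rules), "high",
                         "rule set does not end with an explicit deny-all"))
    return findings


# Constructed sample rule set for a business/control/field architecture.
SAMPLE_RULES = [
    Rule("business", "control", "tcp", "502", "allow", "historian pulls from MTU"),
    Rule("control", "field", "tcp", "20000", "allow", "MTU polls RTUs over DNP3"),
    Rule("business", "control", "tcp", "3389", "allow", "vendor remote desktop"),
    Rule("business", "field", "any", "any", "allow", "temporary troubleshooting"),
    Rule("internet", "control", "tcp", "502", "allow", "remote integrator"),
    Rule("any", "any", "any", "any", "deny", "default deny"),
]


if __name__ == "__main__":
    for index, severity, message in audit(SAMPLE_RULES):
        print(f"rule {index}: [{severity}] {message}")
```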
In the past, transportation systems may have been closed proprietary systems protected by "air gaps" and "security by obscurity", but over time isolated systems shifted to more connected systems, including connectivity to safety-critical control systems found in vehicles and in Advanced Traffic Management Systems. In addition, due to the human factor there is no true air gap. Users can, and often do, create a connection through external devices (using USB sticks, thumb drives, laptop connections, VPN, DVDs, etc.). MARTA, as part of a cybersecurity system assessment, defined cybersecurity zones, critical components, and communication conduits with corresponding Security Assurance Levels (SALs) based on an evaluation of the consequences of a successful cyberattack. (For more information, see the MARTA Case Study at the end of this chapter.) A typical highway transportation system network and recommended countermeasures, including firewalls, network separation, and intrusion detection systems, are illustrated in Figure 46 and Figure 47.
Figure 46: Typical Transportation System Network with Countermeasures

Figure 47: Typical Transportation System Network without Countermeasures

It is critical to be aware of how and what systems are connected in agency networks. For example, it is not uncommon to connect HVAC equipment to the rest of the network. The access for the 2013 Target credit card breach was through the HVAC system. After the Target incident, an estimate was made of vulnerable HVAC systems and over 55,000 internet-connected systems were found. Most organizations may not even be aware that their HVAC system can be found through the web, and may not be paying attention to the connections it has to other systems on the network.

Configuration Management

Transportation networks, and especially traffic control systems and field devices, require active configuration and maintenance. As delivered from manufacturers and resellers, default configurations are designed for easy deployment, not for security. Network devices may have open services and ports and support for older (vulnerable) protocols. Not only must the systems and devices be secured upon installation, their ongoing management and maintenance needs to be secured as well, and must be capable of managing changes and adapting to new vulnerabilities or the emergence of new threats. Secure standard configurations is one of the COBIT Critical Controls "First Five" or five "quick wins", "the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations." NIST 800-82, Guide to Industrial Control Systems (ICS) Security, summarizes that the "most successful method for securing control systems" is to gather industry recommended practices and draw on the wealth of information available from standards organizations' activities.

Configuration Management Basics
• Create and maintain a baseline configuration of information technology and control systems.
• Follow strict configuration management. Security configuration of devices should be documented, reviewed, and approved as consistent with agency cybersecurity policy. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
• All new configuration rules should be documented and recorded in a configuration management system, with a specific business reason for each change and an expected duration of the need.
• Verify standard device configurations to detect changes.
All alterations to such files should be automatically reported to cybersecurity personnel.
• Restrict access to configuration settings and ensure that configuration change control processes are in place.
• Build and maintain a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this secure image should be integrated into the organization's change management processes.

Control System Considerations
• Negotiate contracts to buy systems configured securely out of the box.
• Security settings of IT products should be set to the most restrictive mode consistent with control system operational requirements.
• Ensure that all modifications to the control system network meet security requirements identified in risk assessment and mitigation plans.

Bring Your Own Device (BYOD) Recommended Security Practices

Replicating traditional cybersecurity policies to address mobile devices and other employee- or contractor-owned consumer devices, known as Bring Your Own Devices (BYOD), may be difficult, if not impractical. Privacy is a major concern in consumer-owned devices, which raises the issue of separating agency data from private data. Applying controls to the data rather than the device may be a more practical solution.

Bring-Your-Own-Device Cybersecurity Basics
• Assess and document risks in information security (operating system compromise due to malware, device misuse, and information spillover risks); operations security (personal devices may divulge information about a user when conducting specific activities in certain environments); and transmission security (protections to mitigate transmission interception).
• Consider data sensitivity when reviewing apps in use and conducting a risk assessment. Clarify ownership of the apps and data.
• Identify permitted and supported devices to prevent introduction of malicious hardware and firmware. Recommend an approach to content storage (e.g. cloud vs. device).
• Controls should be applied to the data rather than the device. Set operational principles on the use of allowed cloud services.
• Define content applications that are required, allowed, or banned and consider use of mobile device management (MDM) and mobile application management (MAM) enterprise systems to enforce policies.
• Address app compatibility issues (e.g., accidental sharing of sensitive information due to differences in information display between platforms).
• Keep policies and processes up to date. Employee agreements that address wiping personal and corporate data must be active, not passive, with signatures and a human resources record.

Monitoring and Detection

Many resources have cited the importance of monitoring, logging, and analyzing successful and attempted intrusions to systems/networks as a critical component of cybersecurity. These elements are essential to "establishing a continuing process for security improvement".
APTA Recommended Practice: Securing Control and Communications Systems in Rail Transit Environments Part II includes a companion concept to Defense-in-Depth, Detection-in-Depth, a "way to detect that an intruder has gained access". The Practice recommends that detection methods be created for each zone and defensive layer. It is recommended that anomalies, successful and attempted intrusions, and accidental and unintended incidents be logged and analyzed as part of an ongoing cybersecurity process.

Common monitoring and detection challenges have been identified:
• There is too much data to analyze.
• Too many alerts and false positives occur to effectively identify problems and issues.
• There is incomplete visibility of the network and endpoints.
• Any deficiencies in monitoring, logging, and analysis provide opportunities for network compromises and security incidents.

Intrusions can be, and commonly are, hidden: the average time to detect a data breach and/or a malicious insider is over 200 days. Even when incidents are detected, without protected and complete logging records it is difficult to determine the details of the incident and what effects it has had on the network and systems. Poor or nonexistent log analysis processes allow intrusions such as APTs to persist for months or years without anyone in the organization knowing about it, even though the evidence may be recorded in unexamined log files.
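As an added illustration of the Detection-in-Depth idea above (a detection rule set per zone, with repeated hits collapsed into one alert to keep alert volume manageable), the following is example code written for this page, not code from the APTA Recommended Practice or the report; the zone names, event types, thresholds, and log lines are all constructed.

```python
from collections import Counter

# Constructed sample log lines (not from the report): key=value records tagged with the
# cybersecurity zone in which each event was observed.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 zone=corporate host=ws14 event=auth_fail user=jdoe src=10.1.4.22
2024-03-01T08:00:02 zone=corporate host=ws14 event=auth_fail user=jdoe src=10.1.4.22
2024-03-01T08:00:03 zone=corporate host=ws14 event=auth_fail user=jdoe src=10.1.4.22
2024-03-01T08:00:04 zone=corporate host=ws14 event=auth_fail user=jdoe src=10.1.4.22
2024-03-01T08:00:05 zone=corporate host=ws14 event=auth_fail user=jdoe src=10.1.4.22
2024-03-01T08:00:09 zone=corporate host=ws14 event=auth_ok user=jdoe src=10.1.4.22
2024-03-01T08:05:00 zone=scada host=hmi02 event=config_change file=/etc/scada/points.cfg src=10.9.0.5
2024-03-01T08:05:30 zone=scada host=hmi02 event=auth_fail user=operator src=10.9.0.5
2024-03-01T08:06:00 zone=train_control host=atc01 event=new_device mac=00:11:22:33:44:55 src=10.20.0.77
""".splitlines()

def parse(line):
    """Split one key=value log record into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

# Per-zone detection rules (hypothetical): each zone gets its own watched events and
# thresholds. A threshold of 1 means any single occurrence alerts, which is what you
# would want in control-system zones where such events should be rare and reviewed.
RULES = {
    "corporate":     {"auth_fail": 5},
    "scada":         {"auth_fail": 1, "config_change": 1},
    "train_control": {"auth_fail": 1, "config_change": 1, "new_device": 1},
}

def detect(lines, rules=RULES):
    """Return one aggregated alert per (zone, event, src) that meets its zone's threshold."""
    counts = Counter()
    for rec in map(parse, lines):
        zone, event = rec.get("zone"), rec.get("event")
        if event in rules.get(zone, {}):
            counts[(zone, event, rec.get("src"))] += 1
    # Collapse repeats into a single alert carrying a count, rather than one alert
    # per log line, so analysts see four alerts here instead of eight.
    return [
        {"zone": z, "event": e, "src": s, "count": n}
        for (z, e, s), n in sorted(counts.items())
        if n >= rules[z][e]
    ]
```

Running `detect(SAMPLE_LOGS)` yields four alerts: five failed logons from one corporate source, a configuration change and a single failed logon in the SCADA zone, and a new device in the train control zone; the successful logon is not a watched event and produces nothing.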
Metropolitan Atlanta Rapid Transit Authority (MARTA)

The Metropolitan Atlanta Rapid Transit Authority (MARTA) operates heavy rail, bus transit, and paratransit services. MARTA's heavy rail system consists of four lines, including two lines serving the Hartsfield-Jackson Airport; its bus operations encompass 91 routes covering one thousand route-miles. MARTA, the ninth largest U.S. transit system in terms of unlinked passenger trips, provided 135 million trips in 2012 (2014 APTA Public Transportation Fact Book).

MARTA used information generated by the CSET® tool along with APTA's Recommended Practice Part 2 to conduct a cybersecurity gap analysis and risk assessment. The Cybersecurity Evaluation Tool (CSET®), developed by DHS's Control Systems Security Program, assists agencies and asset owners in assessing their cybersecurity practices through a series of detailed questions about components, architecture, policies, and procedures. CSET's Four-Step Process is shown in the diagram below:

Figure 48: CSET Four Step Process

In December 2012, DHS conducted a two-day onsite consultation and assisted MARTA in using CSET. Based on MARTA's answers to questions on the consequences of a successful cyber attack, Security Assurance Levels (SALs) were determined by the tool. Depending on the SAL, a cybersecurity level to protect against a worst-case scenario was then established. Each component received gap and priority ratings, and on-site and off-site SAL ratings. A network diagram created with the assistance of the tool helped MARTA staff visualize the criticality of network components and define cybersecurity zones, critical components, and communication conduits. ICS Administrative-level results were reported in the following Table:
ICS Administrative-level Access Control results identified gaps, which were matched with APTA controls. They were then analyzed according to Availability, Probability, and Severity. The result of the assessment was a 300+ page report with high-level recommendations and observations. MARTA has been prioritizing the recommendations with the assistance of APTA. Challenges in implementing the recommendations were due to the difficulty of replacing or retrofitting legacy systems and to agency resource constraints. MARTA's high-level timeline for its train control and SCADA cybersecurity is shown below:

Figure 49: MARTA Cybersecurity High-Level Timeline