Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies

CHAPTER 5
Workforce Planning and Training/Exercises

For both physical security and cybersecurity, a vigilant workforce with shared values, beliefs, and behaviors engaging in and using security-enhancing practices on a daily basis can enhance the agency's security posture. Transportation agencies must practice prudent workforce management, promote security awareness, and instill knowledge, skills, and abilities into this important and invaluable asset through organization-wide awareness initiatives and training programs that target relevant segments of the agency workforce.

The 2013 National Infrastructure Protection Plan (NIPP) calls for the strengthening of security and resilience for both physical and cyber critical infrastructure through the coordinated development and delivery of technical assistance, training, and education. NIPP 2013 also emphasizes "continuous learning and adaptation" to learn from incidents and exercises and rapidly incorporate lessons learned. The transportation sector contributed to the NIPP vision and mission through implementing its sector vision of a "secure and resilient transportation system, enabling legitimate travelers and goods to move without significant disruption of commerce, undue fear of harm, or loss of civil liberties." To achieve this vision, a primary goal of the Transportation Sector is security education, training, and awareness (DHS 2015a).

This chapter emphasizes the role of the workforce by highlighting its contribution to physical security and cybersecurity culture. The chapter then focuses on workforce planning and awareness and training programs for physical security and cybersecurity personnel of state DOTs and transit agencies. Training delivery and evaluation issues and exercises, exercise types, and the Homeland Security Exercise and Evaluation Program (HSEEP) are discussed, and a comprehensive checklist for a full-scale exercise is provided.

Building a Culture of Physical Security and Cybersecurity

To maximize effectiveness of security initiatives, a security culture must be established. Culture-building requires a multifaceted approach, which includes the following initiatives from APTA (2012):
• Awareness initiatives;
• Training program;
• Assessment of threats;
• Reduction of the attack surface;
• Addressing threats, mitigations, software/firmware update process;
• Addressing monitoring and detection methodologies;
• Ability to be audited for compliance; and
• Change-management systems.
The transportation agency workforce is the central element around which a security culture is built. Culture is shared values, beliefs, attitudes, and behaviors fueled by good basic practices and sustained awareness by all employees.

Terrorism is and has been a significant concern for transit agencies, especially systems operating in urban areas. After the terrorist attacks in New York City and Washington, D.C., on September 11, 2001, and the attacks on rail transit systems in Madrid, Paris, London, and Mumbai, the transit industry ramped up efforts to establish a security culture. Since transit police and local police cannot be in all places at all times, transit agencies expanded their scope by employing transit employees and civilians to act as their eyes and ears. As emphasized in the 2012 APTA Recommended Practice on Security Awareness Training for Transit Employees, all employees, including contractors, contribute to security by their very presence and their alertness. Transit agencies, with the support of FTA and DHS/TSA and relevant legislation such as Section 1408, PL 110-53; 121 Stat. 266, implemented awareness training programs and campaigns.

Transportation Sector activities related to culture-building, including training, that are highlighted in the 2015 Transportation Systems Sector-Specific Plan (TSSSP) (DHS 2015a) include provisions for cybersecurity, awareness training, and periodic exercises as a condition for receipt of security and resilience grants; developing exercise injects for highest threat scenarios; and, specifically for cybersecurity, developing incentives by facilitating training opportunities, recognizing industry achievements, certifying and confirming security measures as a condition for grant awards, and promoting DHS voluntary initiatives.
The First Observer Plus™ Program (www.tsa.gov/firstobserver) trains surface transportation professionals (highway, mass transit, over-the-road bus, school bus, trucking, truck rental, pipelines, parking workers, and transit police) to recognize and assess suspicious activity and report their observations. The following incident reporting hotlines were in use at the time of publication:
• "If You See Something, Say Something™" Campaign (dial 911);
• General Aviation Security HOTLINE (1-866-427-3287);
• TSA Contact Center (1-866-289-9673);
• DOT Report Safety Violations (1-888-DOT-SAFT (368-7238));
• National Highway Traffic Safety Administration Hotline (1-888-DASH-2-DOT);
• U.S. Coast Guard National Response Center Hotline (1-800-424-8802);
• America's Waterway Watch (877-24WATCH); and
• First Observer™ Program (844-872-3778).

These efforts help ensure that Transportation Sector workers and customers are continually aware and alert and are contributing to the creation of a security culture within transportation organizations and the sector.

While state DOTs have not been at the forefront of security efforts, with the U.S.DOT having received co-sector-specific status and the development of the TSSSP, state DOTs and other sector partners are expected to follow TSSSP guidance on security and resilience. AASHTO's 2015 4th Generation Strategic Plan emphasizes the need to provide the DOT workforce with security and infrastructure protection information. The AASHTO Fundamentals Guide also notes the importance of security awareness for the entire transportation workforce, describing the workforce as being "uniquely positioned to identify issues, problems, and deviations from the usual."

For cybersecurity as well, technology and process are important, but people are the most vulnerable element and a key component of a cybersecurity culture. Maintaining continuous cybersecurity awareness is a primary Transportation Sector goal (DHS 2015b) supported by
cross-sector, national-level NIST efforts such as the national public awareness campaign Stop.Think.Connect™; the National Initiative for Cybersecurity Careers and Studies (NICCS); and the National Initiative for Cybersecurity Education (NICE). The Cyber Information Sharing and Collaboration Program of the U.S. Computer Emergency Readiness Team (US-CERT) and Industrial Control Systems Computer Emergency Response Team (ICS-CERT) coordinates cyber information sharing and provides an incident hotline: 1-888-282-0870. National-level transportation-specific initiatives include the U.S.DOT Cybersecurity Action Team, which monitors, alerts, and advises the ITS and surface transportation communities of incidents and threats. The Transportation Systems Sector Cybersecurity Working Group is composed of government, industry, and private-sector stakeholders.

Physical Security and Cybersecurity Workforce

A stable workforce contributes to the success of the agency security mission, goals, and objectives. Workforce planning, required to achieve this stability by determining future workforce needs and requirements, involves an understanding of threats, including emerging threats and current capabilities of their workforce. State DOTs have difficulty acquiring high-demand technical skill sets due to lack of staffing resources as well as lack of clear career paths, and better opportunities in the private sector. Thus, outsourcing of technical activities is routine for many state DOTs. In fact, a 2015 U.S.DOT/FHWA white paper highlights the vital role of organization and staffing, including staff development, recruitment, and retention, in supporting effective transportation systems management and operations (TSM&O).
Personnel retirement and turnover within the transportation industry have increased workload burdens of remaining employees and increased training demands for new hires replacing departing personnel (U.S.DOT/FHWA 2015, TRB 2014b). A May 2016 survey of the AASHTO TSM&O Subcommittee members and Operations Academy graduates revealed the top two recruitment and retention issues of the 34 responding agencies were lack of existing training vs. emerging need, and the lack of a clear career path. Difficulties in recruitment related to salary competition and/or lack of required skills or certifications. Another finding included the difficulty most states were experiencing in filling key technical positions—especially in systems engineering, IT, and ITS device maintenance—with approximately half of responding states significantly dependent on consultants (AASHTO 2016).

As demand for a more technical workforce increases, good workforce planning practices to manage the demand, promote a stable workforce, and alleviate these issues will be essential. Personnel are the most expensive security countermeasure that may be implemented by a transportation agency, and expansion of the workforce requires overcoming significant hurdles. Effective workforce planning will diminish turnover along with the concomitant need to recruit and train new personnel, and help agencies address budgetary constraints.

The four key steps in workforce planning are (1) inventory the current workforce supply, including skills, abilities, and positions; (2) perform demand and supply analysis (demand analysis involves determining what skill sets are needed to meet organizational goals and objectives; supply analysis determines who is actually doing what); (3) identify gaps to determine where current supply falls short in meeting expected demand, and perform gap analysis to identify needed actions to meet future workloads; and (4) create an implementation plan (DHS 2014).
Workforce planning includes the strategic use of data and analysis tools. Tools such as the Capability Maturity Model (CMM), which originated in the software development industry, help organizations understand current workforce management capabilities of the organization. A CMM also allows for consistent evaluation and human capital decision-making. Each model helps a workforce planning segment or activity area evolve and reach a higher level by establishing
maturity levels. For instance, the National Initiative for Cybersecurity Education (NICE) CMM has three levels: limited, progressing, and optimizing. Their workforce planning activity areas are categorized into Process, Analytics; Integrated Governance; and Skilled Practitioners and Enabling Technology. The CMM employs a three-step process: (1) gather data on qualitative CMM variables; (2) analyze data and determine current maturity levels by CMM key area; and (3) determine priority areas for increased maturity and develop action plans (DHS 2014). The 2014 DHS white paper also notes that workforce planning may be able to capture unusual changes in workload in a specific unit; the changes may indicate a cyber breach that would otherwise have been missed.

A self-assessment framework for transportation agencies developed through the Second Strategic Highway Research Program (SHRP 2) helps agencies improve their TSM&O. In one framework, it provides "the key features of quality management, organizational development, and business process reengineering." The framework sees capability as a target, and improvements are identified, prioritized, and implemented in four clearly defined, "doable" stages: Performed, Managed, Integrated, and Optimizing (AASHTO TSM&O website, http://www.aashtotsmoguidance.org/). The AASHTO TSM&O website provides an online self-evaluation tool that identifies "key program, process and institutional preconditions" to improve an agency's TSM&O and create action plans.

The 2015 U.S.DOT/FHWA white paper Improving Transportation Systems Management and Operations (TSM&O) Capability Maturity Model Workshop addressed the need for support material for tackling state DOT workforce issues by identifying national activities that support improvements in organization and staffing.
These activities included the following:
• Develop a TSM&O organization and staffing gap analysis tool for agencies to compare current operations with those needed to fulfill all desired functions;
• Poll state DOT senior TSM&O managers on key staff capacities needed and unmet; compare identified needs with training and educational opportunities and consider remediation actions to fill gaps;
• Develop a suite of core competencies with lists of helpful training, experiences, and resources for TSM&O managers;
• Review critical training deficiencies across all levels of TSM&O employees, and develop permanent classes to address these deficiencies (for example, CITE or NHI courses);
• Review curricula of secondary and graduate schools related to TSM&O to identify key gaps and best practices to produce TSM&O-ready entry-level employees.

The appendix to the white paper Steps to Implement Common Implementation Plan Priority Action for Organization and Staffing Dimension contains useful tips on implementing these priority actions.

The TCRP F-Series reports provide an excellent source of workforce literature focused primarily on the transit industry. In particular, TCRP Report 162: Building a Sustainable Workforce in the Public Transportation Industry—A Systems Approach (TRB 2013b) provides information on 11 training and development strategies and implementation steps, along with sample programs implemented at specific agencies and professional capacity-building strategies that can complement an agency's training initiatives.

Physical Security Workforce

The labor costs associated with an agency's operating budget for security can exceed 90% to 92% of total annual expenditure. However, depending on the threats and unresolved vulnerabilities facing the organization, security personnel are often the most critical resource available
to reduce security-related risk. Unlike any other security countermeasure or technology, personnel provide the one vital capability for which there is no substitution—the ability to comprehend and apply reason. Security personnel bring the capacity to perceive the true nature of a threat, recognize ongoing aggressor tactics, and connect the dots. When adequately armed or reinforced they can repel or overcome the use of deadly force by responding with equal or greater force to neutralize the threat or activity. This factor alone is predominant in both the homeland security and public safety contexts. Absent a response force, aggressors or criminals would quickly disregard other security countermeasures as irrelevant.

Deciding on the necessity for security personnel or the extent to which forces should be deployed can be a significant challenge for security decision-makers and depends on the agency's risk profile and threat and vulnerability assessments.

In general, transportation agency decision-makers have an initial spend-or-no-spend hurdle to clear in hiring and deploying security personnel. Clearing that hurdle will require significant interaction with local authorities to establish the level of protection and response to security incidents that can be expected. Assuming there is a budget, spending operating dollars on security labor can be an easy decision for the agency to make at the outset, but a much harder decision to amend or withdraw. Those agencies who have previously deployed a security force can attest to the difficulties associated with eliminating a security presence even when that presence is no longer warranted.
For this reason, any agency that has not yet made an investment in sustaining a security force should exercise great care in ensuring that the rationale for security personnel staffing is objective and consistent with both an established threat profile and other organizational needs and requirements. In the event the agency determines that a security force is not required, a periodic review of this decision should be made in conjunction with ensuing risk assessments performed. The agency should also work toward achieving a written plan of security operations that documents the public safety service level and response contemplated.

When the transportation agency objectively determines that a security presence, beyond what is available from the locale's public safety community, is necessary to protect the system and its users, there are a number of planning options that should be analyzed. Figure 5-1 is a flow diagram that depicts the decision points that should be considered. Questions include:
• Is there a need for a part-time or full-time security presence?
• Is there a need for a dedicated security force?
• Should the security force be proprietary or contracted?
• Should the security force be armed?
• Does the security force need arrest powers?

The tradeoffs associated with these options have significant bearing on the transportation agency's overall security posture. At one end of the available choices is the deployment of unarmed, part-time security officers, with no arrest authority. At the other end is the fielding of a full-time, armed police department with powers of arrest. Where the agency falls on this decision line will affect the capabilities of not just the security labor force but also the performance and effectiveness of all other integrated system security countermeasures.
Figure 5-1. Transportation security force planning flowchart. (Source: Countermeasures Assessment & Security Experts, LLC 2008.)

No matter what underlying qualitative factors drive the decision about fielding security personnel, the best way to make accurate staffing level determinations is through the use of quantitative analysis. There are two sets of quantifying data available: (1) security breach- or crime incident-based information, including both calls for service and self-initiated incident responses; and (2) policy- and procedure-supported staffing deployment that is activity- and scenario-driven. Statistics regarding the occurrence of specific types of crimes or incidents are typically used to plan future crime control, security management, or risk reduction efforts. Most
transportation agencies experience a low level of serious criminal incidents. Known as Part 1 Crimes in conformance with FBI Uniform Crime Reporting criteria, crimes such as homicide, rape, robbery, aggravated assault, and arson occur so infrequently that the rate is often statistically insignificant from a crimes analysis standpoint. When the situation exists where quantifying serious crime data is inadequate to assist in establishing staffing levels, officer productivity data, including total calls for service and self-initiated security or police officer activities, should be used. For example, calls for service to respond to complaints of trespassers on agency property can be totaled for a specific period. The calls can be broken down by location, time of day, day of week, and other criteria. Then the information is measured against existing staffing levels and response times for responding security forces, as a means to identify an acceptable security operating condition in which risk is maintained within tolerable limits. Assuming the agency establishes a 15-minute response to a trespass incident as acceptable risk, Table 5-1 shows a staffing level of 20 officers would be required.

Trespass Incidents ÷ Number of Security Officers = Response Time

Self-initiated patrol activity associated with the security of parking lots or rest stops, maintenance facilities, or other agency areas can be similarly documented and measured as a percentage using a ratio of patrol activity time calculated against total shift time. This data can then be aggregated to establish the agencies' acceptable risk goal as a total number.
Assuming data collection shows that 50% of officer time is spent performing patrol activity, if the agency establishes a goal of 200 hours of shift time as acceptable risk, Table 5-2 shows a staffing level of 50 officers would be required.

Patrol Activity Time ÷ Total Shift Time = % Patrol Activity per Officer

Table 5-1. Staffing level for trespass incidents.

Officers on Duty    Trespass Incidents    Response Time
10                  50                    30 minutes
15                  50                    22.5 minutes
20                  50                    15 minutes
30                  50                    7.5 minutes

Table 5-2. Staffing level for patrol activity.

Total Officers    Total Shift Time    Patrol Activity Time    Percentage
50                400                 200                     50%

By extending this concept of data collection productivity quantification to those security-related issues that are most important to agency security, planners can reasonably approximate how large the security force should be. It is worth repeating that other qualitative factors, such as existing assignments of security or police to a given location will also impact staffing decisions. These subjective criteria should be recognized as an inefficient, albeit sometimes necessary, method of allocating security forces.

By assimilating threat assessment information into the productivity-driven quantification method, security planners can merge risk data with security operations data to minimize security vulnerabilities, while at the same time obtaining a reasonable approximation of security force workflow. For example, knowledge by the transportation agency that aggressor tactics
may include attempts to place IEDs at critical infrastructure points such as tunnel entrances, can result in periodic patrol checks at such locations. At the same time, security force response times can be measured by location, time of day, day of the week, and the like simply by treating the tunnel infrastructure check as a call for service. Assuming the agency establishes a 15-minute response to a tunnel check as acceptable risk, Table 5-3 shows a staffing level of 20 officers would be required.

Critical Infrastructure Tunnel Checks ÷ Number of Security Officers = Response Time

The time ratio data regarding self-initiated vulnerability reduction activities for the protection of critical assets and infrastructure would be measured as well. Assuming data collection shows that 50% of officer time is spent performing vulnerability reduction activity, if the agency establishes a goal of 200 hours of shift time as acceptable risk, Table 5-4 depicts a staffing level of 50 officers would be required.

Vulnerability Reduction Activity Time ÷ Total Shift Time = % Vulnerability Reduction Activity per Officer

Responding to trespass calls or performing tunnel checks would not be mutually exclusive patrol activities or vulnerability reduction activities. In fact, the transportation security force would integrate these activities as a means to optimize total security effectiveness.

In terms of cybersecurity, several categories of roles in disparate departments and units (e.g., IT, engineering, operations, HR) need to be considered. Survey findings published in ACRP Report 140 (TRB 2015a) revealed that a cybersecurity program would require between 0.3–2.65 new full-time equivalents (FTEs) for the roles of chief information security officer, trainers, IT operations, IT infrastructure engineers, chief information officer, and application managers. The FTEs could be either new hires or external resources.
Table 5-3. Staffing level for tunnel checks.

Officers on Duty    Tunnel Checks    Response Time
10                  50               30 minutes
15                  50               22.5 minutes
20                  50               15 minutes
30                  50               7.5 minutes

Table 5-4. Staffing level for vulnerability reduction activity.

Total Officers    Total Shift Time    Vulnerability Reduction Activity Time    Percentage
50                400                 200                                      50%

Cybersecurity Workforce

The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework or Workforce Framework (U.S. Department of Commerce 2017) promotes the development of a globally competitive cybersecurity workforce through the use of common terminology and seven high-level categories of cybersecurity functions: (1) analyze, collect, and operate, (2) investigate, (3) operate and maintain, (4) oversee and govern, (5) protect and defend, and
(6) securely provision, 33 specialty areas, and 52 work roles. Each work role is comprised of cybersecurity tasks and knowledge, skills, and abilities (KSAs) required to complete the tasks. Agencies can describe any cybersecurity role or position through the use of the Workforce Framework and inventory their cybersecurity workforce to determine gaps in KSAs, thereby determining training and qualifications needs. The Workforce Framework also supplies other resources designed to help organizations establish cybersecurity career paths, credentialing, and training and education for their workforce. The Workforce Framework is accessible via the National Initiative for Cybersecurity Education (NICE) website: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

The 2015 Transportation Systems Sector (TSS) Cybersecurity goals include the following (DHS 2015b):
• Maintain continuous cybersecurity awareness;
• Improve and expand voluntary participation in cybersecurity efforts;
• Define the conceptual environment;
• Enhance intelligence and security information sharing; and
• Ensure sustained coordination and strategic implementation.

A challenge for transportation agencies may be the requirement for transportation cyber specialists with an in-depth knowledge of both transportation and cybersecurity. High-level cybersecurity capabilities for state DOTs support these goals and include:
• Integrate cybersecurity decision-making into business processes and investments;
• Evaluate and manage agency-specific cyber risks;
• Implement industry standards and best practices; and
• Facilitate discussion and interaction between information technology, engineering, and operational groups to ensure that all systems are adequately addressed. Coordinate cybersecurity and cyber incident response planning across the enterprise.
With these goals in mind, the agency can consult the DHS Cybersecurity Workforce Development Toolkit, which provides extensive but straightforward guidance about workforce development. The toolkit recommends the following steps to develop the agency's cybersecurity workforce and high-performing teams:
• Prepare. Understand organizational readiness by reviewing and using the Cybersecurity Workforce Planning Capability Maturity Model (CMM). The CMM is a self-assessment tool to help agencies assess the maturity of their cybersecurity workforce planning capability.
• Plan. Explore risks by using the Cybersecurity Workforce Planning Diagnostic provided in the toolkit, and inventory cybersecurity workforce. Determine gaps by evaluating the organization's risk profile and workforce planning recommendations from the Workforce Planning Diagnostic against the results of the workforce inventory. These steps determine workforce needs (skills needed to meet workload). Gaps are addressed through hiring, outsourcing, changing the mix of positions and skills, or training existing workforce on needed skills.
• Build. Build the cybersecurity team by aligning the team and position descriptions, job tasks, and competencies to the Workforce Framework. This allows the identification of tasks that need to be added to meet the recommended skills list for each specialty area. Use the recruitment checklist provided in the toolkit. Establish an internal panel of decision-makers including representatives from senior management, human resources, cybersecurity management, and finance, and ensure the planning process is aligned with the agency's budgetary process to fund new positions and training. Also suggested is creating a program to develop future cybersecurity leaders.
• Advance. Retain cybersecurity staff and develop career paths. The toolkit provides sample proficiency levels—beginner, intermediate, and advanced—and sample career paths that can be used as templates to develop the agency's cybersecurity career path for each level. See Table 5-5 for a cybersecurity career path template.

Characteristics of high-performing cybersecurity teams identified in the toolkit include the following:
• Agile. Must be ready to change course and quickly resolve issues;
• Multifunctional. Must have diverse knowledge and skills;
• Dynamic. Must be able to respond to new threats by learning new skills and methodologies;
• Flexible. Must be able to shift priorities to meet daily challenges; and
• Informal. Must be flexible in terms of work hours and duties.

The toolkit also describes how to identify, recruit, and retain quality cybersecurity professionals.

Table 5-5. Cybersecurity career path template. (Source: Adapted from DHS 2016.)

Beginner
  Experience & Credentials
    Degree OR Work Experience (_ years) OR Certifications
  Technical Competencies & Skills/KSAs
    Competency 1, e.g., Info Security/Assurance
      - Skills needed, e.g., skill in performing damage assessments
    Competency 2
      - Skills needed . . .
    General Competencies
      - Skills needed, e.g., critical thinking and analytical skills . . .
  Training & Development Activities
    Sample Activity 1, e.g., Training Workshop
    Sample Activity 2, e.g., University Courses . . .

Intermediate
  Experience & Credentials
    Degree OR Work Experience (_ years) OR Certifications
  Technical Competencies & Skills/KSAs
    Competency 1, e.g., Info Security/Assurance
      - Skills needed, e.g., skill in performing damage assessments
    Competency 2
      - Skills needed . . .
    General Competencies
      - Skills needed, e.g., critical thinking and analytical skills . . .
  Training & Development Activities
    Sample Activity 1, e.g., Joint Assignment
    Sample Activity 2, e.g., University Courses . . .

Advanced
  Experience & Credentials
    Degree OR Work Experience (_ years) OR Certifications
  Technical Competencies & Skills/KSAs
    Competency 1, e.g., Vulnerabilities Assessment
      - Ability to identify systemic security issues
      - Knowledge of application vulnerabilities
      - Skills needed in the use of penetration testing tools/techniques
    Competency 2
      - Skills needed . . .
    General Competencies
      - Skills needed, e.g., critical thinking and analytical skills
  Training & Development Activities
    Sample Activity 1, e.g., Professional Conferences
    Sample Activity 2, e.g., Government Courses . . .
NCHRP Web-Only Document 221/TCRP Web-Only Document 67: Protection of Transportation Infrastructure from Cyber Attacks: A Primer (TRB 2015, modified 2016) identified the following high-level user categories and training needs derived from the Cybersecurity Framework (NIST 2014a):
• All users requiring access to electronic information or systems should be informed about agency cybersecurity policies and protocols and receive basic awareness content, and "are the single most important group of people who can help reduce unintentional errors and related information system vulnerabilities" (NIST 2014a).
• Third-party stakeholders include suppliers, vendors, partners, and customers.
• Privileged users are authorized and trusted to undertake functions ordinary users are not authorized to perform.
• Managers and senior executives need to set an example by adhering to policies and protocols and stressing the importance of IT/cybersecurity role-based training requirements. They also have important decision-making roles and responsibilities, including resource and staff allocation. The chief information officer administers training and oversees personnel with IT/cybersecurity responsibilities.
• Training personnel deliver necessary training and education to achieve desired awareness levels, understanding of roles and responsibilities, and KSAs. Training personnel also manage and assess awareness and training programs along with individual courses and sessions. The senior agency information security officer has tactical-level and implementation responsibility, while the cybersecurity training manager/chief learning officer is responsible for implementing specific role-based training. The training developer/instructional design specialist produces role-based training materials.
â¢ IT/cybersecurity personnel, such as system administrators and control system operators, require specialized knowledge and participate in the design, development, evaluation, and procurement of systems and equipment. â¢ Physical security personnel, including in-house and external police and security and local law enforcement, need to be aware of cybersecurity issues and the impact of cyber breaches on physical assets and infrastructure as well as the consequences of physical breaches on IT systems. Security Experts, Consultants and Contractors Transportation agencies need security professionals to assist in certain aspects of risk assess- ment, security planning, and countermeasures identification. It is specifically recommended that security consultants be contracted to assist in performing security vulnerability assessment (SVA) and security plan development. Obtaining professional help in security workforce plan- ning may also be appropriate. Security contractors should be retained to assist in security sys- tems integration, particularly in connection with selecting and implementing hardware and electronics such as intrusion detection, alarm systems, access control, and CCTV. Many times an organization will hesitate to formalize a consulting arrangement with a security practitioner or firm, but this hesitancy does not always make good business sense. Even the most profes- sional in-house security department cannot be expected to be expert in all phases of security risk management, process and procedure, and security technology. Competent security consul- tants can perform research, analyze conditions, and develop comprehensive security programs that can reduce the risks associated with conducting transportation operations. Of course, this assumes that the agency has identified the right consultant or consulting service. 
Workforce Planning and Training/Exercises 113

Two main factors should be evaluated when selecting professional security consulting assistance: (1) the documented qualifications of the security firm and (2) the backgrounds of the individuals who will be performing the security work. In the best of all worlds, the agency can identify a security firm with a successful record of past contracted employments performing work in the specific transportation sector and discipline, e.g., rail, highway, or transit. In addition, the security firm's leading experts will be available and on the team assigned to conduct the contracted security work. A word of caution is appropriate regarding the hiring of security contractors. There is a difference between hiring an independent security consultant and accepting security "recommendations" from a manufacturer or retailer's representative. Independent consultants can be called upon to provide objective opinions without bias or predetermination. Salespersons, especially those with high-technology products, are usually limited in approach and biased toward their company. Overemphasis on guards, alarms, or surveillance systems can cause an unnecessary drain on operating and capital budgets when the proper solution is the integrated balancing of security policy and procedure with other countermeasures in the agency's toolkit. Interestingly, organizations have a tendency to more readily accept proposals from security salespeople and contractors than from outside security consultants.

For cybersecurity roles and tasks such as conducting vulnerability assessments, which require a high level of skill, transportation agencies will likely find it cost-effective to outsource the work and/or procure commercial off-the-shelf software and hardware rather than expand their workforce to develop proprietary cybersecurity software and systems. While some agencies do have the capability to develop in-house training programs and software, agencies with minimal resources will need to rely more heavily on external resources.
In a 2016 survey of the AASHTO TSM&O Subcommittee members and Operations Academy graduates, of 34 responding agencies approximately half were dependent on consultants to fill technical functions.

Security Committees

Like safety, security in a transportation agency is a top-down organizational activity. Executives must support cross-disciplinary functions for activities to succeed. By supporting important agency functions, leadership drives the prioritization of work to comport with the agency's direction. Unfortunately, security within an agency is often deemphasized until an incident occurs. Managers, because of their lack of familiarity with the subject matter, can be reluctant to broach the issue of security. Then when an incident happens, impromptu crisis thinking can intrude into disciplined managerial decision-making, causing knee-jerk reactions that defeat security planning and preparedness. To overcome this tendency it is vital that an organization's senior management organization play an active role in determining the course of the agency's security-related activities. As stated in Managing Catastrophic Transportation Emergencies: A Guide for Transportation Executives, "Establishing the capability to manage and direct all-hazards transportation emergency response and recovery effectively, irrespective of the incident type, demands pre-planning, resourcing and staging of assets, and internal coordination and coordination with other affected external agencies, companies, groups, and personnel" (AASHTO 2015b).

It is recommended that the chief executive establish a senior advisory group consisting of executives from various departments who are designated oversight authority for system-wide security. This senior committee should meet on a regular basis to establish direction and develop strategic security policies and guidelines. The agency should also involve frontline and mid-management employees in security.
Representative individuals from across the agency should be selected to serve as security coordinators and participants in security committees. Where the agency maintains a dedicated security force, department coordinators should be responsible for day-to-day security interface and liaison. In those agencies without a dedicated
security force, a committee of department security coordinators should be empowered with the authority to manage security activities system wide.

There are three key areas of program coordination:

• Deploy a broad-based, system-wide security management process that identifies, tracks, and responds to all security threats, vulnerabilities, and occurrences.
• Maintain a workplace in which security incidents are routinely reported and every staff and operating department contributes to security improvements.
• Promote security awareness and communications throughout the organization.

Coordination and Mutual Aid

A cybersecurity event can have far-reaching consequences and may require coordination with other state or federal agencies and regional organizations. Understanding what agencies and organizations may be involved and building strong relationships with those entities before an event happens is important. As part of emergency response, state DOTs use mutual aid agreements and plans with other states and organizations to provide and receive resources. Mutual aid operational plans should include a schedule of training and exercises for validating plan design, concept, implementation and communications, logistics, and administrative structure. Interjurisdictional and interagency training and exercises are particularly useful for preparing for larger and more complex disasters and emergencies that require effective coordination among transportation agencies.

Physical Security and Cybersecurity Awareness and Training

The success of agency security initiatives depends on an aware and well-trained workforce. Police and security personnel cannot be in all places at all times. Transportation employees, particularly frontline employees, can act as the eyes and ears of law enforcement and expand their reach.
Therefore, it is imperative that transportation personnel are aware of security and cybersecurity risks and threats, and know what to do to protect themselves, passengers, the public, and agency property and infrastructure in case of a security threat.

While security awareness pertains to everyone and serves to focus attention on security, training prepares personnel for their roles. Mid- and high-level personnel must ensure that the agency has a systematic method to identify, assess, report, track, and respond to security threats, vulnerabilities, and incidents. They require role-specific training in addition to awareness training in such topics as risk management, vulnerability assessment, and planning for resiliency. Exercises provide opportunity for personnel to practice what they have learned and help validate, maintain, and improve training, plans, policies, procedures, and practices. Typically, the sequence of activities involves (a) security awareness, (b) training individuals on tasks, (c) training teams on integrated tasks, and (d) exercises.

The FTA Security and Emergency Preparedness Action Items for Transit Agencies: A Resource Document for Transit Agencies (2014) includes security and emergency response training as action item number 5, and a public security and emergency awareness program as action item number 7.

Definitions

According to the AASHTO Fundamentals report, the purpose of security awareness is to focus attention on security. It differs from security training, in that security awareness informs and draws attention to a security issue, but security training teaches the skills necessary to improve
security (AASHTO 2015a). The report defines training as an act, method, or process of instruction; to teach so as to make fit, qualified, or proficient.

Before implementing a security awareness and training program, an agency should be cognizant of the training requirements in its security and preparedness plans; the results of its risk assessment and threat/hazard and vulnerability assessments; and DHS, DOT, FHWA, FTA, and other external requirements, standards, and regulations. The agency should seek to incorporate security and cybersecurity activities into its daily operations and training to the greatest possible extent so that security becomes a part of the daily routine (TRB 2014a).

The awareness and training plan should include a multiphase training curriculum, differentiate training activity by audience and objectives, have an implementation plan specifying delivery methods and schedule/timeline, and design calendar initiatives to keep personnel actively engaged in security, individual training and program evaluation and improvement procedures, and resource requirements. The plan should also ensure that training, drills, and contact lists are kept up to date.

A security awareness and training program should do the following:

• Centralize dissemination and promotion of security information and awareness and training products (policy and procedures reminders, security alerts and updates, employee handbooks, tip cards);
• Identify employee security training needs and system-wide research and site surveys to identify security weaknesses;
• Create training solutions to address vulnerabilities and deficiencies; and
• Maintain training records, materials, and procedures to handle security-sensitive information.

Security-related training topics encompass understanding of plans, procedures, and measures for prevention, protection, mitigation, response, and recovery.
Topics should include the following:

Prevention and protection measures
• Background investigations
• Revenue vehicle security inspections
• Nonrevenue vehicle security inspections
• Random inspections of carry-on items
• Physical security inspections and site surveys using principles of crime prevention through environmental design
• Employee travel: domestic and international
• Operator assault protective measures
• Other on-board and off-board personnel assault protective measures
• Random counterterrorism measures
• Safe mail and package handling
• Security requirements of event services
• Security requirements of major capital projects
• Theft prevention measures
• Vendor and contractor security
• Workplace violence

Plans and procedures
• Active threat plans
• Bomb threat and unattended item management
• Chemical, biological, and radiological threats, including contagious viruses
• COOPs and contingency plans
• Document control of security-critical systems and facilities
• Emergency employee and public communications
• Emergency smoke ventilation in tunnels
• Information- and intelligence-gathering and -sharing procedures
• IT and communications systems plans
• Mutual aid
• Regional coordination plans and requirements
• Response to increased threat condition levels
• Sensitive security information (SSI) designation, markings, and control
• Shelter of transit vehicles and nonrevenue equipment during emergencies
• Threat and vulnerability identification, assessment, and resolution procedures (APTA 2013a; FTA 2014)

NCHRP Research Report 931: A Guide to Emergency Management at State Transportation Agencies, Second Edition identifies useful information on creating training and exercise programs (TRB 2019). In particular, PREPARE Phase 12: Administer Training Programs and Section 6 on training provide detailed recommendations on creating and implementing agency training and exercise programs, multiagency training and exercises, and evaluating training and exercises. Key points when establishing training programs include the following:

• In general, training activities should proceed from individuals to intra-agency team training to interagency and interjurisdictional exercises, with activities becoming progressively complex.
• After each training session, provide a chance for learners to reflect on and then apply their training.
• NIMS/ICS should be used for all training.
• Training should be "relevant, interactive, and specific." Instructor-student and student-student interactions promote learning. Chances for participants to share experience and knowledge should be provided.
• A training needs assessment can determine the required types of training, certifications, and credentialing by function or position.
The Exercise Handbook: What Transportation Security and Emergency Preparedness Leaders Need to Know to Improve Emergency Preparedness contains useful recommendations regarding training and exercises, and provides a background on andragogy or adult learning, noting that adult learners should be "active, self-directed participants in their own learning" and instructors should acknowledge and draw upon learners' wealth of professional experiences (MTI 2014).

Physical Security Awareness and Training

Because of their continued presence in and on agency properties or conveyances, employees are uniquely positioned to identify issues, problems, and deviations from what is usual. Employees of transportation agencies are a critical resource for maintaining a safe and secure operating environment. They represent an omnipresent team of experienced people who are knowledgeable and insightful about the daily work of the agency, as well as the normal operating and environmental conditions of the workplace. Similar to safety, regardless of size or risk, transportation agencies at minimum should implement a security awareness program that enables all personnel to contribute to the security of the operating environment. In a nutshell, "[s]ecurity is everybody's business" (TRB 2014a).

For example, in response to a bomb threat in an administrative area, an office worker is better equipped to find a suspicious item or package in his or her workplace than first responders,
who lack familiarity with the surroundings. Frontline employees perform work in stations, on vehicles, or on roadways or rights of way and, as such, are often the first to observe something is wrong. But transportation agencies cannot assume that employees will focus on security issues, understand the security risk, know how to respond to the threat, and report it in a timely and appropriate manner without appropriate awareness training.

The AASHTO 4th Generation Strategic Plan aims to enhance state DOT awareness of security and emergency management topics. Key prevention capabilities of state DOTs in the AASHTO Fundamentals Guide comprise security awareness issues (AASHTO 2015a). NCHRP Report 793: Incorporating Transportation Security Awareness into Routine State DOT Operations and Training project survey results revealed that 60% of the 31 responding agencies required or encouraged transportation security training (TRB 2014a).

Awareness activities focus attention on physical and cybersecurity issues, reinforce behaviors, and help personnel retain basic information. In addition, as noted in the AASHTO Fundamentals Guide (2015a), attention should be given to supporting agency business needs and processes (e.g., vehicles and maintenance facilities, and transportation management centers).

Some programs fail or are only moderately effective because of a lack of organizational readiness. The fundamental capabilities required to support organizational readiness for implementing a security awareness program are:

• Management support: Security is a top-down organizational activity.
• Reporting structure: Determine what gets reported to whom, and determine when and how to contact an external law enforcement agency; "what" includes who, what, where, when, and details of involved persons, objects, or vehicles.
• Awareness behaviors: Determine which areas and awareness behaviors need emphasis.
  Areas may include agency vehicles, stations, critical infrastructure, and control center/IT operations. Behaviors related to physical security may include recognizing and reporting indicators of crime or terrorism (trespassing, surveillance, theft, vandalism, sabotage); recognizing and reporting unusual or unattended objects; and recognizing and reporting unusual or suspicious people or activities. Behaviors related to cybersecurity include following basic security policies and procedures; removing unnecessary applications and functions from systems; and changing default configuration options and passwords.
• Integration and documentation of security procedures: Integrate security awareness procedures with existing security procedures, and document them.
• Leveraging existing organizational relationships with law enforcement: If applicable, use existing emergency reporting procedures when contacting law enforcement (TRB 2014a).

Examples of physical security awareness material and training are provided in Figures 5-2, 5-3, and 5-4.

State Departments of Transportation

According to the 2015 AASHTO Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience, and Emergency Management ("2015 AASHTO Fundamentals Guide"), state DOTs should prepare employees for their roles, ensure their understanding of plans, and provide an opportunity to test plans and validate the training. The guide helps state DOTs accomplish this by identifying their fundamental and necessary capabilities. These capabilities help inform security awareness and training needs and content.

The Training and Exercise capability states that the workforce should be trained on their roles and practice what they have learned. Roles and responsibilities are defined in the agency's security plans and preparedness plans, as are training and exercise requirements and schedules.
Source: FBI 2000. Figure 5-2. FBI advisory.
Source: TSA 2015. Figure 5-3. "If You See Something, Say Something™" campaign materials.
Plans include workplace violence plans, emergency action plans (EAPs), active shooter plans, emergency communications and evacuation plans, other occupational health and safety plans and procedural documents, and lessons learned from exercises or incidents. Cross-cutting capabilities in addition to Training and Exercises include Planning and Public Information.

Key Training and Exercise Capabilities

The following Training and Exercise Capabilities identified in the 2015 AASHTO Fundamentals Guide are minimum capabilities for the state DOT.

• Ensure that DOT employees receive training to prepare them for their roles and that they are able to practice what they have been taught to increase the effectiveness of the training.
• Incorporate security awareness into existing training, such as in new or existing employee training, including position-specific training where relevant. For example, Texas DOT incorporates security awareness information into bridge inspector training, highlighting the need to be vigilant and pass along information.
• Keep training, drills, and contact lists up to date.
• Identify lessons learned through an after-action report, and incorporate recommendations into existing plans and procedures.

Key Planning Capabilities

• Use an all-hazards approach.
• Integrate security into planning.
• Ensure consistency with national planning programs.
• Coordinate planning for agency-wide consistency.
• Coordinate with regional partner plans and processes.
• Maintain support and participation from the top (critical).
• Ensure adequate distribution of plans.
• Review and update plans regularly.

Key Public Information Capabilities

• Make sure that effective communications mechanisms and people are in place so the agency can communicate regularly and competently to all stakeholders.
• Maintain clear and streamlined communications, with coordination and a cooperative attitude among all process stakeholders.

Source: TSA 2015. Figure 5-4. First Observer Plus™ video training.
• Communicate regularly and often.
• Be proactive by releasing relevant and related public data.
• Leverage all appropriate communication means such as social media sites and web-based and mobile technology.
• Provide 24/7 travel information and timely alerts and warnings.
• Coordinate public information and establish procedures to ensure that DOT "speaks with one voice" and releases consistent information to the public and the media.

Key Operational Coordination Capabilities

• Establish internal agency communications protocols.
• Integrate and synchronize actions of participating organizations and jurisdictions to ensure unity of effort.
• Enhance and maintain NIMS-compliant command, control, and coordination structures to stabilize the incident and transition to recovery.
• Collaborate with all relevant local and regional partners.
• Establish clear lines and modes of communication among partner organizations and jurisdictions.
• Coordinate with appropriate local, regional, and national partners such as nongovernment organizations.

Key Prevention Capabilities

• All transportation employees contribute to security and prevention.
• Establishing security awareness of all employees can support prevention.
• Because of their constant presence on agency premises, employees are uniquely positioned to identify issues, problems, and deviations from the usual.
• Security and safety are centrally led activities.
• Focus security awareness on supporting business needs and processes such as critical infrastructure, DOT vehicles and maintenance facilities, and transportation management centers.
• Establishing a reporting structure in advance (whom to tell and how to describe something suspicious) is critical to a security awareness program.
Key Protection Capabilities

• Incorporate risk management and risk assessment, plans and strategies, and countermeasures and adaptations.
• Understand the sensitivity of system assets, infrastructure, and services to different types of events.
• Understand interdependency of critical infrastructure.
• Integrate asset protection with broader transportation planning efforts, such as identification of long-term transportation capacity needs.
• Consider countermeasures to address possible vulnerabilities such as access control and system hardening for both physical and cyber security.

Key Mitigation Capabilities

• Conduct vulnerability assessments to identify known and unknown risks, present and future.
• Identify key dependencies and interdependencies, including mapping potential cascading effects from potential infrastructure disruptions.
• Monitor likely problem areas and explore mitigation/resiliency strategies to minimize impact. Examine activities to reduce asset loss or human consequences (such as injuries or fatalities).
• Collaborate with regional partners and stakeholders.
• Consider applicable standards and best practices for mitigation plans and incorporating resilience into asset and system design.
• Identify mitigation approaches such as seismic retrofitting, elevation changes, and flood proofing. Determine whether adaptations such as environmental buffers can be incorporated into the infrastructure design to mitigate the effects of natural disasters.

Response and Recovery

Security is generally considered the phase leading up to and until responders arrive. However, according to the 2014 National Strategy for Transportation Security (NSTS) Report to Congress, response and recovery preparedness, as well as prevention, for a security event such as a terrorist attack should be emphasized (NSTS 2014). The report recommends response training for chemical and biological threats for frontline transit employees and participation in local security exercises to ensure familiarity with plans, procedures, and capabilities. In addition, during an active threat incident, knowing how to respond can be a lifesaver. Understanding proper documentation procedures is also important for reimbursement purposes for major disasters and emergencies. Further, since any phase can be impacted by a security incident, security issues should be addressed during emergency response and recovery phases as well.

State DOT emergency preparedness training and exercise needs for response and recovery planning including the importance of NIMS and ICS training are discussed at length in NCHRP Research Report 931: A Guide to Emergency Management at State Transportation Agencies (TRB 2019).
Additional Training Needs

Additional security-related training needs include training required for security equipment or technology or personal protective equipment. The following topics are also pertinent to certain categories of agency employees: agency risk and vulnerability assessments, building/facility security, bridge and tunnel security, security design/crime prevention through environmental design, regional or state plans and/or legislative mandates and standards (e.g., the NIMS training standard) and grant requirements. Large-scale exercises and planned events usually involve multiple agencies and require training. The events are also an opportunity for personnel to practice what they have learned.

As noted earlier, there is a need for transportation cyber specialists who have an in-depth grasp of both transportation and cybersecurity issues, and understand existing and emerging cyber-physical dependencies and concomitant risks. Hence, cross-training between IT and engineering/operations/ICS functions and between cybersecurity and physical security functions will promote better understanding of interdependencies and vulnerabilities and enhance preparedness against mutual threats.

Active threats including active shooter, edged weapons, vehicle ramming, and flash mobs are becoming a concern for transportation agencies. These active threats often last a short period of time and end before the arrival of law enforcement. Immediate response is necessary for survival, and preparing the workforce for active threat incidents is vital.

As more attention is placed on resilience, transportation agencies will be under increased pressure to institute resiliency/sustainability measures. Understanding resiliency with respect
to security and cybersecurity will be an important training topic for transportation employees, especially staff of metropolitan planning organizations (MPOs). MPO staff will require training on security and cybersecurity planning as well as new resiliency and reliability planning factors introduced in the 2015 FAST Act.

Specialized training is needed for DOT transit grant managers in administering federal and state transit grants. Safety and security are topics included in NCHRP Web-Only Document 203: Curriculum for New State DOT Transit Grant Managers in Administering Federal and State Transit Grants (TRB 2014c).

Further, AASHTO's Managing Catastrophic Transportation Emergencies Guide (2015b) stresses the importance of involving the CEO of transportation agencies in training and exercises. The CEO of the state DOT is responsible for the agency's emergency operations plan, training and exercise program, and COOPs. COOPs help ensure that agencies will be able to continue essential functions during an emergency. The 2013 FEMA Continuity Guidance Circular 1: Continuity Guidance for Non-Federal Governments (States, Territories, Tribes, and Local Government Jurisdictions) offers continuity training and exercise specifications and guidance for non-federal government entities.

Transit Agencies

Since the terrorist attacks of September 11, 2001, and on the rail transit systems in Madrid, Paris, London, and Mumbai, the transit industry has been creating security awareness campaigns and training resources adaptable by transit agencies to their systems. For instance, the Metropolitan Transit Authority developed the successful "If You See Something, Say Something®" security awareness campaign and delivered it using a variety of information dissemination techniques and media, including video, posters, and television and radio advertisements.
Subsequently, "If You See Something, Say Something" transitioned into a national security awareness program, the Transit Watch program initiated in 2003 by the FTA that was operated as a partnership with APTA, ATU, and DHS.

APTA Recommended Practice on Security Awareness Training for Transit Employees (2012) provides minimum guidelines for security awareness training and baseline training. The recommended practice is applicable to transit agencies of all sizes or modes, and stresses the significance of involving the entire workforce, including certain contract employees, to avoid the gaps and vulnerabilities that could otherwise be created. Required learning objectives for APTA's security awareness programs include the following:

• Security awareness: Understand the need for security awareness, transit priorities, and importance of security for transit systems. Explain the importance of and ability to recognize the difference between normal, suspicious, and dangerous activity. Define roles and immediate actions to respond to dangerous activity.
• Threats and vulnerabilities to the transit system: Risk management concept, identifying threats/vulnerabilities/consequences, and identifying countermeasures.
• Security concerns: Recognizing transit crimes, defining terrorism, and recognizing terrorist activity.
• All transit employees' roles in security awareness.

A basic security awareness training program example curriculum outline includes:

• System Security Awareness for Transportation Employees, NTI;
• Terrorist Awareness Recognition and Training, NTI;
Workforce Planning and Training/Exercises 123
• Transit Response to Bus or Rail Hijackings Seminar, TSI;
• Active shooter scenario training, various; and
• Shelter-in-place training, various.

Exploring the Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area found the following best practices for passenger security awareness campaigns, which are also applicable to employee awareness initiatives: emulate existing campaigns (to save on agency resources); use multiple media; use consistent branding and messaging; use simple, actionable messages (without scaring passengers) (MTI 2010).

Awareness delivery techniques selected by the agency depend on audience, content/message length and complexity, training frequency, and available resources. NCHRP Report 793: Incorporating Transportation Security Awareness into Routine State DOT Operations and Training (TRB 2014a) highlights communications strategies for awareness messages that employ existing delivery vehicles, including the following:

• Senior management can include security awareness in all of their communications to their employees.
• Managers and supervisors can talk about security at meetings and events.
• Security topics can be discussed at the small unit level.
• Awareness messages may be attached to regular agency newsletters, emails, paychecks, reports, and the like, or disseminated through posters, reminder sheets, and employee wallet cards.
• Security awareness can be incorporated via short modules into new or existing training, or into position-specific training. Or, employees may be directed to the FEMA or DHS training materials (TRB 2014a).

The 2012 APTA Recommended Practice on Security Awareness Training for Transit Employees cites the following key training topics in addition to security awareness:

• Behavioral awareness—The ability to identify suspicious behaviors can help personnel alert law enforcement and prevent an incident from occurring.
• Surveillance—Being able to recognize and report surveillance activities such as taking photos of a transit facility can prevent an attack.
• Response procedures—Knowing how to respond to security events can save lives; for instance, knowing what to do in an active shooter situation can help personnel survive and also help their coworkers and the injured survive.
• Self-protection—Self-defense training with and without tools is discussed in TCRP Synthesis 93: Practices to Protect Bus Operators from Passenger Assault (2011). Because significant injury may occur in a matter of minutes, self-defense training and tools can help protect operators against assault. At the same time, agencies perceive liability issues linked to self-defense tools and have not generally issued them to operators. The synthesis, however, identified one transit agency that provided a self-defense tool (pepper gel) to their operators and another that offered training on pepper spray. Agencies were more likely to provide self-defense training without self-defense tools.

Transportation agencies should also consider providing transportation managers and employees with a working knowledge of security concepts, guidelines, nomenclature, and processes. Such follow-on security training programs should emphasize helping personnel attain better understanding of (1) the nature of threats against the agency, (2) the methods and strategies available to minimize or reduce those threats, and (3) the implementation process for improving security. Employee knowledge of the underlying rationale for deploying security countermeasures will go a long way toward ensuring that an appropriate level of risk reduction becomes a part of the agency’s operations.
Role-specific training will vary based on position or function and will include detailed information on threats, vulnerabilities, and countermeasures specific to the function, immediate actions based on threat type, and service continuity and restoration procedures. For bus operators, for example, the following topics may comprise their security training curriculum:

• Threats, vulnerabilities, and countermeasures;
• Pre-trip inspection;
• Vehicle securement;
• Fare enforcement;
• Customer assistance;
• Self-protection against active threats;
• Emergency evacuation and shelter-in-place procedures;
• Fire suppression;
• Panic button and emergency communications;
• Customer communications/verbal de-escalation;
• Interacting with responders/how to handle on-scene investigations; and
• Service continuity and restoration.

The following training topics are included in Section 1408 of Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act), Public Law 110-53; 121 Stat. 266 (U.S.
Government 2007):

• Determination of the seriousness of any occurrence or threat;
• Crew and passenger communication and coordination;
• Use of personal protective devices and other protective equipment;
• Appropriate responses to defend oneself, including using nonlethal defense devices;
• Evacuation procedures for passengers and employees, including individuals with disabilities and the elderly;
• Training related to behavioral and psychological understanding of, and responses to, terrorist incidents, including the ability to cope with hijacker behavior, and passenger responses;
• Live situational training exercises regarding various threat conditions, including tunnel evacuation procedures;
• Recognition and reporting of dangerous substances and suspicious packages, persons, and situations;
• Understanding security incident procedures, including procedures for communicating with governmental and nongovernmental emergency response providers and for on-scene interaction with them;
• Operation and maintenance of security equipment and systems; and
• Other security training activities that the DHS secretary deems appropriate.

Preparing Training for Proposed Rule

While it may be difficult for transit agencies to immediately include all topics listed in a training program, the FY2017 Transit Security Grant Program states that security plans should contain a strategy and timeline for conducting Section 1408 training. Section 1408 is currently in the National Proposed Rule Making stage; TSA has solicited comments on Security Training for Surface Transportation Employees (81 FR 91336).
The proposed rule would apply to public transportation and passenger railroads in the eight regions with the highest transit-specific risk (approximately 46 systems) and AMTRAK; over-the-road bus owner/operators providing fixed-route service to/through/from the highest-risk urban areas (approximately 202 owner/operators); and Class I freight railroad carriers, railroads transporting rail security-sensitive materials through identified high-threat urban areas, and railroads with other higher-risk rail operations.
The proposed rule would require these entities to do the following:

• Develop security training programs to enhance and sustain the capability of their security-sensitive employees to observe, assess, and respond to security incidents as well as to have the training necessary to implement their specific responsibilities in the event of a security incident.
• Submit the required security training program to TSA for review and approval.
• Implement the security training program and ensure all existing and new security-sensitive employees complete the required security training within the specified timeframes for initial and recurrent training.
• Maintain records demonstrating compliance and make the records available to TSA upon request for inspection and copying.
• Appoint security coordinators and alternates who will be accessible to TSA 24 hours per day, 7 days per week and transmit contact information for those individuals to TSA (an extension of current 49 CFR Part 1580 requirements).
• Report significant security incidents or concerns to TSA (an extension of current 49 CFR Part 1580 requirements).
• Review and update security training programs as necessary to address changing security measures or conditions.

Training specifically identified as required through the transit agency’s security assessments also should be included in security plans.

Transit Police Training

Larger transit agencies have in-house transit police and/or security personnel. These officers may receive specialized training such as behavioral assessment, counterterrorism, and Hazmat training. Officers who are required to use explosives detection technology or canine or radiological or chemical detection devices require appropriate training. Large transit systems have conducted random bag inspections and passenger security inspections; officers assigned to perform inspections will need training.
Transit police with Special Weapons and Tactics (SWAT) teams need to deliver specialized training to team members on equipment and techniques. Transit police also deploy high-visibility foot and vehicle patrols as well as plainclothes officers to combat crime and terrorism. These patrol officers should be provided with appropriate training on patrol techniques. Police departments employing any other law enforcement technique or special equipment or technology should provide training to their officers, along with opportunities such as drills and exercises for them to practice what they have learned.

Security and Cybersecurity Awareness Resources

The transportation industry, its associations such as AASHTO and APTA, research organizations including TRB, educational institutions, and government agencies such as DHS/TSA, DOT, DOJ, FHWA, FTA and CDC have developed a significant body of security awareness information important to the transportation sector. For instance, NCHRP Report 525: Surface Transportation Security, Volume 7: System Security Awareness for Transportation Employees is a CD-based, interactive multimedia training course designed to help transportation employees, supervisors, and managers define their roles and responsibilities in transportation system security, recognize suspicious activities and objects, observe and report relevant information, and minimize harm to themselves and others (TRB 2006b). Course modules focus on system security, reducing vulnerability, suspicious activity, suspicious objects, top priorities, and preparation. NCHRP Report 793: Incorporating Transportation Security Awareness into Routine State DOT Operations and Training highlights the importance of security awareness for all state DOT
employees and contractors (TRB 2014a). Through a flexible “campaign” approach, the guide outlines techniques to integrate all-hazards security awareness concepts and reminders into routine state DOT operations, maintenance, and training.

Cybersecurity Awareness and Training

The 2012 Transportation Roadmap (DHS/NCSD/CSSP 2012) created by the Volpe Center and industry stakeholders seeks to build a “culture of cybersecurity” that includes an ICS cybersecurity governance model and a cybersecurity awareness training program. The roadmap’s goal is the merging and integration of cybersecurity and ICS, along with a cybersecurity culture in which cybersecurity best practices are a way of life. Under this plan the IT unit protects information assets and addresses information security issues, while engineering operations typically address ICS and other operations systems security. While traditionally these groups have been isolated from each other, now the growing cyber-physical threats and incorporation of connectivity, IT protocols, and remote access capabilities into operations systems necessitate effective coordination and communication between units, as well as between units and physical security functions.

The NIST Cybersecurity Framework (2014a) highlights awareness and training as a key component of the PROTECT function, in which the organization’s personnel and partners are provided cybersecurity awareness education and adequately trained to perform their information-security–related responsibilities. The 2015 TSSSP promotes workforce learning through inclusion of cybersecurity training in security and resilience plans as a condition for receipt of security and resilience grants.

The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (U.S.
Department of Commerce 2017) includes awareness and training as important countermeasures. The framework recommends that “the organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.” The key underlying principle is that all users, including contract employees with access to the agency’s network and computer systems, need awareness education, while certain positions require role- or responsibility-specific training.

Cybersecurity Awareness Content

Cybersecurity awareness training content typically covers agency policies and procedures, rules of behavior for use of IT systems and networks, good practices, threats and countermeasures, and reporting procedures. More specifically, NIST-recommended topics include:

• Understanding agency policy on agency mobile phone and tablet security/use;
• Understanding agency policy on personal mobile phone and tablet security/use;
• Ability to recognize potential threats including social engineering attempts;
• Ability to differentiate between real and fake messages;
• Ability to respond appropriately and report an incident;
• Knowing when and how to report an incident;
• Understanding record-keeping procedures;
• Understanding effective password management techniques; and
• Understanding the implications of security breaches (NIST 2014b; NIST 2003).

Awareness content should be refreshed and updated on a regular basis, incorporating the latest threat and incident information and alerts. Examples of cybersecurity awareness content are provided in Figure 5-5 and Figure 5-6.
Figure 5-5. Cybersecurity STOP. THINK. CONNECT.™ awareness material. Source: DHS n.d.b.
Figure 5-6. Data Privacy Day campaign material. Source: Data Privacy Day 2018.
Cybersecurity Awareness Delivery

Specific NIST recommendations on awareness delivery mechanisms include the following:

• Posters, do-and-don’t lists, or checklists
• Screensavers and warning banners/messages
• Newsletters
• Desk-to-desk alerts
• Agency-wide email messages
• Videotapes
• Web-based sessions
• Computer-based sessions
• Teleconferencing sessions
• In-person, instructor-led sessions
• IT security days or similar events
• “Brown bag” seminars
• Pop-up calendar with security contact information, monthly security tips, etc.
• Mascots
• Crossword puzzles
• Awards programs (Section 5.2, NIST SP 800-50, 2003)

Cybersecurity Training Content

The NIST Cybersecurity Framework (2014a) identifies key high-level cybersecurity functions and related training topics. Assistance in implementing the framework is found in Transportation Systems Sector Cybersecurity Framework Implementation Guidance (DHS 2015b) and NIST resources and guidance. The cybersecurity content provided in the 2016 NCHRP Cybersecurity Primer and its appendix may serve as the basis for cybersecurity training.

Two efforts of note are the National Initiative for Cybersecurity Careers and Studies (NICCS) and the National Initiative for Cybersecurity Education (NICE). NICCS is a national resource on cybersecurity awareness, education, careers, and workforce development opportunities. Previously developed cybersecurity courses or modules can also be accessed via this resource. Access NICCS at http://niccs.us-cert.gov.

NICE is being led by NIST with the cooperation of more than 20 federal departments and agencies.
The goal of NICE is a national cybersecurity education program for the development and use of sound cyber practices by federal employees, civilians, and students, and includes the following three components:

• Component 1: National Cybersecurity Awareness, lead agency DHS;
• Component 2: Formal Cybersecurity Education, co-lead agencies Department of Education and National Science Foundation; and
• Component 3: Cybersecurity Workforce, lead agencies DHS, Office of Personnel Management, Department of Defense, and Department of Labor.

State DOT and transit cybersecurity guidelines and recommended practices are included in the 2016 NCHRP Cybersecurity Primer.

Cybersecurity Training Delivery

Various training delivery methods, ranging from computer-based training to classroom training to exercises, are available to transportation agencies. The methods implemented by
the agency will depend on agency size, geographic dispersion of the workforce, staff schedules, training content and objectives, budget, and predilections of the organizations.

Training implementation is difficult, especially for frontline personnel. NCHRP Synthesis 468: Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance and Operations Field Personnel identified the two key training delivery issues for frontline personnel—scheduling and limited budget (TRB 2015c). Delivery of training to frontline personnel, whose schedules are usually inflexible, requires overtime or “backfill” pay expenditures. Additional challenges identified were lack of qualified training staff, personnel turnover, distance issues, senior management issues, inadequate facilities and other resources, and insufficient information about available training. Transit agencies face training delivery challenges as well. As mentioned in TCRP Report 180: Policing and Security Practices for Small- and Medium-Sized Public Transit Systems, smaller agencies in particular have significant budgetary constraints that limit their ability to implement awareness initiatives, including training (TRB 2015e).

Solutions include computer-based training and in-person training. While in-person training is always synchronous in nature and requires scheduling, computer-based training can be either synchronous or asynchronous.

The advantages of computer-based training are many. Training is easily accessible wherever there is internet. Certain types of computer-based training are accessible without internet connection, and some training is also available through mobile smartphone and tablet applications. Training that is available on demand alleviates scheduling constraints and allows personnel to learn during their breaks or downtime, when it is convenient for them.
Training platforms now offer automated record-keeping and progress-tracking, lessening administrative requirements. Advances in online training technologies allow for increased interactivity between participants and the learning tool or instructor. Because of these factors, there is greater confidence in using computer-based delivery methods for technical training (Shaffer 2016). Still, the quality and level of interaction provided by computer-based training can vary, and students must have self-discipline to avoid distractions. Agencies must also be aware that some frontline or field personnel may not be familiar with computers and may require basic PC skills training prior to taking computer-based training.

Computer-based training identified and discussed in NCHRP Synthesis 468 (TRB 2015c) included the following:

• Online (synchronous) training with live instructors. Online training with live instructors (e.g., webinars) is a synchronous method of training. Software that facilitates the delivery of webinars; facilitation of student-instructor and student-student interaction; and recordings of training sessions are available.
• Asynchronous training. Self-paced training without the presence of live instructors, asynchronous training requires self-discipline but can still be interactive and maintain trainee interest and attention. Examples include YouTube videos and prepackaged CDs and DVDs.
• Computer simulations and virtual exercises. Full-scale exercises can cost hundreds of thousands of dollars, but a virtual exercise can be conducted at a fraction of the cost. Computer simulations and virtual exercises immerse participants in realistic environments, allow real-time interaction, and can be delivered using web-based or non-web-based technologies. Recently, interactive games have been developed to give stakeholders simulated experience with response and recovery.
While facilitation and scheduling are typically required, some provide on-demand learning features for individual players and, hence, can be both synchronous and asynchronous.
• Just-in-time training (JITT). JITT is used to train personnel on specific skills not needed on a continuous basis. While JITT is not always computer-based, agencies have noted a preference for computer-based training to deliver this type of training.
Face-to-face training solutions identified and discussed in 2015’s NCHRP Synthesis 468 include the following:

• Field crew meetings. Field crew meetings, regularly scheduled meetings at the district level, can be a cost-effective solution to providing training.
• Interjurisdictional and interagency training and exercises. These are useful to prepare for larger and more complex disasters and emergencies that require effective coordination among transportation agencies, public safety agencies, and private and nonprofit organizations.
• Joint training. Combining similar training topics can alleviate scheduling challenges and enhance intra-agency communications by providing personnel from different divisions or units an opportunity to interact. For instance, Texas DOT included security awareness in its bridge inspector training.
• Train-the-trainer (TTT). TTT training leverages resources by training one or more in-house trainers or otherwise qualified personnel, who then provide the training to other personnel. This strategy is especially useful to train large numbers of personnel in a relatively short time.
• Planned events, incidents, and exercises. Because disasters do not happen regularly, planned events, incidents, and exercises are excellent opportunities for personnel to practice what they have learned. After-action reports and lessons learned can identify additional training needs and gaps for individual field personnel and teams, and provide useful training content and scenarios.
• Classroom training. Classroom training, including training via CCTV, video teleconferencing (VTC), and Voice over Internet Protocol (VoIP), is a synchronous, high-quality, and interactive training method. The instructor can use various media and technology options to facilitate learning and maintain participant interest.
Table 5-6 summarizes the advantages and disadvantages of these training methods. Whatever the method, it is important to make the training as interactive and relevant to the audience as possible.

Table 5-6. Training delivery methods—advantages and disadvantages.

Field Crew Meetings
Advantages:
• Meetings are brief and are held on a regular basis at a location/time convenient to field personnel.
• Meetings are focused and relevant to field crew.
• Hands-on training is possible. Field personnel can practice a procedure or skill.
Disadvantages:
• None

Just-in-Time Training
Advantages:
• High retention of training content.
• Cost-effective.
Disadvantages:
• Personnel are not provided the opportunity to practice a skill or process before its real-life application.
• Taking the time to train personnel may delay the response effort.
• Training personnel in an emergency situation when their level of stress is high may hinder the learning process.

Interjurisdictional and Interagency Training and Exercises
Advantages:
• Opportunity for face-to-face interactions with peers from other response agencies through these exercises is essential preparation for larger and more complex events.
• The training helps prepare agencies and their field personnel to understand the ICS structure, their roles and responsibilities within the structure, and how they should integrate with personnel from other entities for these events.
Disadvantages:
• Scheduling difficulties may impede the ability of a large percentage of field personnel to attend these sessions.

Joint Training
Advantages:
• Scheduling difficulties may be mitigated by delivering emergency training in conjunction with another related topic.
• Intra-agency interaction and communications may be facilitated.
Disadvantages:
• Emergency component may need to be shortened or modified.

Asynchronous Training—Computer-based Training Without Live Instructors
Advantages:
• Alleviates the need to schedule training in advance.
• Allows 24-hour access to the material.
• Some on-demand services offer automated recordkeeping and trainee progress-tracking.
Disadvantages:
• Lack of ability to interact with other students and instructor limits learning.
• Student distraction may be more likely.
• Self-direction is needed.

Asynchronous Training—Prepackaged DVDs and CDs
Advantages:
• Allows trainers to select appropriate videos or CD or DVD packages that are the best value for their needs. The packages usually focus on a particular topic and contain a variety of tools.
• Cost-effective because many trainees may view the content typically for a fixed cost. Online on-demand training may charge the agency per trainee.
• With VTC, CCTV, or Skype technology, it is possible to present the content to multiple locations.
Disadvantages:
• When VTC, CCTV, or Skype technology is used, technology-related issues can arise and connectivity and quality of the transmission may be inconsistent.
• Training videos and packages on CD ROMs and DVDs are not on-demand; the training must be scheduled.
• Interaction with instructors and other trainees is limited.

Train-the-Trainer
Advantages:
• Cost-effective way to leverage limited resources.
• Alleviates need to hire additional training staff or consultants.
Disadvantages:
• Content dilution could be possible as additional training tiers are added.

Planned Events, Incidents
Advantages:
• Planned events and incidents are good opportunities to practice coordination, communications, resource mobilization, and traffic management/control strategies.
• Traffic incidents happen daily and provide many opportunities for practice.
Disadvantages (incidents):
• There is no guarantee that a series of minor incidents, aside from traffic accidents, will occur prior to a disaster.
• Incidents, even minor ones, have more risk associated with them; for instance, a minor traffic accident could become a multi-car crash with many fatalities and injuries.

Computer-Assisted Simulations
Advantages:
• A large, geographically dispersed audience can be reached.
• Allows identification of weaknesses or resource deficiencies in training, plans, procedures, and policies.
• Allows the participation and interaction of key personnel in different geographic regions.
• Improves individual performance, organizational communication, and coordination.
• Dangerous scenarios may be simulated safely.
• May or may not be web-based.
Disadvantages:
• Good PC and internet skills are necessary for learners to gain full advantage of training.
• In remote locations or other areas, bad or no internet access can hinder training.
• Unforeseen connection problems may arise during training. If on the host’s end, training may be interrupted.
• Bandwidth issues may cause delay or disruption.
• May lack realism, and may not provide a true test of capabilities in an emergency situation.
• For synchronous simulations, scheduling can be a problem.

Classroom Training
Advantages:
• Can present up-to-date information.
• Summarizes materials from various sources.
• Can adapt the material to student backgrounds and interests.
• Highlights important concepts and materials.
• Instructor enthusiasm can motivate students and enhance learning (McKeachie and Svinicki 2013).
Disadvantages:
• Reduced development of problem-solving skills and interaction among students if sufficient interaction opportunities are not provided.
• Scheduling difficulties.
• Cost of the training and travel, including time. (Scheduling and travel issues may be alleviated through the use of VTC, VoIP, or similar technology.)

Online Training with Live Instructors
Advantages:
• Cost is lower vs. classroom training.
• Training is standardized.
• Training can be provided anywhere with web access.
Disadvantages:
• Training must be scheduled in advance.
• Trainees may be distracted.
• Ability to monitor student progress may be limited.
• Access to a PC and internet are required.
• Familiarity with the internet and basic PC skills are required.

Source: TRB 2015c.

The trend toward increasing use of computer-based training methods may be due to a combination of resource constraints and improvements in computer-based training and platforms. Research conducted by the U.S. Department of Labor Employment and Training Administration (ETA) on technology-based training and services found a prevalence of blended delivery options in use by state and local stakeholders and acknowledged the value of technology-based training. The research authors, however, warned that more or sooner may not necessarily be better with respect to technology-based training, due to issues including infrastructure costs and technological skills of the workforce (U.S. DOL 2016).

Other professional capacity-building methods supplement training to improve retention and mainstream security. According to the 2016 AASHTO SCOTSEM Transportation and Emergency Management Survey results, a mix of capacity-building methods including print and electronic training materials and webinars were favored over conferences and peer exchanges.

Resources

Training can be provided via in-house trainers, contractors or contracted courses at agency-selected locations, or train-the-trainer. State or local law enforcement or the state emergency management agency may offer complimentary training. However, even in-house training or complimentary training by another provider requires resources to meet backfill or overtime expenses. In addition, provision of training to all personnel can be costly even if the cost per employee is low. Agencies should consider applying for federal grants to cover training costs. Grant programs include the following:

• Transit Security Grant Program;
• Intercity Bus Security Grant Program;
• Intercity Passenger Rail Program; and
• Port Security Grant Program.

Additional grant programs may be identified through the Catalog of Federal Domestic Assistance.

Integrating security awareness and training into routine activities and training as a means of leveraging resources is emphasized in NCHRP Report 793 (2014a). The report provides
integration methods and approaches. Further, physical and cybersecurity workforce development initiatives can be integrated into existing workforce development programs, such as internship or apprenticeship programs and tuition reimbursement programs. Partnerships with other state DOTs or transit agencies; state agencies, including state emergency management and homeland security agencies; colleges and universities; local technical assistance, tribal technical assistance, or rural technical assistance program centers; and unions and other organizations or memberships in professional organizations can also be leveraged to provide training and exercises. NCRRP Report 2: A Guide to Building and Retaining Workforce Capacity for the Railroad Industry (TRB 2015d) notes that on-the-job training creates positive training experiences and recommends leveraging high numbers of retiring personnel by creating a culture of preceptorship and mentoring to address urgent knowledge transfer needs.

Agencies should also take advantage of training technologies to facilitate their training programs and activities. Examples of useful technologies include:

• Learning management system or LMS. Allows delivery of training, tracking of user training and testing, and documentation of completed training;
• Tablets/mobile devices (e.g., iPads, smartphones). Allows delivery of module-based training to field personnel in diverse locations; some applications function with or without the internet; and
• Virtual training/exercise systems. Can provide immersive learning experiences at a low cost. Transportation Emergency Response Application (TERA) is an example of this type of training, simulating real-world scenarios and delivering individual and team training and simulation exercises for command-level roles. TERA is a transportation-specific version of the Emergency Management Staff Trainer (EMST), a robust training and exercise system.
The TRB Cooperative Research Programs along with the National Guard Bureau sponsored development of training simulation scenarios for no-license-fee systems. The transit sce- narios include active shooter, flood, hurricane, earthquake, power outage, and hazardous materials. While the flood scenario is currently the only scenario that includes DOT roles, research is in progress to develop additional DOT, transit, and airport scenarios. Transpor- tation emergency management professionals may register for TERA for free at www.tera. train-emst.com. Training Evaluations Training evaluations can determine the value of training by assessing whether learning has occurred; whether learning was applicable to job performance or other behaviors affecting results; whether the learning was applied to the job; and, if it was, whether there was positive impact on performance or other job-related behaviors. Evaluations, along with use of perfor- mance indicators, also help agencies continually improve the training process and better allocate scarce resources. The U.S. Office of Personnel Management Training Evaluation Field Guide (2011) emphasizes evaluationâs important role in ensuring that training positively affects agency mission and out- comes. The OPM guide uses the New World Kirkpatrick Four LevelsTM to offer a structured way in which agencies can evaluate their training programs. The original Kirkpatrick training evaluation method was composed of four levels: (1) Reaction, (2) Learning, (3) Behavior, and (4) Results. Cybersecurity tests can evaluate the operability of new and existing systems or components, including specific cybersecurity measures and cybersecurity plans. Unannounced tests such as social engineering tests can assess employee cybersecurity behavior and habits and identify personnel who require additional cybersecurity training.
The Homeland Security Workforce Assessment Act, signed into law in December 2014, requires DHS to assess its cybersecurity workforce and create a strategy “to enhance the readiness, capacity, training, recruitment and retention of its cybersecurity workforce.” Elements of the strategy developed through this legislation may help state DOTs and transit agencies address their cybersecurity workforce needs. A mixture of qualitative and quantitative measures to evaluate progress in these activities appears in the 2015 Transportation Systems Sector-Specific Plan (TSSSP).

Assessment tools such as the DHS Cyber Resilience Review, the DHS CSET, Transportation Systems Sector Cybersecurity Framework Implementation Guidance, and the Department of Energy Capability Maturity Model can help organizations evaluate their capabilities and vulnerabilities, and identify areas requiring increased or additional training. The Transportation Systems Sector Cybersecurity Framework Implementation Guidance recommends the use of maturity models for the implementation of the Cybersecurity Framework by setting internal benchmarks and assessing various aspects of cybersecurity (DHS 2015b). The model outputs help agencies understand their cybersecurity posture and areas of opportunity, including training and awareness and workforce management. One of the main purposes of exercises is evaluation of individuals, teams, equipment, facilities, functions, plans, policies, and procedures.

Evaluation of Awareness Initiatives

The MTI Study on Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area (2010) revealed that transit agencies generally do not evaluate their security awareness programs for effectiveness but suggests several performance metrics that can be used to do so.
To evaluate the effectiveness of campaigns, the study recommends measuring the level of marketing effort, an output measure, and using easy-to-track indicators, passenger surveys, or tracking methods already in place. The metrics in the study, shown in Table 5-7, are focused on passenger awareness but would also apply to employee awareness initiatives.

Exercises

Exercises not only support training objectives by providing personnel the opportunity to practice what they have learned in training and identifying weak performers and training gaps, but can fulfill many other objectives related to an agency’s security mission. The 2015 AASHTO Fundamentals Report defines an exercise as:

    An instrument to train for, assess, practice, and improve performance in prevention, protection, response, and recovery capabilities in a risk-free environment. Exercises can be used for: testing and validating policies, plans, procedures, training, equipment, and interagency agreements; clarifying and training personnel in roles and responsibilities; improving interagency coordination and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for improvement.

NIPP (DHS 2013) emphasizes “continuous learning and adaptation” through a call to action to learn and adapt during and after exercises and incidents, and to rapidly incorporate lessons learned into technical assistance, training, and education programs. Drills, for instance, are a common form of exercise for state DOT field personnel and are used to provide training on specialized equipment or a specific procedure such as emergency evacuation.

Exercises are categorized as discussion-based and operations-based. Discussion-based exercises—seminars, workshops, tabletop exercises (TTXs), and games—help participants develop as well as understand their roles and responsibilities with respect to new plans,
policies, agreements, and procedures. Operations-based exercises—drills, functional exercises (FEs), and full-scale exercises (FSEs)—are conducted in a simulated operational environment and “validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps” (FEMA 2013c).

As shown in Figure 5-7, planning and training requirements for conducting the exercises increase as one proceeds from discussion-based exercises to operations-based exercises. Agency resource requirements increase progressively as well. Key attributes of each exercise type, including purpose, player action, duration, real-time play, and scope, are summarized in Table 5-8. The advantages and disadvantages of discussion-based and operations-based exercises are summarized in Table 5-9.

TTXs and drills are action item number 8 in the TSA/FTA Security and Emergency Management Action Items for Transit Agencies.

Another exercise type, the facilitated exercise model, was introduced by Mineta Transportation Institute (MTI) and is a type of modified full-scale activity. This model employs a scenario but divides response actions into learning stations, each of which requires an incident action plan and full-scale actions based on the plan (MTI 2014).

Table 5-7. Metrics of the 2010 MTI Study on Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area. Source: MTI 2010.

Goals
1. Increase Awareness
2. Provide Tools for Action: Contact Agency Staff; “Don’t Touch, Move Away”
3. Encourage Involvement & Alertness: Give Them Permission to Report. Make Them Feel Comfortable About Reporting.

Ways to Measure
Track Number of Security Reports
Analyze Security Reports
Customer Service
Police Field Interview cards
Dispatch Center
Outcome Measure:
Passenger Survey
Track website page counts and videos viewed
Add a security reporting category to dispatch center data collection
Outcome Measure:
Level and Types of Media:
Number and Distribution of Posters, Car Cards
Frequency of Audio Announcements
Website Information
Educational Video
Output Measure:
Track Number of customer calls, comments, feedback about any issue in
Outcome Measure:

Goal Achieved if/Campaign is Effective if...
Passengers Have Seen the Messages
Passengers Understand the Messages
Passengers Follow the Directions Correctly
Increased Passenger Engagement/Involvement in the System.
Increased Interaction Between Passengers and Transit Personnel.
Increased Reports of Security Issues to Security Staff, Station Agents, or Other Transit Employees
Figure 5-7. Security exercise types by planning/training requirements. Source: DHS 2013.
[Figure: exercise types plotted by Planning/Training against Capability. Discussion-Based: Seminars, Workshops, Tabletops, Games. Operations-Based: Drills, Functional Exercises, Full-Scale Exercises.]

Table 5-8. Security exercise description of purpose. Source: DHS 2013.

Discussion-Based Exercises
    Utility/Purpose: Familiarize participants with or develop new plans, policies, agreements, and procedures; focuses on strategic, policy issues.
    Player Action: Notional; actions are imaginary or hypothetical
    Duration: Rarely exceeds 8 hours
    Real-Time Play?: No
    Scope: Varies

Seminar
    Utility/Purpose: Provide overview of authorities, strategies, plans, policies, procedures, protocols, resources, concepts and ideas. Develop or make changes to plans/procedures. Assess interagency/inter-jurisdictional operations.
    Player Action: N/A
    Duration: 2-5 hours
    Real-Time Play?: No
    Scope: Multi- or Single-agency

Workshop
    Utility/Purpose: Achieve specific goal/product (e.g., SOPs, EOPs, COOPs, or mutual aid agreements). Compared to seminars, increased interaction and focused on product development.
    Player Action: N/A
    Duration: 3-8 hours
    Real-Time Play?: No
    Scope: Multi-agency/Single function

Tabletop Exercise (TTX)
    Utility/Purpose: Discussion of hypothetical emergency; validate plans and procedures, assess systems, increase awareness through collaborative problem-solving.
    Player Action: Notional
    Duration: 4-8 hours
    Real-Time Play?: No
    Scope: Multi-agency/Multiple functions

Game
    Utility/Purpose: Simulation of operations involving team competition; depict actual or notional situations; explore decision-making process and its consequences.
    Player Action: Notional / Actual
    Duration: 2-5 hours
    Real-Time Play?: No
    Scope: Multi-agency/Multiple functions

Operations-Based Exercises
    Utility/Purpose: Validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps.
    Player Action: Notional; actions are imaginary or hypothetical
    Duration: Hours, days, or weeks (depends on exercise purpose, type, scope)
    Real-Time Play?: Yes
    Scope: Varies

Drill
    Utility/Purpose: Validate a single function or capability on equipment, procedures, or skills in a single agency.
    Player Action: Actual
    Duration: 2-4 hours
    Real-Time Play?: Yes
    Scope: Single-agency/Single function

Functional Exercise (FE)
    Utility/Purpose: Validate and evaluate capabilities, multiple functions, sub-functions, or groups of functions; focus is on management, command and control staff and functions.
    Player Action: Command staff actions are actual; movement of other staff, equipment, or adversaries is simulated.
    Duration: 4-8 hours or several days or weeks
    Real-Time Play?: Yes
    Scope: Multiple functional areas/Multiple functions

Full-Scale Exercise (FSE)
    Utility/Purpose: Most realistic, complex and resource-intensive exercise type; involve multiple agencies, jurisdictions, and organizations. Validate numerous elements of plans, policies, procedures, and agreements.
    Player Action: Actual
    Duration: One full day or several days or weeks
    Real-Time Play?: Yes
    Scope: Multi-agency/Multiple functions
Table 5-9. Advantages and disadvantages of discussion-based and operations-based exercises. Source: TRB 2015c.

Discussion-Based Exercises (Tabletops, Games, Workshops, Seminars)
Advantages:
• Various scenarios can be addressed in a safe, non-stressful environment.
• It is less costly than operations-based exercises.
• The interaction that takes place among peers can lead to learning.
• Feedback obtained from after-action reports, debriefings, and hot washes can be beneficial in identifying additional training needs of individuals and groups.
• Lessons learned from the exercises can become the basis for future training content and scenarios.
Disadvantages:
• Cost could be an issue if the exercise is held at a location that is difficult to access.
• Discussion-based exercises do not provide the realism that operations-based methods provide.

Operations-Based Exercises - Drills
Advantages:
• When training on a specific function, activity, or equipment is required, drills provide hands-on experiential learning.
• Provides a sense of urgency to develop alternatives and make decisions without the possibility of serious consequences.
• In-house trainers may have more credibility since they have specific experience relating to the subject being taught and the job site.
• Procedural and policy gaps can be identified.
• May avoid comprehension problems related to literacy/language deficiencies.
Disadvantages:
• Providing hands-on training to a large number of individuals can be time-consuming and costly.
• Scheduling drills can be difficult due to the following constraints—availability of the field personnel, the instructor, and the facility or equipment.
• Variables differ based on the individual, so guaranteed outcomes are difficult.
• Personality differences between the instructor or mentor and the worker may cause issues.

Operations-Based Exercises - Functional Exercises
Advantages:
• When training and practicing on a capability or function(s), experiential learning in a realistic setting will facilitate the retention of the knowledge and skills needed by trainees.
• After-action reports, debriefings, and hot washes can identify units and individuals that would benefit from additional training.
• Lessons learned from the exercises can become the basis for future training content and scenarios.
Disadvantages:
• Arranging and scheduling FEs can be difficult and time-consuming.

Operations-Based Exercises - Full-Scale Exercises
Advantages:
• Highly realistic, complex situations are presented to personnel.
• After-action reports, debriefings, and hot washes can identify units and individuals that would benefit from additional training.
• Lessons learned from the exercises can become the basis for future training content and scenarios.
Disadvantages:
• Significant coordination, preparation, resources, and time are required.
Further information on exercise types, their differentiating features, their development and conduct, and evaluation methods can be obtained from the 2013 Homeland Security Exercise and Evaluation Program (HSEEP), the 2015 NCHRP Synthesis 468, the 2017 NCHRP 20-59(51)B Final Report, and the 2014 MTI Exercise Handbook. NIST SP 800-84 highlights the Tabletop Exercise (TTX), a discussion-based exercise held in a classroom setting, and an FE, an operations-based exercise. The NIST SP 800-84 Appendix A includes sample documentation for a TTX, and Appendix B provides the sample documentation, including sample scenarios and exercise injects for a functional exercise. NIST SP 800-84 appendices provide relevant AAR templates, forms, and information on the conduct of tests, tabletop exercises, and functional exercises.

The exercise evaluation process should yield important insights into strengths and weaknesses of agency plans, protocols, technologies, facilities, and participants as well as other observations and recommendations. These insights are documented in an after-action report, and corrective actions such as updates to security plans and additional training are identified and incorporated into an improvement plan.

Homeland Security Exercise and Evaluation Program

The 2013 Homeland Security Exercise and Evaluation Program (HSEEP) provides a common approach to exercise program management, design and development, conduct, evaluation, and improvement planning. The 2013 APTA Recommended Practice on Transit Incident Drills and Exercises (1st Revision) recommends the use of HSEEP and states that transit agencies should develop exercise programs based on risk assessments and findings from previous exercises.
These recommendations also state that transit agencies should conduct HSEEP-compliant exercises annually in accordance with TSA/FTA guidelines; conduct exercises in accordance with agency system security programs and its emergency management plan, integrating regional partners as appropriate; and coordinate and participate in regional exercises.

The fundamental principles of HSEEP include a focus on capability-based objectives and exercise priorities informed by risk, guidance of the exercise program and individual exercises by elected and appointed officials, integration of the whole community where appropriate, and use of common methodology. HSEEP principles also include a progressive planning approach with exercises temporally increasing in complexity, and alignment of exercises using a common set of priorities and objectives. In addition, HSEEP emphasizes the development of a multiyear Training and Exercise Plan to schedule and coordinate the delivery of training and exercise activities.

The HSEEP Exercise Cycle contains the following four elements: (1) exercise design and development, (2) conduct, (3) evaluation, and (4) improvement planning.

The APTA Recommended Practice on Transit Incident Drills and Exercises (1st Revision) (APTA 2013b) stresses the importance of the exercise planning team, which “designs, develops, conducts and evaluates exercises” and selects exercise objectives and develops scenarios and documentation. Exercise objectives are particularly important and should be risk based and aligned to core capabilities, as they drive all other aspects of exercise development, including scenario selection. 2013 HSEEP recommends that exercise objectives be SMART: simple, measurable, achievable, realistic, and task-oriented.

Scenario development requires careful planning as well since the effective use of scenario-developed data sets can help the agency develop policy and procedures and even make staffing level deployment decisions.
Scenarios are narratives or timelines used in operations-based exercises and TTXs. Sources of scenarios include National Planning Scenarios, Public Transportation System Security and Emergency Preparedness Planning Guide, and the 2014 MTI Report 12-08 Exercise Handbook annex, which includes an example scenario for a SCADA failure for mass transit system.

The following scenario was used in an active shooter training and exercise by the TSA Intermodal Security Training and Exercise Program (I-STEP), held at a 2016 conference of the AASHTO Special Committee on Transportation Security and Emergency Management (SCOTSEM).

Box 5-1. TSA Intermodal Security Training and Exercise Program Active Shooter Training and Exercise

The TSA Intermodal Security Training and Exercise Program (I-STEP) held an active shooter training and exercise for state DOTs at the AASHTO SCOTSEM conference in Tucson, Arizona on August 23, 2016. The training and exercise addressed Prevention, Protection, Response Mission Areas; Interdiction and Disruption, Physical Protective Measures; Environmental Response/Health and Safety Core Capabilities; and included the following components:

1. A TSA presentation on industry security efforts, ongoing initiatives, and active shooter resources/tools;
2. An active shooter training presented by the Pima County Sheriff’s Office; and
3. A live active shooter drill put on by the Pima County Regional Special Weapons and Tactics (SWAT) Team.

The purpose was “to provide insight into how law enforcement may respond to an active shooter incident (e.g., priorities, capabilities, actions), as well as expectations law enforcement may have of state Department of Transportation (DOT) employees and how those employees may be able to assist them in their response.” More specifically, the training and exercise addressed the following three objectives:

1. Discuss law enforcement and state DOT employee actions, considerations, and expectations that could help prevent, protect against, or mitigate an active shooter situation.
2. Discuss countermeasures and policies that state DOTs could implement to prevent, protect against, or mitigate an active shooter situation in/on their facilities/infrastructure.
3. Discuss and demonstrate methods to protect the health and safety of state DOT employees facing an active shooter situation.

In addition to AASHTO SCOTSEM member organizations, participating stakeholders included DHS Southern Border Joint Task Force–West, DHS TSA, Arizona DOT, Northwest Fire District, Pima County Sheriff’s Office, and Pima County Regional SWAT Team.

Component 1 consisted of presentations on the following topics:

• Ongoing TSA and Industry Security Initiatives;
• Securing Transportation Assets & Operations—Mitigation Strategies for Highway Modes; and
• Active Shooter Resources and Tools (www.dhs.gov/active-shooter-preparedness)

Component 2 was delivered by the Pima County Sheriff’s Office. The key points were the mentality of active shooters and their desire to kill as many as possible, and that active shooter events are unpredictable, dynamic, and may end before the arrival of law enforcement. Recommended state DOT personnel actions included:

• What to do prior to an incident—create a flexible plan to reach safety, be aware of the surroundings;
• Actions to take if the active shooter is outside the building;
• Actions to take if they are inside the building;
• Information to provide 911;
• What to expect and do when police arrive; and
• Emergency care tips.

Pre-incident planning by the state DOT included creation of an emergency action plan (EAP) and crisis kits, training and exercises, and site assessments.

Exercise Drill Scenario

The drill scenario for Component 3 was as follows: State DOT employees are attending a public hearing on a reconstruction project to address safety and other issues; opposition has been strong due to impacts on private residential and commercial property and on protected wetlands, waters, and animals; threats to disrupt the public hearing have been made.

Live Exercise Drill

The drill proceeded as follows: Exercise observers are placed inside the building. A disgruntled individual enters the building with an assault rifle and starts firing. Observers are moved outside the building and view the SWAT team arriving and entering the building. Observers reenter the building and view the actions of the shooter and SWAT team. The active shooter proceeds from room to room until he reaches the hearing room. The SWAT team searches for the active shooter. Observers are placed in the hearing room to view the resolution of the conflict (the SWAT team kills the shooter). Observers are then moved outside to watch fire and EMS responders arrive, evacuate occupants, and treat injuries as the SWAT team provides protection. A final Q&A session is held with the observers.

Exercise Results/Analysis and Next Steps

For each objective, strengths including best practices and areas for improvement were identified. For the first objective, a best practice was state DOTs having EAPs for active shooter situations; an area for improvement was that mass transit is a “soft target” for active shooters.
For the second objective, a best practice was awareness that creating chaos can distract the shooter; an area for improvement was that attendees were uncertain regarding what arms-bearing individuals should do during an active shooter situation. For the third objective, a best practice was outreach to local law enforcement agencies, which are typically willing to help provide state DOTs with active shooter preparedness and training; an area for improvement was that some DOT employees believed there were no hiding areas in their facilities.

Areas for improvement included root cause analyses and options for consideration. The possible next steps identified were TSA development of an active shooter training program for state DOTs using this exercise scenario and content, and state DOTs requesting active shooter training from their local law enforcement.

Source: TRB 2013c.
Box 5-2. Subway Bombing and Active Shooter Scenario

Exercises and drills are expensive and require all participants to be present in the same location at the same time. Hence, the TCRP A-36 project produced a simulation guided experiential learning tool to provide “training and exercise for command-level roles in the transit agency emergency operations center in relation to mitigating transit-specific emergencies and supporting state and local emergency management authorities in natural or manmade disaster incidents.” The tool, called Transportation Emergency Response Application or TERA, is a transportation-specific version of the Emergency Management Staff Trainer (EMST), a robust training and exercise system. One of the scenarios developed for the project combines a subway bombing with active shooter. The outline of the scenario is provided here.

Scenario Description

A man enters a central subway station, boards a train, and exits at the next station. He leaves explosives on the train, and they detonate within 10 minutes of his exiting the subway system. The man fires on emergency responders when they attempt to enter the second station until the attacker is eliminated 30 minutes later. Local law enforcement initially closes the area within a mile of the bombed stations to all street traffic.

Service Disruption

• Transportation: All subway service must be shut down. Bus service will also cease until the following day. The decision of how soon to offer subway service remains open. Downtown streets are closed to all traffic for the first day. Most streets reopen on the second day, except those within a block of the damaged stations (in central locations).
• Emergency Medical Services: Emergency responders are unable to reach the people injured by the bomb at the second station until protective shielding arrives, delaying response by 10 to 15 minutes. This affects 30 people.
Transit Authority Tasks

• Preservation of the lives of employees and passengers;
• Asset preservation;
• Sorting through confusing and conflicting reports;
• Initiating a system-wide shutdown;
• Assessing damage to facilities;
• Providing higher levels of security;
• Preparing a long-term plan for replacing subway service during repairs; and
• Providing psychological support to employees

This project has been expanded to address and incorporate state DOT, rail, and aviation scenarios, and TERA training has been delivered to multiple transit agencies and state DOTs.

Casualties: 6 fatalities, 150 injured, 20 require hospitalization
Infrastructure damage: 1 subway line and 2 subway stations damaged
Evacuations/displaced persons: None
Contamination: None
Economic impact: Minor
Potential for multiple events: None
Recovery time: 1 to 2 months
Exercise Types

The two major categories of exercises described in HSEEP are discussion-based exercises and operations-based exercises.

• Discussion-based exercises—seminars, workshops, tabletop exercises, and games—are less costly and time-consuming than operations-based exercises. Discussion-based exercises use a facilitator to direct discussions. They help familiarize and/or train participants on or develop plans, policies, agreements, procedures, and training.
• Operations-based exercises—drills, FEs, and FSEs—are more realistic and conducted in real-time and help assess plans, procedures, personnel, technologies, and equipment.

The key differences between discussion- and operations-based exercises are size and scope. For example, a tabletop exercise is a facilitated desktop discussion during which key personnel discuss scripted hypothetical scenarios in a classroom or other fixed setting. Full-scale exercises are multidisciplinary, multiagency field simulations that utilize role players, controllers, and other forms of logistical support to actively work through mock hypotheticals designed to resemble one or more real-life actual conditions.

Table 5-8 contains brief descriptions of each exercise type, and Table 5-9 lists advantages and disadvantages by exercise type. NIPP recommends designing exercises “to reflect lessons learned and test corrective actions from previous exercises and incidents, address both physical and cyber threats and vulnerabilities, and evaluate the transition from steady state to incident response and recovery efforts” (DHS 2013).
Supporting actions and recommendations for implementing exercises in the 2017 NCHRP 20-59(51)B Final Report and the 2014 MTI Exercise Handbook include involving all stakeholders, including disabled and other functional needs persons, in individual exercises, particularly evacuation scenarios; ensuring documentation of exercise activities; establishing a safety plan; developing and disseminating after-action reports (AARs) and the Improvement Plan (IP) or Corrective Action Plan to all stakeholders; tracking corrective actions and incorporating findings into the agency’s training and exercise program, plans, and procedures; and analyzing performance trends and results across exercises and taking necessary action. Figure 5-8 is a full-scale exercise checklist compiled from the four key sources of exercise guidance.

Training and Exercise Practices

State DOT security training practices are included in NCHRP Report 793: Incorporating Transportation Security Awareness into Routine State DOT Operations and Training (TRB 2014a). Survey results revealed that 60% of the 31 responding agencies required or encouraged transportation security training. The current transportation security training involved “If You See Something, Say Something” security awareness training, NIMS/ICS emergency response training, TIMS training, and HazMat Training, where appropriate. The 2017 NCHRP 20-59(51)B: Final Report and the 2015 NCHRP Synthesis 468 also provide numerous training and exercise practices of transportation agencies.

The 2017 AASHTO SCOTSEM State Transportation Security and Emergency Management Survey, undertaken in conjunction with the NCHRP 20-59(51)C Research Support for Implementing Security, Emergency Management and Infrastructure Protection at State Transportation Agencies, described the current thinking by DOTs about methods that would best result in effective mainstreaming of security into their agencies. The survey findings indicated that, in
Figure 5-8. Full-scale exercise checklist.

Exercise Initiation
• Identify drivers/purpose (e.g., grant requirement).
• Identify stakeholders.
• Identify funding streams.
• Identify exercise scope (agency, jurisdictions, participants).
• Identify scenario restrictions.
• Identify labor/union restrictions.
• Establish charter.
• Identify exercise director.
• Identify internal and external restrictions.
• Identify HSEEP compliance issues.
• Seek input from elected and appointed officials, the Training and Exercise Plan, and other sources.

Exercise Design and Development
• Establish the exercise planning team, design team, evaluation team, and controller team and identify team leaders.
• Assign planning team members to additional exercise roles as needed.
• Select exercise objectives and core capabilities for each objective; adhere to the SMART guidelines.
• Develop the exercise planning timeline with milestones.
• Hold key meetings:
    Concept and Objectives Meeting
    Initial Planning Meeting (important)
    Master Scenario Events List (MSEL) Meeting
    Midterm Planning Meetings
    Final Planning Meeting (important)
• Develop the exercise scenario.
• Create documentation:
    Exercise Plan for Players and Observers
    Controller and Evaluator Handbook for Controllers and Evaluators
    Master Scenario Events List for Controllers, Evaluators, and Simulators
    Extent of Play Agreement for Exercise Planning Team
    Exercise Evaluation Guides for Evaluators
    Participant Feedback Form for all Participants
• Coordinate logistics
• Ensure that the (who, what, when, where, how) questions have been adequately addressed.
• Identify and determine number of players, actors (mock victims), and volunteers.
• Determine role of media in exercise planning and conduct.
• Select appropriate, realistic site with sufficient space for exercise play and equipment.
• Develop site plan layout—locations of ingress, egress, traffic routes, etc.
• Develop site set-up/tear-down plan.
Determine appropriate number of victims and types of injuries. Create a resources listâincluding actors, props, supplies, portable toilets, fuel, vehicles, communications, and equipment. Create a communications plan. Create a safety plan and address safety issues. Designate safety officer. Develop a safety plan. Assess field location and weather. Include safety in pre-exercise items (e.g., briefings). Designate team members responsible for safety specific to their discipline. Address any legal liability issues. Establish and test emergency call-off procedures. (continued on next page)
144 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Exercise Conduct Plan for exercise conduct and control. Plan for exercise evaluation. Select lead evaluator. Define evaluation team requirements and structure. Assess exercises on the task level, organization level, and mission level. targets, and critical tasks. Recruit, train, and assign evaluators. Develop evaluation documentation including exercise-specific details, evaluator team organization/assignments/locations, evaluator instructions, and evaluation tools. Conduct a pre-exercise briefing to confirm roles, responsibilities, and assignments and any changes. Prepare for exercise play. Mark exercise areas and materials. Check/set up facility and equipment. Deliver exercise documentation. Deliver briefings to evaluators and controllers before day of the exercise. Deliver briefings to actors/victims upon check-in. Manage the exercise. Initiate exercise check-in process. Initiate exercise play. Controllers monitor and control exercise flow, provide data and injects, and respond to player resource requests. SimCell staff simulates any needed activity or staff not present. Evaluators observe and document exercise play and player responses using the Exercise Evaluation Guides. Missed objectives are discussed with controllers. Document exercise play through photos and videos. Terminate the exercise play. Perform wrap-up activities. Debrief exercise planning team and collect feedback from team members. Debrief and collect feedback from controllers/evaluators. Conduct âHot Washâ forum involving all participants for each functional area to identify exercise strengths and areas for improvement. Collect participant feedback using feedback forms during Hot Wash. Evaluation/After-Action Report/Improvement Plan Analyze data. Identify strengths and areas for improvement. Report exercise outcomes. 
Exercise sponsor/director obtains and reviews exercise outcomes from documentationâC/E feedback forms and debriefing, Hot Wash, and participant feedback forms. Prepare the draft AAR and IP and distribute to exercise participants and officials for input. Ensure the IP contains corrective actions, responsible parties, target dates, budgets, and reporting procedures for actions taken. Link each improvement item in the IP to a core capability. Ensure each improvement item has a target date and is assigned to an organization. Hold an After-Action Meeting for participants to discuss and obtain additional feedback on the AAR and IP. Develop and share AAR and IP with stakeholders. Remember to document the AAR process. Track corrective actions to completion. Incorporate AAR and IP findings into plans, procedures, training and exercises. Analyze trends and results across exercises and take any necessary action to support continuous improvement of the agencyâs training and exercises program and other security initiatives. Sources: HSEEP 2013; Prepare 12 Administer Training Programs; NCHRP 20-59(51)B Draft Final Report 201x; MTI 2014; TRB 2006d. Develop the Exercise Evaluation Guide, which includes objectives, core capabilities, Figure 5-8. (Continued).
general, DOTs preferred using a mix of classroom and online training, and classroom training for interagency rather than for intra-agency training.

HSEEP offers substantial exercise planning guidance, and conformance to it is required for many preparedness and homeland security grants. However, the 2017 AASHTO SCOTSEM State Transportation Security and Emergency Management Survey, with a response rate of 65%, revealed that almost 80% of respondents were aware of HSEEP but only 41% use it.

TCRP Report 180: Policing and Security Practices for Small- and Medium-Sized Public Transit Systems (TRB 2015e) included survey findings of the current state of practice in small and medium-sized transit systems and identified potential security countermeasures. Transit agency security measures, programs, and countermeasures including training are also discussed in TCRP F-21 Tools and Strategies For Eliminating Assaults Against Transit Operators (2017), TCRP Synthesis 80: Transit Security Update (2010), and TCRP Synthesis 93: Practices to Protect Bus Operators from Passenger Assault (2011).

Active Shooter Spotlight

Active shooting events have been increasing in frequency and severity. Between 2000 and 2013, 160 active shooter incidents occurred, resulting in 486 deaths and 557 injuries. The incident rate for the initial 7 years of the study period was 6.4 per year; this rate rose to 16.4 per year for the last 7 years. About 70% of incidents were over within 5 minutes, and 60% ended prior to the arrival of law enforcement. With regard to event location, 46% occurred in businesses, 24% in schools, and 10% in government properties, according to A Study of Active Shooter Incidents, 2000–2013, by Texas State University and the FBI (2014). Because many active threat situations last a short period of time and end before police arrive, immediate response to the threat is necessary for survival.
To enhance the preparedness of agency personnel, state transportation agencies should provide basic active shooter training. To ease scheduling difficulties, training can be integrated with existing training programs on workplace violence and emergency training.

Active shooter preparedness plans are used as the basis for development of training. Plans identify roles and responsibilities and address needs of functional needs persons, and include the plan activation process, emergency notification systems and process, communications, incident plan, evacuation plan and procedures, training and exercises, and post-incident recovery for employees and for operations. The ISC guide Planning and Response to an Active Shooter for federal facilities recommends conducting an assessment of the facility and needs and capabilities of the personnel, so that optimal actions can be determined and incorporated into the preparedness plan and into training and exercises (Interagency Security Committee 2015). Strong partnerships with local law enforcement who will respond to an incident are essential for preparedness, including input on plans and procedures and training and exercises.

Typical active shooter training content includes:
• Introduction to the active shooter threat;
• How to prepare for an active shooter incident (e.g., awareness of surroundings and exit routes);
• How to report an incident (who and how to contact and what to report);
• How to respond to the threat; the “run, hide, fight” concept is a federally endorsed technique; and
• What to do when law enforcement arrives. This topic is important because civilians may not realize that the initial objective of law enforcement is to stop the attacker, not help victims.
Also, civilians may not know how to react in the presence of police and mistakenly act in a suspicious or threatening manner.

Exercises offer participants a chance to experience an active shooter scenario in a safe setting and learn how to interact with and support law enforcement. Inclusion of security, local law enforcement, and other responders in exercises/drills would be advisable, so that they may become familiar with the facility and provide feedback on shelter locations and evacuation routes.

As stated in the 2015 ISC Guide on Planning and Response to an Active Shooter, “it is absolutely essential to reinforce the classroom or online instruction with realistic exercises.” The guide emphasizes the importance of including people with access or functional needs in the exercises and pre-designating assembly locations for them. The guide also suggests including notification procedures, communications, accessible egress points, response to specific assembly areas in exercises, and the identification of workers with valid EMS, police, or fire credentials.

It should be noted that recent efforts have started focusing on training workers in medical response, particularly hemorrhage control. The Joint Committee to Create a National Policy to Enhance Survivability from Mass Casualty Shooting Events, for instance, highlighted the importance of hemorrhage control in saving lives and elevating the roles of the uninjured or minimally injured public, EMS/Fire/Rescue, and trauma care, as has recent ISC guidance.

In addition, agencies should train supervisors to help personnel manage the emotional and psychological as well as medical consequences of active threat events, and conduct thorough post-incident evaluations to identify lessons learned and implement any necessary corrective actions.
Case Study
Illinois DOT Active Shooter Training
(Source: Active Shooter in the Workplace, Sergeant Mark Roberts, HPD)

Active shooter training is provided to Illinois DOT personnel by local law enforcement free of charge. Training objectives include:
• Define various shooting situations.
• List measures that can be employed to reduce the effectiveness of an active shooter.
• Describe actions that can be expected from responding law enforcement officers.
• Safety tips.

Training begins with a discussion of active shooter events and introduces active shooting types, differentiating active shooter from barricaded suspect and hostage situations and noting that the latter two situations can transition into active shooter. Active shooter situations can also turn into hostage situations when police arrive. The key characteristics of an active shooter situation are:
• Suspects actively killing and/or causing serious, life-threatening bodily injury to multiple victims with the primary objective of mass murder.
• Immediate risk of death and injury.
• Difficulty containing the threat due to the assailant’s lack of regard for personal safety.
Personnel can proactively enhance their preparedness through Awareness, Preparation, and Reporting Problems or Suspicious Persons. The training describes actions to take based on location: in a break room or office, in an auditorium or other large room, or in a hallway. For instance, in a break room or office, personnel should secure the door and silence their cell phones. In a hallway, personnel should find an unsecured room but not a restroom and should not run down a long hallway. In a large room or auditorium, personnel should head toward an exit. When outside, personnel should place their hands on their heads and move toward police. If trapped with an active shooter, personnel should not take any action that may provoke the shooter and should follow the shooter’s instructions as long as the shooter is not shooting.

The training emphasizes the use of one’s own judgment as to whether to run, stay, or fight the attacker. If running, the training recommends running in a zigzag manner.

According to the training, the following information should be reported to the police during an active shooter situation:
• Number of persons at the facility.
• Number of injuries.
• Information about the shooter, including location, number of shooters, race, gender, clothing color and style, backpack, physical features, types of weapons, and any explosives.

Police response, what to do, and what not to do are covered comprehensively in the training. The training states that law enforcement will seek to stop the assailant and consider everyone to be a suspect. Therefore, it is important to follow instructions, keep hands visible, not run toward police, and not make sudden moves. It is also important to stay in secured rooms or areas until police are ready to evacuate personnel. Also, police will typically not attend to injuries until the threat has been neutralized.

A minimum of annual refresher training is recommended.
Conclusion

Because security threats are constantly evolving, transportation agencies must take strategic, proactive action to address them in a well thought-out manner and must keep apprised of changing federal standards, guidance, and best practices.

Emerging threats deserving attention include the increased integration of the cyber and physical security worlds. The merging of the two worlds means that cross-training and information sharing between and among IT and ICS staff and cybersecurity and physical security personnel are necessary to increase understanding of interdependencies and consequences of various attack scenarios.

Retention and recruitment issues along with budgetary constraints have been creating workforce development and training challenges for transportation agencies. By instituting effective workforce planning practices, agencies can address these issues to achieve a more stable and productive security and cybersecurity workforce.