Chapter 5
Workforce Planning and Training/Exercises

For both physical security and cybersecurity, a vigilant workforce with shared values, beliefs, and behaviors engaging in and using security-enhancing practices on a daily basis can enhance the agency's security posture. Transportation agencies must practice prudent workforce management, promote security awareness and instill knowledge, skills, and abilities into this important and invaluable asset through organization-wide awareness initiatives and training programs that target relevant segments of the agency workforce.

The 2013 National Infrastructure Protection Plan (NIPP) calls for the strengthening of Security and Resilience for both physical and cyber Critical Infrastructure through the coordinated development and delivery of technical assistance, training, and education. NIPP 2013 also emphasizes "continuous learning and adaptation" to learn from incidents and exercises and rapidly incorporate lessons learned. The Transportation Sector contributes to the NIPP vision and mission through the implementation of its Sector vision of a "secure and resilient transportation system, enabling legitimate travelers and goods to move without significant disruption of commerce, undue fear of harm, or loss of civil liberties." To achieve this vision, a primary goal of the Transportation Sector is security education, training, and awareness. (2015 TS SSP)

This chapter emphasizes the role of the workforce by highlighting its contribution to security and cybersecurity culture. This chapter then focuses on workforce planning and awareness and training programs for physical security and cybersecurity personnel of state DOTs and transit agencies. Training delivery and evaluation issues, and exercises, exercise types, and HSEEP are also discussed, and a comprehensive checklist for a full-scale exercise is provided.

Building a Culture of Security and Cybersecurity

To maximize effectiveness of security initiatives, a security culture must be established. Culture-building requires a multi-faceted approach which includes the following initiatives:
• Awareness initiatives
• Training program
• Assessment of threats
• Reduction of the attack surface
• Addressing threats, mitigations, software/firmware update process
• Addressing monitoring and detection methodologies
• Ability to be audited for compliance
• Change-management systems
(APTA Recommended Practice, Part 2)

However, it is believed that the transportation agency workforce is the central element around which a security culture is built. Culture is shared values, beliefs, attitudes, and behaviors fueled by good basic practices and sustained awareness by all employees.

Terrorism is and has been a significant concern for transit agencies, especially systems operating in urban areas. After the terrorist attacks in New York City and Washington, D.C. on September 11, 2001 and the attacks on rail transit systems in Madrid, Paris, London, and Mumbai, the transit industry including transit agencies ramped up their efforts to establish a security culture. Since transit police and local police cannot be in all places at all times, transit agencies expanded their scope by employing transit employees and
civilians to act as their eyes and ears. As emphasized in the 2012 APTA Recommended Practice on Security Awareness Training for Transit Employees, all employees including contractors contribute to security by their very presence and their alertness. Transit agencies with the support of FTA and DHS/TSA and relevant legislation such as Section 1408, PL 110-53; 121 Stat. 266 implemented awareness training programs and campaigns.

Transportation sector activities highlighted in the 2015 TS SSP related to culture-building including training include:
• Provisions for cybersecurity, awareness training, and periodic exercises as a condition for receipt of security and resilience grants
• Developing exercise injects for highest threat scenarios
• Specifically for cybersecurity, developing incentives by
  o Facilitating training opportunities;
  o Recognizing industry achievements;
  o Certifying and confirming security measures as condition for grant awards; and,
  o Promoting DHS voluntary initiatives.
(2015 TS SSP)

The First Observer Plus™ Program (www.tsa.gov/firstobserver) trains surface transportation professionals (highway, mass transit, over-the-road bus, school bus, trucking, truck rental, pipelines, parking workers, and transit police) to recognize and assess suspicious activity, and report their observations.

In addition, the following incident reporting hotlines have been established:
• "If You See Something, Say Something™" Campaign (dial 911)
• General Aviation Security HOTLINE (1-866-427-3287)
• TSA Contact Center (1-866-289-9673)
• DOT Report Safety Violations (1-888-DOT-SAFT (368-7238))
• National Highway Traffic Safety Administration Hotline (1-888-DASH-2-DOT)
• USCG National Response Center Hotline (1-800-424-8802)
• America's Waterway Watch (877-24WATCH)
• First Observer™ Program (844-872-3778)

These efforts help ensure that Transportation Sector workers and customers are continually aware and alert and are contributing to the creation of a security culture within transportation organizations and the sector.

While state DOTs have not been at the forefront of security efforts, with the USDOT having received co-sector specific status and the development of the TS SSP, state DOTs along with other sector partners are expected to follow TS SSP guidance on security and resilience. The 2015 AASHTO's 4th Generation Strategic plan emphasizes the need to provide the DOT workforce with security and infrastructure protection information. AASHTO Fundamentals Guide also notes the importance of security awareness for the entire transportation workforce describing the workforce as being "uniquely positioned to identify issues, problems, and deviations from the usual."

For cybersecurity as well, technology and process are important, but people are the most vulnerable element, and a key component of a cybersecurity culture. Maintaining continuous cybersecurity awareness is a primary Transportation Sector goal (2015 TS SSP) supported by cross-sector national-level NIST efforts such as the national public awareness campaign, Stop.Think.Connect™, the National Initiative for Cybersecurity Careers and Studies (NICCS) and the National Initiative for Cybersecurity Education (NICE).

The US-CERT and Industrial Control Systems (ICS-CERT) Cyber Information Sharing and Collaboration Program coordinate cyber information sharing and provide an incident hotline: 1-888-282-0870. National-level transportation-specific initiatives include the USDOT Cybersecurity Action Team which monitors, alerts and advises the ITS and surface transportation communities of incidents and threats; and the Transportation Systems Sector Cybersecurity Working Group (TSSCWG) comprised of government, industry, and private sector stakeholders.

Physical Security and Cybersecurity Workforce

A stable workforce contributes to the success of agency security mission, goals, and objectives. Workforce planning, required to achieve this stability by determining future workforce needs and requirements, involves an understanding of threats including emerging threats and current capabilities (KSAs) of their workforce.

Because state DOTs have difficulty acquiring high-demand technical skillsets due to lack of staffing resources as well as lack of clear career paths and better opportunities in the private sector, outsourcing of technical activities is routine for many state DOTs. In fact, the 2015 FHWA White Paper highlights the vital role of Organization and Staffing including staff development, recruitment, and retention in supporting effective TSM&O. (USDOT/FHWA, Improving TSM&O Organization and Staffing, 2015) In addition, personnel retirement and turnover within the transportation industry have increased workload burdens on remaining employees and training demands for new hires replacing departing personnel. (FHWA White Paper, 2015, NCHRP Synthesis 468, TCRP F-series publications)

A May, 2016 survey of the AASHTO TSM&O Subcommittee members and Operations Academy graduates revealed the top two recruitment and retention issues of the 34 responding agencies as: lack of existing training vs. emerging needs and the lack of a clear career path. Difficulties in recruitment related to salary competition and/or lack of required skills/certifications.
Another finding included the difficulty most states were experiencing in filling key technical positions – especially in systems engineering, IT and ITS device maintenance – with approximately half of responding states significantly dependent on consultants. (White Paper No. 3: Recruitment, Retention and Career Development, National Operations Center of Excellence)

As demand for a more technical workforce increases, good workforce planning practices to manage the demand, promote a stable workforce, and alleviate these issues will be essential. In addition, as noted in the section on Physical Security Forces, personnel are the most expensive security countermeasure that may be implemented by a transportation agency and expansion of the workforce requires significant hurdles to be overcome. Effective workforce planning will diminish turnover along with the concomitant need to recruit and train new personnel, and help agencies address budgetary constraints as well.

The four key steps in workforce planning are as follows:
1. Inventory current workforce supply including skills, abilities, and positions.
2. Perform demand and supply analysis; demand analysis involves determining what skillsets are needed to meet organizational goals and objectives; supply analysis determines who is actually doing what.
3. Identify gaps to determine where current supply falls short in meeting expected demand, and perform gap analysis to identify needed actions to meet future workloads.
4. Create an implementation plan.
(DHS Best Practices for Planning a Cybersecurity Workforce White Paper Version 2.0, 2014)

Workforce planning includes the strategic use of data and analysis tools. Tools such as the Capability Maturity Model (CMM) which originated in the software development industry help organizations understand current workforce management capabilities of the organization. A CMM also allows for consistent evaluation and human capital decision-making.
Each model helps a workforce planning segment or activity area evolve to a higher level by establishing maturity levels. For instance, the National Initiative for Cybersecurity Education (NICE) CMM has three levels - limited, progressing, and optimizing - and workforce planning activity areas are categorized into Process, Analytics; Integrated Governance; and,
Skilled Practitioners and Enabling Technology. The following three-step process should be used to employ the CMM:
1. "Gather data on qualitative CMM variables
2. Analyze data and determine current maturity levels by CMM key area
3. Determine priority areas for increased maturity and develop action plans"
(DHS Cybersecurity Capability Maturity Model White Paper, Version 1.0, 2014)

The 2014 DHS White Paper also notes that workforce planning may be able to capture unusual changes in workload in a specific unit; the changes may indicate a cyber breach that would otherwise have been missed.

A self-assessment framework for transportation agencies developed through the Second Strategic Highway Research Program (SHRP 2) helps improve their Transportation Systems Management and Operations (TSM&O). It is recognized as providing "the key features of quality management, organizational development, and business process reengineering" in one framework. Also, capability is seen as a target and improvements are identified, prioritized, and implemented in "doable," four clearly defined stages – Performed, Managed, Integrated and Optimizing. (AASHTO TSM&O website http://www.aashtotsmoguidance.org/) The AASHTO TSM&O website provides an online self-evaluation tool that identifies "key program, process and institutional preconditions" to improve an agency's TSM&O and create action plans.

The 2015 FHWA Improving Transportation Systems Management and Operations (TSM&O) Capability Maturity Model Workshop White Paper addressed the need for support material for tackling state DOT workforce issues by identifying national activities to support improvements in organization and staffing.
These activities included the following:
• "Develop a TSM&O organization and staffing gap analysis tool for agencies to compare current operations with those needed to fulfill all desired functions"
• "Poll State DOT senior TSM&O managers on key staff capacities needed and unmet; compare identified needs with training and educational opportunities and consider remediation actions to fill gaps"
• "Develop a suite of core competencies with lists of helpful training, experiences, and resources for TSM&O managers"
• "Review critical training deficiencies across all levels of TSM&O employees and develop permanent classes to address these deficiencies (for example, CITE or NHI courses)"
• "Review curricula of secondary and graduate schools related to TSM&O to identify key gaps and best practices to produce 'TSM&O-ready' entry level employees"
(FHWA Improving Transportation Systems Management and Operations (TSM&O) Capability Maturity Model Workshop White Paper, Table 7.1, 2015)

The 2015 FHWA White Paper Appendix, Steps to Implement Common Implementation Plan Priority Action for Organization and Staffing Dimension also contains useful tips on implementing these priority actions.

The TCRP F-Series reports provide an excellent source of workforce literature focused primarily on the transit industry. In particular TCRP Report 162 – Building a Sustainable Workforce in the Public Transportation Industry – A Systems Approach, 2013 provides information on eleven training and development strategies and implementation steps along with sample programs implemented at specific agencies and Professional Capacity Building strategies that can complement an agency's training initiatives.

Physical Security Forces

As shown previously in the Security Countermeasures Cost Scale (Chapter 2), the costs associated with deploying personnel are the most expensive security countermeasure a transportation agency can undertake. The labor costs associated with the agency's operating budget for security can exceed 90 to 92% of total annual expenditure. However, depending on the threats and unresolved vulnerabilities facing the organization, security personnel are often the most critical resource available to reduce security-related risk. Unlike any other security countermeasure or technology, personnel provide the one vital capability for which there is no substitution – the ability to comprehend and apply reason. Security personnel bring the capacity to perceive the true nature of a threat, recognize on-going aggressor tactics, and connect the dots. When adequately armed or reinforced, they can repel or overcome the use of deadly force by responding with equal or greater force to neutralize the threat or activity. This factor alone is predominating in both the homeland security and public safety context. Absent a response force, aggressors or criminals would quickly disregard other security countermeasures as irrelevant.

Deciding on the necessity for security personnel or the extent to which forces should be deployed can be a significant challenge for security decision makers and depends on the agency's risk profile and threat and vulnerability assessments. In general, transportation agency decision-makers have an initial – spend or no spend – hurdle to clear in security personnel hiring and deployment. To do so will require significant interaction with local authorities to establish the level of protection and response to security incidents that can be expected. Assuming there is budget, spending operating dollars on security labor can be an easy decision for the agency to make at the outset, but a much harder decision to amend or withdraw.
Those agencies that have previously deployed a security force can attest to the difficulties associated with eliminating a security presence even when that presence is no longer warranted. For this reason, any agency that has not yet made an investment in sustaining a security force should exercise great care in ensuring that the rationale for security personnel staffing is objective and consistent with both an established threat profile and other organizational needs and requirements.

In the event that the agency determines that a security force is not required, a periodic review of this decision should be made in conjunction with ensuing risk assessments performed. The agency should also work towards achieving a written plan of security operations that documents the public safety service level and response contemplated.

When the transportation agency objectively determines that a security presence, beyond what is available from the locale's public safety community, is necessary to protect the system and its users, there are a number of planning options that should be analyzed. Figure 51 is a flow diagram that depicts the decision points that should be considered.

Figure 51: Transportation Security Force Planning Flow Chart

Questions include:
• Is there a need for a part-time or full-time security presence?
• Is there a need for a dedicated security force?
• Should the security force be proprietary or contracted?
• Should the security force be armed?
• Does the security force need arrest powers?

Obviously the tradeoffs associated with these options have significant bearing on the transportation agency's overall security posture. At one end of the available choices is the deployment of unarmed, part-time security officers, with no arrest authority. At the other end is the fielding of a full-time, armed police department with powers of arrest. Where the agency falls on this decision line will impact the capabilities of not just the security labor force but also the performance and effectiveness of all other integrated system security countermeasures.

Irrespective of what underlying qualitative factors drive the decision about fielding security personnel, the best way to accurately make staffing level determinations is through the use of quantitative analysis. There are two different sets of quantifying data that are available: (1) security breach or crime incident based information including both calls for service and self-initiated incident responses, and (2) policy and procedure supported staffing deployment that is activity and scenario driven.

Statistics regarding the occurrence of specific types of crimes or incidents are typically used to plan future crime control, security management or risk reduction efforts. Fortunately, from the quality of service perspective, most transportation agencies experience a low level of serious criminal incidents. Known as "Part 1 Crimes" in conformance with FBI Uniform Crime Reporting (UCR) characterization criteria, crimes such as homicide, rape, robbery, aggravated assault, and arson occur so infrequently that the rate is often statistically insignificant from a crimes analysis standpoint.
When quantifying serious crime data is inadequate to assist in establishing staffing levels, officer productivity data including total calls for service and self-initiated security or police officer activities should be used. For example, calls for service to respond to complaints of trespassers on agency property can be totaled for a specific period. The calls can be broken down by location, time of day, day of week and other criteria. Then the information is measured against existing staffing levels and response times for responding security forces as a means to identify an acceptable security operating condition where risk is maintained within tolerable limits. (Assuming the agency establishes a 15-minute response to a trespass incident as acceptable risk, Table 15 depicts a staffing level of 20 officers would be required.)

Trespass Incidents at Location ÷ Number of Security Officers = Response Time

Table 15: Staffing Level for Trespass Incidents

| Officers on Duty | Trespass Incidents | Response Time |
|---|---|---|
| 10 | 50 | 30 minutes |
| 15 | 50 | 22.5 minutes |
| 20 | 50 | 15 minutes |
| 30 | 50 | 7.5 minutes |

Self-initiated patrol activity associated with the security of parking lots or rest stops, maintenance facilities or other agency areas can be similarly documented and measured as a percentage using a ratio of patrol activity time calculated against total shift time. This data can then be aggregated to establish the agency's acceptable risk goal as a total number. (Assuming data collection shows that 50% of officer time is spent performing patrol activity, if the agency establishes a goal of 200 hours of shift time as acceptable risk, Table 16 depicts a staffing level of 50 officers would be required.)

Patrol Activity Time ÷ Total Shift Time = % Patrol Activity per Officer

Table 16: Staffing Level for Patrol Activity

| Total Officers | Total Shift Time | Patrol Activity Time | Percentage |
|---|---|---|---|
| 50 | 400 | 200 | 50% |

By extending this concept of data collection productivity quantification to those security related issues that are most important to the agency, security planners can reasonably approximate how large the security force should be. It's worth repeating that other qualitative factors such as prior existing assignments of security or police to a given location will also impact staffing decisions. But these subjective criteria should be recognized as an inefficient, albeit sometimes necessary, method of allocating security forces.

By assimilating threat assessment information into the productivity driven quantification method discussed above, security planners can merge risk data with security operations data to minimize security vulnerabilities while at the same time obtaining a reasonable approximation of security force workflow. For example, knowledge by the transportation agency that aggressor tactics may include attempts to place IEDs at critical infrastructure points such as tunnel entrances can result in periodic patrol checks at such locations. Similar to the above trespassing checks, security force response times can be measured by location, time of day, day of the week, etcetera, simply by treating the tunnel infrastructure check as a call for service. (Assuming the agency establishes a 15-minute response to a tunnel check as acceptable risk, Table 17 depicts a staffing level of 20 officers would be required.)

Critical Infrastructure Tunnel Checks ÷ Number of Security Officers = Response Time

Table 17: Staffing Level for Tunnel Checks

| Officers on Duty | Tunnel Checks | Response Time |
|---|---|---|
| 10 | 50 | 30 minutes |
| 15 | 50 | 22.5 minutes |
| 20 | 50 | 15 minutes |
| 30 | 50 | 7.5 minutes |

The time ratio data regarding self-initiated vulnerability reduction activities for the protection of critical assets and infrastructure would be measured as well. (Assuming data collection shows that 50% of officer time is spent performing vulnerability reduction activity, if the agency establishes a goal of 200 hours of shift time as acceptable risk, Table 18 depicts a staffing level of 50 officers would be required.)

Vulnerability Reduction Activity Time ÷ Total Shift Time = % Vulnerability Reduction Activity per Officer

Table 18: Staffing Level for Vulnerability Reduction Activity

| Total Officers | Total Shift Time | Vulnerability Reduction Activity Time | Percentage |
|---|---|---|---|
| 50 | 400 | 200 | 50% |

Obviously the response to trespass calls or performing tunnel checks as cited in the examples would not be mutually exclusive patrol activities or vulnerability reduction activities. In fact the transportation security force would integrate these activities together as a means to optimize total security effectiveness.

In terms of cybersecurity, several categories of roles in disparate departments and units (e.g., IT, engineering, operations, HR) need to be considered. ACRP Report 170 survey findings revealed that a cybersecurity program would require between 0.3-2.65 new full time equivalents (FTEs) for the roles of Chief Information Security Officer, trainers, IT operations, IT infrastructure engineers, Chief Information Officer, and application managers. The FTEs may be either new hires or external resources.

Cybersecurity Workforce

The 2017 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework ("Workforce Framework") promotes the development of a globally competitive cybersecurity workforce through the use of common terminology and seven high-level categories of cybersecurity functions – Analyze, Collect and Operate, Investigate, Operate and Maintain, Oversee and Govern, Protect and Defend, and Securely Provision, 33 specialty areas, and 52 work roles. Each work role is comprised of cybersecurity Tasks and Knowledge, Skills, and Abilities (KSAs) required to complete the Tasks.

Agencies can describe any cybersecurity role or position through the use of the Workforce Framework and inventory their cybersecurity workforce to determine gaps in KSAs, thereby determining training and qualifications needs. The Workforce Framework also supplies other resources designed to help organizations establish cybersecurity career paths, credentialing, and training and education for their workforce.
The Workforce Framework is accessible via the National Initiative for Cybersecurity Education (NICE) website https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

The 2015 Transportation System Sector (TSS) Cybersecurity goals include the following:
• Maintain continuous cybersecurity awareness;
• Improve and expand voluntary participation in cybersecurity efforts;
• Define the conceptual environment;
• Enhance intelligence and security information sharing; and
• Ensure sustained coordination and strategic implementation

A challenge for transportation agencies may be the requirement for transportation cyber specialists with an in-depth knowledge of both transportation and cybersecurity.

High-level Cybersecurity Capabilities for state DOTs support these goals and include:
• Integrate cybersecurity decision making into business processes and investments.
• Evaluate and manage agency-specific cyber risks.
• Implement industry standards and best practices.
• Facilitate discussion and interaction between information technology, engineering, and operational groups to ensure that all systems are adequately addressed.
• Coordinate cybersecurity and cyber incident response planning across the enterprise.

With these goals in mind, the agency can consult the DHS Cybersecurity Workforce Development Toolkit ("Toolkit") which provides extensive but straightforward guidance about workforce development. The
Toolkit recommends the following steps to develop the agency's cybersecurity workforce and high-performing teams:
• Prepare: Understand organizational readiness by reviewing and using the Cybersecurity Workforce Planning Capability Maturity Model (CMM). The CMM is a self-assessment tool to help agencies assess the maturity of their cybersecurity workforce planning capability.
• Plan: Explore risks by using the Cybersecurity Workforce Planning Diagnostic provided in the Toolkit and inventory cybersecurity workforce. Determine gaps by evaluating the organization's risk profile and workforce planning recommendations from the Workforce Planning Diagnostic against the results of the workforce inventory. These steps determine workforce needs (skills needed to meet workload). Gaps are addressed through hiring, outsourcing, changing the mix of positions and skills, or training existing workforce on needed skills.
• Build: Build the cybersecurity team by aligning the cybersecurity team and position descriptions, job tasks, and competencies to the Workforce Framework. This allows the identification of tasks that need to be added to meet the recommended skills list for each specialty area. Use the recruitment checklist provided in the Toolkit. Establish an internal panel of decision makers including representatives from senior management, HR, cybersecurity management, and finance, and ensure the planning process is aligned with the agency's budgetary process to fund new positions and training. Also suggested is creating a program to develop future cybersecurity leaders.
• Advance: Retain cybersecurity staff and develop career paths. The Toolkit provides sample proficiency levels – beginner, intermediate, and advanced – and sample career paths that can be used as templates to develop the agency's cybersecurity career path for each level.
(See Table 19 for a Cybersecurity Career Path Template)

Table 19: Cybersecurity Career Path Template (Adapted from DHS Cybersecurity Workforce Development Toolkit)

Beginner
Experience & Credentials: Degree OR Work Experience (_ years) OR Certifications
Technical Competencies & Skills/KSAs:
• Competency 1, e.g., Info Security/Assurance
  - Skills needed, e.g., skill in performing damage assessments
• Competency 2
  - Skills needed
. . .
• General Competencies
  - Skills needed, e.g., critical thinking and analytical skills
. . .
Training & Development Activities:
• Sample Activity 1, e.g., Training Workshop
• Sample Activity 2, e.g., University Courses
. . .

Intermediate
Experience & Credentials: Degree OR Work Experience (_ years) OR Certifications
Technical Competencies & Skills/KSAs:
• Competency 1, e.g., Info Security/Assurance
  - Skills needed, e.g., skill in performing damage assessments
• Competency 2
  - Skills needed
. . .
• General Competencies
  - Skills needed, e.g., critical thinking and analytical skills
. . .
Training & Development Activities:
• Sample Activity 1, e.g., Joint Assignment
• Sample Activity 2, e.g., University Courses
. . .

Advanced
Experience & Credentials: Degree OR Work Experience (_ years) OR Certifications
Technical Competencies & Skills/KSAs:
• Competency 1, e.g., Vulnerabilities Assessment
  - Ability to identify systemic security issues
  - Knowledge of application vulnerabilities
  - Skills needed in the use of penetration testing tools/techniques
• Competency 2
  - Skills needed
. . .
• General Competencies
  - Skills needed, e.g., critical thinking and analytical skills
Training & Development Activities:
• Sample Activity 1, e.g., Professional Conferences
• Sample Activity 2, e.g., Government Courses
. . .

Characteristics of high-performing cybersecurity teams identified in the Toolkit include the following:
• Agile: must be ready to change course and quickly resolve issues
• Multifunctional: must have diverse knowledge and skills
• Dynamic: must be able to respond to new threats by learning new skills and methodologies
• Flexible: must be able to shift priorities to meet daily challenges
• Informal: must be flexible in terms of work hours and duties

The Toolkit also describes how to identify, recruit, and retain quality cybersecurity professionals.

The 2016 NCHRP Protection of Transportation Infrastructure from Cyber Attacks: A Primer ("2016 NCHRP Cybersecurity Primer") identified the following high-level user categories and training needs derived from the Cybersecurity Framework (Version 1.0, February 12, 2014):
• All Users requiring access to electronic information or systems should be informed about agency cybersecurity policies and protocols and receive basic awareness content and "are the single most
124 important group of people who can help reduce unintentional errors and related information system vulnerabilities.â (NIST 800-16 Revision 1 Third Draft, 2014) ï· Third-Party Stakeholders include suppliers, vendors, partners, and customers. ï· Privileged Users are authorized and trusted to undertake functions ordinary users are not authorized to perform. ï· Managers and Senior Executives need to set an example by adhering to policies and protocols and stressing the importance of IT/Cybersecurity role-based training requirements. They also have important decision- making roles and responsibilities including resource and staff allocation. The Chief Information Officer (CIO) administers training and oversees personnel with IT/cybersecurity responsibilities. ï· Training Personnel deliver necessary training and education to achieve desired awareness levels, understanding of roles and responsibilities, and KSAs. Training personnel also manage and assess Awareness and Training programs along with individual courses and sessions. The Senior Agency Information Security Officer (SAISO) has tactical-level and implementation responsibility while the Cybersecurity Training Manager/Chief Learning Officer (CLO) is responsible for implementing specific role-based training. The Training Developer/Instructional Design Specialists partakes in producing role-based training materials. ï· IT/Cybersecurity Personnel such as system administrators and control system operators require specialized knowledge and partake in the design, development, evaluation, and procurement of systems and equipment. ï· Physical Security Personnel including in-house and external police and security and local law enforcement need to be aware of cybersecurity issues and impact of cyber breaches on physical assets and infrastructure as well as the consequences of physical breaches on IT systems. 

Security Experts, Consultants and Contractors

In previous sections of this text, recommendations have been made to transportation agencies regarding the need to utilize security professionals to assist in certain aspects of risk assessment, security planning and countermeasures identification. It is specifically recommended that security consultants be contracted to assist in the performance of security vulnerability assessment (SVA) and security plan development. Obtaining professional help in security workforce planning may also be appropriate. Security contractors should be retained to assist in security systems integration, particularly in connection with the selection and implementation of hardware and electronics such as intrusion detection, alarm systems, access control, and CCTV.

Many times an organization will be hesitant to formalize a consulting arrangement with a security practitioner or firm. Unfortunately, this hesitancy does not always make good business sense. Even the most professional in-house security department cannot be expected to be expert in all phases of security risk management, process and procedure, and security technology. Competent security consultants are available today to perform research, analyze conditions and develop comprehensive security programs that can reduce the risks associated with conducting transportation operations. Of course, this assumes that the agency has identified the right consultant or consulting service.

There are two main factors to be evaluated when selecting professional security consulting assistance: (1) review of the documented qualifications of the security firm and (2) the backgrounds of the individuals who will be performing the security work. In the best of all worlds the agency will be able to identify a security firm with a successful record of past contracted employments performing work in the specific transportation sector and discipline, e.g., rail, highway or transit.
In addition, the security firm’s leading experts will be available and on the team assigned to conduct the security work contemplated.

A word of caution is appropriate regarding the hiring of security contractors. There is a difference between hiring an independent security consultant and accepting security “recommendations” from a manufacturer or retailer’s representative. Independent consultants can be called upon to provide objective opinions without bias or predetermination. Salespersons, especially those with high technology products, are usually limited in approach and biased towards the company they work for. Overemphasis of guards, alarms or surveillance systems can cause an unnecessary drain on operating and capital budgets when the proper solution is the integrated balancing of security policy and procedure with the other countermeasures in the agency’s toolkit. Interestingly, organizations have a tendency to more readily accept proposals from security salespeople and contractors than from outside security consultants.

For cybersecurity roles and tasks requiring a high cybersecurity skill level, such as conducting vulnerability assessments, transportation agencies will likely find it cost effective to outsource the work and/or procure commercial-off-the-shelf software and hardware rather than expand their workforce to acquire the capability to develop proprietary cybersecurity software and systems. Also, while some agencies do have the capability to develop in-house training programs and software, agencies with minimal resources will need to rely more heavily on external resources. In fact, a May 2016 survey of the AASHTO TSM&O Subcommittee members and Operations Academy graduates revealed that, of the 34 responding agencies, approximately half were dependent on consultants to fill technical functions.

Security Committees

Similar to safety, security in a transportation agency is a “top-down” organizational activity. This is because executives must support cross-disciplinary functions for the activities to succeed. By supporting important agency functions, leadership drives the prioritization of work to comport with the direction provided. Unfortunately, security as a function within an agency is often deemphasized until an incident occurs. Managers, because of their lack of familiarity with the subject matter, can be reluctant to broach the issue of security.
Then, when an incident happens, impromptu crisis thinking can intrude into disciplined managerial decision making, causing “knee jerk” reactions that defeat security planning and preparedness. To overcome this tendency it is vital that the senior management of an organization play an active role in determining the course of the security related activities of the agency. As stated in the AASHTO Managing Catastrophic Transportation Emergencies: A Guide for Transportation Executives, “Establishing the capability to manage and direct all-hazards transportation emergency response and recovery effectively, irrespective of the incident type, demands pre-planning, resourcing and staging of assets, and internal coordination and coordination with other affected external agencies, companies, groups, and personnel.”

It is recommended that the chief executive establish a senior advisory group consisting of executives from various departments who are designated oversight authority for system wide security. This senior committee should meet on a regular basis to establish direction and develop strategic level security policies and guidelines. The agency should also involve front line and mid-management level employees in security. Representative individuals from across the agency should be selected to serve as security coordinators and as participants in security committees. Where the agency maintains a dedicated security force, department coordinators should be responsible for day to day security interface and liaison. In those agencies without a dedicated security force, a committee of department security coordinators should be empowered with the authority to manage security activities system wide.

There are three key areas of program coordination:
• To deploy a broad based system wide security management process that identifies, tracks and responds to all security threats, vulnerabilities and occurrences.
• To maintain a workplace where security incidents are routinely reported and every staff and operating department contributes to security improvements.
• To promote security awareness and communications throughout the organization.

Coordination and Mutual Aid

A cybersecurity event can have far-reaching consequences and may require coordination with other state or federal agencies and regional organizations. Understanding what agencies and organizations may be involved and building strong relationships with those agencies or organizations before an event happens is important. As part of emergency response, state DOTs provide and receive resources through mutual aid to/from other states and organizations using mutual aid agreements and mutual aid plans. Mutual aid operational plans should include a schedule of training and exercises for validation of plan design, concept, implementation and communications, logistics, and administrative structure. Interjurisdictional and interagency training and exercises are particularly useful for preparation for larger and more complex disasters and emergencies that require effective coordination among transportation agencies.

Physical Security and Cybersecurity Awareness and Training

The success of agency security initiatives depends on an aware and well-trained workforce. Police and security personnel cannot be in all places at all times. However, transportation employees, particularly frontline employees, can act as the eyes and ears of law enforcement and expand their reach. Therefore, it is imperative that transportation personnel are aware of security and cybersecurity risks and threats, and know what to do to protect themselves, passengers, the public, and agency property and infrastructure in case of a security threat. While security awareness pertains to all employees/everyone and serves to focus attention on security, training prepares personnel for their roles. Mid- and high-level personnel must ensure that the agency has a systematic method in which security threats, vulnerabilities, and incidents are identified, assessed, reported, tracked, and responded to.
They require role-specific training in addition to awareness training in such topics as risk management, vulnerability assessment, and planning for resiliency. (2011 Lowrie, et al.) Exercises provide opportunity for personnel to practice what they have learned and also help validate, maintain and improve training, plans, policies, procedures, and practices. Typically, the sequence of activities involves a) Security Awareness, b) Training individuals on tasks, c) Training teams on integrated tasks, and d) Exercises. The TSA/FTA Security and Emergency Management Action Items for Transit Agencies include Security and Emergency Response Training as action item #5 and Public Security and Emergency Awareness program as action item #7.

Definitions

The 2015 AASHTO Fundamentals Report definitions of Awareness and Training are as follows:
• Security Awareness: The purpose of security awareness is to focus attention on security. It differs from security training, in that security awareness informs and draws attention to a security issue, but security training teaches the skills necessary to improve security.
• Training: An act, method, or process of instruction; to teach so as to make fit, qualified, or proficient.

Before implementing a security awareness and training program, the agency should be cognizant of the training requirements in its security and preparedness plans, the results of its risk assessment and its threat/hazard and vulnerability assessments, DHS, DOT, FHWA, FTA, and other external requirements, standards, and regulations. The agency should also seek to incorporate security and cybersecurity activities into its daily operations and training to the greatest possible extent so that security becomes a part of the daily routine. (2014 NCHRP Report 793: Incorporating Transportation Security Awareness into Routine State DOT Operations and Training)
The awareness and training plan should include a multiphase training curriculum, differentiate training activity by audience and specify objectives, have an implementation plan specifying delivery methods and schedule/timeline, and calendar initiatives designed to keep personnel actively engaged in security, individual training and program evaluation and improvement procedures, and resource requirements. The plan should also ensure that training, drills, and contact lists are kept up to date.

Additional elements of a security awareness and training program include the following:
• Centralized dissemination and promotion of security information and awareness and training products (policy and procedures reminders, security alerts and updates, employee handbooks, tip cards)
• Identification of employee security training needs and systemwide research and site surveys to identify security weaknesses
• Creation of training solutions to address vulnerabilities and deficiencies
• Maintenance of training records and materials and procedures to handle Security Sensitive information

Security-related training topics encompass understanding of plans, procedures, and measures for Prevention, Protection, Mitigation, Response and Recovery.
Topics should include the following:
• Prevention and Protection Measures
  o Conducting Background Investigations
  o Conducting Revenue Vehicle Security Inspections
  o Conducting Nonrevenue Vehicle Security Inspections
  o Conducting Random Inspections of Carry-On Items
  o Conducting Physical Security Inspections and CPTED Site Surveys
  o Employee Travel – domestic and international
  o Operator Assault Protective Measures
  o Other On-Board and Off-Board Personnel Assault Protective Measures
  o Random Counterterrorism Measures
  o Safe Mail and Package Handling
  o Security Requirements of Event Services
  o Security Requirements of Major Capital Projects
  o Theft Prevention Measures
  o Vendor and Contractor Security
  o Workplace Violence
• Plans and Procedures
  o Active Threat Plans
  o Bomb Threat and Unattended Item Management
  o Chemical, biological, and radiological threats including contagious viruses
  o Continuity of Operations and Contingency Plans
  o Document Control of security-critical systems and facilities
  o Emergency Employee and Public Communications
  o Emergency Smoke Ventilation in Tunnels
  o Information and Intelligence gathering and sharing procedures
  o IT and Communications Systems Plans
  o Mutual Aid
  o Regional Coordination Plans and Requirements
  o Responding to Increased Threat Condition Levels
  o Sensitive Security Information designation, markings and control
  o Shelter of Transit Vehicles and Nonrevenue Equipment During Emergencies
  o Threat and vulnerability identification, assessment and resolution procedures
(2013 APTA Recommended Practice on Security Planning for Public Transit, TSA/FTA Security and Emergency Management Action Items for Transit Agencies)
The NCHRP 20-59(51)B A Guide to Emergency Management at State Transportation Agencies, Second Edition identifies useful information on the creation of training and exercise programs. In particular, PREPARE Phase 12: Administer Training Programs and Section 6 on Training provide detailed recommendations on creating and implementing agency training and exercise programs, multiagency training and exercises, and evaluating training and exercises. Key points to keep in mind when establishing training programs include the following:
• In general, training activities should proceed from individuals to intra-agency team training to interagency and interjurisdictional exercises, with activities becoming progressively complex.
• After each training session, provide a chance for learners to reflect on and then apply their training.
• NIMS/ICS should be used for all training.
• Training should be “relevant, interactive and specific.” Instructor-student and student-student interactions promote learning. Also, chances for participants to share experience and knowledge should be provided.
• A training needs assessment can determine the required types of training, certifications, and credentialing by function or position.

The 2014 MTI Report 12-08 Exercise Handbook also contains useful recommendations regarding training and exercises, and provides a background on andragogy or adult learning, noting that adult learners should be “active, self-directed participants in their own learning” and instructors should acknowledge and draw upon their wealth of professional experiences.

Physical Security Awareness and Training

Because of their continued presence in and on agency properties or conveyances, employees are uniquely positioned to identify issues, problems and deviations from what is usual. The employees of transportation agencies are a critical resource for maintaining a safe and secure operating environment.
They represent an omnipresent team of experienced people who are knowledgeable and insightful about the daily work of the agency as well as the normal operating and environmental conditions of the workplace. Similar to safety, regardless of size or risk, transportation agencies at minimum should implement a security awareness program that enables all personnel to contribute to the security of the operating environment. In a nutshell, “[s]ecurity is everybody’s business.” (2014 NCHRP Report 793) For example, in response to a bomb threat in an administrative area, an office worker is better equipped to find a suspicious item or package in his or her workplace than first responders who lack familiarity with the surroundings. Frontline employees perform work in stations, on vehicles, or on roadways or rights of way and, as such, are often the first to observe that something is wrong. But transportation agencies cannot assume that employees will focus upon security issues, understand the security risk, know how to respond to the threat, and report issues in a timely and appropriate manner without appropriate awareness training.

AASHTO 4th Generation Strategic Plan aims to enhance state DOT awareness of security and emergency management topics, and Key Prevention Capabilities of state DOTs in the 2015 AASHTO Fundamentals Guide comprise security awareness issues. The NCHRP 20-59(43) Incorporating Transportation Security Awareness Into Routine State DOT Operations And Training project survey results revealed that 60% of the 31 responding agencies required or encouraged transportation security training.

Awareness activities focus attention on physical and cybersecurity issues, reinforce behaviors, and help personnel retain basic information; in addition, as noted in the 2015 AASHTO Fundamentals Guide, attention should be given to supporting agency business needs and processes (e.g., vehicles and maintenance facilities, and transportation management centers).
Some programs fail or are only moderately effective because of a lack of organizational readiness. The fundamental capabilities required to support organizational readiness for the implementation of a security awareness program are:
• Management support – security is a top-down organizational activity.
• Reporting structure – determine what gets reported to whom, and determine when and how to contact an external law enforcement agency; “what” includes who, what, where, when, and details of involved persons, objects, or vehicles.
• Awareness behaviors – determine which areas and awareness behaviors need emphasis. Areas may include agency vehicles, stations, critical infrastructure, and control center/IT operations. Behaviors related to physical security may include recognizing and reporting indicators of crime or terrorism (trespassing, surveillance, theft, vandalism, sabotage), recognizing and reporting unusual or unattended objects, and recognizing and reporting unusual or suspicious people or activities. Behaviors related to cybersecurity include following basic security policies and procedures, removing unnecessary applications and functions from systems, and changing default configuration options and passwords.
• Integration and documentation of security procedures – integrate security awareness procedures with existing security procedures, and document them.
• Leveraging existing organizational relationships with law enforcement – if applicable, use existing emergency reporting procedures when contacting law enforcement.
(2014 NCHRP Report 793, 2016 NCHRP Cybersecurity Primer)

Selected examples of physical security awareness material and training are provided in Figure 52, Figure 53, and Figure 54.

Figure 52: FBI Advisory. Source: Federal Bureau of Investigation

Figure 53: "If You See Something, Say Something™" Campaign Materials. Source: Transportation Security Administration

Figure 54: First Observer Plus™ Video Training. Source: Transportation Security Administration

State Departments of Transportation

This section describes the state DOT roles, responsibilities, and training requirements. According to the 2015 AASHTO Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience, and Emergency Management (“2015 AASHTO Fundamentals Guide”), state DOTs should prepare DOT employees for their roles, ensure their understanding of plans, and provide an opportunity to test plans and validate the training. The Guide helps state DOTs accomplish this by identifying their fundamental and necessary capabilities. These capabilities help inform security awareness and training needs and content. The Training and Exercise capability states that the workforce should be trained on their roles and practice what they have learned. (Roles and responsibilities are defined in the agency’s security plans and preparedness plans as are training and exercise requirements and schedules. Plans include workplace violence plans, Emergency Action Plans, active shooter plans, emergency communications and evacuation plans, other occupational health and safety plans and procedural documents, and as noted in the fourth Training and Exercise capability topic, from lessons learned from exercises or incidents.) Cross-cutting capabilities in addition to Training and Exercises include Planning and Public Information.

Key Training and Exercise Capabilities

The following Training and Exercise Capabilities identified in the 2015 AASHTO Fundamentals Guide are minimum capabilities for the state DOT.
• Ensure that DOT employees receive training to prepare them for their roles and that they are able to practice what they have been taught to increase the effectiveness of the training.
• Incorporate security awareness into existing training, such as in new or existing employee training, including position-specific training where relevant.
For example, Texas DOT incorporates security awareness information into bridge inspector training, highlighting the need to be vigilant and to pass along information.
• Keep training, drills, and contact lists up to date.
• Identify lessons learned through after action report and incorporate recommendations into existing plans and procedures.

Key Planning Capabilities
• Use an all-hazards approach.
• Integrate security into planning.
• Ensure consistency with national planning programs.
• Coordinate planning for agency-wide consistency.
• Coordinate with regional partner plans and processes.
• Maintain support and participation from the top (critical).
• Ensure adequate distribution of plans.
• Review and update plans regularly.

Key Public Information Capabilities
• Make sure that effective communications mechanisms and people are in place so that the agency can communicate regularly and competently to all stakeholders.
• Maintain clear and streamlined communications, with coordination and a cooperative attitude among all process stakeholders.
• Communicate regularly and often.
• Be proactive by releasing relevant and related public data.
• Leverage all appropriate communication means such as social media sites and web-based and mobile technology.
• Provide 24/7 travel information and timely alerts and warnings.
• Coordinate public information and establish procedures to ensure that DOT “speaks with one voice” and releases consistent information to the public and the media.

Key Operational Coordination Capabilities
• Establish internal state transportation agency communications protocols.
• Integrate and synchronize actions of participating organizations and jurisdictions to ensure unity of effort.
• Enhance and maintain NIMS-compliant command, control, and coordination structures to stabilize the incident and transition to recovery.
• Collaborate with all relevant local and regional partners.
• Establish clear lines and modes of communication among partner organizations and jurisdictions.
• Coordinate with appropriate local, regional, and national partners such as non-government organizations.

Key Prevention Capabilities

As noted earlier, Prevention capabilities revolve around security awareness initiatives which have been included in the Awareness portion of this Section.
The Prevention capabilities listed in the 2015 AASHTO Guide include:
• All transportation employees contribute to security and prevention.
• Establishing security awareness of all employees can support prevention.
• Because of their constant presence on agency premises, employees are uniquely positioned to identify issues, problems, and deviations from the usual.
• Security and safety are centrally led activities.
• Focus security awareness on supporting business needs and processes such as critical infrastructure, DOT vehicles and maintenance facilities, and transportation management centers.
• Establishing a reporting structure in advance (whom to tell and how to describe something suspicious) is critical to a security awareness program.

Key Protection Capabilities

The Protection capabilities focus on risk management, assessment, and countermeasures. These capabilities were discussed in earlier Sections of this Guide. Specialized training and education can help pertinent elements of the workforce attain each of these capabilities.
• Includes risk management and risk assessment, plans and strategies, and countermeasures and adaptations.
• Understand the sensitivity of system assets, infrastructure, and services to different types of events.
• Understand interdependency of critical infrastructure.
• Integrate asset protection with broader transportation planning efforts, such as identification of long-term transportation capacity needs.
• Consider countermeasures to address possible vulnerabilities such as access control and system hardening for both physical and cybersecurity.

Key Mitigation Capabilities

Mitigation capabilities identified in the 2015 AASHTO Fundamentals Guide include:
• Conduct vulnerability assessments to identify known and unknown risks, present and future.
• Identify key dependencies and interdependencies, including mapping potential cascading effects from potential infrastructure disruptions.
• Monitor likely problem areas and explore mitigation/resiliency strategies to minimize impact. Examine activities to reduce asset loss or human consequences (such as injuries or fatalities).
• Collaborate with regional partners and stakeholders.
• Consider applicable standards and best practices for mitigation plans and for incorporating resilience into asset and system design.
• Identify mitigation approaches such as seismic retrofitting, elevation changes, and flood proofing. Determine whether adaptations such as environmental buffers can be incorporated into the infrastructure design to mitigate the effects of natural disasters.

Response and Recovery

Security is generally considered the phase leading up to and until responders arrive.
However, according to the 2014 National Strategy for Transportation Security (NSTS): Report to Congress, response and recovery preparedness against a security event such as a terrorist attack should be emphasized as well as attack prevention. The report recommends response training for Chemical and Biological Threats for frontline transit employees and participation in local security exercises to ensure familiarity with plans, procedures, and capabilities. In addition, during an active threat incident, knowing how to respond can be a lifesaver. Understanding proper documentation procedures is also important for reimbursement purposes for major disasters and emergencies. Further, since any phase can be impacted by a security incident, security issues should be addressed during emergency response and recovery phases as well. State DOT emergency preparedness training and exercise needs for response and recovery planning including the importance of NIMS and ICS training are discussed at length in the 2017 NCHRP 20-59(51)B A Guide To Emergency Management At State Transportation Agencies.

Additional Training Needs

Additional security-related training needs include training required for security equipment or technology or personal protective equipment. The following topics are also pertinent to certain categories of agency employees: agency risk and vulnerability assessments, building/facility security, bridge and tunnel security, security design/crime prevention through environmental design, regional or state plans and/or legislative mandates and standards (e.g., the National Incident Management System (NIMS) training standard) and grant requirements. Large-scale exercises and planned events usually involve multiple agencies and require training. The events are also an opportunity for personnel to practice what they have learned.

As noted earlier, there is a need for transportation cyber specialists who have an in-depth grasp of both transportation and cybersecurity issues, and understand existing and emerging cyber-physical dependencies and concomitant risks. Hence, cross-training between IT and engineering/operations/Industrial Control Systems functions and between cybersecurity functions and physical security functions will promote better understanding of interdependencies and vulnerabilities and enhance preparedness against mutual threats.

In addition, active threats including active shooter, edged weapons, vehicle ramming, and flash mobs are becoming a concern for transportation agencies. These active threats often last a short period of time and end before the arrival of law enforcement; hence, as immediate response is necessary for survival, preparing the workforce for active threat incidents is vital.

As more attention is placed on resilience, transportation agencies will be under increased pressure to institute resiliency/sustainability measures. Understanding resiliency with respect to security and cybersecurity will be an important training topic for transportation employees, in particular, MPO staff. MPO staff will require training on security and cybersecurity planning as well as new resiliency and reliability planning factors introduced in the FAST Act.

There is also a need for specialized training for DOT transit grant managers in administering federal and state transit grants. Safety and security are topics included in the 2014 NCHRP Web-only Document 203: Curriculum for New State DOT Transit Grant Managers in Administering Federal and State Transit Grants.
Further, AASHTO’s Managing Catastrophic Transportation Emergencies Guide stresses the importance of involving the CEO of transportation agencies in training and exercises. The CEO of the state DOT is responsible for the agency’s EOP, training and exercise program, and continuity of operations plan. Continuity of operations plans help ensure that agencies will be able to continue essential functions during an emergency. The 2013 FEMA Continuity Guidance Circular 1 for non-federal governments provides continuity training and exercise specifications and guidance.

Transit Agencies

As described earlier, after September 11, 2001 and the terrorist attacks on rail transit systems in Madrid, Paris, London, and Mumbai, the transit industry has been creating security awareness campaigns and awareness training resources adaptable by transit agencies to their systems. For instance, the MTA developed the successful “If You See Something, Say Something®” security awareness campaign and delivered it using a variety of information dissemination techniques and media including video, posters, TV and radio advertisements. Subsequently, “If You See Something, Say Something®” transitioned into a national security awareness program, the Transit Watch program initiated in 2003 by the FTA that was operated as a partnership with APTA, ATU and DHS.

APTA Recommended Practice on Security Awareness Training for Transit Employees (2012) provides minimum guidelines for security awareness training and baseline training. The Recommended Practice is applicable to transit agencies of all sizes or modes, and stresses the significance of involving the entire workforce including certain contract employees to avoid the “gaps and vulnerabilities” that could otherwise be created. Required learning objectives for Security Awareness programs include:
• Security awareness
  o Understand the need for security awareness, transit priorities, and importance of security for transit systems
  o Explain the importance of and ability to recognize the difference between normal, suspicious and dangerous activity
  o Define roles and immediate actions to respond to dangerous activity
• Threats and vulnerabilities to the transit system - risk management concept, identifying threats/vulnerabilities/consequences, and identifying countermeasures
• Security concerns - recognizing transit crimes, defining terrorism and recognizing terrorist activity
• Recognizing, reacting, reporting and responding to transit crime and terrorism activities
• All transit employees' roles in security awareness

A basic security awareness training program example curriculum outline includes:
• System Security Awareness for Transportation Employees, NTI
• Terrorist Awareness Recognition and Training, NTI
• Transit Response to Bus or Rail Hijackings Seminar, TSI
• Active Shooter Scenario Training, Various
• Shelter in Place Training, Various

The 2010 MTI study on Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area found the following best practices for passenger security awareness campaigns which are also applicable to employee awareness initiatives:
• Emulate existing campaigns (to save on agency resources)
• Use multiple media
• Use consistent branding and messaging
• Use simple, actionable messages (without scaring passengers)

Awareness delivery techniques selected by the agency depend on audience, content/message length and complexity, training frequency, and available resources. NCHRP Report 793 highlights communications strategies for awareness messages that employ existing delivery vehicles; they include the following:
• Senior management can include security awareness in all of their communications to their employees.
• Managers and supervisors can talk about security at meetings and events.
• Security topics can be discussed at the small unit level.
• Awareness messages may be attached to regular agency newsletters, emails, paychecks, reports, etc. or disseminated through posters, reminder sheets, and employee wallet cards.
• Security awareness can be incorporated via short modules into new or existing training, or into position-specific training. Or, employees may be directed to the FEMA or DHS training materials.
NCHRP Report 793, Section 4 (2014)

The 2012 APTA Recommended Practice on Security Awareness Training cites the following key training topics in addition to security awareness:
• Behavioral awareness - the ability to identify suspicious behaviors can help personnel alert law enforcement and prevent an incident from occurring.
• Surveillance - being able to recognize and report surveillance activities such as taking photos of a transit facility can prevent an attack.
• Response procedures - knowing how to respond to security events can save lives; for instance, knowing what to do in an active shooter situation can help personnel survive and also help their co-workers and the injured to survive as well.
• Self-protection - self-defense training with and without tools is discussed in the 2011 TCRP Synthesis 93 Practices to Protect Bus Operators from Passenger Assault. Because significant injury may occur in a matter of minutes, self-defense training and tools can help protect operators against assault. At the same time, agencies perceive liability issues linked to self-defense tools and have not generally issued them to operators. The Synthesis, however, identified one transit agency which provided a self-defense tool (pepper gel) to their operators and another which offered training on pepper spray. Agencies were more likely to provide self-defense training without self-defense tools.

Transportation agencies should also consider providing transportation managers and employees with a working knowledge of security concepts, guidelines, nomenclature and processes. The emphasis of such follow-on security training programs should be to help personnel attain better understanding of (1) the nature of threats against the agency, (2) the methods and strategies available to minimize or reduce those threats and, (3) the implementation process for improving security. Employee knowledge of the underlying rationale for deploying security countermeasures will go a long way towards ensuring that an appropriate level of risk reduction becomes a part of the agency's operations.

Role-specific training will vary based on position or function and will include detailed information on threats, vulnerabilities, and countermeasures specific to the function, immediate actions based on threat type, and service continuity and restoration procedures. For bus operators, for example, the following topics may comprise their security training curriculum.
• Threats, vulnerabilities, and countermeasures
• Pre-trip inspection
• Vehicle securement
• Fare enforcement
• Customer assistance
• Self-protection against active threats
• Emergency evacuation and shelter-in-place procedures
• Fire suppression
• Panic button and emergency communications
• Customer communications/verbal de-escalation
• Interacting with responders/how to handle on-scene investigations
• Service continuity and restoration

The following training topics are included in Section 1408 of the "Implementing Recommendations of the 9/11 Commission Act of 2007" (9/11 Commission Act), Public Law 110-53; 121 Stat. 266 (August 3, 2007):
• Determination of the seriousness of any occurrence or threat
• Crew and passenger communication and coordination
• Use of personal protective devices and other protective equipment
• Appropriate responses to defend oneself, including using nonlethal defense devices
• Evacuation procedures for passengers and employees, including individuals with disabilities and the elderly
• Training related to behavioral and psychological understanding of, and responses to, terrorist incidents, including the ability to cope with hijacker behavior, and passenger responses
• Live situational training exercises regarding various threat conditions, including tunnel evacuation procedures
• Recognition and reporting of dangerous substances and suspicious packages, persons, and situations
• Understanding security incident procedures, including procedures for communicating with governmental and nongovernmental emergency response providers and for on scene interaction with such emergency response providers
• Operation and maintenance of security equipment and systems
• Other security training activities that the (DHS) Secretary deems appropriate.

While it may be difficult for transit agencies to immediately include all topics listed in its training program, the FY2017 Transit Security Grant Program states that security plans should contain a strategy and timeline for conducting Section 1408 training. Section 1408 is currently in the National Proposed Rule Making stage; TSA has solicited comments on Security Training for Surface Transportation Employees (81 FR 91336). The proposed rule would apply to:
• Public transportation and passenger railroads in the eight regions with the highest transit-specific risk (approximately 46 systems) and Amtrak.
• Over-the-road bus owner/operators providing fixed-route service to/through/from the highest-risk urban areas (approximately 202 owner/operators.)
• Class I freight railroad carriers, railroads transporting Rail Security-Sensitive Materials through identified High Threat Urban Areas, and railroads with other higher-risk rail operations.

The proposed rule would require these entities to:
• "Develop security training programs to enhance and sustain the capability of their security-sensitive employees to observe, assess, and respond to security incidents as well as to have the training necessary to implement their specific responsibilities in the event of a security incident.
• Submit the required security training program to TSA for review and approval.
• Implement the security training program and ensure all existing and new security-sensitive employees complete the required security training within the specified timeframes for initial and recurrent training.
• Maintain records demonstrating compliance and make the records available to TSA upon request for inspection and copying.
• Appoint security coordinators and alternates-who will be accessible to TSA 24 hours per day, 7 days per week-and transmit contact information for those individuals to TSA (an extension of current 49 CFR part 1580 requirements).
• Report significant security incidents or concerns to TSA (an extension of current 49 CFR part 1580 requirements).
• Review and update security training programs as necessary to address changing security measures or conditions."

Also, training specifically identified as being required through the transit agency's security assessments should be included in security plans.

Transit Police Training

Larger transit agencies have in-house transit police and/or security personnel. These officers may receive specialized training such as Behavioral Assessment Training, Counterterrorism Training, and Hazmat training. Officers required to use explosives detection technology or canine or radiological or chemical detection devices require appropriate training. Large transit systems have conducted random bag inspections and passenger security inspections - officers assigned to perform inspections will need training. Transit police with Special Weapons and Tactics (SWAT) Teams need to deliver specialized training to team members on equipment and techniques. Transit police also deploy high visibility foot and vehicle patrols as well as plainclothes officers to combat crime and terrorism. These patrol officers should be
provided with appropriate training on patrol techniques. Police departments employing any other law enforcement technique or special equipment or technology should provide training to their officers along with opportunities such as drills and exercises for them to practice what they have learned.

Security and Cybersecurity Awareness Resources

The transportation industry, its associations such as AASHTO and APTA, research organizations including the Transportation Research Board (TRB), educational institutions and government agencies such as DHS/TSA, DOT, DOJ, FHWA, FTA and CDC have developed a significant body of security awareness information important to the transportation sector. For instance, TRB's National Cooperative Highway Research Program (NCHRP) Report 525: Surface Transportation Security, Volume 7: System Security Awareness for Transportation Employees is a CD-based interactive multimedia training course designed to help transportation employees, supervisors, and managers define their roles and responsibilities in transportation system security, recognize suspicious activities and objects, observe and report relevant information, and minimize harm to themselves and others. Course modules focus on system security, reducing vulnerability, suspicious activity, suspicious objects, top priorities, and preparation.

NCHRP Report 793: Incorporating Transportation Security Awareness into Routine State DOT Operations and Training highlights the importance of security awareness for all state DOT employees and contractors. Through a flexible "campaign" approach, the Guide outlines techniques to integrate all-hazards security awareness concepts and reminders into routine state DOT operations, maintenance, and training. A selection of available information resources useful for physical and cybersecurity awareness and initiatives is provided on the next page.
Security Awareness Information Resources

1. AASHTO National Operations Center of Excellence https://transportationops.org/
2. Recommended Practices: Security Awareness Training for Transit Employees, American Public Transportation Association 2012 http://www.apta.com/resources/standards/Documents/APTA-SS-SRM-RP-005-12.pdf
3. DHS If You See Something, Say Something™ print materials and video and audio awareness items in English and Spanish https://www.dhs.gov/see-something-say-something/campaign-materials
4. DHS Bomb Threat Checklist http://emilms.fema.gov/is906/assets/ocso-bomb_threat_samepage-brochure.pdf
5. DHS Counter-IED Awareness Products https://www.dhs.gov/counter-ied-awareness-products
   a. Awareness cards and posters
   b. DHS-DOJ Bomb Threat Stand-off Guide
   c. DHS Bomb Threat Checklist
   d. DHS-DOJ Bomb Threat Guidance
   e. DHS Vehicle Inspection Guide and Video
   f. Vehicle-Borne IED Identification Guide: Parked Vehicles
   g. First Responder Support Tools
6. Transportation Security Administration (TSA) https://www.tsa.gov/for-industry/surface-transportation
   a. Employee Guide to System Security - Commuter Bus (Pocket Guide)
   b. Employee Guide to System Security - Commuter Rail (Pocket Guide)
   c. Employee Guide to System Security - Heavy Rail (Pocket Guide)
   d. Employee Guide to System Security - Light Rail (Pocket Guide)
   e. System Security Awareness for Transit Employees (CD) - also available in Spanish
   f. The Mark (DVD)
   g. Warning Signs (DVD)
   h. Visible Intermodal Prevention and Response (Pamphlet)
   i. Motor Coach (Pocket Guide)
   j. Trucking (Pocket Guide)
   k. Highway Infrastructure (Pocket Guide)
   l. School Bus (Pocket Guide)
   m. Hazmat Motor Carrier Security Action Item Training (Brochure)
   n. First Observer: School Transportation Security Training (School Bus and School Transportation) available with Spanish subtitles
   o. First Observer: Operation Secure Transport (Motorcoach) available with Spanish subtitles
   p. School Transportation Security Awareness
   q. Hazmat Motor Carrier: Security self-assessment training
   r. IED Detection and Recognition for Railroad Employees (CD)
   s. On the Tracks: Rail Sabotage Awareness and Reporting (CD)
   t. On the Tracks: Rail Sabotage Awareness and Reporting (Poster)
   u. On the Tracks: Rail Sabotage Awareness and Reporting (Brochure)
   v. Security Awareness for Passenger Vessel Employees (CD)
   w. VBIED/IED Recognition/Response for Passenger Vessels and Terminals (CD)
   x. Crowd Control for Passenger Vessels and Terminals (CD)
   y. Maritime Terrorism and Hijacking Situations (CD)
   z. Screening Procedures (CD)
   aa. Terminal and Vessel Evacuation Procedures (CD)
7. First Observer Plus™ Program - multiple modes https://www.tsa.gov/for-industry/firstobserver
8. Federal Transit Administration (FTA) Transit Agency Security and Emergency Management Protective Measures (CD)
9. National Transit Institute Guides www.ntionline.com
   a. Employee Guide to All-Hazards Awareness and Preparedness
   b. Employee Guide to Preventing Workplace Violence
   c. Infectious Disease Awareness and Prevention
   d. Emergency Preparedness Guide for Transit Employees: On the Job and At Home
10. FEMA National Training and Education Division (NTED) https://www.firstrespondertraining.gov/content.do
11. FEMA Training Operations Course Catalog https://www.firstrespondertraining.gov/webforms/pdfs/gt_catalog.pdf
12. FEMA Emergency Management Institute (EMI) http://training.fema.gov/is/
   a. Workplace Security Awareness (IS-906)
   b. Active Shooter: What You Can Do (IS-907)
   c. Surveillance Awareness: What You Can Do (IS-914)
   d. Critical Infrastructure Security: Theft and Diversion - What You Can Do (IS-916)
   e. Workplace Violence Awareness Training 2014 (IS-106.14)
   f. Protecting Critical Infrastructure Against Insider Threats (IS-915)
13. MTI National Transportation Security Center of Excellence (NTSCOE) Exploring the Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area, 2010
14. Transportation Safety Institute http://www.tsi.dot.gov/
15. Rural Domestic Preparedness Consortium (RDPC) http://www.ruraltraining.org/training/courses/
16. Federal Bureau of Investigation (FBI) Guide to Concealable Weapons, Federal Bureau of Investigation (FBI) 2003 http://www.cutr.usf.edu/security/reports.htm
17. ATF Bomb Threat Checklist ATF 1613.1, Bureau of Alcohol Tobacco and Firearms June 1997 http://www.state.tn.us/homelandsecurity/bomb_checklist.pdf
18. Improvised Explosive Device (IED) Safe Standoff Distance Cheat Sheet, US Army National Ground Intelligence Center
19. Terrorist Bomb Threat Stand-Off Card, (Pocket Guide) Technical Support Working Group http://www.cttso.gov/?q=node/243
20. Best Practices for Safe Mail Handling, DHS Interagency Committee September 2006
21. Biological Attack Human Pathogens, Biotoxins, and Agricultural Threats, National Academy of Sciences 2004 www.nae.edu/nae/pubundcom.nsf/weblinks/CGOZ-642P3W?OpenDocument
22. Chemical Attack Warfare Agents, Industrial Chemicals, and Toxins, National Academy of Sciences 2004 www.nae.edu/nae/pubundcom.nsf/weblinks/CGOZ-642P3W?OpenDocument
23. Nuclear Attack, National Academy of Sciences 2004 www.nae.edu/nae/pubundcom.nsf/weblinks/CGOZ-642P3W?OpenDocument
24. Radiological Attack Dirty Bombs and Other Devices, Academy of Sciences 2004 www.nae.edu/nae/pubundcom.nsf/weblinks/CGOZ-642P3W?OpenDocument
25. Worker Training in a New Era: Responding to New Threats, Department of Health and Human Services NIOSH October 2002
26. Dirty Bombs Fact Sheet, United States Nuclear Regulatory Commission March 2003
27. Dirty Bombs - Fact Sheet, Department of Health and Human Services, Centers for Disease Control and Prevention (CDC) July 2003 PDF http://www.cdc.gov
28. What You Should Do To Prepare For and Respond to Chemical, Radiological, Nuclear and Biological Terrorist Attacks, RAND Corporation 2003
29. National Cooperative Highway Research Program (NCHRP) Report 525: Surface Transportation Security Volume 1, Responding to Threats: A Field Personnel Manual, 2004 www.trb.org/TRB/publications/Publications.asp
30. NCHRP Report 793, National Cooperative Highway Research Program Incorporating Transportation Security Awareness into Routine State DOT Operations and Training, 2014
31. NCHRP Report 525: Surface Transportation Security Volume 7 - System Security Awareness for Transportation Employees, 2005 http://www.trb.org/Main/Blurbs/154638.aspx
32. NCHRP 20-59(51)B Draft Interim Report: A Guide to Emergency Management at State Transportation Agencies, Second Edition, 2017
33. NCHRP Synthesis 468: Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance and Operations Field Personnel, 2015
34. Transit Cooperative Research Program (TCRP) Report 86, Public Transportation Security, Volume 5: Security-Related Customer Communications and Training for Public Transportation Providers
35. TCRP F-21 Tools And Strategies For Eliminating Assaults Against Transit Operators, 2017
36. TCRP Report 180: Policing and Security Practices for Small- and Medium-Sized Public Transit Systems, 2015
37. TCRP Synthesis 80, Transit Security Update: A Synthesis of Transit Practice http://onlinepubs.trb.org/onlinepubs/tcrp/tcrp_syn_80.pdf
38. TCRP Report 86, Volume 9, Guidelines for Transportation Emergency Training Exercises
39. What You Should Do to Prepare for and Respond to Chemical, Radiological, Nuclear and Biological Terrorist Attacks, RAND Corporation, 2003. http://www.rand.org/pubs/monograph_reports/MR1731z2.html
40. DHS ICS-CERT Control Systems Security Program (CSSP) and Virtual Learning Portal https://ics-cert-training.inl.gov/
41. Federal Virtual Training Environment (free on-demand training) https://niccs.us-cert.gov/training/federal-virtual-training-environment-fedvte
42. TSA Surface Transportation Cyber Toolkit https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit
43. NCHRP Protection of Transportation Infrastructure from Cyber Attacks: A Primer Transportation Systems Sector Cybersecurity Framework Implementation Guidance http://nap.edu/23516
44. Airport Cooperative Research Program (ACRP) Report 140 Guidebook on Best Practices for Airport Cybersecurity, 2015 http://trbcybersecurity.erau.edu/resources/acrp_rpt_140.pdf
45. National Institute of Standards and Technology (NIST) offers many relevant resources and standards including the following Special Publications
   a. SP 800-16 A Role-Based Model for Federal Information Technology/Cybersecurity Training, Revision 1 (Third Draft, 2014)
   b. SP 800-50 Building an Information Technology Security Awareness and Training Program (2003)
   c. SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (2006)
46. 2017 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework
47. American Public Transportation Association Recommended Practices: Securing Control and Communications Systems in Transit Environments
   a. Part I: Elements, Organization and Risk Assessment/Management
   b. Part II: Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones
   c. Part III: Attack Modeling Security Analysis White Paper
Cybersecurity Awareness and Training

The 2012 Transportation Roadmap created by DHS, Volpe Center, and industry stakeholders seeks to build a "culture of cybersecurity" that includes an Industrial Control Systems (ICS) cybersecurity governance model and a cybersecurity awareness training program. The desired end state of this Roadmap is the merging and integration of cybersecurity and ICS along with a cybersecurity culture in which cybersecurity best practices are a way of life. The IT unit protects information assets and will address information security issues while engineering operations will typically address ICS and other operations systems security. While traditionally these groups have been isolated from each other, the growing cyber-physical threats and incorporation of connectivity, IT protocols and remote access capabilities into operations systems necessitate effective coordination and communication between the units as well as between the units and physical security functions.

In the 2014 NIST Cybersecurity Framework as well, Awareness & Training is highlighted as a key component of the PROTECT function. The category is described as follows: the organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities. The 2015 TS SSP promotes workforce learning through inclusion of cybersecurity training in security and resilience plans as a condition for receipt of security and resilience grants. The 2017 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework includes Awareness and Training as an important countermeasure.
The Workforce Framework recommends that "the organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements." The key underlying principle is that all users including contract employees with access to the agency's network and computer systems need awareness education while certain positions require role- and/or responsibility-specific training.

Cybersecurity Awareness Content

Cybersecurity Awareness training content typically covers agency policies and procedures, rules of behavior for use of IT systems and networks, good practices, threats and countermeasures, and reporting procedures. More specifically, NIST-recommended topics include:
• Understanding agency policy on agency mobile phone and tablet security/use
• Understanding agency policy on personal mobile phone and tablet security/use
• Ability to recognize potential threats including social engineering attempts
• Ability to differentiate between real and fake messages
• Ability to respond appropriately and report an incident
• Knowing when and how to report an incident
• Understanding record-keeping procedures
• Understanding effective password management techniques
• Understanding the implications of security breaches
(NIST SP 800-16, NIST SP 800-50)

Awareness content should be refreshed and updated on a regular basis incorporating latest threat and incident information and alerts. Examples of cybersecurity awareness content are provided in Figure 55 and Figure 56.
Figure 55: Cybersecurity STOP. THINK. CONNECT.™ Awareness Material (https://stopthinkconnect.org)
Figure 56: Data Privacy Day Campaign Material. Staysafeonline.Org/Data-Privacy-Day.

Cybersecurity Awareness Delivery

Specific NIST recommendations on Awareness delivery mechanisms include the following:
• Posters, "do and don't lists," or checklists
• Screensavers and warning banners/messages
• Newsletters
• Desk-to-desk alerts
• Agency wide e-mail messages
• Videotapes
• Web-based sessions
• Computer-based sessions
• Teleconferencing sessions
• In-person, instructor-led sessions
• IT security days or similar events
• "Brown bag" seminars
• Pop-up calendar with security contact information, monthly security tips, etc.
• Mascots
• Crossword puzzles
• Awards programs
(Section 5.2, NIST SP 800-50, 2003)

Cybersecurity Training Content

The 2014 NIST Cybersecurity Framework identifies key high-level cybersecurity functions and related training topics. Assistance in implementing the Framework is found in Transportation Systems Sector -- Cybersecurity Framework Implementation Guidance and NIST resources and guidance. The cybersecurity content provided in the 2016 NCHRP Cybersecurity Primer may serve as the basis for Cybersecurity training. Selected resources for training content are also provided later in this Section and in
the Appendix of the Primer. Two national initiatives of note are the National Initiative for Cybersecurity Careers and Studies (NICCS) and The National Initiative for Cybersecurity Education (NICE).
• The National Initiative for Cybersecurity Careers and Studies (NICCS) is a national resource on cybersecurity awareness, education, careers, and workforce development opportunities. Previously developed cybersecurity courses or modules can also be accessed via this resource. Access NICCS at http://niccs.us-cert.gov
• The National Initiative for Cybersecurity Education (NICE) is being led by NIST with the cooperation of 20+ federal departments and agencies. The goal of NICE is a national cybersecurity education program for the development and use of sound cyber practices by federal employees, civilians, and students, and includes the following three components:
  o Component 1: National Cybersecurity Awareness (Lead: Department of Homeland Security (DHS))
  o Component 2: Formal Cybersecurity Education (Co-Lead Department of Education (DoED) and National Science Foundation (NSF))
  o Component 3: Cybersecurity Workforce (Lead: DHS, OPM, DoD, DOL)

State DOT and transit cybersecurity guidelines and recommended practices are included in the 2016 NCHRP Cybersecurity Primer.

Training Delivery

Various training delivery methods ranging from computer-based training to classroom training to exercises are available to transportation agencies. The methods implemented by the agency will depend on agency size, geographic dispersion of the workforce, staff schedules, training content and objectives, budget, and predilections of the organizations. Training implementation is difficult, especially for frontline personnel.
The 2015 NCHRP Synthesis Report 468 on Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance & Operations Field Personnel identified the two key training delivery issues for frontline personnel - scheduling and limited budgets. Delivery of training to frontline personnel whose schedules are usually inflexible requires overtime or "backfill" pay expenditures. Additional challenges identified were lack of qualified training staff, personnel turnover, distance issues, senior management issues, inadequate facilities and other resources, and insufficient information about available training.

Transit agencies face training delivery challenges as well. As mentioned in the 2015 TCRP Report 180 Policing and Security Practices for Small- and Medium-Sized Public Transit Systems, smaller agencies, in particular, have significant budgetary constraints limiting their ability to implement awareness initiatives including training. Solutions include computer-based training and in-person training. While in-person training is always synchronous in nature and requires scheduling, computer-based training can be either synchronous or asynchronous.

Computer-based training solutions - The advantages of computer-based training are many. They are easily accessible wherever there is internet. Certain types of computer-based training are accessible without internet connection, and some training is also available through mobile smartphone and tablet applications. Training that is available on demand alleviates scheduling constraints and allows personnel to learn during their breaks or downtime when it is convenient for them.
Training platforms now offer automated recordkeeping and progress-tracking, lessening administrative requirements, and advances in online training technologies allow for increased interactivity between participants and the learning tool or instructor. Therefore, there is greater confidence in using computer-based delivery methods for technical training. (Shaffer, 2016) Still, the quality and level of interaction provided by computer-based training can vary,
and students must have self-discipline to avoid distractions. Agencies must also be aware that some frontline or field personnel may not be familiar with computers and may require basic PC skills training prior to taking computer-based training.

Computer-based training identified and discussed in the 2015 NCHRP Synthesis 468 included the following:
• Online (synchronous) training with live instructors: Online training with live instructors (e.g., webinars) is a synchronous method of training. Software that facilitates the delivery of webinars, facilitation of student-instructor and student-student interaction, and recordings of training sessions is readily available.
• Asynchronous training: Self-paced training without the presence of live instructors, asynchronous training requires self-discipline but can still be interactive and maintain trainee interest and attention. Examples include YouTube videos and prepackaged CDs and DVDs.
• Computer simulations and virtual exercises: Full-scale exercises can cost hundreds of thousands of dollars but a virtual exercise can be conducted at a fraction of the cost. Computer simulations and virtual exercises immerse participants in realistic environments, allow real-time interaction, and can be delivered using web-based or non-web-based technologies. Recently, interactive games have been developed to give stakeholders simulated experience with response and recovery. While facilitation and scheduling are typically required, some provide on-demand learning features for individual players and, hence, can be both synchronous and asynchronous.
• Just-in-time training (JITT): JITT is used to train personnel on specific skills not needed on a continuous basis. While JITT is not always computer-based, agencies have noted a preference towards computer-based training for delivery of this type of training.
Face-to-face training solutions identified and discussed in the 2015 NCHRP Synthesis 468 included the following:
• Field crew meetings: Field crew meetings, regularly scheduled meetings at the district level, can be a cost-effective solution to the provision of training.
• Interjurisdictional and interagency training and exercises: These are useful for preparation for larger and more complex disasters and emergencies that require effective coordination among transportation agencies; public safety agencies; and private and nonprofit organizations.
• Joint training: Combining similar training topics can alleviate scheduling challenges and enhance intra-agency communications by providing personnel from different divisions or units an opportunity to interact. For instance, Texas DOT included security awareness in its bridge inspector training.
• Train-the-trainer (TTT): TTT training leverages resources by training one or more in-house trainers or otherwise qualified personnel who then provide the training to other personnel. This strategy is especially useful to train large numbers of personnel in a relatively short time.
• Planned events, incidents, and exercises: Because disasters do not happen regularly, planned events, incidents, and exercises are excellent opportunities for personnel to practice what they have learned. After-action reports and lessons learned for planned events, exercises, and major incidents and disasters can identify additional training needs and gaps for individual field personnel and teams, and provide useful training content and scenarios.
• Classroom training: Classroom training [including training via closed circuit television (CCTV), video teleconferencing (VTC), and Voice over Internet Protocol (VoIP)] is a synchronous, high-quality, and interactive training method. The instructor can use various media and technology options to facilitate learning and maintain participant interest.
Advantages and disadvantages of these training methods are summarized in Table 20 below.
Table 20: Training Delivery Methods - Advantages and Disadvantages

Field Crew Meetings
Advantages: Meetings are brief and are held on a regular basis at a location/time convenient to field personnel. Meetings are also focused and very relevant to field crew. Hands-on training is possible. Field personnel can practice a procedure or skill.
Disadvantages: None

Just-in-Time Training
Advantages: High retention of training content. Cost-effective.
Disadvantages: Personnel are not provided the opportunity to practice a skill or process before its real-life application. Taking the time to train personnel may delay the response effort. Training personnel in an emergency situation when their level of stress is high may hinder the learning process.

Interjurisdictional and Interagency Training and Exercises
Advantages: Opportunity for face-to-face interactions with peers from other response agencies through these exercises is essential preparation for larger and more complex events. They will also help agencies and their field personnel understand the ICS structure, their roles and responsibilities within the structure, and how they should integrate with personnel from other entities for these events.
Disadvantages: Scheduling difficulties may impede the ability of a large percentage of field personnel to attend these sessions.

Joint Training
Advantages: Scheduling difficulties may be mitigated by delivering emergency training in conjunction with another related topic. Intra-agency interaction and communications may be facilitated.
Disadvantages: Emergency component may need to be shortened or modified.

Asynchronous Training - Computer-based Training without Live Instructors
Advantages: Alleviates the need to schedule the training in advance. Allows 24-hour access to the material. Some on-demand services offer automated record keeping and trainee progress tracking.
Disadvantages: Lack of ability to interact with other students and instructor limits learning. Student distraction may be more likely. Self-direction is needed.

Asynchronous Training - Prepackaged DVDs and CDs
Advantages: Allows trainers to select appropriate training videos or CD or DVD training packages that are the best value for their needs. The packages usually focus on a particular topic and contain a variety of tools. Cost-effective because many trainees may view the content typically for a fixed cost. Online on-demand training may charge the agency per trainee.
Disadvantages: When VTC, CCTV, or SKYPE technology is used, technology-related issues can arise and connectivity and quality of the transmission may be inconsistent. Training videos and packages on CD ROMs and DVDs are not "on-demand;" the training needs to be scheduled.
With VTC, CCTV, or SKYPE technology, it is possible to present the content to multiple locations. Interaction with instructors and other trainees is limited.

Train-the-Trainer
Advantages: Cost-effective way to leverage limited resources. Alleviates having to hire additional training staff or consultants.
Disadvantages: Content dilution could be possible as additional training tiers are added.

Planned Events, Incidents
Advantages: Both planned events and incidents are good opportunities to practice coordination, communications, resource mobilization, and traffic management/control strategies. Traffic incidents happen daily and provide many opportunities for practice.
Disadvantages (Incidents): There is no guarantee that a series of minor incidents, aside from traffic accidents, will occur prior to a disaster. Incidents, even minor ones, have more risk associated with them; for instance, a minor traffic accident could become a multicar crash with many fatalities and injuries.

Computer-Assisted Simulations
Advantages: A large, geographically dispersed audience can be reached. Allows identification of weaknesses or resource deficiencies in training, plans, procedures, and policies. Allows the participation/interaction of key personnel in different geographic regions. Improves individual performance, organizational communication, and coordination. Dangerous scenarios may be simulated safely. May or may not be web-based.
Disadvantages: Good PC and Internet skills necessary for learners to gain full advantage of training. In remote locations or other areas, bad or no Internet access can hinder training. Unforeseen connection problems may arise during training. If on the host's end, training may be interrupted. Bandwidth issues may cause delay or disruption. May lack realism, and may not provide a true test of capabilities in an emergency situation. For synchronous simulations, scheduling can be a problem.

Classroom Training
Advantages: Can present up-to-date information.
Summarizes materials from various sources. Can adapt the material to student backgrounds and interests. Highlights important concepts and materials. Instructor enthusiasm can motivate students and enhance learning (McKeachie and Svinicki 2013).
Disadvantages: Reduced development of problem-solving skills and interaction among students if sufficient interaction opportunities are not provided. Scheduling difficulties. Cost of the training and travel, including time. (Scheduling and travel issues may be alleviated through the use of VTC, VoIP, or similar technology.)

Online Training with Live Instructors
Advantages: Cost is lower vs. classroom training. Training is standardized.
Disadvantages: Training must be scheduled in advance.
Training can be provided anywhere with web access. Trainees may be distracted. Ability to monitor student progress may be limited. Access to a PC and Internet are required. Familiarity with the Internet and basic PC skills are required.
(Source: 2015 NCHRP Synthesis 468)

Whatever the method, it is important to make the training as interactive and relevant to the audience as possible. The trend towards increasing use of computer-based training methods may be due to a combination of resource constraints and improvements in computer-based training and platforms. Research conducted by the U.S. Department of Labor Employment and Training Administration (ETA) on technology-based training and services found a prevalence of blended delivery options in use by state and local stakeholders and acknowledged the value of technology-based training. The research authors, however, warned that more or sooner may not necessarily be better with respect to technology-based training due to issues including infrastructure costs and technological skills of the workforce. (U.S. DOL ETA Training and Employment Notice on Release and Availability of a Final Report, Exploring the Role and Adoption of Technology-Based Training and Employment Services, March 18, 2016)

Other professional capacity building methods supplement training to improve retention and mainstream security. According to the 2017 AASHTO SCOTSEM Transportation and Emergency Management Survey results, a mix of capacity-building methods including print/electronic training materials and webinars were favored over conferences and peer exchanges.

Resources

Training can be provided via in-house trainers, contractors or contracted courses at agency-selected locations, or train-the-trainer. State or local law enforcement or the state EMA may offer complimentary training. However, even in-house training or complimentary training by another provider requires resources to meet backfill or overtime expenses.
In addition, provision of training to all personnel can be costly even if the cost per employee is low. Agencies should therefore consider applying for federal grants to cover training costs. Grant programs include the following:
• Transit Security Grant Program
• Intercity Bus Security Grant Program
• Intercity Passenger Rail Program
• Port Security Grant Program
Additional grant programs may be identified through the Catalog of Federal Domestic Assistance.

To leverage resources, integration of security awareness and training into routine activities and training is emphasized in 2014 NCHRP Report 793. The report also provides integration methods and approaches. Further, physical and cybersecurity workforce development initiatives can be integrated into existing workforce development programs such as internship or apprenticeship programs and tuition reimbursement programs. Partnerships with other state DOTs or transit agencies, state agencies including state Emergency Management and Homeland Security agencies, colleges, universities, LTAP/TTAP or RTAP centers, unions, other organizations or memberships in professional organizations can also be leveraged to provide training and exercises. The 2015 NCRRP Report 2 A Guide to Building and Retaining Workforce Capacity for the Railroad Industry notes that on-the-job training creates positive training experiences and
recommends creating a culture of preceptorship and mentoring to address urgent knowledge transfer needs created by the high numbers of retiring personnel.

Agencies should also take advantage of training technologies to facilitate their training programs and activities. Examples of useful technologies include:
• Learning management system or LMS - allows delivery of training, tracking of user training and testing, and documentation of completed training
• Tablets/mobile devices (e.g., iPads, smartphones) - allows delivery of module-based training to field personnel in diverse locations; some applications function with or without the internet
• Virtual training/exercise systems - as noted earlier, virtual training can provide immersive learning experiences at a low cost. Transportation Emergency Response Application (TERA) is an example of this type of training which simulates real-world scenarios and delivers individual and team training and simulation exercises for command-level roles. TERA is a transportation-specific version of the Emergency Management Staff Trainer (EMST), a robust training and exercise system. The TRB Cooperative Research Programs along with the National Guard Bureau sponsored development of training simulation scenarios for no-license-fee systems. The Transit Scenarios included: active shooter, flood, hurricane, earthquake, power outage, and hazardous materials. While the flood scenario is currently the only scenario which includes DOT roles, research is in progress to develop additional DOT scenarios along with additional transit and airport scenarios. Transportation emergency management professionals may register for TERA for free at www.tera.train-emst.com.
Training Evaluations

Training evaluations can determine the value of training by assessing whether learning has occurred; whether learning was applicable to job performance or other behaviors affecting results; whether the learning was applied to the job; and, if it was, whether there was positive impact on performance or other job-related behaviors. Evaluations along with use of performance indicators also help agencies continually improve the training process and better allocate scarce resources. The 2011 U.S. Office of Personnel Management (OPM) Training Evaluation Field Guide stresses evaluation's important role in ensuring that training positively affects agency mission and outcomes. The Guide uses the New World Kirkpatrick Four Levels™ to offer a structured way in which agencies can evaluate their training and training programs. The original Kirkpatrick training evaluation method had been comprised of the following four levels: Level 1: Reaction, Level 2: Learning, Level 3: Behavior, and Level 4: Results.

Cybersecurity tests can evaluate the operability of new and existing systems or components including specific cybersecurity measures and cybersecurity plans. Unannounced tests such as social engineering tests can assess employee cybersecurity behavior and habits. Personnel requiring additional cybersecurity training can be identified through this process.

The Homeland Security Workforce Assessment Act, which was signed into law in December 2014, requires DHS to assess its cybersecurity workforce and create a strategy "to enhance the readiness, capacity, training, recruitment and retention of its cybersecurity workforce." Elements of the strategy developed through this legislation may be useful in helping state DOTs and transit agencies address their cybersecurity workforce needs. Also, a mixture of qualitative and quantitative measures has been identified in the 2015 TS SSP to evaluate progress on these activities.
Assessment tools such as the DHS Cyber Resilience Review, the DHS CSET, Transportation Systems Sector Cybersecurity Framework Implementation Guidance, and the Department of Energy Capability Maturity Model can help organizations evaluate their capabilities and vulnerabilities, and identify areas requiring increased or additional training. The TSS Cybersecurity Implementation Guidance recommends
the use of maturity models for the implementation of the Cybersecurity Framework by setting internal benchmarks and assessing various aspects of cybersecurity. The model outputs help agencies understand their cybersecurity posture and areas of opportunity including training and awareness and workforce management. As described in the following section, one of the main purposes of exercises is evaluation of individuals, teams, equipment, facilities, functions, plans, policies, and procedures.

Evaluation of Awareness Initiatives

The 2010 MTI Study on Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area revealed that transit agencies do not generally evaluate their security awareness programs for effectiveness but suggests several performance metrics that can be used by transit agencies to determine the value of their programs. In evaluating the effectiveness of campaigns, the study recommends:
• Measuring the level of marketing effort, an output measure
• Using easy-to-track indicators
• Passenger surveys
• Use tracking methods already in place
The metrics in the study, shown in Table 21, are focused on passenger awareness but would be applicable to employee awareness initiatives as well.

Table 21: 2010 MTI Study on Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area Metrics (Source: Table 2 Outcome Indicators and Possible Measurements for Security Campaign, Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area, MTI, 2010)
Exercises

Exercises not only support training objectives by providing personnel the opportunity to practice what they have learned in training and identify weak performers and training gaps but can fulfill many other objectives related to an agency's security mission. The 2015 AASHTO Fundamentals Report defines Exercises as follows:
• Exercise: An instrument to train for, assess, practice, and improve performance in prevention, protection, response, and recovery capabilities in a risk-free environment. Exercises can be used for: testing and validating policies, plans, procedures, training, equipment, and interagency agreements; clarifying and training personnel in roles and responsibilities; improving interagency coordination and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for improvement.

NIPP 2013 emphasizes "continuous learning and adaptation" through a call to action to learn and adapt during and after exercises and incidents, and to rapidly incorporate lessons learned into technical assistance, training, and education programs. Drills, for instance, are a common form of exercise for state DOT field personnel and are used to provide training on specialized equipment or a specific procedure such as emergency evacuation.

Exercises are categorized into Discussion-based exercises and Operations-based exercises. Discussion-based exercises (seminars, workshops, tabletop exercises (TTXs), and games) help participants develop as well as understand their roles and responsibilities with respect to new plans, policies, agreements, and procedures.
Operations-based exercises - drills, functional exercises (FEs), and full-scale exercises (FSEs) - are conducted in a simulated operational environment and "validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps." (Page 2-5, HSEEP, 2013) As shown in Figure 57, planning and training requirements for conducting the exercises increase as one proceeds from discussion-based exercises to operations-based exercises. As may be surmised, agency resource requirements increase progressively as well.

Figure 57: Security Exercise Types by Planning/Training Requirements. Source: DHS Homeland Security Exercise and Evaluation Program Guidance Documents (HSEEP Vol# I, II, III, IV, and V)
Key attributes of each exercise type including purpose, player action, duration, real-time play, and scope are summarized in Table 22.

Table 22: Security Exercise Description of Purpose
Source: DHS Homeland Security Exercise and Evaluation Program, 2013, and DHS Homeland Security Exercise and Evaluation Program Guidance Documents (HSEEP Vol# I, II, III, IV, and V)

Discussion-Based Exercises
  Utility/Purpose: Familiarize participants with or develop new plans, policies, agreements, and procedures; focuses on strategic, policy issues.
  Player Action: Notional; actions are imaginary or hypothetical
  Duration: Rarely exceeds 8 hours
  Real-Time Play?: No
  Scope: Varies

Seminar
  Utility/Purpose: Provide overview of authorities, strategies, plans, policies, procedures, protocols, resources, concepts and ideas. Develop or make changes to plans/procedures. Assess interagency/inter-jurisdictional operations.
  Player Action: N/A
  Duration: 2-5 hours
  Real-Time Play?: No
  Scope: Multi- or Single-agency

Workshop
  Utility/Purpose: Achieve specific goal/product (e.g., SOPs, EOPs, COOPs, or mutual aid agreements). Compared to seminars, increased interaction and focused on product development.
  Player Action: N/A
  Duration: 3-8 hours
  Real-Time Play?: No
  Scope: Multi-agency/Single function

Tabletop Exercise (TTX)
  Utility/Purpose: Discussion of hypothetical emergency; validate plans and procedures, assess systems, increase awareness through collaborative problem-solving.
  Player Action: Notional
  Duration: 4-8 hours
  Real-Time Play?: No
  Scope: Multi-agency/Multiple functions

Game
  Utility/Purpose: Simulation of operations involving team competition; depict actual or notional situations; explore decision-making process and its consequences.
  Player Action: Notional / Actual
  Duration: 2-5 hours
  Real-Time Play?: No
  Scope: Multi-agency/Multiple functions

Operations-Based Exercises
  Utility/Purpose: Validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps.
  Player Action: Notional; actions are imaginary or hypothetical
  Duration: Hours, days, or weeks (depends on exercise purpose, type, scope)
  Real-Time Play?: Yes
  Scope: Varies

Drill
  Utility/Purpose: Validate a single function or capability on equipment, procedures, or skills in a single agency.
  Player Action: Actual
  Duration: 2-4 hours
  Real-Time Play?: Yes
  Scope: Single-agency/Single function

Functional Exercise (FE)
  Utility/Purpose: Validate and evaluate capabilities, multiple functions, sub-functions, or groups of functions; focus is on management, command and control staff and functions.
  Player Action: Command staff actions are actual; movement of other staff, equipment, or adversaries is simulated.
  Duration: 4-8 hours or several days or weeks
  Real-Time Play?: Yes
  Scope: Multiple functional areas/Multiple functions

Full-Scale Exercise (FSE)
  Utility/Purpose: Most realistic, complex and resource-intensive exercise type; involve multiple agencies, jurisdictions, and organizations. Validate numerous elements of plans, policies, procedures, and agreements.
  Player Action: Actual
  Duration: One full day or several days or weeks
  Real-Time Play?: Yes
  Scope: Multi-agency/Multiple functions

The advantages and disadvantages of discussion-based and operations-based exercises by exercise type are summarized in Table 23.

Table 23: Advantages and Disadvantages of Discussion-Based and Operations-Based Exercises

Discussion-Based Exercises (Table-tops, Games, Workshops, Seminars) - Advantages and Disadvantages
Advantages:
• Various scenarios can be addressed in a safe, non-stressful environment.
• It is less costly than Operations-Based Exercises.
• The interaction that takes place among peers can lead to learning.
• Feedback obtained from AARs, debriefings, and hot washes can be beneficial in identifying additional training needs of individuals and groups.
• Lessons learned from the exercises can become the basis for future training content and scenarios.
Disadvantages:
• Cost could be an issue if the exercise is held at a location that is difficult to access.
• Discussion-Based exercises do not provide the realism that Operations-Based methods provide.

Operations-Based Exercises - Drills
Advantages:
• When training on a specific function, activity or equipment is required, drills provide hands-on experiential learning.
• Provides a sense of urgency to develop alternatives and make decisions without the possibility of serious consequences.
• In-house trainers may have more credibility since they have specific experience relating to the subject being taught and the job site.
• Procedural and policy gaps can be identified.
• May avoid comprehension problems related to literacy/language deficiencies.
Disadvantages:
• Providing hands-on training to a large number of individuals can be time-consuming and costly.
• Scheduling drills can be difficult due to the following constraints - availability of the field personnel, the instructor, and the facility or equipment.
• Variables differ based on the individual, so guaranteed outcomes are difficult.
• Personality differences between the instructor or mentor and the worker may cause issues.

Operations-Based Exercises - Functional Exercises
Advantages:
• When training and practicing on a capability or function(s), experiential learning in a realistic setting will facilitate the retention of the knowledge and skills needed by trainees.
• After Action Reports, debriefings and hot washes can identify units and individuals that would benefit from additional training. However, see "Note on identifying units and individuals" below.
• Lessons learned from the exercises can become the basis for future training content and scenarios.
Disadvantages:
• Arranging and scheduling FEs can be difficult and time-consuming.

Operations-Based Exercises - Full Scale Exercises
Advantages Disadvantages

Source: 2015 NCHRP Synthesis 468

The TSA/FTA Security and Emergency Management Action Items for Transit Agencies highlight TTXs and drills as action item #8. Another exercise type, the facilitated exercise model, was introduced by Mineta Transportation Institute (MTI) and is a type of modified full-scale activity. This model employs a scenario but divides response
actions into learning stations, each of which requires an incident action plan and full-scale actions based on the plan. (2014 MTI Report 12-08 Exercise Handbook)

Further information on exercise types, their differentiating features, their development and conduct, and evaluation methods can be obtained from the 2013 Homeland Security Exercise and Evaluation Program (HSEEP), the 2015 NCHRP Synthesis Report 468, the 2017 NCHRP 20-59(51)B Final Report, and the 2014 MTI Exercise Handbook. NIST SP 800-84 highlights the Tabletop Exercise (TTX), a Discussion-based exercise held in a classroom setting, and the Functional Exercise (FE), an Operations-based exercise. The NIST SP 800-84 Appendix A includes sample documentation for a TTX, and Appendix B provides the sample documentation including sample scenarios and exercise injects for a Functional Exercise. NIST SP 800-84 Appendices provide relevant AAR templates, forms, and information on the conduct of tests, Tabletop Exercises, and Functional Exercises.

In addition, the exercise evaluation process should yield important insights into strengths and weaknesses of agency plans, protocols, technologies, facilities, and participants as well as other observations and recommendations. These insights are documented in the After Action Report, and corrective actions such as updates to security plans and additional training are identified and incorporated into the Improvement Plan.

Homeland Security Exercise and Evaluation Program (HSEEP)

The 2013 Homeland Security Exercise and Evaluation Program (HSEEP) provides a common approach to exercise program management, design and development, conduct, evaluation, and improvement planning. The 2013 APTA Recommended Practice on Transit Drills and Exercises (1st Revision) recommends the use of HSEEP and states that transit agencies should develop exercise programs based on risk assessments and findings from previous exercises.
The 2013 APTA Recommended Practice also states that transit agencies should conduct HSEEP compliant exercises annually in accordance with TSA/FTA guidelines, conduct exercises in accordance with agency system security programs and its emergency management plan integrating regional partners as appropriate, and coordinate and participate in regional exercises.

The fundamental principles of HSEEP include a focus on capability-based objectives and exercise priorities informed by risk, guidance of the exercise program and individual exercises by elected and appointed officials, integration of the whole community where appropriate, and use of common methodology. HSEEP principles also include a progressive planning approach with exercises temporally increasing in complexity, and alignment of exercises using a common set of priorities and objectives. In addition, HSEEP emphasizes the development of a Multi-year Training and Exercise Plan (TEP) to schedule and coordinate the delivery of training and exercise activities.

The HSEEP Exercise Cycle contains the following four elements: 1) exercise design and development, 2) conduct, 3) evaluation, and 4) improvement planning. The 2013 APTA Recommended Practice on Transit Drills and Exercises (1st Revision) stresses the importance of the Exercise Planning Team which "designs, develops, conducts and evaluates exercises" and selects exercise objectives, develops scenarios and documentation. Exercise objectives are particularly important, should be risk-based and aligned to core capabilities as they drive all other aspects of exercise development including scenario selection. 2013 HSEEP recommends that exercise objectives be SMART - simple, measurable, achievable, realistic, and task-oriented. Scenario development requires careful planning as well since the effective use of scenario developed data sets can help the agency to develop policy and procedure and even make staffing level deployment decisions.
Scenarios are narratives or timelines and are used in Operations-based exercises and TTXs. Sources of scenarios include National Planning Scenarios, Public Transportation System Security and Emergency Preparedness Planning Guide, and the 2014 MTI Report 12-08 Exercise Handbook annex which includes
an example scenario for a SCADA failure for mass transit system. Also, see the highlighted TSA I-STEP case study for a description of the scenario used in the Active Shooter Training and Exercise held at an AASHTO SCOTSEM conference in 2016.

TSA Intermodal Security Training and Exercise Program (I-STEP) Active Shooter Training and Exercise

The Transportation Security Administration's (TSA) Intermodal Security Training and Exercise Program (I-STEP) held an Active Shooter training and exercise for State DOTs at the AASHTO SCOTSEM conference in Tucson, Arizona on August 23, 2016. The training and exercise addressed the Prevention, Protection, Response Mission Areas; Interdiction and Disruption, Physical Protective Measures, Environmental Response/Health and Safety Core Capabilities; and included the following components:
1. A TSA presentation on industry security efforts, ongoing initiatives, and active shooter resources/tools;
2. An active shooter training presented by the Pima County Sheriff's Office; and
3. A live active shooter drill put on by the Pima County Regional Special Weapons and Tactics (SWAT) Team.

The purpose was "to provide insight into how law enforcement may respond to an active shooter incident (e.g., priorities, capabilities, actions), as well as expectations law enforcement may have of state Department of Transportation (DOT) employees and how those employees may be able to assist them in their response." More specifically, the training and exercise addressed the following three objectives:
1. Discuss law enforcement and state DOT employee actions, considerations, and expectations that could help prevent, protect against, or mitigate an active shooter situation.
2. Discuss countermeasures and policies that state DOTs could implement to prevent, protect against, or mitigate an active shooter situation in/on their facilities/infrastructure.
3. Discuss and demonstrate methods to protect the health and safety of state DOT employees facing an active shooter situation.

In addition to AASHTO SCOTSEM member organizations, participating stakeholders included DHS Southern Border Joint Task Force - West, DHS TSA, Arizona DOT, Northwest Fire District, Pima County Sheriff's Office, and Pima County Regional SWAT Team.

Component 1 consisted of presentations on the following topics:
• Ongoing TSA and Industry Security Initiatives
• Securing Transportation Assets & Operations - Mitigation Strategies for Highway Modes
• Active Shooter Resources and Tools (www.dhs.gov/active-shooter-preparedness)

Component 2 was delivered by the Pima County Sheriff's Office. The key points emphasized in Component 2 of the training/exercise were the mentality of active shooters and their desire to kill as many as possible, and that active shooter events are unpredictable, dynamic, and end before the arrival of law enforcement. Recommended state DOT personnel actions included:
• What to do prior to an incident - create a flexible plan to reach safety, be aware of the surroundings
• Actions to take if the active shooter is outside the building
• Actions to take if they are inside the building
• Information to provide 911
• What to expect and do when police arrive
• Emergency care tips
Pre-incident planning by the state DOT was noted as including creation of an Emergency Action Plan (EAP) and crisis kits, training and exercises, and site assessments.

Exercise Drill Scenario

The drill scenario for Component 3 was described as follows: State DOT employees are attending a public hearing on the reconstruction project to address safety and other issues of the section; opposition has been strong due to impacts on private residential and commercial property and on protected wetlands, waters, and animals; threats to disrupt the public hearing have been made.

Live Exercise Drill

The drill proceeded as follows: Exercise observers are placed inside the building. A disgruntled individual enters the building with an assault rifle and starts firing. Observers are moved outside the building and view the SWAT team arriving and entering the building. Observers reenter the building and view the actions of the shooter and SWAT team. The active shooter proceeds from room to room until he reaches the hearing room. The SWAT team searches for the active shooter. Observers are placed in the hearing room to view the resolution of the conflict (the SWAT team kills the shooter). Observers are then moved outside to view fire and EMS responders arrive, evacuate occupants and treat injuries as the SWAT team provides protection. A final Q&A session is held with the observers.

Exercise Results/Analysis and Next Steps

For each objective, strengths including best practices and areas for improvement were identified. For the first objective, a best practice was state DOTs having emergency action plans (EAPs) for active shooter situations; an area for improvement was that mass transit is a "soft target" for active shooters. For the second objective, a best practice was awareness that creating chaos can distract the shooter; an area for improvement was that attendees were uncertain regarding what arms-bearing individuals should do during an active shooter situation.
For the third objective, a best practice was outreach to local law enforcement agencies, which are typically willing to help provide state DOTs with active shooter preparedness and training; an area for improvement was that some DOT employees believed there were no hiding areas in their facilities. Areas for improvement included root cause analyses and options for consideration. The possible next steps identified were TSA development of an active-shooter training program for state DOTs using this exercise scenario and content, and state DOTs requesting active shooter training from their local law enforcement.
Subway Bombing and Active Shooter Scenario

Source: 2013 TCRP Web-only Document 60/NCHRP Web-only Document 200 Command-Level Decision Making for Transit Emergency Managers

Exercises and drills are expensive and require all participants to be present in the same location at the same time. Hence, the TCRP A-36 project produced a simulation-guided experiential learning tool to provide "training and exercise for command-level roles in the transit agency emergency operations center in relation to mitigating transit-specific emergencies and supporting state and local emergency management authorities in natural or manmade disaster incidents." The tool, called Transportation Emergency Response Application or TERA, is a transportation-specific version of the Emergency Management Staff Trainer (EMST), a robust training and exercise system. One of the scenarios developed for the project combines a subway bombing with an active shooter. The outline of the scenario is provided below:

Casualties: 6 fatalities, 150 injured, 20 require hospitalization
Infrastructure Damage: 1 subway line and 2 subway stations damaged
Evacuations / Displaced Persons: None
Contamination: None
Economic Impact: Minor
Potential for Multiple Events: None
Recovery Time: 1 to 2 Months

Scenario Description

A man enters a central subway station, boards a train, and exits at the next station. He leaves explosives on the train, which detonate within 10 minutes of his exiting the subway system. The man fires upon emergency responders when they attempt to enter the second station until the attacker is eliminated 30 minutes later. Local law enforcement initially closes the area within a mile of the bombed stations to all street traffic.

Service Disruption
• Transportation: All subway service must be shut down. Bus service will also cease until the following day. The decision of how soon to offer subway service remains open. Downtown streets are closed to all traffic for the first day. Most streets reopen on the second day, except those within a block of the damaged stations (in central locations).
• Emergency Medical Services: Emergency responders are unable to reach the people injured by the bomb at the second station until protective shielding arrives, delaying response by 10 to 15 minutes. This affects thirty people.

Transit Authority Tasks
• Preservation of the lives of employees and passengers
• Asset preservation
• Sorting through confusing and conflicting reports
• Initiating a system-wide shutdown
• Assessing damage to facilities
• Providing higher levels of security
• Preparing a long-term plan for replacing subway service during repairs
• Providing psychological support to employees

This project has been expanded to address and incorporate state DOT, rail, and aviation scenarios as well, and TERA training has been delivered to multiple transit agencies and state DOTs.

Exercise Types

The two major categories of exercises described in HSEEP are discussion-based exercises and operations-based exercises.
• Discussion-based exercises – seminars, workshops, tabletop exercises (TTXs), and games – are less costly and time-consuming than operations-based exercises. Discussion-based exercises use a facilitator to direct discussions. They help familiarize and/or train participants on, or develop, plans, policies, agreements, procedures, and training.
• Operations-based exercises – drills, FEs, and FSEs – are more realistic, are conducted in real time, and help assess plans, procedures, personnel, technologies, and equipment.

The key difference between "discussion" and "operations" based exercises is size and scope. For example, a tabletop exercise is a facilitated desktop discussion during which key personnel discuss scripted hypothetical scenarios in a classroom or other fixed setting. Full-scale exercises, on the other hand, are multidisciplinary, multiagency field simulations that utilize role players, controllers, and other forms of logistical support to actively work through mock hypotheticals designed to resemble one or more real-life conditions. Table __ and __ contain brief descriptions of each exercise type, and Table __ provides advantages and disadvantages by exercise type.
With regard to exercise design, the 2013 NIPP recommends designing exercises "to reflect lessons learned and test corrective actions from previous exercises and incidents, address both physical and cyber threats and vulnerabilities, and evaluate the transition from steady state to incident response and recovery efforts." (p. 26, 2013 NIPP) Supporting actions and recommendations for implementing exercises in the 2017 NCHRP 20-59(51)B Final Report and the 2014 MTI Exercise Handbook include involving all stakeholders, including disabled and other functional needs persons, in individual exercises, particularly evacuation scenarios; ensuring documentation of exercise activities; establishing a safety plan; developing and disseminating After Action Reports (AARs) and the Improvement Plan or Corrective Action Plan to all stakeholders; tracking corrective actions and incorporating findings into the agency's training and exercise program, plans, and procedures; and analyzing performance trends and results across exercises and taking necessary action.

A Full-Scale Exercise Checklist compiled from the four key sources of exercise guidance is presented below.

Exercise Initiation
• Identify drivers/purpose (e.g., grant requirement)
• Identify stakeholders
• Identify funding streams
• Identify exercise scope (agency, jurisdictions, participants)
• Identify scenario restrictions
• Identify labor/union restrictions
• Establish charter
• Identify exercise director
• Identify internal and external restrictions
• Identify HSEEP compliance issues
• Seek input from elected and appointed officials, the Training and Exercise Plan, and other sources.

Exercise Design and Development
• Establish the exercise planning team, design team, evaluation team, controller team and identify team leaders.
• Assign planning team members to additional exercise roles as needed.
• Select exercise objectives and core capabilities for each objective; adhere to the SMART guidelines.
• Develop the exercise planning timeline with milestones.
• Hold key meetings:
    - Concept and Objectives Meeting
    - Initial Planning Meeting (important)
    - Master Scenario Events List (MSEL) Meeting
    - Midterm Planning Meetings
    - Final Planning Meeting (important)
• Develop the exercise scenario.
• Create documentation:
    - Exercise Plan for Players and Observers
    - Controller and Evaluator Handbook for Controllers and Evaluators
    - Master Scenario Events List for Controllers, Evaluators, and Simulators
    - Extent of Play Agreement for Exercise Planning Team
    - Exercise Evaluation Guides for Evaluators
    - Participant Feedback Form for all participants
• Coordinate logistics
• Ensure that the (who, what, when, where, how) questions have been adequately addressed
• Identify and determine number of players, actors (mock victims) and volunteers
• Determine role of media in exercise planning and conduct
• Select appropriate, realistic site with sufficient space for exercise play and equipment.
• Develop site plan layout – locations of ingress, egress, traffic routes, etc.
• Develop site set-up/tear-down plan
• Determine appropriate number of victims and types of injuries
• Create a resources list – including actors, props, supplies, portable toilets, fuel, vehicles, communications, and equipment
• Create a communications plan
• Create a safety plan and address safety issues
• Designate safety officer
• Develop a safety plan
• Assess field location and weather
• Include safety in pre-exercise items (e.g., briefings)
• Design team members responsible for safety specific to their discipline
• Address any legal liability issues
• Establish and test emergency call-off procedures
• Plan for exercise conduct and control
• Plan for exercise evaluation
• Select lead evaluator
• Define evaluation team requirements and structure
• Assess exercises on the task level, organization level, and mission level.
• Develop the Exercise Evaluation Guide, which includes objectives, core capabilities, targets, and critical tasks
• Recruit, train, and assign evaluators
• Develop evaluation documentation including exercise-specific details, evaluator team organization/assignments/locations, evaluator instructions, and evaluation tools
• Conduct a pre-exercise C/E briefing to confirm roles, responsibilities, and assignments and any changes

Exercise Conduct
• Prepare for exercise play
• Mark exercise areas and materials
• Check/set-up facility and equipment
• Deliver exercise documentation
• Deliver briefings to evaluators and controllers before day of the exercise
• Deliver briefings to actors/victims upon check-in
• Manage the exercise.
• Initiate exercise check-in process.
• Initiate exercise play.
• Controllers monitor and control exercise flow, provide data and injects, and respond to player resource requests.
• SimCell staff simulates any needed activity or staff not present.
• Evaluators observe and document exercise play and player responses using the Exercise Evaluation Guides. Missed objectives are discussed with controllers.
• Document exercise play through photos and videos.
• Terminate the exercise play.
• Perform wrap-up activities
• Debrief exercise planning team and collect feedback from team members.
• Debrief exercise controllers/evaluators and collect feedback from controllers/evaluators.
• Conduct "Hot Wash" forum involving all participants for each functional area to identify exercise strengths and areas for improvement.
• Collect participant feedback using feedback forms during Hot Wash.
Evaluation/After-Action Report/Improvement Plan
• Analyze data.
• Identify strengths and areas for improvement.
• Report exercise outcomes.
• Exercise sponsor/director obtains and reviews exercise outcomes from documentation - C/E feedback forms and debriefing, Hot Wash, and participant feedback forms.
• Prepare and distribute the draft AAR and Improvement Plan (IP) to exercise participants and officials for input.
• Ensure the IP contains corrective actions, responsible parties, target dates, budgets, and reporting procedures for actions taken.
• Link each improvement item in the IP to a core capability.
• Ensure each improvement item has a target date and is assigned to an organization.
• Hold an After-Action Meeting for C/Es and exercise participants to discuss and obtain additional feedback on the AAR and IP.
• Develop and share AAR and IP with stakeholders.
• Remember to document the AAR process.
• Track corrective actions to completion.
• Incorporate AAR and IP findings into plans, procedures, training and exercises.
• Analyze trends and results across exercises and take any necessary action to support continuous improvement of the agency's training and exercises program and other security initiatives.

Sources: 2013 HSEEP; Prepare 12 Administer Training Programs; 2017 NCHRP 20-59(51)B Draft Final Report, 2014 MTI Exercise Handbook, and Full Scale Exercise Checklist, TCRP Report 86, Volume 9, Guidelines for Transportation Emergency Training Exercises

Training and Exercise Practices

State DOT security training practices are included in NCHRP 20-59(43), Incorporating Transportation Security Awareness Into Routine State DOT Operations and Training. Survey results revealed that 60% of the 31 responding agencies required or encouraged transportation security training. The current transportation security training involved "If You See Something, Say Something" program-related security awareness training, NIMS/ICS emergency response training, TIMS training, and HazMat training, where appropriate.
The 2017 NCHRP 20-59(51)B Final Report and the 2015 NCHRP Synthesis 468 also provide numerous training and exercise practices of transportation agencies. The 2017 AASHTO SCOTSEM State Transportation Security and Emergency Management Survey, undertaken in conjunction with the NCHRP 20-59(51)C Research Support for Implementing Security, Emergency Management and Infrastructure Protection at State Transportation Agencies, described the current thinking by DOTs about methods that would best result in effective mainstreaming of security into their agencies. The survey findings indicated that, in general, DOTs preferred using a mix of classroom and online training, and classroom training for interagency rather than for intra-agency training.

Regarding HSEEP use, while HSEEP offers substantial exercise planning guidance and conformance to it is required for many preparedness and homeland security grants, the 2017 AASHTO SCOTSEM State Transportation Security and Emergency Management Survey Results, with a response rate of 65%, revealed that almost 80% of respondents were aware of HSEEP but only 41% use it.

TCRP Report 180: Policing and Security Practices for Small- and Medium-Sized Public Transit Systems (2015) included survey findings of the current state of practice in small- and medium-sized transit systems and identified potential security countermeasures. Transit agency security measures, programs, and countermeasures including training are also discussed in TCRP F-21 Tools And Strategies For Eliminating
Assaults Against Transit Operators (2017), TCRP Synthesis 80: Transit Security Update (2010), and TCRP Synthesis 93: Practices to Protect Bus Operators from Passenger Assault (2011).

Active Shooter Spotlight

Active shooting events have been increasing in frequency and severity. Between 2000 and 2013, 160 active shooter incidents occurred and resulted in 486 deaths and 557 injuries. The incident rate for the initial seven years of the study period was 6.4 per year; this rate rose to 16.4 per year for the last seven years. About 70% of incidents were over within five minutes, and 60% ended prior to the arrival of law enforcement. With regard to event location, 46% occurred in businesses, 24% in schools, and 10% in government properties. (Blair, J. Pete, and Schweit, Katherine W. (2014). A Study of Active Shooter Incidents, 2000 - 2013. Texas State University and Federal Bureau of Investigation, U.S. Department of Justice, Washington D.C. 2014.)

Because many active threat situations last a short period of time and end before police arrive, immediate response to the threat is necessary for survival. To enhance the preparedness of agency personnel, basic Active Shooter training should be provided by state transportation agencies. To ease scheduling difficulties, training can be integrated with existing workplace violence and emergency training programs.

Active shooter preparedness plans are used as the basis for development of training. Plans identify roles and responsibilities and address the needs of functional needs persons, and include the plan activation process, emergency notification systems and process, communications, incident plan, evacuation plan and procedures, training and exercises, and post-incident recovery for employees and for operations.
The 2015 ISC Guide on Planning and Response to an Active Shooter for federal facilities recommends conducting an assessment of the facility and needs and capabilities of the personnel so that optimal actions can be determined and incorporated into the preparedness plan and into training and exercises. Strong partnerships with local law enforcement who will be responding to an incident are essential for preparedness including input on plans and procedures and training and exercises.

Typical active shooter training content includes:
• Introduction to the active shooter threat
• How to prepare for an active shooter incident (e.g., awareness of surroundings and exit routes)
• How to report an incident (who and how to contact and what to report)
• How to respond to the threat; the "run, hide, fight" concept is a federally-endorsed technique.
• What to do when law enforcement arrives – this topic is important because civilians may not realize that the initial objective of law enforcement is to stop the attacker, not help victims. Also, civilians may not know how to react in the presence of police and mistakenly act in a suspicious or threatening manner.

Exercises offer participants a chance to experience an active shooter scenario in a safe setting and learn how to interact with and support law enforcement. Inclusion of security, local law enforcement, and other responders in exercises/drills would be advisable so that they may become familiar with the facility and provide feedback on shelter locations and evacuation routes. As stated in the 2015 ISC Guide on Planning and Response to an Active Shooter, "it is absolutely essential to reinforce the classroom or on-line instruction with realistic exercises." The Guide emphasizes the importance of including persons with access or functional needs in the exercises and having pre-designated assembly locations for them.
The Guide also suggests including notification procedures, communications, accessible egress points, response to specific assembly areas in exercises, and the identification of workers with valid EMS, police or fire credentials.

A case study of the Transportation Security Administration's (TSA) Intermodal Security Training and Exercise Program (I-STEP) Active Shooter training and exercise for State DOTs held at the AASHTO
SCOTSEM conference in Tucson, Arizona on August 23, 2016 was presented earlier. The Illinois DOT's Active Shooter Training case study is presented in the highlighted section below:

CASE STUDY - Illinois DOT Active Shooter Training
(Source: Active Shooter In the Workplace, Sergeant Mark Roberts – HPD)

Active shooter training is provided to Illinois DOT personnel by local law enforcement free of charge. Training objectives include:
• Define various shooting situations
• List measures that can be employed to reduce the effectiveness of an active shooter
• Describe actions that can be expected from responding law enforcement officers
• Safety tips

Training begins with a discussion of active shooter events and introduces active shooting types, differentiating active shooter from barricaded suspect and hostage situations and noting that the latter two situations can transition into active shooter. Active shooter situations can also turn into hostage situations when police arrive. According to the training, the key characteristics of an active shooter situation are:
• Suspects actively killing and/or causing serious, life-threatening bodily injury to multiple victims with the primary objective of mass murder
• Immediate risk of death and injury
• Difficulty containing the threat due to the assailant's lack of regard for personal safety

Personnel can proactively enhance their preparedness through Awareness, Preparation, and Reporting Problems or Suspicious Persons. The training describes actions to take based on location – in a break room or office, in an auditorium or other large rooms, in a hallway. For instance, in a break room or office, personnel should secure the door and silence their cell phones. In a hallway, personnel should find an unsecured room but not a restroom and should not run down a long hallway. In a large room or auditorium, personnel should head towards an exit.
When outside, personnel should place their hands on their heads and move towards police. If trapped with an active shooter, personnel should not take any action that may provoke the shooter and should follow the shooter's instructions as long as they are not shooting. The training emphasizes the use of one's own judgment as to whether to run, stay, or fight the attacker. If running, the training recommends running in a zigzag manner.

According to the training, the following information should be reported to the police during an active shooter situation:
• Number of persons at the facility
• Number of injuries
• Information about the shooter including location, number of shooters, race, gender, clothing color and style, backpack, physical features, types of weapons, and any explosives

Police response, and what to do and what not to do, are covered comprehensively in the training. The training states that law enforcement will seek to stop the assailant and consider everyone to be a suspect. Therefore, it is important to follow instructions, keep hands visible, not run towards police, and not make sudden moves. It is also important to stay in secured rooms or areas until police are ready to evacuate personnel. Also, police will typically not attend to injuries until the threat has been neutralized. A minimum of annual refresher training is recommended.
It should be noted that recent efforts have started focusing on training workers in medical response, particularly hemorrhage control. The Joint Committee to Create a National Policy to Enhance Survivability From Mass Casualty Shooting Events, for instance, highlighted the importance of hemorrhage control in saving lives and elevating the roles of the uninjured or minimally injured public, EMS/Fire/Rescue, and trauma care, as has recent ISC guidance. In addition, agencies should train supervisors to help personnel manage the emotional and psychological as well as medical consequences of active threat events, and conduct thorough post-incident evaluations to identify lessons learned and implement any necessary corrective actions.

Conclusion

Because security threats are constantly evolving, transportation agencies need to take strategic, proactive action to address them in a well-thought-out manner and must keep apprised of changing federal standards, guidance, and best practices as well. Emerging threats deserving attention include the increased integration of the cyber and physical security worlds. The merging of the two worlds means cross-training and information sharing between and among IT and ICS staff and cybersecurity and physical security personnel are necessary to increase understanding of interdependencies and consequences of various attack scenarios. Also, retention and recruitment issues along with budgetary constraints have been creating workforce development and training challenges for transportation agencies. By instituting effective workforce planning practices, agencies can address these issues to achieve a more stable and productive security and cybersecurity workforce.