National Academies Press: OpenBook

Security 101: A Physical and Cybersecurity Primer for Transportation Agencies (2019)

Chapter: Chapter 6 Infrastructure Protection and Resilience

« Previous: Chapter 5 Workforce Planning and Training/Exercises
Page 166
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 166
Page 167
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 167
Page 168
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 168
Page 169
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 169
Page 170
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 170
Page 171
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 171
Page 172
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 172
Page 173
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 173
Page 174
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 174
Page 175
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 175
Page 176
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 176
Page 177
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 177
Page 178
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 178
Page 179
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 179
Page 180
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 180
Page 181
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 181
Page 182
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 182
Page 183
Suggested Citation:"Chapter 6 Infrastructure Protection and Resilience." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 183

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

166 Chapter 6 Infrastructure Protection and Resilience The USA Patriot Act of 2001 (42 U.S.C. 5195c(e)) defined “critical infrastructure" as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience (2013) was issued to ensure that critical infrastructure be secure and able to withstand and rapidly recover from all hazards. It defined security as reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters. It recognized that “Critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets and to determine effective strategies to make them more secure and resilient”. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery. Proactive infrastructure protection requires the ability to identify, deter, detect, disrupt, and prepare for threats and hazards; reducing vulnerabilities of critical assets, systems, and networks; and mitigating the potential consequences to critical infrastructure of incidents or adverse events that do occur. Departments of Transportation (DOTs) have a significant role in infrastructure protection. DOTs have the responsibility for controlling access to critical components, conducting risk and vulnerability assessments, and taking action to mitigate the effects of those risks and vulnerabilities. Transportation employees and contractors are the best positioned to know what is usual and unusual, and can help their agency protect its employees, information, data, networks and facilities. The general concept of resilience has existed for decades in transportation. In recent years due to the numerous major disasters, high profile incidents and system failures, it has emerged as a critical topic in transportation. Resilience can be defined as “the ability to prepare and plan for, absorb, recover from, or more successfully adapt to adverse events” (Disaster Resilience: A National Imperative, National Research Council, 2012). The AASHTO Standing Committee on Research (SCOR) in 2016 highlighted what this means for transportation, “When we speak of resilience in the transportation sense, we mean the ability of the transportation system to recover and regain functionality after a major disruption or disaster.” There is a need for a resilience approach in all activities that are the responsibility of the transportation community. As stated in Understanding Transportation Resilience: A 2016–2018 Roadmap (AASHTO 2016), “The development of a new strategy based on resilience includes a broad range of options to help manage risks and recover from system disruptions. In this new paradigm, resilience … offers instead an overarching strategy that includes risk management, protection, and preparedness as complementary strategies to prevent attacks and to identify and ward off additional threats; adaptation, recovery, and other post-disruption strategies to restore normal transportation services…” Figure 58 from the 2013 National Infrastructure Protection Plan illustrates the relationship between security and resilience.

167   Figure 58: Relationship between Security and Resilience. Source: NIPP 2013 The transportation operating environment creates significant challenges for infrastructure protection and security planners charged with determining which of the agency’s assets require protection and adaptations to increase resilience. This chapter frames the question for decision-makers and then summarizes some of the methods used to prioritize critical assets. Later sections address the specifics of building and facilities, bridges and tunnels and rolling stock. Although the application of resiliency engineering in the transportation sector is still being developed, TRB cooperative research projects have produced a wealth of resilience-related studies, products, guidelines, and effective practices. Applying multiple security measures in consecutive layers, often referred to as concentric layers of security, is the basic risk mitigation approach to all security systems. Planning for security in layers is based on the security industry concept of the “Four Ds” (deter, detect, defend, and defeat). With respect to resilience, two characteristics of a security system should be considered: redundancy and continuity. The resilience of the security system requires an ongoing effort to ensure it is maintained and adjusted as circumstances change. Critical Infrastructure Designation: Physical and Cyber Assets The critical infrastructure of a transportation agency includes the people, property and information assets that are required to enable the organization to exec-ute its primary responsibilities, activities and functions. But deciding what assets or infrastructure are critical is not always as easy as it might seem. In the case of information systems the designation of “CIIP” (Critical Information Infrastructure Protection) has developed as a subset of the more widely-known concept of Critical Infrastructure Protection (CIP).

168 The initial sets of questions that must be answered are definitional. Should the agency use operational importance as its criteria? If so, what does that mean? Is it importance to business continuity, quality of service, or maybe the bottom line? What about the contribution of the asset to the mission? Factoring in resilience, are alternatives available to using the asset does that make it non-critical? And what about the assets repair (or recovery) time or cost? If the asset can be replaced quickly or at low cost does that affect its criticality? Other questions that need answering are about perspective. Should the agency decide what is critical based on threat assessments or target attractiveness? Are the adversaries or aggressor’s eyes the right viewpoint? What about customer perceptions of security? Or perhaps even government agencies? Is national significance or the symbolic value of an asset an appropriate factor for consideration by transportation officials? Is there a viable alternative? These questions and many more confront security planners who are attempting to effectively balance the actual security needs of an organization against the wide array of sometimes countervailing opinions. Ultimately, most transportation agencies should take the “ownership view” which “examines information on ownership of assets, including the owner/operator’s decision structure, policies, and procedures, and recognizes those assets owned by the same entity as an integrated system.” Taking this approach to critical infrastructure identification yields the following list of assets for surface transportation systems. The AASHTO Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection, May 2002 contained a table listing Critical Transportation Assets. Effective Practices For The Protection Of Transportation Infrastructure From Cyber Incidents (2016) outlined the components of highway operational systems including the related cyber systems. Table summarizes the physical and cyber assets identified in these two documents. Table 24: Critical Transportation Assets and Cyber Systems  INFRASTRUCTURE FACILITIES EQUIPMENT and SYSTEMS PERSONNEL  Arterial Roads  Interstate Roads  Bridges  Overpasses  Barriers  Roads Upon Dams  Tunnels  Chemical Storage Areas  Fueling Stations  Headquarters Buildings  Maintenance Stations/Yards  Material Testing Labs  Ports of Entry  District/Regional Complexes  Traffic Management Centers  Rest Areas  Road/Weather Monitoring Systems  Traffic Management Systems  Signal & Variable Messaging Systems  HVAC and Tunnel Ventilation Systems  Vehicles  Communications and Traveler Information Systems  Hazardous Materials  Contractors  Employees  Vendors  Visitors

169  Storm Water Pump Stations  Toll Booths  Traffic Operations Centers  Vehicle Inspection Stations  Weigh Stations Source: Adapted from AASHTO Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection, May 2002 Similarly, assets for transit and rail are identified in the FTA publication, Transit Security Design Considerations – Final Report, November 2004. Effective Practices for the Protection of Transportation Infrastructure from Cyber Incidents (2016), which outlined the components of transit operational systems including the related cyber systems. See Figure 59.   Figure 59: Transit Assets and Cyber Systems Transit Agency Assets 1. Transit Stations – facilities used for boarding and alighting of transit passengers, and fare collection; they can be below-grade, at-grade, or elevated. Their high profile, large volumes of pedestrian traffic, and central locations integrated with surrounding uses, make them likely targets for terrorist attack. 2. Transit Stops – usually smaller and more open than transit stations. They are typically on public land, where passengers can board buses and light rail vehicles; these include everything from elaborate shelters to mere signposts. Transit agencies often lack control over these sites, which, combined with their high level of accessibility, makes them difficult to secure against attack. 3. Administrative Facilities and Operations Control Centers (OCCs) – used for the operations and administration of the transit system and may be co-located on a site with non-transit uses. Although

170 most administrative facilities are not open to the public and can therefore maintain stricter access control, they have a critical role in the transit system and have value as strategic targets. 4. Vehicle Maintenance Facilities – used for the repair and storage of transit vehicles; they include vehicle garages, yards, and repair facilities. They often contain a large number of assets to be protected, including some high-risk elements such as fuel storage areas or containers. Maintenance facilities can be designed to allow transit vehicles and maintenance staff to enter and exit freely, while preventing access by unauthorized vehicles and people. 5. Elevated Structures – all above-grade bridges and track structures, including pedestrian bridges and overpasses. Their high visibility and structural complexity present particular challenges to securing them against terrorist attack. 6. Tunnels – used for the passage of transit vehicles underground and, in limited cases, underwater. They are more secure when designed to prevent unauthorized access from passenger platforms and at-grade entrances, while allowing transit vehicles to pass freely. Proper design can also facilitate evacuation in an emergency. 7. Right-of-Way, Track, and Signals – includes all land and equipment dedicated to the movement of transit vehicles between stations. Like tunnels, a design goal is to allow transit vehicle movement while preventing access by unauthorized people or vehicles 8. Remote and Unmanned Structures – all other physical assets. This category includes power substations and communications relays, and the like, which are not necessarily located on rights-of- way or in stations. These may be owned or controlled by other agencies or companies. Design features that take into account their remote locations and lack of consistent or continuous staff presence can improve their security. 9. Control and SCADA systems - provides real-time monitoring of train movements and can also provide automatic train protection or ATP, automatic train operation or ATO, automatic train regulation or ATR, and automatic train supervision or ATS. 10. Communications Systems - includes CCTV, radio, intercom, public address, security, and copper and fiber optic data transmission systems. They may or may not be connected to other systems. Automatic Vehicle Location (AVL) systems are used in conjunction with Computer-Aided Dispatch (CAD) systems to locate and more efficiently manage transit bus and demand response vehicle fleets. The primary elements of the AVL system include an on-board computer, GPS, and mobile data communications. 11. Security Monitoring and Detection Systems - intrusion/access control includes CCTV’s, perimeter detection, and card access. Threat monitoring/detection systems include Fire Detection, Elevating Devices Monitoring, Tunnel Drainage Monitoring, Gas and Pathogen Monitoring, and Seismic Monitoring. Source: Adapted from FTA publication, Transit Security Design Considerations 2004 The identification of critical infrastructure should be accomplished during the preliminary stages of risk assessment. However, the transportation agency would be well served to continuously conduct criticality reviews to become better informed about on-going security needs. Questioning assumptions about definition and perspective can yield substantial benefits in terms of both security efficiency and performance. Methods to Rate and Prioritize Critical Assets There are as many different approaches to performing the criticality analysis as there are available risk and vulnerability assessment methodologies. But regardless of the method undertaken the basic steps remain the same – inventory, factor, valuate, rank order and prioritize. The process of critical infrastructure identification begins with the development of an inventory, an “all-inclusive list” so to speak that sufficiently describes the character of the agency’s assets. Care should be taken to ensure that the assets are properly delineated into distinct individual elements of infrastructure as opposed to division into component parts, systems or subsystems.

171 Mainstreaming Transportation Hazards and Security Risk Management: CAPTA Update and Implementation can support the evaluation and prioritization of asset risk management. Use of the methodology and associated CAPTool can assist in the development of a list of “most critical” assets based on consequences of loss in the presence of relevant threats and hazards. In addition, the tool can provide a list of potential countermeasures for reducing vulnerability and improving resilience of critical assets along with a rough order of magnitude cost estimate for implementing selected countermeasures According to the FHWA Recommendations for Bridge and Tunnel Security, AASHTO Blue Ribbon Panel on Tunnel and Bridge Security there are many component parts, systems and subsystems associated with a suspension and cable-stayed highway bridge, e.g., suspender ropes, stay cables, tower leg, orthotropic steel deck, reinforced and pre-stressed bridge decks, cable saddle, approach structures, connections, anchorage and piers. Even though some parts of the bridge structure may be harder to replace than others, ergo more critical, breaking down critical infrastructure into these subparts will add confusion and a lack of clarity to the definitional capture of critical assets. Once each asset has been delineated the categories of personnel (human), property (physical) or information (cyber) can be used to group the individual elements so that the second “factoring” aspect of the critical infrastructure identification process can be accomplished. Factors can refer to any number of important issue areas so long as they are relevant to the agency performing the analysis. Some sample areas include;  casualty impact - the potential for loss or serious injury to human life  business continuity - the extent to which loss or serious damage to the asset would adversely impact the ability of the agency to continue to operate  economic impact - the extent to which loss or serious damage to the asset would affect the viability of business going forward  replacement cost - the capital investment required to replace the asset  replacement downtime – the length of time before the asset can be returned to service  redundancy – availability of alternate for use in the event the asset is lost  symbolic importance – national significance of the asset The third part of the identification process is the establishment of relative “values” that indicate the importance of the assets to the operations of the agency. Generally, a numerical scale is used to compare the relative values. Table 25 illustrates relative value in the center column. This table also provides an overview of steps 1-3 in the critical infrastructure identification process.

172 Table 25: Critical Asset Value  Source: AASHTO Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection, May 2002 The final step in the process is the rank ordering and prioritization of critical assets. Table 26 from the FHWA Recommendations for Bridge and Tunnel Security, AASHTO Blue Ribbon Panel on Tunnel and Bridge Security presents the following illustrative example of bridge and tunnel critical asset prioritization. Note the inclusion of a “risk reduction score,” achieved through a form of algebraic analysis of the factoring and relative value steps of the process. Table 26 also contains a ROM, (rough order of magnitude) cost column that presents the security designer with an economic cross reference.

173 Table 26: Bridge and Tunnel Critical Asset Prioritization  Source: FHWA Recommendations for Bridge and Tunnel Security, AASHTO Blue Ribbon Panel on Tunnel and Bridge Security, 2003 Building Security There is a vast body of knowledge and information available from federal government departments and agencies about the protection of buildings. The government has gone a long way towards establishing comprehensive building security standardization requirements and criteria for federal facilities. The work began in earnest on April 20, 1995, one day after the bombing of the Alfred P. Murrah Building in Oklahoma City, when the President directed the Department of Justice (DOJ) to assess the vulnerability of federal office buildings in the United States, particularly to acts of terrorism and other forms of violence.

174 Within two months DOJ completed the study and published its report, “Vulnerability Assessment of Federal Facilities,” containing “minimum security standards” intended for use in all federally occupied facilities. The standards were based on DOJ security level criteria that basically considered occupancy, volume of public content, building size and agency mission. In October of 1995, Executive Order (E.O) 12977 was signed by the President “to establish policies for security in and protection of federal facilities and to provide a permanent body to address continuing government-wide security for federal facilities.” The E.O. established the Interagency Security Committee (ISC) with member agencies including DOJ, DOS, DOL, DOT, GSA, DOD, DOE, HHS, and EPA. ISC security standards have been developed to better match the necessary level of protection to the level of risk. The Facility Security assessment now considers additional such as symbolism, the threat to the tenants and mission criticality. In addition there is now a recognition that security needs to be balanced against other factors including cost. “In most facilities, it is neither common to find anything close to perfect security nor is perfect security an economically feasible objective.” (Source: Best Practices for Working with Lessors: An Interagency Security Committee Guide). A Facility Security Level matrix, shown in Table 27, was developed that is comprised of five equally weighted security evaluation factors with corresponding points of 1, 2, 3, or 4 allocated for each factor. Recognizing that the criteria cannot capture all of the circumstances that could be encountered, the Standard includes a sixth factor—intangibles—that allows consideration of other factors unique to the facility.

175 Table 27: Facility Security Level Matrix  Source: The Risk Management Process: An Interagency Security Committee Standard, 2016 The current standards address six general areas of security and supplied compliance requirements for countermeasures in:  Site—including the site perimeter, site access, exterior areas and assets, and parking;  Structure—including structural hardening, façade, windows, and building systems;  Facility Entrances—including employee and visitor pedestrian entrances and exits, loading docks, and other openings in the building envelope;  Interior—including space planning and security of specific interior spaces;  Security Systems—including intrusion-detection, access control, and CCTV camera systems; and  Security Operations and Administration—including planning, guard force operations, management and decision making, and mail handling and receiving. For natural hazards (e.g., earthquakes, floods, winds, grassland and forest fires) and building fire hazards (technological accidents), information is available in building codes, industry standards, and FEMA guidelines. For manmade hazards, the ISC as well as other federal agencies have published a significant number of building security standards documents for federal facilities. Figure 60 presents a list of available information resources although in some cases a specific request for the documents must be made to the respective federal agency.

176 Building Security Standards and Resources 1. ISC Security Design Criteria for New Federal Office Buildings and Major Modernization Projects, ISC May 2001 2. ISC Security Standards for Leased Space, ISC 2004 3. Standard Guide for Developing a Cost-Effective Risk Mitigation Plan for New and Existing Constructed Facilities: E 2506 – 06 ASTM Committee on Standards, Copyright © 2006 ASTM International www.astm.org 4. GSA Facilities Standards for the Public Buildings Service General Services Administration March 2005 http://www.gsa.gov 5. DoD Minimum Antiterrorism Standards for Buildings (Unified Facilities Criteria UFC 4-010-01) Department of Defense October 2003 www.wbdg.org/ccb/DOD/UFC/ufc_4_010_01.pdf 6. Risk Management Process for Federal Facilities: An ISC Standard, 2016 https://www.hsdl.org/?abstract&did=797952 7. Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings (DHS BIPS 07) refreshes FEMA 426, Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings. The manual identifies new ways to blunt the damage and limit casualties from various attacks. It also offers a new way to understand infrastructure resiliency and assess risk. 8. Items Prohibited from Federal Facilities: An ISC Standard 9. Security Specialist Competencies: An ISC Guideline [PDF] 10. U.S. Department Of Veterans Affairs Physical Security Design Manual For Mission Critical Facilities, 2015 11. FEMA 430, Site and Urban Design for Security: Guidance against Potential Terrorist Attacks, 2007 12. Best Practices and Key Considerations for Enhancing Federal Facility Security and Resilience to Climate-Related Hazards, 2015 13. Best Practices for Working with Lessors: An ISC Guide, 2014 https://www.dhs.gov/sites/default/files/publications/ISC-Best-Practices-for-Working-with- Lessors-1st-Edition-508.pdf 14. Best Practices for Armed Security Officers in Federal Facilities,2013 15. Violence in the Federal Workplace: A Guide for Prevention and Response, 2013 https://www.dhs.gov/sites/default/files/publications/ISC%20Violence%20in%20%20the%20Fede ral%20Workplace%20Guide%20April%202013.pdf 16. Occupant Emergency Programs: An ISC Guide, 2013 https://www.dhs.gov/sites/default/files/publications/ISC%20- Occupant%20Emergency%20Programs%20Guide%20FINAL_508_0.pdf 17. Best Practices for Managing Mail Screening and Handling Processes: A Guide for the Public and Private Sectors, 2012 18. Planning and Response to an Active Shooter: An Interagency Security Committee Policy and Best Practices Guide, 2015 19. DoD Security Engineering Facilities Planning Manual (Draft) UFC 4-020-01 Department of Defense March 2006 www.wbdg.org/ndbm/DesignGuid/pdf/Final%20Draft_UFC_4-020-01.pdf Figure 60: Building Security Standards and Resources Summarizing the available standards and other building security guidelines suggests that the following potential areas of vulnerability should be reviewed for possible implementation of security countermeasures: Pedestrian Entranceways Vehicular Access and Circulation Parking Garages Public Toilets and Service Areas

177 Refuge Collection Sites Loading Docks Shipping and Receiving Areas Stairwells Public Corridors Equipment and Maintenance Spaces Mailrooms Lobbies and Waiting Areas Roofs Water Supply Air Intakes Fuel Storage Areas Utility Feeds Elevators General Office Space Dining Facilities Retail Areas Computer Rooms In addition the following systems or sub-systems should be considered for protective measures: Mechanical Engineering Electrical Ventilation Fire Protection Communications Emergency Power Structural Lighting Entry Control Physical Security Electronic Security Information Technology Command and Control BIPS 06/FEMA 426: Reference Manual to Mitigate Potential Terrorist Attacks against Buildings, 2nd Edition (2011) provides an updated version of risk assessment techniques, a new concept on infrastructure resiliency, and identifies new protective measures and emerging technologies to protect the built environment. Of course transportation agencies have unique types of buildings and facilities that will demand vulnerability reduction solutions that are atypical. For example, a toll facility on an interstate highway will likely require an extensive level of structural hardening, shielding, stress bearing systems and anti-ram barriers either to protect the toll plaza, collectors and vehicle occupants from an explosives blast, or to mitigate its effects. Similarly, a transit or commuter train that enters the building envelope of an underground train station creates risk vulnerability and exposure elements for building occupants through any number of different threat scenarios. As has been recommended throughout this text, agencies must specifically address such uniqueness in their operating environment when making security improvements. Buildings such as warehouses, car shops, maintenance facilities, plants and industrial areas, dispatch centers and fuel depots all have the potential to demand specialized individual security countermeasures or solution sets. The Department of Homeland Security's (DHS) Science and Technology Directorate (S&T) has produced the Building and Infrastructure Protection Series: Designing Buildings to Withstand Almost Anything, aimed at engineers, architects, building owners, city planners, and emergency managers. The series - seven documents, four software applications, one website, and one training course - makes available government, industry, and academic research on designs and materials to make buildings and tunnels terror-resistant and terror-resilient. Bridge and Tunnel Security The U. S. surface transportation sector is a vast and open series of roadways, skyways, tracks, rails, pedestrian walkways, bike paths and other routes that facilitate the travel of people and goods throughout the country. These routes are connected and interconnected by a system of bridges and tunnels that are engineered to traverse difficult terrain or geography, shorten travel distances or simply improve the journey of system users.

178 While the infrastructure of the entire route is an important part of transportation agency security planning, bridges and tunnels by virtue of their engineering, placement or cost often are among the most critical assets of the agency. Land based bridges are also integral to the maritime sector because they cross over the Nation’s waterways thereby affecting the movement of ships and other vessels particularly on inland rivers. Protecting bridges and tunnels can be complicated. Referring once again to the FHWA Recommendations for Bridge and Tunnel Security, AASHTO Blue Ribbon Panel on Tunnel and Bridge Security the following comment is observed: “Among the 600,000 bridges in the United States, preliminary studies indicate that there are approximately 1,000 where substantial casualties, economic disruption, and other societal ramifications would result from isolated attacks. Additionally, the U.S. transportation system includes 337 highway tunnels and 211 transit tunnels; many are located beneath bodies of water, and many have limited alternative routes due to geographic constraints.” Such a vast number of bridge and tunnel structures interspersed throughout the nation’s landscape points out the difficulty associated with the creation of a workable security protection scheme; particularly when the remoteness, inaccessibility and reduced visibility of many of these structures has been factored in. However, just looking at the extent of the assets “makes the case” that rigorous critical infrastructure identification processes are clearly justified. It is apparent that the security planning tasks in this regard are daunting, exacerbated by the fact that there are also various types of bridge or tunnel structures each with engineering design characteristics that can be completely different one from the other. Bridge Security Guidance and Resources  FHWA Framework for Improving Resilience of Bridge Design (Report No. FHWA-IF-11-016, January 2011) Recognizing that addressing security concerns and potential failures during design is a much less costly approach, the framework that can be employed by bridge designers during the design process that can help to minimize bridge failures while in service and/or during construction. It was developed to provide bridge designers with a tool for identifying potential failure mechanisms by highlighting design considerations that could reduce failures that might not be readily apparent in current design specifications.  NCHRP Report 645 Blast-Resistant Highway Bridges: Design and Detailing Guidelines (2010) contains general design guidance and a simplified design procedure for blast-resistant reinforced concrete bridge columns.    NCHRP 20-07/Task 378 Assessing Risk For Bridge Management, 2016 focused on developing guidelines for a data-driven risk assessment at the bridge and structure level that considered risks from natural and man-made hazards. The methodology and proposed guidelines produced support the state DOTs’ focus on risk-based asset management.  FHWA Bridge Security Design Manual (2017) provides state-of-the-art guidance on bridge- specific security planning, extreme loading phenomenology and characterization, and protective design strategies for vulnerability assessments of existing bridges, resilient design of new bridge construction, and emergency planning efforts.  TSA Comparative Analysis of Assessed Bridges (Nov 2015) indicates for nine most-common bridge construction types the most vulnerable structural element, recommended mitigation method and cost of such mitigation. Note that the Report is identified as Sensitive Security Information (SSI) but is available on a "need to know" basis for those persons validly associated with bridge security and construction. Goethals Bridge Example

179 In June, 2017 the new Goethals Bridge opened to traffic. The bridge has twin spans connecting Staten Island, NY, and Elizabeth, NJ across the Arthur Kill strait. The original bridge, one of the first constructed by the Port Authority of New York and New Jersey, was retired and incrementally demolished, to make way for one of the two new spans. The replacement bridge constructed directly south of the original bridge provides three 12- foot-wide lanes in each direction replacing the two narrow 10-foot-wide lanes, a 10-foot-wide sidewalk/bikeway along the northern edge of the New Jersey-bound roadway, and a central corridor between the eastbound and westbound roadway decks, sufficient to accommodate potential transit service. The new bridge provides improved safety and reliability by meeting current geometric design, structural integrity, security and seismic standards. The bridge also includes post-Sandy resilience recommendations such raised approach roadways to prevent overtopping and installed fender systems to deflect debris. Goethals Bridge has closed circuit television surveillance, dynamic message signs, variable speed limit signs, vehicle detection, and lane-use control signals. State-of-the-art smart bridge technology provides continuous electronic monitoring of bridge structures using a network of sensors at critical points to monitor traffic and structural integrity. The sensors can spot potentially serious problems before they might be apparent to an inspector, as well as help determine how the bridge behaves under heavy traffic, in severe weather conditions and during other potentially hazardous situations. It also utilizes Roadway Weather Information Systems, which collect environmental data such as wind speed, visibility, and pavement temperature. A Traffic Detection System provides traffic alerts that allow emergency services to quickly plan a response for any incident. PANYNJ has a public website for the new bridge with several webcams that show multiple views of the project. FHWA’s 2015 Specifications for National Tunnel Inventory categorizes the multiple systems that contribute to the overall functionality and the safety of tunnels as follows:  Structural systems: These systems make up the primary structure of the tunnel or support its equipment and include the walls, roof, ceiling slabs, roof beams, portals, invert slabs, slabs on- grade, cross-passageways, equipment supports, joints, and gaskets.  Civil systems: These systems consist of the wearing surface, traffic barriers, and pedestrian railings.  Mechanical systems: These systems consist of the ventilation system, drainage system, emergency generator system, and flood gates. The ventilation and drainage systems contain fans, fan motors, pumps, pump motors, pump controllers, piping, and drains. The emergency generator system includes a generator, fuel storage tank, fuel day tanks, exhaust air louvers, damper actuator, generator control equipment, and conduits.  Electrical systems: These systems include the tunnel’s electrical distribution and emergency distribution systems. The electrical distribution system includes switchgear, motor control centers, starters, transformers, transfer switches, panel boards, conduits, raceways, and electrical outlets/receptacles. The emergency distribution system consists of uninterruptable power supply, batteries, and battery charging equipment.  Lighting systems: These systems include the tunnel and emergency lighting systems. Both of these systems consist of light fixtures, fixture supports, bulb housings, lenses, light switches, junction boxes, wiring, conduit, cable, sensors, and controllers.  Fire/life safety/security systems: These systems consist of fire detection, fire protection, emergency communication, and operations and security systems. Fire detection systems consist of control panels, initiating devices (heat and smoke detectors, pull-stations, etc.), notification appliances (strobes, horns, etc.), wiring, conduit, and cable.

180  Emergency communication systems include communication devices [intercom, public address, emergency override frequency modulation (FM) radio rebroadcast, private emergency radios, cell phones, receivers, wiring, exchange devices, signs, controllers, speakers, and audio input equipment].  Tunnel operations and security systems include communication equipment (closed-circuit television (CCTV) cameras, telephones, radios, etc.). Figure 61 is a sketch representation of four different types of transportation tunnels each with unique engineering characteristics that likely would call for specific individual countermeasures or countermeasures solution sets.   Figure 61: Transportation Tunnel Types. Source: NCHRP Report 525: Volume 12 – Making Transportation Tunnels Safe and Secure,  2006 A discussion of bridge and tunnel security issues presents an excellent opportunity to further explain concepts of security strategy in terms goals and objectives. In the text Making the Nation Safer, several overarching goals categories for countering terrorism were identified:  Predict: Intelligence and surveillance of targets and means  Prevent: Disrupt networks, contain threats  Protect: Harden targets, immunize populations  Interdict: Frustrate attacks, manage crisis  Response & Recovery: Mitigate damage, expedite cleanup  Attribute: Identify attacker to facilitate response These overlapping goals have been drawn differently in other publications, e.g., “prevention, detection, deterrence, response and mitigation” or the four D’s – “deter, detect, deny, and defend.” Nonetheless, a significant part of the purpose and underlying message of these goals is that certain tactics can either

181 prevent an attack against a given target, or positively influence the target selection of an aggressor, or perhaps disrupt such an attack in progress. In fact because of the catastrophic potential that could result from a successful attack against some key bridge or tunnel assets, front end efforts to defend against the loss can become an even higher priority. Primarily, vulnerability reduction countermeasures focused towards the defense of bridges and tunnels should include visible signs of security such as fencing, lights, surveillance systems and rapid response by security forces. The objective is to present a potential adversary with a perception that his attack will be unsuccessful or that he will be captured. Note that perhaps more importantly, the absence of such visible signs of security may induce target selection by an adversary. In particular the approaches to critical bridges or tunnels and the undetected opportunity time, or “time on target” that an aggressor can acquire are factors that deserve thoughtful security planning. For example, the approach on both sides of a critical underwater tunnel portal entrance could be lined with high security anti-ram fencing for an extended distance to prevent vehicle breach, say one-half mile. Lighting, audible alarms, surveillance and intrusion detection systems could be deployed in tandem so that any attempted access to the portal on foot would require the aggressor to walk or run for an extended time just to reach a mission sensitive location. Responding security forces or officers on directed patrol capable of disrupting or interdicting the attack would add a final layer of protection for the asset. Time on target has additional ramifications for bridge and tunnel security. For example, an aggressor with sufficient time can improve the payload and blast effect of an IED by attaching or even drilling into a bridge’s critical structural elements, e.g., cable anchors, box girders and cable towers. Notwithstanding the stated requirement that transportation agencies must perform rigorous critical asset identification, it is accurate to presume that a recommendation for extensive security countermeasures for bridges and tunnels is somewhat incongruous with preceding commentary about the vast and expansive number of such assets in the U.S. One additional recommendation – maximizing portability in bridge and tunnel security countermeasures deployment, may assist in overcoming this security planning dilemma. By establishing one or more portable countermeasures solution sets containing deployable sensors, cameras, alarms and other perimeter protection devices security designers can prioritize security equipment utilization through temporary placements at critical bridge or tunnel locations. A deployment of this type would serve as a temporary security force multiplier capable of alerting responders of a potential security breach. The placement decision would be based on threat information/intelligence or tactical or strategic considerations. NCHRP Report 816 Guide for the Preservation of Highway Tunnel Systems (2015) provides a catalog of highway tunnel preservation actions, (2) quantify the benefits of tunnel preservation actions, (3) provide decision-making tools to optimize tunnel preservation actions, and (4) develop a method to determine appropriate levels of funding and staffing to achieve agency-selected goals and performance measures Tunnel Security Guidance and Resources 1. 2015 FHWA Tunnel Operations, Maintenance, Inspection, and Evaluation Manual (TOMIE Manual) 2. Tunnel Security for Public Transit (APTA SS-SIS-RP-16-15, 2015) offers best practices in the development of security for transit tunnels and the application and the implementation of security design considerations where applicable. This document outlines the structure of tunnels, potential threats and measures to enhance the security of these structures. Additionally, it recommends

182 technologies, policies and procedures, coupled with the operational aspects for securing tunnels from potential threats. 3. Making Transportation Tunnels Safe and Secure,” Transit Cooperative Research Program, Report 86, Vol. 12. 4. Risk Management for Terrorist Threats to Bridges and Tunnels,” Federal Highway Administration (FHWA)/U.S. Army Corps of Engineers (USCOE), 2008. 5. Integrated Rapid Visual Screening Series (IRVS) for Tunnels,” Department of Homeland Security (DHS), 2011. 6. Best Practices for Implementing Quality Control and Quality Assurance for Tunnel Inspections, NCHRP 20-07/Task 261 7. Design Fires in Road Tunnels, NCHRP Project 20-05, Synthesis Topic 41-05 8. Tunnel Operations, Maintenance, Inspection and Evaluation (TOMIE) Manual, 9. FHWA DTFH61-07-D 00004 10. High Speed Nondestructive Testing Methods for Mapping Voids, Debonding, Delaminations, Moisture, and Other Defects Behind or Within Tunnel Linings, SHRP2 R06(G) 11. Recommended AASHTO LRFD Tunnel Design and Construction Specifications, NCHRP 12-89, FY 2011, ongoing 12. National Fire Protection Association, “Standard for Road Tunnels, Bridges, and Other Limited Access Highways,” Publication 502, 2011. 13. Technical Security Working Group (TSWG), “Best Practices for Bridges and Tunnels,” TSWG Contract Number N4175-05-R-4828, accessed Jan. 31, 2013. Rolling Stock and Vehicles Transportation vehicle security today comprises two main areas; (1) the safety and protection of vehicle operators, (2) safety and protection of vehicle passengers or occupants and (3) avoiding the use of the conveyance as a weapon of destruction or mass destruction (WMD).  In this first area the major potential threats include: (1) improvised explosives devices (IED), (2) armed assault against the driver or passengers, and (3) chemical, biological or radiological attack. In addition there have been known instances of counterfeit transportation vehicles being used in drug trafficking and other criminal activities. Fake vehicles have been loaded with drugs for transport. Some states have also found that criminal organizations have tried to place illegal substances under DOT vehicles left overnight to allow the transport the substances. Motor coaches, vans and buses in general are an attractive target (and sometimes weapon) of terrorists and criminal because of the ease with which they can penetrate security barriers and the large-scale damage they can inflict on people and infrastructure. In addition they are plentiful and routinely arouse no suspicion given the access they have to structures and activity centers. The American Bus Association issued a Member Alert on vehicle ramming in August, 2017. There are a variety of ways the vehicles may be obtained such as through an insider threat where an authorized driver carries out or facilitates the attack and by hijacking where an attacker gains control of the vehicle by force. The TSA recommends vigilance and preparedness to prevent the use of commercial vehicles in terrorist attacks. Commercial vehicle owners and operators should alert their staff to possible theft or hijacking of vehicles by would-be attackers and the importance of reporting suspicious activities to appropriate authorities.

183 WMD had assumed much greater importance post 9-11. There is still a need to protect against an aggressor use of their own supplied vehicles, but also against the commandeering of a vehicle transporting hazardous loads or the conversion of the transportation agencies own rolling stock. According to the FTA, lessons learned from prior events suggest that the following security strategies will help protect the vehicle fleet:  Limit the ability to place or hide explosives on or under vehicle  Improve the ability to see into and out of vehicle  Reduce the damage that would result from an explosion  Reduce the damage that would result from a fire  Reduce the damage that would result from contaminants  Enhance emergency egress through doors and windows  Protect the driver from physical threat  Network the vehicle with the Operation Control Center  Enable communications between the vehicle operator and passengers  Secure the vehicle from theft/unauthorized operations These issues have been well recognized by transportation agencies and homeland security professionals from government and industry, who have sought to find ways to improve the security of conveyances while in-transit or when housed or stored at facilities.

Next: Chapter 7 Homeland Security Laws, Directives, and Guidance »
Security 101: A Physical and Cybersecurity Primer for Transportation Agencies Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing, and can impact not only data, but the control systems - like tunnel-ventilation systems - operated by transportation agencies.

This update, a pre-publication draft of NCHRP Research Report 930: Security 101: A Physical and Cybersecurity Primer for Transportation Agencies, provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!