Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
115 Appendix B Agency Practices Introductionâ¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦â¦..Â 116Â A.Â StateÂ TransportationÂ AgencyÂ PracticesÂ ...................................................................................Â 117Â 1.Â RiskÂ ManagementÂ andÂ RiskÂ AssessmentÂ .............................................................................Â 117Â 2.Â InfrastructureÂ ProtectionÂ andÂ ResilienceÂ ............................................................................Â 121Â 3.Â PhysicalÂ SecurityÂ CountermeasuresÂ ....................................................................................Â 124Â PreventionÂ .........................................................................................................................................Â 125Â DeterrenceÂ ........................................................................................................................................Â 125Â DetectionÂ ...........................................................................................................................................Â 127Â MitigationÂ ..........................................................................................................................................Â 127Â ResponseÂ andÂ RecoveryÂ ....................................................................................................................Â 129Â 4.Â CyberÂ SecurityÂ CountermeasuresÂ .......................................................................................Â 129Â 5.Â TrainingÂ andÂ ExercisesÂ .........................................................................................................Â 133Â B.Â PhysicalÂ andÂ CyberÂ SecurityÂ LegalÂ AuthoritiesÂ ........................................................................Â 138Â PublicÂ LawsÂ ..............................................................................................................................Â 139Â HomelandÂ SecurityÂ PresidentialÂ DirectivesÂ .............................................................................Â 142Â NationalÂ FrameworksÂ andÂ StrategiesÂ ......................................................................................Â 144Â C.Â OtherÂ AreasÂ ImpactingÂ PhysicalÂ andÂ CyberÂ SecurityÂ ...............................................................Â 150Â
116 Introduction NCHRP Report 525: Surface Transportation Security, Volume 14: Security 101: A Physical Security Primer for Transportation Agencies (2009) provided transportation managers and employees with an introductory-level reference document containing essential security concepts, guidelines, definitions, and standards. Since the guide was published there have been significant advances in transportation security approaches. As summarized in Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience and Emergency Management for State DOTs (2015), the security domain has now expanded to include the complementary topics of infrastructure protection and system resiliency. Also, defending against the full spectrum of threats facing today'sâ transportation systems requires a more comprehensive approach encompassing cyber-physical systems security and cybersecurity aspects along with physical security. This section contains a summary of the review of practices in transportation agencies in meeting their security and infrastructure protection responsibilities, highlighting any significant changes since the initial guide was published.
117 A. State Transportation Agency Practices Recent guidance at the national level has been reshaping the focus and long-term direction of transportation agencies. Since the first edition of this guide was published, there is now an emerging focus on the complementary goals of infrastructure protection and resiliency as part of security and emergency management. Today there are even higher expectations for system performance and reliability and lower tolerance for delays. Small events pose threats of great consequences since the impact of any incident is magnified when a transportation network is operating at or past its capacity â as is the case in portions of many states as travel demand on their transportation networks grows. Hazards continue to evolve. Extreme weather, cyber incidents and other additional hazards need to be addressed as part of all hazards. In addition, the risk of natural and man-made events is growing more common due to many pressures including aging infrastructure. Todayâs transportation systems are integrated cyber and physical systems. There has been, and continues to be, significant deployment of new technologies to support DOT activities. 1. Risk Management and Risk Assessment Risk may be understood as the potential for unplanned adverse events to affect one or more transportation facilities in a way that causes unacceptable transportation system performance according to any or all of the agencyâs performance objectives. As noted in the first edition of Security 101, risk management is the appropriate starting point for any decision making. There have been a number of recent NCHRP reports that provide overviews and case studies describing how state DOTs are utilizing risk assessment and risk management techniques in their planning, operations, and program/project management. NCHRP PROJECT 20-24 (74) EXECUTIVE STRATEGIES FOR RISK MANAGEMENT BY STATE DOTS (2011) conducted a review of transportation, planning, and business management to identify risk management practices and emerging methods related to internal operations and program and project delivery. The study looked at DOT risk management practices at the enterprise, program, and project levels, but focused more on enterprise risk management. The project final report includes an overview of general risk management process and techniques as they apply to DOTs. NCHRP REPORT 706 USES OF RISK MANAGEMENT AND DATA MANAGEMENT TO SUPPORT TARGET- SETTING FOR PERFORMANCE-BASED RESOURCE ALLOCATION BY TRANSPORTATION AGENCIES (2011) focused on risk management to support funding decisions and prioritization of projects. Many, if not all, DOTs have conducted, and continue to conduct, vulnerability assessments of their critical assets. In general, risk is the product of likelihood and consequence. The steps in a Vulnerability Assessment as provided in the GUIDE TO HIGHWAY VULNERABILITY ASSESSMENT FOR CRITICAL ASSET IDENTIFICATION AND PROTECTION (AASHTO, 2002) are illustrated in Figure 1. As part of the Figure 1: Steps in Vulnerability Assessment.
118 assessment, today it is important to not only understand the sensitivity of system assets, infrastructure and services to different types of events, but to also understand the interdependency of critical infrastructure and assets within the transportation system and also across other sectors. There are a number of methodologies associated with assessing transportation assets that incorporate a variety of risk models such as likelihood models, consequence models, delay/detour models and recovery consequence models. States are currently using different methods and models to evaluate risk. In the case of earthquakes, information is relatively well developed in the seismically vulnerable states. The same expertise and capabilities can serve not only in earthquakes, but also after other extreme events such as storm surge, wave action, and scour. Databases exist for floods, fires and other natural hazards. Threat and Hazard Identification and Risk Assessment (THIRA) THIRA, a foundation of the National Preparedness System, is a four-step risk assessment process that provides an understanding of risks and helps estimate capability requirements. The THIRA process (illustrated in Figure 2) standardizes the risk analysis process that emergency managers and homeland security professionals use and builds on existing local, state, tribal, territorial Hazard Identification and Risk Assessments by: ï· Broadening the threats and hazards considered to include human-caused threats and technological hazards. ï· Incorporating the whole community into the planning process, including individuals; families; businesses; faith-based and community organizations; nonprofit groups; schools and academia; media outlets; and all levels of government, including local, state, tribal, territorial, and federal partners. ï· Providing increased flexibility to account for community-specific factors. Figure 2: The THIRA Process 1. Identify Threats and Hazards of Concern: Based on a combination of experience, forecasting, subject matter expertise, and other available resources, identify a list of the threats and hazards of primary concern to the community. 2. Give the Threats and Hazards Context: Describe the threats and hazards of concern, showing how they may affect the community.
119 3. Establish Capability Targets: Assess each threat and hazard in context to develop a specific capability target for each core capability identified in the National Preparedness Goal. The capability target defines success for the capability. 4. Apply the Results: For each core capability, estimate the resources required to achieve the capability targets through the use of community assets and mutual aid, while also considering preparedness activities, including mitigation opportunities. Example: THIRA Template Table 1 illustrates one possibility for how to organize the information in THIRAs. Table 1: THIRA Template.
120 FWHA Framework for Vulnerability Assessment FHWA developed a Conceptual Model to use in conducting vulnerability and risk assessments of infrastructure to the projected impacts of global climate change. Based on the feedback and lessons learned in pilots with state DOTs, the Conceptual Model was revised and expanded into the Climate Change & Extreme Weather Vulnerability Assessment Framework summarized in Figure 3. Figure 3: FWHA Framework for Vulnerability Assessment. (Source: Assessing Vulnerability and Risk of Climate Change Effects on Transportation Infrastructure 2014)
121 2. Infrastructure Protection and Resilience Resilience is âthe ability to prepare and plan for, absorb, recover from and more successfully adapt to adverse eventsâ (DISASTER RESILIENCE: A NATIONAL IMPERATIVE, NATIONAL RESEARCH COUNCIL, 2012). DOTs are currently in the process of understanding the impact of shift in focus from protection of assets to resilience of systems. FHWA Resilience Pilot Study locations are shown in Figure 4. FHWA partnered with state departments of transportation (DOTs) and metropolitan planning organizations (MPOs) to conduct climate change and extreme weather vulnerability assessments of transportation infrastructure and to analyze options for adapting and improving resiliency. In 2010-2011, five pilot teams piloted a Conceptual Model to use in conducting vulnerability and risk assessments of infrastructure to the projected impacts of global climate change. Based on the feedback and lessons learned through the pilots, FHWA revised and expanded the model developed the Climate Change & Extreme Weather Vulnerability Assessment Framework (December 2012). In 2013-2105 nineteen pilot teams partnered with FHWA to assess transportation vulnerability and evaluate options for improving resilience using the Climate Change & Extreme Weather Vulnerability Assessment Framework (December 2012) and other resources for their analyses. Figure 4: FHWA Resilience Pilot Locations. Table 2 provides a summary description of the most recent FHWA resilience pilot projects.
122 TableÂ 2:Â FHWAÂ ResilienceÂ PilotÂ Locations.Â PilotÂ ProjectÂ DescriptionÂ ArizonaÂ DOTÂ (ADOT)Â TheÂ ADOTÂ teamÂ conductedÂ aÂ studyÂ toÂ identifyÂ hotspotsÂ whereÂ highwaysÂ areÂ vulnerableÂ toÂ associatedÂ hazardsÂ fromÂ highÂ temperatures,Â drought,Â andÂ intenseÂ storms.Â TheÂ projectÂ focusedÂ onÂ theÂ interstateÂ corridorÂ connectingÂ Nogales,Â Tucson,Â Phoenix,Â andÂ Flagstaff,Â whichÂ includesÂ aÂ varietyÂ ofÂ urbanÂ areas,Â landscapes,Â bioticÂ communities,Â andÂ climateÂ zonesÂ andÂ presentsÂ aÂ rangeÂ ofÂ weatherÂ conditionsÂ applicableÂ toÂ muchÂ ofÂ Arizona.Â CaliforniaÂ DOTÂ (Caltrans),Â DistrictÂ 1Â TheÂ vulnerabilityÂ assessmentÂ approachÂ drewÂ fromÂ methodologiesÂ developedÂ byÂ FHWAÂ andÂ theÂ WashingtonÂ StateÂ DOTÂ 2010â2011Â climateÂ resilienceÂ pilotÂ project.Â TheÂ pilotÂ assessedÂ vulnerabilityÂ inÂ fourÂ countiesÂ byÂ scoringÂ assetÂ criticalityÂ andÂ potentialÂ impact.Â TheÂ pilotÂ identifiedÂ adaptationÂ optionsÂ atÂ fourÂ prototypeÂ locationsÂ ofÂ vulnerableÂ roadÂ segments.Â TheÂ CaltransÂ DistrictÂ 1Â teamÂ formalizedÂ theirÂ adaptationÂ methodologyÂ intoÂ aÂ toolÂ toÂ assistÂ withÂ theÂ evaluationÂ andÂ prioritizationÂ ofÂ adaptationÂ options.Â CapitalÂ AreaÂ MPOÂ (CAMPO)Â TheÂ CAMPOÂ teamÂ usedÂ aÂ dataÂ andÂ stakeholderâdrivenÂ approachÂ toÂ assessÂ risksÂ toÂ nineÂ criticalÂ assetsÂ fromÂ flooding,Â drought,Â extremeÂ heat,Â wildfire,Â andÂ ice.Â TheÂ projectÂ teamÂ conductedÂ aÂ criticalityÂ workshop,Â developedÂ localÂ climateÂ projections,Â andÂ performedÂ riskÂ assessmentsÂ forÂ eachÂ asset.Â ConnecticutÂ DOTÂ (CTÂ DOT)Â TheÂ CTDOTÂ teamÂ conductedÂ aÂ systemsâlevelÂ vulnerabilityÂ assessmentÂ ofÂ bridgeÂ andÂ culvertÂ structuresÂ fromÂ inlandÂ floodingÂ associatedÂ withÂ extremeÂ rainfallÂ events.Â TheÂ assessmentÂ includedÂ dataÂ collectionÂ andÂ fieldÂ review,Â hydrologicÂ andÂ hydraulicÂ evaluation,Â criticalityÂ assessmentÂ andÂ hydraulicÂ designÂ criteriaÂ evaluation.Â HillsboroughÂ MPOÂ Â TheÂ HillsboroughÂ MPOÂ teamÂ assessedÂ theÂ vulnerabilityÂ ofÂ selectÂ surfaceÂ transportationÂ assetsÂ toÂ seaÂ levelÂ rise,Â stormÂ surge,Â andÂ floodingÂ inÂ orderÂ toÂ identifyÂ costâeffectiveÂ riskÂ managementÂ strategiesÂ forÂ incorporationÂ intoÂ shortâtermÂ andÂ longâ rangeÂ transportationÂ planning.Â IowaÂ DOTÂ ToÂ evaluateÂ futureÂ floodÂ conditions,Â theÂ IowaÂ DOTÂ teamÂ developedÂ aÂ methodologyÂ toÂ integrateÂ climateÂ projectionsÂ ofÂ rainfallÂ withinÂ aÂ riverÂ systemÂ modelÂ toÂ predictÂ riverÂ floodÂ responseÂ toÂ climateÂ change.Â IowaÂ DOTÂ testedÂ thisÂ methodologyÂ inÂ twoÂ riverÂ basinsÂ toÂ evaluateÂ theÂ strengthsÂ andÂ weaknessesÂ ofÂ technologyÂ toÂ produceÂ scenariosÂ ofÂ futureÂ floodÂ conditions.Â TheyÂ alsoÂ analyzedÂ theÂ potentialÂ impactÂ ofÂ theÂ futureÂ floodsÂ onÂ sixÂ bridgesÂ toÂ evaluateÂ vulnerabilityÂ toÂ climateÂ changeÂ andÂ extremeÂ weatherÂ andÂ informÂ theÂ developmentÂ ofÂ adaptationÂ options.Â MaineÂ DOTÂ TheÂ MaineÂ DOTÂ teamÂ identifiedÂ transportationÂ assetsÂ thatÂ areÂ vulnerableÂ toÂ floodingÂ fromÂ seaÂ levelÂ riseÂ andÂ stormÂ surgeÂ inÂ sixÂ coastalÂ towns.Â TheÂ teamÂ developedÂ depthâ damageÂ functionsÂ andÂ adaptationÂ designÂ optionsÂ atÂ threeÂ ofÂ theÂ sitesÂ andÂ evaluatedÂ theÂ costsÂ andÂ benefitsÂ ofÂ theÂ alternativeÂ designÂ structures.Â MarylandÂ StateÂ HighwayÂ AdministrationÂ (MDSHA)Â TheÂ MDSHAÂ teamÂ developedÂ aÂ threeâtieredÂ vulnerabilityÂ assessmentÂ methodologyÂ andÂ GISÂ layersÂ ofÂ statewideÂ waterÂ surfacesÂ toÂ analyzeÂ vulnerabilityÂ toÂ seaÂ levelÂ rise,Â stormÂ surge,Â andÂ floodingÂ inÂ twoÂ counties.Â TheÂ teamÂ alsoÂ reviewedÂ designÂ strategies,Â bestÂ managementÂ practices,Â planningÂ standards,Â andÂ otherÂ waysÂ toÂ supportÂ theÂ adoptionÂ ofÂ adaptiveÂ managementÂ solutions.Â MassachusettsÂ DOTÂ (MassDOT)Â TheÂ MassDOTÂ teamÂ soughtÂ toÂ betterÂ understandÂ theÂ vulnerabilityÂ ofÂ theÂ Iâ93Â CentralÂ Artery/TunnelÂ systemÂ (CA/T)Â inÂ BostonÂ toÂ seaÂ levelÂ riseÂ andÂ extremeÂ stormÂ events.Â TheÂ teamÂ combinedÂ aÂ stateâofâtheâartÂ hydrodynamicÂ floodÂ modelÂ withÂ agencyâdrivenÂ knowledgeÂ andÂ prioritiesÂ toÂ assessÂ vulnerabilitiesÂ andÂ developÂ adaptationÂ strategies.Â Â MichiganÂ DOTÂ (MDOT)Â TheÂ MDOTÂ teamÂ conductedÂ aÂ climateâbasedÂ vulnerabilityÂ assessmentÂ ofÂ mostlyÂ MDOTâownedÂ andÂ âoperatedÂ transportationÂ infrastructure,Â includingÂ roads,Â bridges,Â pumpsÂ andÂ culverts.Â TheÂ assessmentÂ usedÂ GISÂ toÂ overlayÂ climateÂ projectionsÂ ontoÂ
123 assetÂ informationÂ fromÂ MDOT'sÂ existingÂ assetÂ managementÂ databaseÂ toÂ helpÂ identifyÂ locationsÂ andÂ infrastructureÂ thatÂ mayÂ beÂ atÂ risk.Â MinnesotaÂ DOTÂ (MnDOT)Â TheÂ MnDOTÂ teamÂ conductedÂ aÂ vulnerabilityÂ assessmentÂ ofÂ bridges,Â culverts,Â pipes,Â andÂ roadsÂ parallelingÂ streamsÂ toÂ floodingÂ inÂ twoÂ districts.Â BasedÂ onÂ theÂ vulnerabilityÂ assessmentÂ results,Â theyÂ developedÂ facilityâlevelÂ adaptationÂ optionsÂ forÂ twoÂ selectedÂ culvertsÂ programmedÂ forÂ replacement.Â UsingÂ damageÂ andÂ economicÂ lossÂ estimatesÂ associatedÂ withÂ flashÂ floodingÂ asÂ wellÂ asÂ costÂ estimatesÂ forÂ alternativeÂ engineeringÂ designsÂ theÂ teamÂ identifiedÂ theÂ mostÂ costâeffectiveÂ optionsÂ underÂ aÂ rangeÂ ofÂ climateÂ scenarios.Â MetropolitanÂ TransportationÂ CommissionÂ (MTC)Â TheÂ MTCÂ teamÂ refinedÂ aÂ previousÂ vulnerabilityÂ assessmentÂ withÂ additionalÂ seaÂ levelÂ riseÂ mappingÂ andÂ hydraulicÂ analysis.Â UsingÂ theÂ revisedÂ vulnerabilityÂ data,Â theÂ projectÂ teamÂ developedÂ aÂ comprehensiveÂ suiteÂ ofÂ adaptationÂ strategiesÂ forÂ threeÂ focusÂ areas,Â andÂ throughÂ aÂ systematicÂ evaluationÂ process,Â theyÂ selectedÂ fiveÂ adaptationÂ strategiesÂ forÂ furtherÂ development:Â livingÂ leveesÂ (inÂ twoÂ locations),Â anÂ offshoreÂ breakwater,Â aÂ drainageÂ study,Â andÂ mainstreamingÂ climateÂ changeÂ riskÂ intoÂ transportationÂ agenciesÂ planningÂ processes.Â NorthÂ CentralÂ TexasÂ CouncilÂ ofÂ GovernmentsÂ (NCTCOG)Â TheÂ NCTCOGÂ teamÂ assessedÂ theÂ vulnerabilityÂ ofÂ existingÂ andÂ plannedÂ transportationÂ infrastructureÂ inÂ theÂ DallasâFortÂ WorthÂ region,Â whereÂ extremeÂ weatherÂ eventsÂ willÂ addÂ anÂ additionalÂ stressÂ onÂ theÂ transportationÂ systemÂ inÂ theÂ rapidlyÂ growingÂ region.Â NewÂ YorkÂ StateÂ DOTÂ (NYSDOT)Â TheÂ NYSDOTÂ teamÂ assessedÂ theÂ vulnerabilityÂ ofÂ theÂ transportationÂ systemÂ toÂ changesÂ inÂ precipitationÂ inÂ theÂ ruralÂ LakeÂ ChamplainÂ Basin.Â TheÂ teamÂ developedÂ aÂ benefitsÂ valuationÂ approachÂ toÂ helpÂ decisionâmakersÂ prioritizeÂ infrastructureÂ andÂ assessÂ whenÂ toÂ undertakeÂ culvertÂ replacementsÂ consideringÂ social,Â economic,Â andÂ environmentalÂ factors.Â TheyÂ evaluatedÂ vulnerability,Â criticalityÂ andÂ risk,Â andÂ developedÂ aÂ methodÂ toÂ applyÂ anÂ environmentalÂ benefitsÂ multiplierÂ toÂ eachÂ culvert.Â Â OregonÂ DOTÂ (ODOT)Â TheÂ ODOTÂ teamÂ engagedÂ maintenanceÂ andÂ technicalÂ staffÂ andÂ utilizedÂ assetÂ dataÂ toÂ assessÂ theÂ vulnerabilityÂ ofÂ highwayÂ infrastructureÂ inÂ twoÂ coastalÂ countiesÂ toÂ extremeÂ weatherÂ eventsÂ andÂ higherÂ seaÂ levels.Â BasedÂ onÂ theÂ resultsÂ ofÂ theÂ vulnerabilityÂ assessment,Â theÂ pilotÂ conductedÂ furtherÂ analysisÂ ofÂ specificÂ adaptationÂ sites,Â options,Â andÂ benefitsÂ andÂ costsÂ forÂ fiveÂ priorityÂ stormÂ andÂ landslideÂ hazardÂ areas.Â OptionsÂ analyzedÂ rangedÂ fromÂ âdoÂ nothingâÂ scenariosÂ toÂ optionsÂ forÂ increasedÂ operationsÂ andÂ maintenanceÂ andÂ optionsÂ withÂ significantÂ constructionÂ andÂ engineeringÂ requirements.Â Â SouthÂ FloridaÂ TheÂ SouthÂ FloridaÂ teamÂ focusedÂ onÂ aÂ fourâcountyÂ regionÂ inÂ conductingÂ aÂ detailedÂ geospatialÂ analysisÂ toÂ calculateÂ vulnerabilityÂ scoresÂ forÂ âregionallyÂ significantâÂ roadÂ andÂ passengerÂ railÂ infrastructure.Â TheÂ studyÂ alsoÂ recommendedÂ waysÂ forÂ partnerÂ agenciesÂ toÂ incorporateÂ theÂ vulnerabilityÂ resultsÂ intoÂ theirÂ normalÂ decisionâmakingÂ processes.Â TennesseeÂ DOTÂ (TDOT)Â TheÂ TDOTÂ teamÂ conductedÂ anÂ extremeÂ weatherÂ vulnerabilityÂ assessmentÂ ofÂ transportationÂ infrastructureÂ acrossÂ theÂ state.Â TheÂ projectÂ teamÂ compiledÂ aÂ statewideÂ inventoryÂ ofÂ theÂ mostÂ criticalÂ transportationÂ infrastructureÂ andÂ usedÂ historicalÂ andÂ projectedÂ climateÂ andÂ weatherÂ dataÂ asÂ wellÂ asÂ stakeholderÂ feedbackÂ toÂ developÂ rankingsÂ ofÂ theÂ vulnerabilityÂ ofÂ criticalÂ transportationÂ assetsÂ toÂ projectedÂ temperatureÂ andÂ precipitationÂ changesÂ andÂ otherÂ extremeÂ weatherÂ events.Â WashingtonÂ StateÂ DOTÂ (WSDOT)Â TheÂ WSDOTÂ teamÂ examinedÂ adaptationÂ optionsÂ inÂ theÂ SkagitÂ RiverÂ Basin,Â anÂ areaÂ ofÂ theÂ stateÂ identifiedÂ inÂ anÂ earlierÂ assessmentÂ asÂ highlyÂ vulnerableÂ toÂ flooding.Â AdaptationÂ optionsÂ centeredÂ onÂ 11Â vulnerableÂ roadÂ segmentsÂ inÂ theÂ studyÂ area.Â OptionsÂ includedÂ activeÂ trafficÂ management,Â detourÂ routes,Â basinâwideÂ floodÂ easements,Â andÂ culvertÂ improvements.Â WesternÂ FederalÂ LandsÂ HighwayÂ TheÂ WFLHD/ADOT&PFÂ teamÂ assessedÂ threeÂ uniqueÂ climateÂ changeÂ issuesÂ inÂ theÂ stateÂ ofÂ Alaska.Â InÂ Kivalina,Â theÂ pilotÂ consideredÂ theÂ impactÂ ofÂ theÂ lossÂ ofÂ seaÂ ice,Â seaÂ levelÂ
124 DivisionÂ (WFLHD)Â andÂ theÂ AlaskaÂ DOTÂ andÂ PublicÂ FacilitiesÂ (ADOT&PF)Â rise,Â andÂ windÂ onÂ shorelineÂ erosionÂ ofÂ theÂ coastalÂ runway.Â InÂ IglooÂ CreekÂ andÂ alongÂ theÂ DaltonÂ Highway,Â theÂ pilotÂ consideredÂ theÂ impactsÂ ofÂ increasedÂ temperatureÂ (resultingÂ inÂ permafrostÂ melt)Â andÂ increasedÂ precipitationÂ onÂ landslidesÂ andÂ pavementÂ cracking.Â Â 3. Physical Security Countermeasures This section discusses the many of the tools and countermeasures used to improve the security of critical infrastructure and facilities, and other areas. Physical security countermeasures include signs; emergency telephones, duress alarms, and assistance stations; key controls and locks; protective barriers; protective lighting; alarm and intrusion detection systems; electronic access control systems; and surveillance systems and monitoring. For nonpublic spaces, access control, perimeter security, intrusion detection systems, and other similar types of technology are deployed to protect facilities from external losses. In facilities that are open to the public, security personnel or possibly surveillance systems are the primary means of providing protection. TCRP REPORT 180 POLICY AND SECURITY PRACTICES FOR SMALL- AND MEDIUM-SIZED PUBLIC TRANSIT SYSTEMS (2015) explores the current state of practice and identifies potential security countermeasures that could be deployed by both of these sizes of transit agencies. TCRP F-21 TOOLS AND STRATEGIES FOR ELIMINATING ASSAULTS AGAINST TRANSIT OPERATORS (2017) provides an overview of countermeasures - ranging from policing, personnel, and training to technology, information management, policy, and legislation - that can be considered as a means to prevent, deter, detect, mitigate, respond to or recover from an attempt or actual assault upon a transit operator. In contemplating the appropriate level of security, it is important to take into account the purpose and benefits of the various types of security countermeasures that are available. Security can be designed to prevent, deter, detect, mitigate, respond to, or recover from an incident. Security spans the continuum from prevention through response and recovery. Table 3 below provides definitions of the levels of security. TableÂ 3:Â LevelsÂ ofÂ Security.Â SecurityÂ LevelÂ DefinitionÂ PreventionÂ ThoseÂ capabilitiesÂ necessaryÂ toÂ avoid,Â prevent,Â orÂ stopÂ aÂ threatenedÂ orÂ actualÂ act.Â DeterrenceÂ AnÂ activity,Â procedure,Â orÂ physicalÂ barrierÂ thatÂ reducesÂ theÂ likelihoodÂ ofÂ anÂ incident,Â attack,Â orÂ criminalÂ activity.Â Â DetectionÂ TheÂ identificationÂ andÂ validationÂ ofÂ potentialÂ threatÂ orÂ attackÂ thatÂ isÂ communicatedÂ toÂ anÂ appropriateÂ authorityÂ thatÂ canÂ act.Â MitigationÂ TheÂ applicationÂ ofÂ measureÂ orÂ measuresÂ toÂ reduceÂ theÂ likelihoodÂ ofÂ anÂ unwantedÂ occurrenceÂ and/orÂ itsÂ consequences.Â Â ResponseÂ CapabilitiesÂ necessaryÂ toÂ saveÂ lives,Â protectÂ propertyÂ andÂ theÂ environment,Â andÂ meetÂ basicÂ humanÂ needsÂ afterÂ anÂ incidentÂ hasÂ occurred.Â
125 SecurityÂ LevelÂ DefinitionÂ RecoveryÂ TheÂ development,Â coordination,Â andÂ executionÂ ofÂ plansÂ forÂ impactedÂ areasÂ andÂ operations.Â Â The following sections contain summary information on effective security countermeasures by continuum category. Prevention There are relatively few security measures available to prevent events from occurring on transportation systems. Transportation conveyances, in general, are public open access vehicles available for use by an unrestricted general population. With the exception of no-fly lists, individuals who represent security risks are not pre-identified or barred from riding because their propensity to action is generally unknown. Often, there is no screening for weapons or dangerous implements prior to boarding. Riders are placed in close proximity to one another. In summary, the openness of transportation systems makes them virtually unprotectable using modern physical security technology. See Figure 5. Figure 5: A selection of prevention countermeasures with varying visibility, cost, and ease of implementation. Deterrence Deterrence is largely a matter of reducing exposure to potential harm, or influencing how the attacker or offender interprets the risk of apprehension or personal loss. Security-related technologies can greatly reduce both the perceived window of opportunity and the potential impact of incidents. Figure 6 provides a summary of the most relevant countermeasures and approaches related to deterrence. PREVENTION PoliceÂ Personnel ProtectiveÂ Barriers BarringÂ Systems
126 Figure 6: A selection of procedures, activities, and physical interventions with deterrent effects. Example: Code of Conduct for Transit Passengers: Charlotte Area Transit System Charlotte released a Ridersâ Code of Conduct, which notes the following acts are prohibited on a CATS or LYNX vehicle: ï· Smoke or carry any lighted tobacco product or expel the residue of any other tobacco product including chewing tobacco ï· Consume any alcoholic beverage or possess an open container of any alcoholic beverage ï· Engage in disruptive, disturbing behavior including: loud conversation, profanity or rude insults, or operating any electronic device used for sound without an earphone(s) ï· Take any animal onto a vehicle unless its purpose is to assist a person with a disability or in training activities ï· Carry, possess or have within immediate access any dangerous weapon ï· Possess or transport any flammable liquid, combustible material or other dangerous substance such as gasoline, kerosene or propane ï· Litter ï· Vandalize the vehicle or station platform by writing, marking, scribbling, defacing or causing damage to the vehicle or platform facilities in any manner ï· Beg by forcing yourself upon another person ï· Excrete any bodily fluid or spit upon or at another person on the vehicle or station platform ï· Possess, use or sell any controlled substance ï· Lying down on seats, benches or tables at stations and bus stops ï· Standing, sitting or lying within 2 feet of the edge of the rail station platforms except for boarding and exiting the light rail vehicle ï· Skating or skateboarding on station platforms ï· Trespassing upon any area not open to the public and posted as such Deterrence SurveillanceÂ Systems PublicÂ AddressÂ SystemsÂ andÂ Signage AwarenessÂ Training LegislationOnboardÂ Security PassengerÂ CodesÂ ofÂ Conduct PhysicalÂ Barriers
127 The Ridersâ Code of Conduct was adapted from Charlotte Code Sec. 15-272 and 15-273. As of the publication of TCRP Report 180, violations of this code could be enforced by a fine of $50 or by arrest. Local laws, regulations, or ordinances such as the Charlotte Code (as mentioned above) can provide a basis for creating a code of conduct for users of state DOT assets. Detection There are technology measures such as video/audio surveillance, sensors, and other tools that can support detection when a potential incident is imminent. Detection and assessment of transportation systems has been enhanced by rapidly developing technologies providing digitized data acquisition, storage and transmission along with structural diagnostics, i.e. monitoring of structures by sensitive instruments measuring temperature, displacement, acceleration, and other significant performance indicators during regular service. A number of remote, in-situ, or portable monitoring/damage detection techniques have become available for use in post-event assessment such as sensors, sonar, ground-breaking radar, satellite imagery and unmanned aerial vehicles. These new capabilities are not fully explored and utilized by state DOTs today. Figure 7 provides a summary of the most relevant countermeasures and approaches. Figure 7: Detection tools for identifying and interrupting incidents range from more affordable sensors and alarms to complex security staffing plans and tracking systems. Mitigation Measures to reduce the likelihood of an assault or to minimize the consequences of an incident include policy, such as security plans, technology measures such as smart components and sensors; and awareness and training. Figure 8 provides a summary of the most relevant countermeasures and approaches to mitigate incidents. Detection IncidentÂ ResponceÂ Plan TwoâwayÂ RadioÂ /Â MobileÂ BroadbandÂ Communicat ions RemoteÂ Sensors TelemetryÂ Systems AntiâtheftÂ Devices IntelligenceÂ Sharing Based on experimental evidence and numerical simulation results gathered during the research for NCHRP REPORT 645: BLAST-RESISTANT HIGHWAY BRIDGES: DESIGN AND DETAILING GUIDELINES,
128 guidelines for highway bridge columns were developed. The research found that one of the best ways to mitigate damage was to increase the standoff distance with physical deterrents such as bollards, security fences, and vehicle barriers. When standoff distance is not available, the design and detailing provisions as described in the guidelines should be met. . Figure 8: A selection of mitigation countermeasures. Example: Red Kite Training Program for Conflict Management SEPTA This training program is designed to help employees to be more aware and to show more understanding for individuals (the customers) by allowing them to understand self-importance, to show respect and to see the human factor, allowing them to focus on de-escalating potential problems before they happen. Operators participate in their training while learning that they have choices in every interaction and how they can create a shift that can disarm a potentially difficult situation. This internationally used training model uses trauma-informed crisis management as a means to de-escalate violence with those who have experienced it. Program tenets include a belief that teaching public-service workers the effects of trauma and how to de-escalate violence is the key to community safety. In terms of physical security, simple and aggravated assaults against operators can harm those operators physically and emotionally. TCRP Report 180 notes that even spitting attacks have resulted in drivers Mitigation IncidentÂ ResponseÂ Plan PhysicalÂ Barriers AutomaticÂ AssessmentÂ Systems ElectronicÂ SignsTraining RealÂ TimeÂ IncidentÂ Surveillance ImmediateÂ Response
129 needing to take paid leave. In addition, the report also notes, âbesides the potential physical harm to people, a repeated pattern of aggravated assaults may instill a culture of fear in a transit agency in which passengers are afraid to use the system or operators are afraid to come to work. Damage to property and scheduling may also occur as a result of an aggravated assault.â Response and Recovery There are numerous types of countermeasures that can support the maintenance of an effective response program for incidents. Many of these measures are low cost and/or low effort, consisting of policy responses, awareness and training, security planning, or coordination with local authorities. Figure 9 provides a summary of the most relevant countermeasures and approaches to respond to and recover from incidents. ResponseÂ andÂ Recovery WaiversÂ andÂ EmergencyÂ Â Legislation PostÂ IncidentÂ ActionÂ Steps Training,Â DrillsÂ Â andÂ Exercises ImmediateÂ Actions SecurityÂ Â CommunicationsÂ Training CoordinationÂ &Â Collaboration TaskÂ Forces Figure 9: Response and Recovery Countermeasures
130 4. Cyber Security Countermeasures NIST Computer Security Division's Computer Security Resource Center (CSRC) facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. The CSRC is the primary gateway for gaining access to NIST computer security publications, standards, and guidelines plus other useful security-related information. NIST has published over 300 Information Security guides that include Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NIST IR). Most commonly referenced NIST publications include: PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER ATTACKS: A PRIMER (2016), a joint product of two Transportation Research Board Cooperative Research Programs, provides transportation organizations basic reference material concerning cybersecurity concepts, guidelines, definitions and standards. The primer delivers fundamental strategic, management and planning information associated with cybersecurity and its applicability to transit and state department of transportation operations. The primer presents fundamental definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The goals of the primer are to: increase awareness of cybersecurity as it applies to highway and public transportation; plant the seeds of organizational culture change; address those situations where the greatest risks lie; and provide industry- specific approaches to monitoring, responding to and mitigating cyber threats. Individual chapters address: myths of cybersecurity; risk management, risk assessment and asset evaluation; plans and strategies, establishing priorities, organizing roles and responsibilities; transportation operations cyber systems; countermeasures; training; and security programs and support frameworks. APTA STANDARDS DEVELOPMENT PROGRAM RECOMMENDED PRACTICE: SECURING CONTROL AND COMMUNICATIONS SYSTEMS IN TRANSIT ENVIRONMENTS, PARTS I, II AND IIIA (2010 â 2015), addresses the importance of control and communications security to a transit agency and presents recommended approaches for securing communications and control systems. Parts IIIb and IIIc are anticipated in the future. Example: San Francisco Municipal Transportation Authority (SFMTA) Ransomware Event In November 2016, SFMTA experienced a ransomware attack that encrypted SFMTAâs information systems. The impact on physical control systems was minimized because SFMTA used a segmentation approach to separate operational control and communications systems from other IT systems and disconnected their fare gates and ticket vending machines systems from the network. Cybersecurity is a growing issue for all organizations, including airports. ACRP Report 140: Guidebook on Best Practices for Airport Cybersecurity (2015) provides resources for airport managers and IT staff to reduce or mitigate inherent risks of cyberattacks on technology-based systems. Traditional IT infrastructure such as servers, desktops, and network devices are covered along with increasingly sophisticated and interconnected industrial control systems, such as baggage handling, temperature control, and airfield lighting systems. Example: Chicago Air Traffic Control Center Fire On September 26, 2014, Federal Aviation Administrationâs (FAA) Air Route Traffic Control facility outside of Chicago shut down over 91,000 mi2 of airspace due to a massive fire set by a disgruntled
131 contractor. Thousands of travelers and flights were disrupted nationwide. The FAA and air traffic control minimized the disruption by using air traffic control centers in other locations. The contractor could easily overcome the existing security systems, since he held access privileges, highlighting the need for system redundancy and adaptability of processes and personnel. This example also illustrates the importance of coordinated programs for physical, cyber, and personnel security. Executive Order (EO) 13636, âImproving Critical Infrastructure Cybersecurity,â February 2013, directed National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary cybersecurity framework for reducing risks for critical infrastructure. The resulting Framework for Improving Critical Infrastructure Cybersecurity was released in 2014. Recognizing that a âone size fits allâ methodology for implementation of the framework is impractical, the Transportation Security Administration, Department of Transportation, United States Coast Guard, and Transportation Systems Sector (TSS) stakeholders organized to create implementation guidance of greatest relevance to the TSS. The TSS Cybersecurity Framework Implementation Guidance, published in 2015, provides guidance, resource direction, and a directory of options to assist a transportation agency or organization in adopting the NIST Framework. The implementation guidance can be used by organizations to do the following: â¢ Characterize their current and target cybersecurity posture. â¢ Identify opportunities for evolving their existing cybersecurity risk management programs. â¢ Recognize existing sector tools, standards, and guidelines that may support framework implementation. â¢ Assess and communicate their risk management approach to both internal and external stakeholders. Example: Utah Transit Authority Cybersecurity Program UTA, a medium-sized transit agency with about 2,500 employees, serves six counties or about 1,600 square miles and 80% of the stateâs population. UTAâs infrastructure and assets consist of the following: â¢ 6,206 active bus stops â¢ 520 buses, 123 paratransit, 441 vans, 70+ Support â¢ 146 Light Rail Cars, 18 locos, 53 Commuter Rail Cars â¢ 90 miles of commuter rail track. 16 commuter rail stations, 50 light rail stations UTAâs cybersecurity program is comprised of a cybersecurity monitoring strategy, a systematic decision- making process for selecting and implementing countermeasures, SCADA rail cybersecurity and cybersecurity layers. UTAâs cybersecurity program is based on best practices and is effective in protecting UTAâs SCADA and rail control systems, and its IT and enterprise systems. UTAâs cybersecurity monitoring strategy effectively manages its cyber security threats and vulnerabilities. Discussed in the case study are its monthly monitoring system used by the IT unit and Security Incident Reporting tools UTAâs decision-making process to initiate a cyber security project proceeds as follows: First, there is a risk assessment process which identifies possible security enhancement measures. For each decision cycle, several of UTAâs many systems undergo the risk assessment process. Second, a committee ranks these measures based on certain high-level factors. While the CTO is responsible for overall cyber security for UTA, the UTA Security Administrator makes the final decisions on whether or not to proceed with the
132 selected projects. This decision process occurring several times a year results in implementation of 10-30 cyber security measures. To protect data connections between traffic control, SCADA, and data systems, IT worked with rail operations units to implement cybersecurity systems. They constantly scan the systems for viruses and unusual activity. The case study includes a presentation of Defense in Depth corporate policies. UTAâs layers of security begin with corporate policies and progresses to physical security, perimeter security, internal network security, host security and application/data security. Cyber-Physical Security Cybersecurity cannot be easily separated from physical security. Physical and cyber systems in transportation have become increasingly colocated and functionally dependent on one another. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. Evidence of intrusion into physical assets, especially control system cabinets, devices or terminals, communications devices or networks, is an indicator for a suspected cyber breach. Along with more obvious damage or telltale evidence of intrusion and unreconciled door and/or cabinet alarms, inexplicable loss or behavior of communications links or behavior of control system devices could be indications of physical security breaches. Policies and practices for responding to physical security breaches need to also address cybersecurity, and incorporate considerations that a cyber-related incident may have also occurred. Benefits and Needs for an Integrated Approach to CyberâPhysical Security for Transportation, (Zimmerman and Dinning, 2017) published in Transportation Research Circular E-226: Transportation Systems Resilience: Preparation, Recovery, and Adaptation (Transportation Research Board, 2017), provides an overview of cyber and physical systems, gives examples of effective security approaches, and includes transportation case studies. The authors identify four challenges: ï· Redundancy and backup systems, that are needed to mitigate impacts of disruptions, should be part of continuity of operations plans, and require training, management, and close oversight. ï· Because cyber and physical systems, and their respective security system products, are specified and purchased independently from different sources, a systems approach to acquisitions should be used that includes security and resilience in system specifications. Where possible, product designs should address both cyber and physical security. ï· Many organizations lack enterprise-wide resiliency plans addressing all risks simultaneously. All- hazards resiliency plans can reduce the impact of interrelated risks and cascading impacts. ï· Personnel must understand both cyber and physical risks and mitigation strategies. Some organizations are facing this challenge with workforce training programs, for example by NIST, DHS, ICS-CERT, and the Transportation Research Board Critical Transportation Infrastructure Protection Committee.
133 5. Training and Exercises SECURITY AWARENESS AND ALERTNESS TRAINING IN STATE DEPARTMENTS OF TRANSPORTATION1 (Chen, Nof, Partridge, Varkonyi, and Nakanishi, 2006) provided a summary of how state departments of transportation train their employees for security awareness and alertness based on a 2004 survey of state DOTs. Eighteen states were found that considered assessment and certification of security training, and a list of 25 most popular training programs conducted by those 18 states were evaluated in the research. The key findings from that analysis included: ï· Large numbers of security training courses and tools are available. ï· State DOT training goals were general in scope, even though a higher level of specificity is recommended. ï· Security training should be continuously updated and flexible to respond to new and changing threats. Over time, there has been an evolution in the preferred methods of training delivery for DOT employees, captured in ASSHTO State DOT Security/Emergency Management Survey results. The 2010 survey summarizes this evolution, as shown in Figure 10. There is a still strong preference for print/electronic materials with significant growth in demand for conferences/peer exchanges and web-based seminars. Exercises and workshops as a preferred source have declined significantly. Figure 10: DOT Preferred Training Delivery Methods (Source: Summary of 2010, NCHRP Project 20-59 (29)) ASSESSMENT OF SURFACE TRANSPORTATION SECURITY TRAINING NEEDS AND DELIVERY PREFERENCES (2011) identified security training content needs and effective approaches through focus groups and interviews with representatives of 45 different major surface transportation or security organizations. The study identified training content needs by audience, as summarized in Table 4. Â 1Â TransportationÂ ResearchÂ Record:Â JournalÂ ofÂ theÂ TransportationÂ ResearchÂ Board,Â No.Â 1942,Â TransportationÂ ResearchÂ BoardÂ ofÂ theÂ NationalÂ Academies,Â Washington,Â D.C.,Â 2006,Â pp.Â 39â51.Â
134 TableÂ 4:Â SecurityÂ TrainingÂ ContentÂ NeedsÂ byÂ Audience.Â AudienceÂ ContentÂ NeedsÂ Â FrontlineÂ â¢ SituationalÂ assessmentÂ ofÂ threatsÂ andÂ incidents â¢ ObservationalÂ skillsÂ andÂ reportingÂ dangerousÂ substances, suspiciousÂ packages,Â andÂ situations â¢ AppropriatelyÂ reactingÂ toÂ allÂ threats â¢ ProperÂ useÂ ofÂ securityÂ equipmentÂ orÂ technology ThereÂ wasÂ clearÂ concernÂ thatÂ trainingÂ forÂ frontlineÂ personnelÂ doesÂ notÂ needÂ beÂ tooÂ inâdepthÂ orÂ technical.Â Â TransportationÂ ProfessionalsÂ MidâÂ toÂ highâlevelÂ managersÂ andÂ executivesÂ inÂ operations,Â planning,Â safety,Â security,Â maintenance,Â andÂ otherÂ relatedÂ fieldsÂ Â AsideÂ fromÂ theÂ sameÂ basicÂ securityÂ awarenessÂ trainingÂ forÂ frontlineÂ employees,Â thisÂ audienceÂ hasÂ specialÂ highâlevelÂ trainingÂ andÂ educationÂ needsÂ inÂ theÂ areaÂ ofÂ securityÂ riskÂ assessmentÂ andÂ management,Â vulnerabilityÂ assessment,Â andÂ planningÂ forÂ resiliency.Â ThisÂ audienceÂ mayÂ needÂ toÂ understandÂ moreÂ clearlyÂ theÂ differenceÂ betweenÂ safetyÂ andÂ security.Â ContractorsÂ andÂ VendorsÂ Â â¢ SimilarÂ toÂ frontlineÂ employeeÂ awarenessÂ training â¢ ReportingÂ suspiciousÂ activity. EmergencyÂ RespondersÂ â¢ TransportationÂ systemÂ operations,Â hazards,Â andÂ vulnerabilities â¢ IntegratedÂ communicationsÂ andÂ response practices/procedures â¢ IntegratedÂ incidentÂ management NeedsÂ forÂ thisÂ groupÂ willÂ notÂ beÂ muchÂ differentÂ fromÂ thatÂ ofÂ frontlineÂ employeesÂ inÂ termsÂ ofÂ emphasisÂ onÂ reportingÂ suspiciousÂ andÂ dangerousÂ activities,Â butÂ wouldÂ varyÂ inÂ priorityÂ basedÂ onÂ theÂ proximityÂ andÂ accessÂ toÂ criticalÂ infrastructureÂ andÂ operationsÂ (forÂ maintenanceÂ workers)Â andÂ toÂ publicÂ areas.Â Source:Â AssessmentÂ ofÂ SurfaceÂ TransportationÂ SecurityÂ TrainingÂ NeedsÂ andÂ DeliveryÂ PreferencesÂ (2011)Â As part NCHRP PROJECT 20-59 (43), INCORPORATING TRANSPORTATION SECURITY AWARENESS INTO ROUTINE STATE DOT OPERATIONS AND TRAINING, a scanning survey was done to identify existing transportation safety and security training. Survey results were obtained from 31 respondents representing 20 different states. Almost 60% of the survey respondents indicated that their organization required or encouraged training in transportation security. The current transportation security training involved âIf You See Something, Say Somethingâ program related security awareness training, ICS/MINS emergency response training, TIMS training, and HazMat Training, where appropriate.
135 Transportation Emergency Response Application (TERA) TERA is a simulation used to respond to and visualize the impact of transportation agency actions in an event/disaster that may affect normal operations. It was created under the Transit Cooperative Research Program (TCRP) Project A-36, âCommand-Level Decision Making for Transportation Emergency Managersâ and sponsored by the National Cooperative Highway Research Program NCHRP Project 20-59, âSurface Transportation Security and Resilience Research.â See Figure 11. TERA is a web-based facilitated exercise with multiple scenarios available. Nine scenarios are for airports. There are roles for transit agencies and departments of transportation in scenarios for the following. 1. Flood 2. Wildfire 3. Hurricane 4. Earthquake 5. Power Outage 6. Hazardous Material 7. Pedestrian-involved Bus Crash 8. Active Shooter 9. Contagious Disease 10. Traffic Incident Management (TIM) Capstone for Strategic Highway Research Program 2 Training Course Example: Texas Department of Transportation (TxDOT) Security Awareness Program The TxDOT Security Training Program is designed to make each employee aware of their role in security, teach them how to identify suspicious activities, behavior and objects, and relay TxDOT procedures for reporting any objects, behaviors or activities. The established reporting process is to call internal security contact who forwards to call fusion center 1-800 or calls 911 depending on what is being reported. There are following major components: 1. Online Security Training Course that all TxDOT employees must take as new employee training and then refresher course every 2 years. The course is module based and includes information on roles in reducing vulnerability, in incident response and in preparedness. 2. Field exercises with scenarios that include delivery and gate procedures, identification process for suspicious people and items. 3. Integration with job-specific courses such as bridge maintenance course that includes information on awareness, what to look out for and how to pass information along. Module on Fracture Critical Bridges â includes information on importance that nothing be placed on certain places on bridge. Figure 11: TERA Portal.
136 4. Proactive information distribution that includes posters in all TxDOT office, emails to directors of operations, statewide message boards (driven by state operations center) and mass emails, if necessary, for major or highly significant information. Making it clear that employees have security responsibilities â that they are the âeyes and earsâ of the agency â and they should be aware of suspicious activity and know who to call to report matters of a suspicious or dangerous nature is an effective physical and cybersecurity measure. Training can also improve safety. For example, maintenance worker training includes information on the hazard of Meth lab debris to mowers. In the border security in districts on Tex/Mex line and regions where the drug cartel operates, awareness of planting drugs on TxDot vehicles for transport and cloning of TxDot vehicles is critical. Incorporating security awareness training into job-specific training is efficient and can be very effective. TxDOT bridge inspectors have identified a number of security events: ï· Bridge marking issue - bridge inspectors reported graffiti that looks suspicious ï· Bridge damage - E Texas district found that someone literally shot column until all concrete was gone. If done in right place, would be able to bring bridge down. All agencies can benefit from a security awareness program similar to that established at TxDOT and can improve existing security by incorporating components of TxDOT program. Example: Tennessee DOT Comprehensive Exercise Program TDOTâs exercise plan is robust and is aligned with relevant federal guidance and the state of Tennesseeâs emergency management program. The program requires, for each identified hazard, that an exercise be conducted at least once in the two-year cycle. The Emergency Management Standards are used as promulgated by the Emergency Management Accreditation Program. HSEEP is used as a reference not as a standard. TDOT is viewed and treated as an equal partner by the emergency management community, and frequently trains and exercises with the state EMA and other state emergency response providers. In addition, TDOT frequently communicates and coordinates with state EMA and other emergency response providers. In incidents, TDOT typically assumes the following roles: IC, Operations, Planning, Intel/Investigations. The training program includes ICS/NIMS, Traffic Incident Management, Hazmat Awareness, Active Shooter Training, and Emergency Radio Communications. NIMS/ICS training and TIM training have been provided to all emergency response personnel in the DOT. After every exercise or real world event, AARs are developed to capture lessons learned, identify areas of needed improvement, and assign the improvements to a functional area within the TDOT. The Comprehensive Exercise Program for the State of Tennessee Department of Transportation (CEP) document is a supporting document to the TEPP and is an agency-wide comprehensive emergency management exercise program plan and framework for TDOT. The document states that the âgoal of the CEP is to develop, implement and institutionalize a quality comprehensive, objective based and threat focused exercise program.â (CEP, page 4) The document supports the State Multi-year Training and Exercise Plan / Program (MTEP) and is intended to fulfill federal HSEEP requirements; at the same time, it should be noted that the state of Tennessee incorporates the HSEEP process into the planning methodology but not as regulation. In addition to the HSEEP, the Emergency Management Accreditation Program (EMAP) and Emergency Management Performance Grant (EMPG) documentation are also used as guidelines by TEMA and TDOT.
137 Standard components to be included in exercise plans and exercise scheduling and priority determination are described in the CEP. Tennesseeâs Multi-year Exercise Plan is contained in CEP Appendix 2 and includes a listing of exercise priorities for each training year. In Training Year 2015 (October 2014 â September 2015) terrorism was the second priority; the first was Hazmat. Training Year 2016 (October 2015 â September 2016) terrorism was the fifth priority and non-Hazmat transportation was the fourth. In Training Year 2017 (October 2016 â September 2017) the third, fourth, and seventh priorities were communications, continuity of operations, and Hazmat, respectively. An Exercise Design Template is provided in CEP Appendix 3. The template provides a detailed outline of the key components of a sample exercise design.
138 B. Physical and Cyber Security Legal Authorities This section contains an overview of public laws, presidential directives, national frameworks and strategies that establish the legal authorities related to physical and cyber security.Â Â
139 Public Laws NameÂ DescriptionÂ SecurityÂ andÂ InfrastructureÂ ProtectionÂ ImplicationsÂ USAÂ PATRIOTÂ ActÂ ofÂ 2001Â (42Â U.S.C.Â 5195c(e))Â CreatedÂ theÂ authorityÂ toÂ protectÂ andÂ defendÂ criticalÂ infrastructureÂ andÂ otherÂ securityÂ authoritiesÂ andÂ isÂ aÂ basisÂ forÂ HSPDâ7.Â EstablishedÂ requirementÂ toÂ protectÂ andÂ defendÂ criticalÂ infrastructure.Â HomelandÂ SecurityÂ ActÂ ofÂ 2002Â (6Â U.S.C.Â 101),Â 2002Â Â ThisÂ ActÂ createdÂ theÂ DepartmentÂ ofÂ HomelandÂ SecurityÂ andÂ isÂ theÂ primaryÂ authorityÂ forÂ HomelandÂ SecurityÂ PresidentialÂ DirectiveÂ (HSPD)Â NumberÂ 5Â andÂ aÂ majorÂ supporterÂ ofÂ HSPDâ8.Â Â DefinedÂ âemergencyÂ responseÂ providersâÂ toÂ meanÂ âfederal,Â state,Â andÂ localÂ governmentalÂ andÂ nongovernmentalÂ emergencyÂ publicÂ safety,Â fire,Â lawÂ enforcement,Â emergencyÂ response,Â emergencyÂ medicalÂ (includingÂ hospitalÂ emergencyÂ facilities)Â andÂ relatedÂ personnel,Â agencies,Â andÂ authorities.âÂ Â Â ProvidesÂ forÂ grantsÂ toÂ stateÂ andÂ localÂ governmentalÂ entities,Â tribalÂ governments,Â orÂ otherÂ localÂ entities,Â forÂ emergencyÂ andÂ disasterârelatedÂ activities.Â PostâKatrinaÂ EmergencyÂ ManagementÂ ReformÂ ActÂ (PKEMRA)Â ofÂ 2006Â TheÂ PostâKatrinaÂ EmergencyÂ ManagementÂ ReformÂ ActÂ ofÂ 2006Â (PKEMRA)Â amendedÂ theÂ HomelandÂ SecurityÂ ActÂ ofÂ 2002Â toÂ makeÂ extensiveÂ revisionsÂ toÂ emergencyÂ responseÂ provisionsÂ whileÂ keepingÂ FEMAÂ withinÂ theÂ DepartmentÂ ofÂ HomelandÂ Security.Â PKEMRAÂ significantlyÂ reorganizedÂ FEMA,Â providedÂ itÂ substantialÂ newÂ authorityÂ toÂ remedyÂ gapsÂ inÂ response,Â andÂ includedÂ aÂ moreÂ robustÂ preparednessÂ missionÂ forÂ FEMA.Â Â Â DirectedÂ theÂ developmentÂ ofÂ aÂ NationalÂ DisasterÂ RecoveryÂ StrategyÂ andÂ NationalÂ DisasterÂ HousingÂ Strategy.Â AmendedÂ theÂ StaffordÂ ActÂ toÂ directÂ FEMAÂ toÂ appointÂ aÂ DisabilityÂ CoordinatorÂ toÂ ensureÂ theÂ needsÂ ofÂ individualsÂ withÂ disabilitiesÂ areÂ addressedÂ inÂ emergencyÂ preparednessÂ andÂ disasterÂ relief.Â RequiresÂ theÂ developmentÂ ofÂ preâscriptedÂ missionÂ assignmentsÂ asÂ partÂ ofÂ theÂ planningÂ effortsÂ forÂ EmergencyÂ SupportÂ FunctionÂ (ESF)Â responseÂ efforts.Â EmploysÂ theÂ NationalÂ IncidentÂ ManagementÂ SystemÂ (NIMS)Â andÂ theÂ NationalÂ ResponseÂ FrameworkÂ (NRF)Â asÂ theÂ frameworkÂ forÂ emergencyÂ responseÂ andÂ domesticÂ incidentÂ management.Â RequiresÂ theÂ developmentÂ ofÂ comprehensiveÂ plansÂ toÂ respondÂ toÂ catastrophicÂ incidentsÂ toÂ includeÂ clearÂ standardization,Â guidance,Â andÂ assistanceÂ toÂ ensureÂ commonÂ terminology,Â approach,Â andÂ frameworkÂ forÂ allÂ strategicÂ andÂ operationalÂ planning.Â IncludeÂ needsÂ ofÂ individualsÂ withÂ disabilitiesÂ andÂ protectionÂ forÂ householdÂ petsÂ andÂ serviceÂ animals.Â
140 Â CoordinatesÂ andÂ supportsÂ precautionaryÂ evacuationsÂ andÂ recoveryÂ efforts.Â ProvidesÂ transportationÂ assistanceÂ forÂ relocatingÂ andÂ returningÂ individualsÂ displacedÂ fromÂ theirÂ residencesÂ inÂ aÂ majorÂ disaster.Â SecurityÂ andÂ AccountabilityÂ forÂ EveryÂ PortÂ ActÂ ofÂ 2006Â (SAFEÂ PortÂ Act)Â RequiredÂ thatÂ AreaÂ MaritimeÂ SecurityÂ (AMS)Â PlansÂ includeÂ aÂ SalvageÂ ResponseÂ PlanÂ toÂ ensureÂ thatÂ waterwaysÂ areÂ clearedÂ andÂ portÂ commerceÂ isÂ reestablishedÂ asÂ efficientlyÂ andÂ quicklyÂ asÂ possibleÂ followingÂ aÂ transportationÂ securityÂ incident.Â EstablishesÂ USCGÂ effortsÂ inÂ casesÂ ofÂ forÂ portÂ disruptionsÂ andÂ eventsÂ impactingÂ waterways.Â CoastÂ GuardÂ AuthorizationÂ ActÂ ofÂ 2010Â CalledÂ forÂ AMSÂ PlansÂ toÂ establishÂ responseÂ andÂ recoveryÂ protocolsÂ toÂ prepareÂ for,Â respondÂ to,Â mitigateÂ against,Â andÂ recoverÂ fromÂ aÂ transportationÂ securityÂ incident.Â EstablishedÂ MarineÂ TransportationÂ SystemÂ RecoveryÂ UnitÂ (MTSRU)Â toÂ workÂ withÂ stakeholdersÂ andÂ provideÂ guidanceÂ toÂ incidentÂ command.Â MaritimeÂ TransportationÂ SecurityÂ ActÂ (2002,Â 2010)Â Â RequiresÂ anÂ areaÂ maritimeÂ transportationÂ securityÂ planÂ toÂ establishÂ regionalÂ responseÂ andÂ recoveryÂ protocolsÂ toÂ mitigateÂ regionalÂ transportationÂ securityÂ incidents.Â Â Â RequiresÂ theÂ TransportationÂ WorkerÂ IdentificationÂ Credential,Â alsoÂ knownÂ asÂ TWICÂ®,Â forÂ workersÂ whoÂ needÂ accessÂ toÂ secureÂ areasÂ ofÂ theÂ nationâsÂ maritimeÂ facilitiesÂ andÂ vessels.Â Â RequiresÂ ownersÂ ofÂ USÂ facilitiesÂ thatÂ areÂ onÂ orÂ adjacentÂ toÂ U.S.Â watersÂ thatÂ poseÂ aÂ highÂ riskÂ ofÂ beingÂ involvedÂ inÂ aÂ transportationÂ securityÂ incidentÂ to:Â (1)Â makeÂ theÂ vulnerabilityÂ assessmentÂ ofÂ theÂ facilityÂ availableÂ toÂ theÂ localÂ portÂ authorityÂ andÂ appropriateÂ stateÂ orÂ localÂ lawÂ enforcementÂ agencies;Â andÂ (2)Â integrateÂ theÂ facility'sÂ securityÂ systemÂ withÂ compatibleÂ systemsÂ operatedÂ byÂ state,Â lawÂ enforcementÂ agencies,Â andÂ theÂ CG.Â MiddleÂ ClassÂ TaxÂ ReliefÂ andÂ JobÂ CreationÂ ActÂ ofÂ 2012,Â Pub.Â L.Â No.Â 112â96,Â 126Â Stat.Â 156Â (2012)Â EstablishesÂ aÂ StateÂ andÂ LocalÂ ImplementationÂ GrantÂ ProgramÂ forÂ theÂ purposeÂ ofÂ makingÂ grantsÂ âtoÂ StatesÂ toÂ assistÂ State,Â regional,Â tribalÂ andÂ localÂ jurisdictionsÂ toÂ identify,Â plan,Â andÂ implementÂ theÂ ProvidesÂ forÂ grantÂ fundsÂ toÂ stateÂ andÂ localÂ governmentsÂ forÂ emergencyÂ communicationsÂ Activities.Â
141 mostÂ efficientÂ andÂ effectiveÂ wayÂ forÂ suchÂ jurisdictionsâÂ toÂ useÂ andÂ becomeÂ partÂ ofÂ theÂ ânationwideÂ publicÂ safetyÂ broadbandÂ networkâÂ thatÂ isÂ alsoÂ establishedÂ underÂ theÂ Act.Â MovingÂ AheadÂ ForÂ ProgressÂ InÂ TheÂ 21stÂ CenturyÂ ActÂ (MAPâ21)Â Â FocusedÂ onÂ performanceÂ managementÂ andÂ establishedÂ aÂ seriesÂ ofÂ nationalÂ performanceÂ goals.Â MAPâ21Â requiredÂ incorporatingÂ performanceÂ goals,Â measures,Â andÂ targetsÂ intoÂ transportationÂ planning.Â MostÂ aspectsÂ ofÂ MAPâ21Â areÂ continuedÂ inÂ theÂ FASTÂ Act.Â TheÂ goalsÂ relatedÂ toÂ safety,Â congestionÂ reduction,Â freightÂ movementÂ andÂ economicÂ vitalityÂ andÂ environmentalÂ sustainabilityÂ areÂ ofÂ particularÂ relevanceÂ toÂ security.Â FixingÂ AmericaâsÂ SurfaceÂ TransportationÂ (FAST)Â Act,Â 2015Â ExpandsÂ theÂ focusÂ onÂ theÂ resiliencyÂ ofÂ theÂ transportationÂ system.Â âItÂ isÂ inÂ theÂ nationalÂ interestÂ toÂ encourageÂ andÂ promoteÂ theÂ safeÂ andÂ efficientÂ management,Â operation,Â andÂ developmentÂ ofÂ resilientÂ surfaceÂ transportationÂ systemsÂ thatÂ willÂ serveÂ theÂ mobilityÂ needsÂ ofÂ peopleÂ andÂ freightÂ andÂ fosterÂ economicÂ growthÂ andÂ developmentÂ withinÂ andÂ betweenÂ statesÂ andÂ urbanizedÂ areasÂ throughÂ metropolitanÂ andÂ statewideÂ transportationÂ planningÂ processes.âÂ Â RequiresÂ strategiesÂ toÂ reduceÂ theÂ vulnerabilityÂ ofÂ existingÂ transportationÂ infrastructureÂ toÂ naturalÂ disastersÂ andÂ expandsÂ theÂ scopeÂ ofÂ considerationÂ ofÂ theÂ metropolitanÂ planningÂ processÂ toÂ includeÂ improvingÂ transportationÂ systemÂ resiliencyÂ andÂ reliability.Â EncouragesÂ MPOsÂ toÂ consultÂ withÂ stateÂ agenciesÂ thatÂ planÂ forÂ naturalÂ disasterÂ riskÂ reductionÂ toÂ produceÂ plansÂ thatÂ includeÂ strategiesÂ toÂ reduceÂ theÂ vulnerabilityÂ toÂ naturalÂ events.Â KeyÂ featuresÂ include:Â 1)Â emphasisÂ onÂ resilienceÂ withÂ fundingÂ permittedÂ toÂ protectÂ bridgesÂ andÂ tunnels;Â 2)Â emphasisÂ onÂ riskâbasedÂ asÂ wellÂ asÂ performanceâ basedÂ assetÂ management;Â andÂ 3)Â inclusionÂ ofÂ criticalÂ infrastructureÂ forÂ projectÂ fundingÂ eligibility.Â Â Â TitleÂ 44,Â CodeÂ ofÂ FederalÂ RegulationsÂ RegulationsÂ promulgatedÂ toÂ administerÂ theÂ grantÂ programsÂ underÂ FEMAÂ andÂ DHS.Â DefinesÂ eligibleÂ partyÂ andÂ otherÂ requirementsÂ ofÂ federalÂ grantsÂ underÂ FEMAÂ andÂ DHS.Â CodeÂ ofÂ FederalÂ RegulationsÂ 49Â PartÂ 192,Â 49Â CFRÂ PartÂ 193,Â 49Â CFRÂ PartÂ 33,Â 49Â CFRÂ PartÂ 194,Â 49Â CFRÂ PartÂ 195,Â 40Â CFRÂ PartÂ 112,Â 30Â CFRÂ PartÂ 254,Â andÂ 49Â CFRÂ PartÂ 194Â FederalÂ regulationsÂ thatÂ governÂ pipelineÂ safetyÂ andÂ emergencyÂ planningÂ requirements.Â Â AllÂ 50Â statesÂ andÂ theÂ DistrictÂ ofÂ ColumbiaÂ haveÂ electedÂ toÂ adoptÂ byÂ reference,Â federalÂ pipelineÂ safetyÂ regulations.Â FederalÂ pipelineÂ regulationsÂ haveÂ veryÂ specificÂ emergencyÂ planningÂ requirementsÂ thatÂ includeÂ mandatedÂ writtenÂ emergencyÂ responseÂ proceduresÂ andÂ theÂ requirementÂ forÂ communicationÂ ofÂ emergencyÂ plansÂ andÂ proceduresÂ toÂ fire,Â police,Â andÂ otherÂ publicÂ officials.Â
142 Homeland Security Presidential Directives NameÂ DescriptionÂ SecurityÂ andÂ InfrastructureÂ ProtectionÂ ImplicationsÂ HSPDâ5,Â ManagementÂ ofÂ DomesticÂ IncidentsÂ Â Purpose:Â âToÂ enhanceÂ theÂ abilityÂ ofÂ theÂ UnitedÂ StatesÂ toÂ manageÂ domesticÂ incidentsÂ byÂ establishingÂ aÂ single,Â comprehensiveÂ NationalÂ IncidentÂ ManagementÂ System.âÂ ItÂ createdÂ theÂ NationalÂ IncidentÂ ManagementÂ SystemÂ andÂ theÂ NationalÂ ResponseÂ Plan;Â theÂ latterÂ hasÂ beenÂ replacedÂ byÂ theÂ NationalÂ ResponseÂ Framework.Â EstablishedÂ foundationÂ forÂ NIMSÂ andÂ NationalÂ ResponseÂ Framework.Â Â HSPDâ7,Â InfrastructureÂ Identification,Â Prioritization,Â andÂ ProtectionÂ Â âThisÂ directiveÂ establishesÂ aÂ nationalÂ policyÂ forÂ federalÂ departmentsÂ andÂ agenciesÂ toÂ identifyÂ andÂ prioritizeÂ UnitedÂ StatesÂ criticalÂ infrastructureÂ andÂ keyÂ resourcesÂ andÂ toÂ protectÂ themÂ fromÂ terroristÂ attacks.âÂ LedÂ toÂ NationalÂ ProtectionÂ InfrastructureÂ ProtectionÂ Plan.Â EstablishedÂ foundationÂ forÂ NIPPÂ andÂ TransportationÂ SystemsÂ SectorâSpecificÂ Plan.Â Â HSPDâ8,Â NationalÂ PreparednessÂ (2011)Â Â âThisÂ directiveÂ establishesÂ policiesÂ toÂ strengthenÂ theÂ preparednessÂ ofÂ theÂ UnitedÂ StatesÂ toÂ preventÂ andÂ respondÂ toÂ threatenedÂ orÂ actualÂ domesticÂ terroristÂ attacks,Â majorÂ disasters,Â andÂ otherÂ emergenciesÂ byÂ requiringÂ aÂ nationalÂ domesticÂ allâ hazardsÂ preparednessÂ goal,Â establishingÂ mechanismsÂ forÂ improvedÂ deliveryÂ ofÂ federalÂ preparednessÂ assistanceÂ toÂ stateÂ andÂ localÂ governments,Â andÂ outliningÂ actionsÂ toÂ strengthenÂ preparednessÂ capabilitiesÂ ofÂ federal,Â state,Â andÂ localÂ entities.âÂ ThisÂ ledÂ toÂ creationÂ ofÂ aÂ NationalÂ PreparednessÂ Goal,Â whichÂ wasÂ implementedÂ inÂ theÂ formÂ ofÂ theÂ NationalÂ PreparednessÂ GuidelinesÂ (NPG)Â documentÂ andÂ severalÂ otherÂ guidelines.Â Â EmphasisÂ ofÂ theÂ NationalÂ PreparednessÂ GoalÂ isÂ onÂ buildingÂ andÂ sustainingÂ coreÂ capabilitiesÂ acrossÂ fiveÂ missionÂ areasÂ âÂ Prevention,Â Protection,Â Mitigation,Â Response,Â andÂ Recovery.Â Â Â IdentifiesÂ capabilitiesÂ requiredÂ forÂ executingÂ theÂ missionÂ orÂ functionÂ atÂ anyÂ timeÂ (before,Â during,Â orÂ afterÂ anÂ incident)Â andÂ acrossÂ allÂ threatsÂ andÂ hazards.Â Â Â Â PresidentialÂ PolicyÂ DirectiveÂ 8:Â NationalÂ PreparednessÂ (2011)Â Â IntegratesÂ NationalÂ PlanningÂ FrameworksÂ âÂ NationalÂ PreventionÂ Framework.Â NationalÂ MitigationÂ Framework,Â NationalÂ ResponseÂ StrengthenÂ securityÂ andÂ resilienceÂ throughÂ fiveÂ preparednessÂ missionÂ areasâPrevention,Â Protection,Â Mitigation,Â Response,Â andÂ Recovery.Â
143 Framework,Â NationalÂ DisasterÂ RecoveryÂ Framework.Â PresidentialÂ PolicyÂ Directiveâ21:Â CriticalÂ InfrastructureÂ SecurityÂ andÂ ResilienceÂ (2013)Â CriticalÂ infrastructureÂ mustÂ beÂ secureÂ andÂ ableÂ toÂ withstandÂ andÂ rapidlyÂ recoverÂ fromÂ allÂ hazards.Â ResilientÂ infrastructureÂ systemsÂ areÂ flexibleÂ andÂ agileÂ andÂ shouldÂ beÂ ableÂ toÂ bounceÂ backÂ afterÂ disruptions.Â EstablishedÂ integrationÂ withÂ NationalÂ PreparednessÂ System.Â EstablishesÂ resilienceÂ andÂ rapidÂ recoveryÂ asÂ focusÂ ofÂ criticalÂ infrastructureÂ security.Â Â ExecutiveÂ OrderÂ 13636:Â ImprovingÂ CriticalÂ InfrastructureÂ CybersecurityÂ (2013)Â DevelopÂ aÂ technologyâneutralÂ voluntaryÂ cybersecurityÂ framework.Â PromoteÂ andÂ incentivizeÂ theÂ adoptionÂ ofÂ cybersecurityÂ practices.Â EstablishesÂ cybersecurityÂ asÂ aspectÂ ofÂ criticalÂ infrastructureÂ security.Â Â ExecutiveÂ OrderÂ 13653,Â PreparingÂ TheÂ UnitedÂ StatesÂ ForÂ TheÂ ImpactsÂ OfÂ ClimateÂ ChangeÂ (2013)Â RequiresÂ federalÂ agenciesÂ toÂ integrateÂ considerationsÂ ofÂ theÂ challengesÂ posedÂ byÂ climateÂ changeÂ effectsÂ intoÂ theirÂ programs,Â policies,Â rulesÂ andÂ operationsÂ toÂ ensureÂ theyÂ continueÂ toÂ beÂ effective,Â evenÂ asÂ theÂ climateÂ changes.Â EstablishesÂ climateÂ changeÂ asÂ additionalÂ aspectÂ toÂ addressÂ inÂ plansÂ andÂ programs.Â Â ExecutiveÂ OrderÂ ââÂ CoordinatingÂ EffortsÂ toÂ PrepareÂ theÂ nationÂ forÂ SpaceÂ WeatherÂ Events,Â 2016Â SpaceÂ weatherÂ hasÂ theÂ potentialÂ toÂ simultaneouslyÂ affectÂ andÂ disruptÂ healthÂ andÂ safetyÂ acrossÂ entireÂ continents.Â ThisÂ orderÂ definesÂ agencyÂ rolesÂ andÂ responsibilitiesÂ andÂ directsÂ agenciesÂ toÂ takeÂ specificÂ actionsÂ toÂ prepareÂ theÂ nationÂ forÂ theÂ hazardousÂ effectsÂ ofÂ spaceÂ weather.Â EstablishesÂ spaceâweatherÂ eventsÂ asÂ additionalÂ aspectÂ toÂ addressÂ inÂ plansÂ andÂ programs.Â
144 National Frameworks and Strategies NameÂ DescriptionÂ SecurityÂ andÂ InfrastructureÂ ProtectionÂ ImplicationsÂ NationalÂ PreparednessÂ Goal,Â SecondÂ Edition,Â 2011Â updatedÂ 2015Â TheÂ 2011Â NationalÂ PreparednessÂ GoalÂ definesÂ whatÂ itÂ meansÂ forÂ theÂ wholeÂ communityÂ toÂ beÂ preparedÂ forÂ allÂ typesÂ ofÂ disastersÂ andÂ emergencies.Â âAÂ secureÂ andÂ resilientÂ nationÂ withÂ theÂ capabilitiesÂ requiredÂ acrossÂ theÂ wholeÂ communityÂ toÂ prevent,Â protectÂ against,Â mitigate,Â respondÂ to,Â andÂ recoverÂ fromÂ theÂ threatsÂ andÂ hazardsÂ thatÂ poseÂ theÂ greatestÂ risk.âÂ UpdatedÂ inÂ 2015,Â theÂ keyÂ changesÂ areÂ Â ï· StressesÂ importanceÂ ofÂ community preparednessÂ andÂ resilience. ï· RiskÂ andÂ theÂ CoreÂ CapabilitiesÂ include cybersecurityÂ andÂ climateÂ change. ï· AÂ newÂ coreÂ capability,Â FireÂ ManagementÂ and Suppression,Â wasÂ added. ï· CoreÂ CapabilityÂ TitlesÂ wereÂ revised: o ThreatsÂ andÂ HazardÂ Identification (Mitigation)Â âÂ revisedÂ toÂ ThreatsÂ and HazardsÂ Identification; o PublicÂ andÂ PrivateÂ ServicesÂ and ResourcesÂ (Response)Â âÂ revisedÂ to LogisticsÂ andÂ SupplyÂ Chain Management; o OnâsceneÂ SecurityÂ andÂ Protection (Response)Â âÂ revisedÂ toÂ Onâscene Security,Â Protection,Â andÂ Law Enforcement;Â and o PublicÂ HealthÂ andÂ MedicalÂ Services (Response)Â âÂ revisedÂ toÂ PublicÂ Health, ImportanceÂ ofÂ communityÂ preparednessÂ andÂ resilience.Â ThreatsÂ andÂ HazardÂ IdentificationÂ incorporatesÂ cybersecurityÂ andÂ climateÂ changeÂ intoÂ risksÂ andÂ coreÂ capabilities.Â Â
145 Healthcare,Â andÂ EmergencyÂ MedicalÂ Services.Â ï· SeveralÂ ofÂ theÂ coreÂ capabilityÂ definitionsÂ were revised. NationalÂ DisasterÂ RecoveryÂ Framework,Â SecondÂ Edition,Â 2011Â updatedÂ inÂ 2016Â TheÂ NationalÂ DisasterÂ RecoveryÂ FrameworkÂ describes,Â âhowÂ theÂ wholeÂ communityÂ worksÂ togetherÂ toÂ restore,Â redevelop,Â andÂ revitalizeÂ theÂ health,Â social,Â economic,Â natural,Â andÂ environmentalÂ fabricÂ ofÂ theÂ community.âÂ TheÂ newÂ frameworkÂ incorporatesÂ theÂ editsÂ toÂ theÂ NationalÂ PreparednessÂ GoalÂ andÂ newÂ lessonsÂ learned.Â AdditionalÂ changesÂ madeÂ toÂ theÂ frameworkÂ include:Â âIncreasedÂ focusÂ onÂ RecoveryâsÂ relationshipÂ withÂ theÂ otherÂ fourÂ missionÂ areas.Â UpdatedÂ RecoveryÂ SupportÂ FunctionsÂ (RSFs)Â toÂ reflectÂ changesÂ inÂ PrimaryÂ AgenciesÂ andÂ SupportingÂ Organizations.Â AdditionalÂ languageÂ onÂ scienceÂ andÂ technologyÂ capabilitiesÂ andÂ investmentsÂ forÂ theÂ rebuildingÂ andÂ recoveryÂ efforts.âÂ GuidesÂ effectiveÂ recoveryÂ supportÂ toÂ disasterâimpactedÂ areasÂ andÂ introducesÂ sixÂ RecoveryÂ SupportÂ FunctionsÂ (RSFs).Â Â InfrastructureÂ SystemsÂ RSFÂ providesÂ theÂ coordinatingÂ structures,Â frameworkÂ andÂ guidanceÂ forÂ resilience,Â sustainabilityÂ andÂ mitigation.Â Â Â NationalÂ ResponseÂ Framework,Â ThirdÂ Edition,Â updatedÂ inÂ 2013,Â 2016Â TheÂ NRFÂ isÂ alignedÂ withÂ NIMSÂ andÂ providesÂ capabilitiesÂ toÂ saveÂ lives,Â protectÂ property,Â andÂ meetÂ basicÂ humanÂ needs.Â ResponseÂ activitiesÂ occurÂ before,Â during,Â andÂ afterÂ anÂ incidentÂ andÂ canÂ overlapÂ withÂ theÂ startÂ ofÂ recoveryÂ activities.Â TheÂ followingÂ changesÂ wereÂ madeÂ toÂ theÂ framework:Â â¢ TheÂ additionÂ ofÂ aÂ newÂ coreÂ capability,Â Fire ManagementÂ andÂ Suppression. â¢ ThreeÂ revisedÂ coreÂ capabilityÂ titles o LogisticsÂ andÂ SupplyÂ ChainÂ Management; o OnâsceneÂ Security,Â Protection,Â andÂ Law Enforcement;Â and o PublicÂ Health,Â Healthcare,Â andÂ Emergency MedicalÂ Services. IdentifiesÂ criticalÂ roleÂ ofÂ transportationÂ inÂ response.Â CallsÂ forÂ EmergencyÂ OperationsÂ PlansÂ (EOPs)Â andÂ ContinuityÂ ofÂ OperationsÂ PlansÂ (COOPs).Â WhenÂ anÂ incidentÂ exceedsÂ theÂ abilityÂ ofÂ localÂ andÂ stateÂ governmentÂ toÂ respondÂ effectively,Â theÂ FederalÂ GovernmentÂ usesÂ NRFÂ toÂ organizeÂ federalÂ assistance.Â
146 â¢ ThreeÂ revisedÂ coreÂ capabilityÂ definitions o EnvironmentalÂ Response/Â HealthÂ andÂ Safety; o FatalityÂ ManagementÂ Services;Â and o LogisticsÂ andÂ SupplyÂ ChainÂ Management. NationalÂ MitigationÂ Framework,Â SecondÂ Edition,Â 2016Â TheÂ NationalÂ MitigationÂ FrameworkÂ coversÂ theÂ capabilitiesÂ necessaryÂ toÂ reduceÂ theÂ lossÂ ofÂ lifeÂ andÂ propertyÂ byÂ lesseningÂ theÂ effectsÂ ofÂ disasters,Â andÂ focusesÂ onÂ riskÂ (understandingÂ andÂ reducingÂ it),Â resilienceÂ (helpingÂ communitiesÂ recoverÂ quicklyÂ andÂ effectivelyÂ afterÂ disasters),Â andÂ aÂ cultureÂ ofÂ preparedness.Â TheÂ newÂ frameworkÂ incorporatesÂ theÂ editsÂ toÂ theÂ NationalÂ PreparednessÂ GoalÂ andÂ newÂ lessonsÂ learnedÂ includingÂ aÂ revisedÂ coreÂ capabilityÂ title,Â ThreatsÂ andÂ HazardsÂ Identification.Â InÂ addition,Â theÂ followingÂ changesÂ haveÂ beenÂ made:Â âAdditionalÂ languageÂ onÂ scienceÂ andÂ technologyÂ effortsÂ toÂ reduceÂ riskÂ andÂ analyzeÂ vulnerabilitiesÂ withinÂ theÂ mitigationÂ missionÂ area.Â UpdatesÂ onÂ theÂ MitigationÂ FrameworkÂ LeadershipÂ GroupÂ (MitFLG),Â whichÂ isÂ nowÂ operational.Â UpdatesÂ toÂ theÂ CommunityÂ ResilienceÂ coreÂ capabilityÂ definitionÂ toÂ promoteÂ preparednessÂ activitiesÂ amongÂ individuals,Â householdsÂ andÂ families.âÂ VulnerabilityÂ assessmentsÂ andÂ riskâreductionÂ plansÂ andÂ activities.Â Â NationalÂ ProtectionÂ Framework,Â SecondÂ Edition,Â 2016Â TheÂ NationalÂ ProtectionÂ FrameworkÂ focusesÂ onÂ âactionsÂ toÂ deterÂ threats,Â reduceÂ vulnerabilities,Â andÂ minimizeÂ theÂ consequencesÂ associatedÂ withÂ anÂ incident.âÂ TheÂ newÂ frameworkÂ incorporatesÂ theÂ editsÂ toÂ theÂ NationalÂ PreparednessÂ GoalÂ andÂ newÂ lessonsÂ learned.Â InÂ addition,Â theÂ followingÂ changesÂ haveÂ beenÂ made:Â âUpdatedÂ CybersecurityÂ CoreÂ CapabilityÂ CriticalÂ TasksÂ toÂ alignÂ withÂ theÂ Mitigation,Â Response,Â andÂ RecoveryÂ MissionÂ Areas.Â AdditionalÂ languageÂ onÂ scienceÂ andÂ technologyÂ investmentsÂ toÂ protectÂ EstablishÂ andÂ maintainÂ anÂ allâhazardsÂ infrastructureÂ protectionÂ programÂ designedÂ toÂ (1)Â safeguardÂ personnel;Â (2)Â preventÂ unauthorizedÂ accessÂ (3)Â safeguardÂ infrastructure,Â facilities,Â equipment,Â installations,Â materiel,Â andÂ data.Â
147 againstÂ emergingÂ vulnerabilitiesÂ areÂ includedÂ withinÂ theÂ protectionÂ missionÂ area.Â AdditionalÂ languageÂ onÂ interagencyÂ coordinationÂ withinÂ theÂ protectionÂ missionÂ areaÂ toÂ supportÂ theÂ decisionâmakingÂ processesÂ outlinedÂ withinÂ theÂ framework.âÂ NationalÂ PreventionÂ Framework,Â SecondÂ Edition,Â 2016Â TheÂ NationalÂ PreventionÂ FrameworkÂ focusesÂ onÂ terrorismÂ andÂ addressesÂ theÂ capabilitiesÂ necessaryÂ toÂ avoid,Â prevent,Â orÂ stopÂ imminentÂ threatsÂ orÂ attacks.Â SomeÂ coreÂ capabilitiesÂ overlapÂ withÂ theÂ protectionÂ missionÂ area.Â TheÂ updatesÂ includeÂ editsÂ toÂ theÂ NationÂ PreparednessÂ Goal,Â andÂ lessonsÂ learned.Â OtherÂ editsÂ include:Â âUpdatesÂ toÂ CoordinatingÂ StructureÂ languageÂ onÂ JointÂ OperationsÂ CentersÂ andÂ theÂ NationwideÂ SuspiciousÂ ActivityÂ ReportingÂ Initiative.Â ClarificationÂ onÂ theÂ relationshipÂ andÂ differencesÂ betweenÂ theÂ PreventionÂ andÂ ProtectionÂ missionÂ areas.Â UpdatedÂ languageÂ onÂ theÂ NationalÂ TerrorismÂ AdvisoryÂ SystemÂ (NTAS)Â asÂ partÂ ofÂ theÂ PublicÂ InformationÂ andÂ WarningÂ coreÂ capability.Â AdditionalÂ languageÂ onÂ scienceÂ andÂ technologyÂ investmentsÂ withinÂ theÂ preventionÂ missionÂ area.âÂ PreventionÂ coordinationÂ withÂ lawÂ enforcementÂ andÂ state,Â local,Â federalÂ intelligence.Â Â NIPPÂ 2013:Â PartneringÂ forÂ CriticalÂ InfrastructureÂ SecurityÂ andÂ ResilienceÂ TheÂ NationalÂ InfrastructureÂ ProtectionÂ PlanÂ (NIPP)Â âÂ NIPPÂ 2013:Â PartneringÂ forÂ CriticalÂ InfrastructureÂ SecurityÂ andÂ ResilienceÂ âÂ outlinesÂ howÂ governmentÂ andÂ privateÂ sectorÂ participantsÂ inÂ theÂ criticalÂ infrastructureÂ communityÂ workÂ togetherÂ toÂ manageÂ risksÂ andÂ achieveÂ securityÂ andÂ resilienceÂ outcomes.âÂ â).Â Â ProvidesÂ coordinatedÂ approachÂ forÂ CriticalÂ InfrastructureÂ andÂ KeyÂ ResourcesÂ (CI/KR)Â protection.Â FocusÂ onÂ resilienceÂ âÂ âtheÂ abilityÂ toÂ resist,Â absorb,Â recoverÂ from,Â orÂ successfullyÂ adaptÂ toÂ adversityÂ orÂ aÂ changeÂ inÂ conditions.âÂ TransportationÂ SystemsÂ Sectorâ SpecificÂ PlanÂ (TSSSP)Â AnnexÂ toÂ NIPPÂ TransportationÂ SystemsÂ SSPÂ describesÂ strategiesÂ toÂ reduceÂ risksÂ toÂ criticalÂ transportationÂ infrastructure.Â Â TheÂ threeÂ goalsÂ areÂ (1)Â PreventÂ andÂ deterÂ actsÂ ofÂ terrorismÂ againstÂ transportationÂ FocusesÂ onÂ reducingÂ risksÂ fromÂ allÂ hazards,Â increasingÂ resiliency,Â andÂ enhancingÂ readinessÂ forÂ continuityÂ andÂ recoveryÂ operations.Â Â
148 system,Â (2)Â EnhanceÂ resilienceÂ ofÂ transportationÂ system,Â andÂ (3)Â ImproveÂ costâeffectiveÂ useÂ ofÂ resourcesÂ forÂ transportationÂ security.Â TheÂ SectorâSpecificÂ PlansÂ ofÂ theÂ 16Â criticalÂ infrastructureÂ sectorsÂ areÂ beingÂ updatedÂ toÂ alignÂ withÂ theÂ NIPPÂ 2013.Â EncouragesÂ widerÂ participationÂ inÂ riskâreductionÂ activities.Â Â RecommendsÂ determiningÂ securityÂ andÂ resiliencyÂ priorities.Â NationalÂ IncidentÂ ManagementÂ SystemÂ (NIMS)Â NIMSÂ provideÂ aÂ consistentÂ nationwideÂ templateÂ toÂ enableÂ allÂ government,Â privateÂ sector,Â andÂ nongovernmentalÂ organizationsÂ toÂ workÂ togetherÂ duringÂ domesticÂ incidents.Â Â NIMSÂ updatesÂ inÂ 2008Â providedÂ importantÂ newÂ definitions,Â policyÂ directionÂ andÂ guidanceÂ explaining:Â (1)Â theÂ NIMSÂ relationshipÂ toÂ theÂ NationalÂ PreparednessÂ Framework;Â (2)Â additionsÂ toÂ coverÂ intelligenceÂ andÂ cyberÂ issues;Â (3)Â support,Â coordination,Â collaboration,Â andÂ commandÂ andÂ managementÂ tacticalÂ andÂ nonâtacticalÂ operations;Â (4)Â useÂ andÂ interoperabilityÂ ofÂ emergencyÂ communications;Â andÂ (5)Â inclusionÂ ofÂ âwholeÂ communityâÂ concepts.Â Â Â Â FEMAÂ isÂ inÂ theÂ processÂ ofÂ reviewingÂ andÂ refreshingÂ NIMS.Â TheÂ draftÂ ofÂ theÂ refreshedÂ NIMSÂ retainsÂ keyÂ conceptsÂ andÂ principlesÂ fromÂ theÂ 2004Â andÂ 2008Â versions,Â whileÂ incorporatingÂ lessonsÂ learnedÂ fromÂ exercisesÂ andÂ realÂ worldÂ incidents,Â bestÂ practices,Â andÂ changesÂ inÂ nationalÂ policy,Â includingÂ updatesÂ toÂ theÂ NationalÂ PreparednessÂ System.Â NIMSÂ complianceÂ byÂ local,Â state,Â territorial,Â andÂ tribalÂ nationÂ jurisdictionsÂ isÂ aÂ prerequisiteÂ forÂ federalÂ preparednessÂ grantsÂ andÂ funds.Â Â Â AdoptionÂ ofÂ newÂ CenterÂ ManagementÂ SystemÂ (CMS)Â guidanceÂ isÂ notÂ mandatoryÂ asÂ partÂ ofÂ preparednessÂ grants.Â NationalÂ SpaceÂ WeatherÂ StrategyÂ andÂ ActionÂ Plan,Â 2015Â SuccessfullyÂ preparingÂ forÂ spaceâweatherÂ eventsÂ isÂ anÂ allâofânationÂ endeavorÂ thatÂ requiresÂ partnershipsÂ acrossÂ governments,Â emergencyÂ managers,Â academia,Â theÂ media,Â theÂ insuranceÂ industry,Â nonâprofits,Â andÂ theÂ privateÂ sector.Â ThisÂ IncorporateÂ spaceâweatherÂ eventsÂ inÂ plansÂ andÂ programs.Â Â
149 planÂ identifiesÂ rolesÂ andÂ actionsÂ toÂ prepareÂ theÂ nationÂ forÂ theÂ hazardousÂ effectsÂ ofÂ spaceÂ weather.Â Â NationalÂ InformationÂ ExchangeÂ ModelÂ (NIEM)Â NIEMÂ isÂ aÂ communityâdriven,Â standardsâbasedÂ approachÂ toÂ exchangingÂ information.Â DiverseÂ communitiesÂ canÂ collectivelyÂ leverageÂ NIEMÂ toÂ increaseÂ efficienciesÂ andÂ improveÂ decisionÂ making.Â RecommendedÂ approachÂ toÂ informationÂ exchange.Â
150 C. Other Areas Affecting Physical and Cyber Security This section contains an overview of other regulations that have an impact on physical and cyber security at state departments of transportation and other transportation agencies. NameÂ DescriptionÂ SecurityÂ andÂ InfrastructureÂ ProtectionÂ ImplicationsÂ RailÂ Â AdjacentÂ TrackÂ RuleÂ RuleÂ restrictsÂ laborÂ fromÂ workingÂ onÂ aÂ trackÂ adjacentÂ toÂ aÂ trackÂ withÂ anÂ activeÂ train.Â InÂ someÂ portÂ terminals,Â thisÂ ruleÂ hasÂ beenÂ expandedÂ fromÂ theÂ adjacentÂ trackÂ toÂ includeÂ anÂ entireÂ terminalÂ withÂ theÂ resultsÂ thatÂ wheneverÂ aÂ trainÂ entersÂ orÂ exitsÂ aÂ terminal,Â allÂ laborÂ stopsÂ work.Â MayÂ causeÂ delaysÂ inÂ theÂ recoveryÂ processÂ ofÂ portÂ terminalsÂ andÂ otherÂ facilitiesÂ withÂ activeÂ trainÂ lines.Â HighwayÂ Â VehicleÂ WeightÂ RestrictionsÂ CurrentÂ truckÂ sizeÂ andÂ weightÂ standardsÂ areÂ aÂ blendÂ ofÂ federalÂ andÂ stateÂ regulationsÂ andÂ laws.Â FederalÂ lawÂ controlsÂ maximumÂ grossÂ vehicleÂ weightsÂ andÂ axleÂ loadsÂ onÂ theÂ InterstateÂ System.Â ThereÂ areÂ alsoÂ federalÂ standardsÂ forÂ lengthÂ andÂ widthÂ onÂ theÂ NationalÂ Network.Â AllÂ statesÂ haveÂ lawsÂ inÂ placeÂ toÂ ensureÂ complianceÂ withÂ federalÂ sizeÂ andÂ weightÂ requirements.Â InÂ someÂ instances,Â statesÂ haveÂ lawsÂ thatÂ allowÂ sizesÂ andÂ weightsÂ onÂ nonâinterstateÂ highwaysÂ inÂ excessÂ ofÂ theÂ currentÂ federalÂ truckÂ sizeÂ andÂ weightÂ limits.Â MayÂ requireÂ temporaryÂ reliefÂ fromÂ regulationsÂ andÂ implementationÂ ofÂ shortâtermÂ heavyÂ weightÂ corridors.Â HoursÂ ofÂ ServiceÂ ofÂ DriversÂ FinalÂ RuleÂ (2011)Â DefinesÂ maximumÂ allowableÂ hoursÂ ofÂ drivingÂ forÂ truckÂ andÂ drayageÂ drivers.Â MayÂ requireÂ temporaryÂ reliefÂ fromÂ regulations.Â Â HazardousÂ MaterialsÂ TransportationÂ ActÂ ,Â Â asÂ amendedÂ andÂ codifiedÂ inÂ 49Â U.S.C.Â 5101Â etÂ seqÂ "NoÂ personÂ mayÂ offerÂ orÂ acceptÂ aÂ hazardousÂ materialÂ forÂ transportationÂ inÂ commerceÂ unlessÂ thatÂ personÂ isÂ registeredÂ inÂ conformanceÂ withÂ [law],Â ifÂ applicable,Â andÂ theÂ hazardousÂ materialÂ isÂ properlyÂ classed,Â described,Â packaged,Â marked,Â labeled,Â andÂ inÂ conditionÂ forÂ shipmentÂ asÂ requiredÂ orÂ authorized..."(49Â CFRÂ 171.2(a)).Â Â FederalÂ MotorÂ CarrierÂ SafetyÂ AdministrationÂ (FMCSA)Â requiresÂ motorÂ carriersÂ toÂ obtainÂ aÂ HazardousÂ MaterialsÂ SafetyÂ PermitÂ (HMSP)Â priorÂ toÂ transportingÂ certainÂ highlyÂ hazardousÂ materials.Â DefinesÂ hazardousÂ materialsÂ incidentÂ rulesÂ andÂ regulations.Â