Developing a Physical and Cyber Security Primer for Transportation Agencies (2020)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

115 Appendix B Agency Practices Introduction…………………………………………………………………………………………………………………….. 116  A. State Transportation Agency Practices ................................................................................... 117  1. Risk Management and Risk Assessment ............................................................................. 117  2. Infrastructure Protection and Resilience ............................................................................ 121  3. Physical Security Countermeasures .................................................................................... 124  Prevention ......................................................................................................................................... 125  Deterrence ........................................................................................................................................ 125  Detection ........................................................................................................................................... 127  Mitigation .......................................................................................................................................... 127  Response and Recovery .................................................................................................................... 129  4. Cyber Security Countermeasures ....................................................................................... 129  5. Training and Exercises ......................................................................................................... 133  B. Physical and Cyber Security Legal Authorities ........................................................................ 138  Public Laws .............................................................................................................................. 139  Homeland Security Presidential Directives ............................................................................. 142  National Frameworks and Strategies ...................................................................................... 144  C. Other Areas Impacting Physical and Cyber Security ............................................................... 150 

116 Introduction NCHRP Report 525: Surface Transportation Security, Volume 14: Security 101: A Physical Security Primer for Transportation Agencies (2009) provided transportation managers and employees with an introductory-level reference document containing essential security concepts, guidelines, definitions, and standards. Since the guide was published there have been significant advances in transportation security approaches. As summarized in Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience and Emergency Management for State DOTs (2015), the security domain has now expanded to include the complementary topics of infrastructure protection and system resiliency. Also, defending against the full spectrum of threats facing today's’ transportation systems requires a more comprehensive approach encompassing cyber-physical systems security and cybersecurity aspects along with physical security. This section contains a summary of the review of practices in transportation agencies in meeting their security and infrastructure protection responsibilities, highlighting any significant changes since the initial guide was published.

117 A. State Transportation Agency Practices Recent guidance at the national level has been reshaping the focus and long-term direction of transportation agencies. Since the first edition of this guide was published, there is now an emerging focus on the complementary goals of infrastructure protection and resiliency as part of security and emergency management. Today there are even higher expectations for system performance and reliability and lower tolerance for delays. Small events pose threats of great consequences since the impact of any incident is magnified when a transportation network is operating at or past its capacity – as is the case in portions of many states as travel demand on their transportation networks grows. Hazards continue to evolve. Extreme weather, cyber incidents and other additional hazards need to be addressed as part of all hazards. In addition, the risk of natural and man-made events is growing more common due to many pressures including aging infrastructure. Today’s transportation systems are integrated cyber and physical systems. There has been, and continues to be, significant deployment of new technologies to support DOT activities. 1. Risk Management and Risk Assessment Risk may be understood as the potential for unplanned adverse events to affect one or more transportation facilities in a way that causes unacceptable transportation system performance according to any or all of the agency’s performance objectives. As noted in the first edition of Security 101, risk management is the appropriate starting point for any decision making. There have been a number of recent NCHRP reports that provide overviews and case studies describing how state DOTs are utilizing risk assessment and risk management techniques in their planning, operations, and program/project management. NCHRP PROJECT 20-24 (74) EXECUTIVE STRATEGIES FOR RISK MANAGEMENT BY STATE DOTS (2011) conducted a review of transportation, planning, and business management to identify risk management practices and emerging methods related to internal operations and program and project delivery. The study looked at DOT risk management practices at the enterprise, program, and project levels, but focused more on enterprise risk management. The project final report includes an overview of general risk management process and techniques as they apply to DOTs. NCHRP REPORT 706 USES OF RISK MANAGEMENT AND DATA MANAGEMENT TO SUPPORT TARGET- SETTING FOR PERFORMANCE-BASED RESOURCE ALLOCATION BY TRANSPORTATION AGENCIES (2011) focused on risk management to support funding decisions and prioritization of projects. Many, if not all, DOTs have conducted, and continue to conduct, vulnerability assessments of their critical assets. In general, risk is the product of likelihood and consequence. The steps in a Vulnerability Assessment as provided in the GUIDE TO HIGHWAY VULNERABILITY ASSESSMENT FOR CRITICAL ASSET IDENTIFICATION AND PROTECTION (AASHTO, 2002) are illustrated in Figure 1. As part of the Figure 1: Steps in Vulnerability Assessment.

118 assessment, today it is important to not only understand the sensitivity of system assets, infrastructure and services to different types of events, but to also understand the interdependency of critical infrastructure and assets within the transportation system and also across other sectors. There are a number of methodologies associated with assessing transportation assets that incorporate a variety of risk models such as likelihood models, consequence models, delay/detour models and recovery consequence models. States are currently using different methods and models to evaluate risk. In the case of earthquakes, information is relatively well developed in the seismically vulnerable states. The same expertise and capabilities can serve not only in earthquakes, but also after other extreme events such as storm surge, wave action, and scour. Databases exist for floods, fires and other natural hazards. Threat and Hazard Identification and Risk Assessment (THIRA) THIRA, a foundation of the National Preparedness System, is a four-step risk assessment process that provides an understanding of risks and helps estimate capability requirements. The THIRA process (illustrated in Figure 2) standardizes the risk analysis process that emergency managers and homeland security professionals use and builds on existing local, state, tribal, territorial Hazard Identification and Risk Assessments by:  Broadening the threats and hazards considered to include human-caused threats and technological hazards.  Incorporating the whole community into the planning process, including individuals; families; businesses; faith-based and community organizations; nonprofit groups; schools and academia; media outlets; and all levels of government, including local, state, tribal, territorial, and federal partners.  Providing increased flexibility to account for community-specific factors. Figure 2: The THIRA Process 1. Identify Threats and Hazards of Concern: Based on a combination of experience, forecasting, subject matter expertise, and other available resources, identify a list of the threats and hazards of primary concern to the community. 2. Give the Threats and Hazards Context: Describe the threats and hazards of concern, showing how they may affect the community.

119 3. Establish Capability Targets: Assess each threat and hazard in context to develop a specific capability target for each core capability identified in the National Preparedness Goal. The capability target defines success for the capability. 4. Apply the Results: For each core capability, estimate the resources required to achieve the capability targets through the use of community assets and mutual aid, while also considering preparedness activities, including mitigation opportunities. Example: THIRA Template Table 1 illustrates one possibility for how to organize the information in THIRAs. Table 1: THIRA Template.

120 FWHA Framework for Vulnerability Assessment FHWA developed a Conceptual Model to use in conducting vulnerability and risk assessments of infrastructure to the projected impacts of global climate change. Based on the feedback and lessons learned in pilots with state DOTs, the Conceptual Model was revised and expanded into the Climate Change & Extreme Weather Vulnerability Assessment Framework summarized in Figure 3. Figure 3: FWHA Framework for Vulnerability Assessment. (Source: Assessing Vulnerability and Risk of Climate Change Effects on Transportation Infrastructure 2014)

121 2. Infrastructure Protection and Resilience Resilience is “the ability to prepare and plan for, absorb, recover from and more successfully adapt to adverse events” (DISASTER RESILIENCE: A NATIONAL IMPERATIVE, NATIONAL RESEARCH COUNCIL, 2012). DOTs are currently in the process of understanding the impact of shift in focus from protection of assets to resilience of systems. FHWA Resilience Pilot Study locations are shown in Figure 4. FHWA partnered with state departments of transportation (DOTs) and metropolitan planning organizations (MPOs) to conduct climate change and extreme weather vulnerability assessments of transportation infrastructure and to analyze options for adapting and improving resiliency. In 2010-2011, five pilot teams piloted a Conceptual Model to use in conducting vulnerability and risk assessments of infrastructure to the projected impacts of global climate change. Based on the feedback and lessons learned through the pilots, FHWA revised and expanded the model developed the Climate Change & Extreme Weather Vulnerability Assessment Framework (December 2012). In 2013-2105 nineteen pilot teams partnered with FHWA to assess transportation vulnerability and evaluate options for improving resilience using the Climate Change & Extreme Weather Vulnerability Assessment Framework (December 2012) and other resources for their analyses. Figure 4: FHWA Resilience Pilot Locations. Table 2 provides a summary description of the most recent FHWA resilience pilot projects.

122 Table 2: FHWA Resilience Pilot Locations.  Pilot  Project Description  Arizona DOT (ADOT)  The ADOT team conducted a study to identify hotspots where highways are  vulnerable to associated hazards from high temperatures, drought, and intense  storms. The project focused on the interstate corridor connecting Nogales, Tucson,  Phoenix, and Flagstaff, which includes a variety of urban areas, landscapes, biotic  communities, and climate zones and presents a range of weather conditions  applicable to much of Arizona.  California DOT  (Caltrans), District 1  The vulnerability assessment approach drew from methodologies developed by  FHWA and the Washington State DOT 2010‐2011 climate resilience pilot project. The  pilot assessed vulnerability in four counties by scoring asset criticality and potential  impact. The pilot identified adaptation options at four prototype locations of  vulnerable road segments. The Caltrans District 1 team formalized their adaptation  methodology into a tool to assist with the evaluation and prioritization of adaptation  options.  Capital Area MPO  (CAMPO)  The CAMPO team used a data and stakeholder‐driven approach to assess risks to nine  critical assets from flooding, drought, extreme heat, wildfire, and ice. The project  team conducted a criticality workshop, developed local climate projections, and  performed risk assessments for each asset.  Connecticut DOT (CT  DOT)  The CTDOT team conducted a systems‐level vulnerability assessment of bridge and  culvert structures from inland flooding associated with extreme rainfall events. The  assessment included data collection and field review, hydrologic and hydraulic  evaluation, criticality assessment and hydraulic design criteria evaluation.  Hillsborough MPO   The Hillsborough MPO team assessed the vulnerability of select surface  transportation assets to sea level rise, storm surge, and flooding in order to identify  cost‐effective risk management strategies for incorporation into short‐term and long‐ range transportation planning.  Iowa DOT  To evaluate future flood conditions, the Iowa DOT team developed a methodology to  integrate climate projections of rainfall within a river system model to predict river  flood response to climate change. Iowa DOT tested this methodology in two river  basins to evaluate the strengths and weaknesses of technology to produce scenarios  of future flood conditions. They also analyzed the potential impact of the future  floods on six bridges to evaluate vulnerability to climate change and extreme weather  and inform the development of adaptation options.  Maine DOT  The Maine DOT team identified transportation assets that are vulnerable to flooding  from sea level rise and storm surge in six coastal towns. The team developed depth‐ damage functions and adaptation design options at three of the sites and evaluated  the costs and benefits of the alternative design structures.  Maryland State  Highway  Administration  (MDSHA)  The MDSHA team developed a three‐tiered vulnerability assessment methodology  and GIS layers of statewide water surfaces to analyze vulnerability to sea level rise,  storm surge, and flooding in two counties. The team also reviewed design strategies,  best management practices, planning standards, and other ways to support the  adoption of adaptive management solutions.  Massachusetts DOT  (MassDOT)  The MassDOT team sought to better understand the vulnerability of the I‐93 Central  Artery/Tunnel system (CA/T) in Boston to sea level rise and extreme storm events.  The team combined a state‐of‐the‐art hydrodynamic flood model with agency‐driven  knowledge and priorities to assess vulnerabilities and develop adaptation strategies.   Michigan DOT  (MDOT)  The MDOT team conducted a climate‐based vulnerability assessment of mostly  MDOT‐owned and ‐operated transportation infrastructure, including roads, bridges,  pumps and culverts. The assessment used GIS to overlay climate projections onto 

123 asset information from MDOT's existing asset management database to help identify  locations and infrastructure that may be at risk.  Minnesota DOT  (MnDOT)  The MnDOT team conducted a vulnerability assessment of bridges, culverts, pipes,  and roads paralleling streams to flooding in two districts. Based on the vulnerability  assessment results, they developed facility‐level adaptation options for two selected  culverts programmed for replacement. Using damage and economic loss estimates  associated with flash flooding as well as cost estimates for alternative engineering  designs the team identified the most cost‐effective options under a range of climate  scenarios.  Metropolitan  Transportation  Commission (MTC)  The MTC team refined a previous vulnerability assessment with additional sea level  rise mapping and hydraulic analysis. Using the revised vulnerability data, the project  team developed a comprehensive suite of adaptation strategies for three focus areas,  and through a systematic evaluation process, they selected five adaptation strategies  for further development: living levees (in two locations), an offshore breakwater, a  drainage study, and mainstreaming climate change risk into transportation agencies  planning processes.  North Central Texas  Council of  Governments  (NCTCOG)  The NCTCOG team assessed the vulnerability of existing and planned transportation  infrastructure in the Dallas‐Fort Worth region, where extreme weather events will  add an additional stress on the transportation system in the rapidly growing region.  New York State DOT  (NYSDOT)  The NYSDOT team assessed the vulnerability of the transportation system to changes  in precipitation in the rural Lake Champlain Basin. The team developed a benefits  valuation approach to help decision‐makers prioritize infrastructure and assess when  to undertake culvert replacements considering social, economic, and environmental  factors. They evaluated vulnerability, criticality and risk, and developed a method to  apply an environmental benefits multiplier to each culvert.   Oregon DOT (ODOT)  The ODOT team engaged maintenance and technical staff and utilized asset data to  assess the vulnerability of highway infrastructure in two coastal counties to extreme  weather events and higher sea levels. Based on the results of the vulnerability  assessment, the pilot conducted further analysis of specific adaptation sites, options,  and benefits and costs for five priority storm and landslide hazard areas. Options  analyzed ranged from “do nothing” scenarios to options for increased operations and  maintenance and options with significant construction and engineering  requirements.   South Florida  The South Florida team focused on a four‐county region in conducting a detailed  geospatial analysis to calculate vulnerability scores for “regionally significant” road  and passenger rail infrastructure. The study also recommended ways for partner  agencies to incorporate the vulnerability results into their normal decision‐making  processes.  Tennessee DOT  (TDOT)  The TDOT team conducted an extreme weather vulnerability assessment of  transportation infrastructure across the state. The project team compiled a statewide  inventory of the most critical transportation infrastructure and used historical and  projected climate and weather data as well as stakeholder feedback to develop  rankings of the vulnerability of critical transportation assets to projected temperature  and precipitation changes and other extreme weather events.  Washington State  DOT (WSDOT)  The WSDOT team examined adaptation options in the Skagit River Basin, an area of  the state identified in an earlier assessment as highly vulnerable to flooding.  Adaptation options centered on 11 vulnerable road segments in the study area.  Options included active traffic management, detour routes, basin‐wide flood  easements, and culvert improvements.  Western Federal  Lands Highway  The WFLHD/ADOT&PF team assessed three unique climate change issues in the state  of Alaska. In Kivalina, the pilot considered the impact of the loss of sea ice, sea level 

124 Division (WFLHD)  and the Alaska DOT  and Public Facilities  (ADOT&PF)  rise, and wind on shoreline erosion of the coastal runway. In Igloo Creek and along  the Dalton Highway, the pilot considered the impacts of increased temperature  (resulting in permafrost melt) and increased precipitation on landslides and  pavement cracking.   3. Physical Security Countermeasures This section discusses the many of the tools and countermeasures used to improve the security of critical infrastructure and facilities, and other areas. Physical security countermeasures include signs; emergency telephones, duress alarms, and assistance stations; key controls and locks; protective barriers; protective lighting; alarm and intrusion detection systems; electronic access control systems; and surveillance systems and monitoring. For nonpublic spaces, access control, perimeter security, intrusion detection systems, and other similar types of technology are deployed to protect facilities from external losses. In facilities that are open to the public, security personnel or possibly surveillance systems are the primary means of providing protection. TCRP REPORT 180 POLICY AND SECURITY PRACTICES FOR SMALL- AND MEDIUM-SIZED PUBLIC TRANSIT SYSTEMS (2015) explores the current state of practice and identifies potential security countermeasures that could be deployed by both of these sizes of transit agencies. TCRP F-21 TOOLS AND STRATEGIES FOR ELIMINATING ASSAULTS AGAINST TRANSIT OPERATORS (2017) provides an overview of countermeasures - ranging from policing, personnel, and training to technology, information management, policy, and legislation - that can be considered as a means to prevent, deter, detect, mitigate, respond to or recover from an attempt or actual assault upon a transit operator. In contemplating the appropriate level of security, it is important to take into account the purpose and benefits of the various types of security countermeasures that are available. Security can be designed to prevent, deter, detect, mitigate, respond to, or recover from an incident. Security spans the continuum from prevention through response and recovery. Table 3 below provides definitions of the levels of security. Table 3: Levels of Security.  Security Level  Definition  Prevention  Those capabilities necessary to avoid, prevent, or stop a threatened  or actual act.  Deterrence  An activity, procedure, or physical barrier that reduces the likelihood  of an incident, attack, or criminal activity.   Detection  The identification and validation of potential threat or attack that is  communicated to an appropriate authority that can act.  Mitigation  The application of measure or measures to reduce the likelihood of  an unwanted occurrence and/or its consequences.   Response  Capabilities  necessary  to  save  lives,  protect  property  and  the  environment,  and  meet  basic  human  needs  after  an  incident  has  occurred. 

125 Security Level  Definition  Recovery  The development, coordination, and execution of plans for impacted  areas and operations.   The following sections contain summary information on effective security countermeasures by continuum category. Prevention There are relatively few security measures available to prevent events from occurring on transportation systems. Transportation conveyances, in general, are public open access vehicles available for use by an unrestricted general population. With the exception of no-fly lists, individuals who represent security risks are not pre-identified or barred from riding because their propensity to action is generally unknown. Often, there is no screening for weapons or dangerous implements prior to boarding. Riders are placed in close proximity to one another. In summary, the openness of transportation systems makes them virtually unprotectable using modern physical security technology. See Figure 5. Figure 5: A selection of prevention countermeasures with varying visibility, cost, and ease of implementation. Deterrence Deterrence is largely a matter of reducing exposure to potential harm, or influencing how the attacker or offender interprets the risk of apprehension or personal loss. Security-related technologies can greatly reduce both the perceived window of opportunity and the potential impact of incidents. Figure 6 provides a summary of the most relevant countermeasures and approaches related to deterrence. PREVENTION Police  Personnel Protective  Barriers Barring  Systems

126 Figure 6: A selection of procedures, activities, and physical interventions with deterrent effects. Example: Code of Conduct for Transit Passengers: Charlotte Area Transit System Charlotte released a Riders’ Code of Conduct, which notes the following acts are prohibited on a CATS or LYNX vehicle:  Smoke or carry any lighted tobacco product or expel the residue of any other tobacco product including chewing tobacco  Consume any alcoholic beverage or possess an open container of any alcoholic beverage  Engage in disruptive, disturbing behavior including: loud conversation, profanity or rude insults, or operating any electronic device used for sound without an earphone(s)  Take any animal onto a vehicle unless its purpose is to assist a person with a disability or in training activities  Carry, possess or have within immediate access any dangerous weapon  Possess or transport any flammable liquid, combustible material or other dangerous substance such as gasoline, kerosene or propane  Litter  Vandalize the vehicle or station platform by writing, marking, scribbling, defacing or causing damage to the vehicle or platform facilities in any manner  Beg by forcing yourself upon another person  Excrete any bodily fluid or spit upon or at another person on the vehicle or station platform  Possess, use or sell any controlled substance  Lying down on seats, benches or tables at stations and bus stops  Standing, sitting or lying within 2 feet of the edge of the rail station platforms except for boarding and exiting the light rail vehicle  Skating or skateboarding on station platforms  Trespassing upon any area not open to the public and posted as such Deterrence Surveillance  Systems Public  Address  Systems and  Signage Awareness  Training LegislationOnboard Security Passenger  Codes of  Conduct Physical  Barriers

127 The Riders’ Code of Conduct was adapted from Charlotte Code Sec. 15-272 and 15-273. As of the publication of TCRP Report 180, violations of this code could be enforced by a fine of $50 or by arrest. Local laws, regulations, or ordinances such as the Charlotte Code (as mentioned above) can provide a basis for creating a code of conduct for users of state DOT assets. Detection There are technology measures such as video/audio surveillance, sensors, and other tools that can support detection when a potential incident is imminent. Detection and assessment of transportation systems has been enhanced by rapidly developing technologies providing digitized data acquisition, storage and transmission along with structural diagnostics, i.e. monitoring of structures by sensitive instruments measuring temperature, displacement, acceleration, and other significant performance indicators during regular service. A number of remote, in-situ, or portable monitoring/damage detection techniques have become available for use in post-event assessment such as sensors, sonar, ground-breaking radar, satellite imagery and unmanned aerial vehicles. These new capabilities are not fully explored and utilized by state DOTs today. Figure 7 provides a summary of the most relevant countermeasures and approaches. Figure 7: Detection tools for identifying and interrupting incidents range from more affordable sensors and alarms to complex security staffing plans and tracking systems. Mitigation Measures to reduce the likelihood of an assault or to minimize the consequences of an incident include policy, such as security plans, technology measures such as smart components and sensors; and awareness and training. Figure 8 provides a summary of the most relevant countermeasures and approaches to mitigate incidents. Detection Incident  Responce  Plan Two‐way  Radio /  Mobile  Broadband  Communicat ions Remote  Sensors Telemetry  Systems Anti‐theft  Devices Intelligence  Sharing Based on experimental evidence and numerical simulation results gathered during the research for NCHRP REPORT 645: BLAST-RESISTANT HIGHWAY BRIDGES: DESIGN AND DETAILING GUIDELINES,

128 guidelines for highway bridge columns were developed. The research found that one of the best ways to mitigate damage was to increase the standoff distance with physical deterrents such as bollards, security fences, and vehicle barriers. When standoff distance is not available, the design and detailing provisions as described in the guidelines should be met. . Figure 8: A selection of mitigation countermeasures. Example: Red Kite Training Program for Conflict Management SEPTA This training program is designed to help employees to be more aware and to show more understanding for individuals (the customers) by allowing them to understand self-importance, to show respect and to see the human factor, allowing them to focus on de-escalating potential problems before they happen. Operators participate in their training while learning that they have choices in every interaction and how they can create a shift that can disarm a potentially difficult situation. This internationally used training model uses trauma-informed crisis management as a means to de-escalate violence with those who have experienced it. Program tenets include a belief that teaching public-service workers the effects of trauma and how to de-escalate violence is the key to community safety. In terms of physical security, simple and aggravated assaults against operators can harm those operators physically and emotionally. TCRP Report 180 notes that even spitting attacks have resulted in drivers Mitigation Incident  Response Plan Physical Barriers Automatic  Assessment  Systems Electronic SignsTraining Real Time  Incident  Surveillance Immediate  Response

129 needing to take paid leave. In addition, the report also notes, “besides the potential physical harm to people, a repeated pattern of aggravated assaults may instill a culture of fear in a transit agency in which passengers are afraid to use the system or operators are afraid to come to work. Damage to property and scheduling may also occur as a result of an aggravated assault.” Response and Recovery There are numerous types of countermeasures that can support the maintenance of an effective response program for incidents. Many of these measures are low cost and/or low effort, consisting of policy responses, awareness and training, security planning, or coordination with local authorities. Figure 9 provides a summary of the most relevant countermeasures and approaches to respond to and recover from incidents. Response  and  Recovery Waivers and  Emergency   Legislation Post  Incident  Action Steps Training, Drills   and Exercises Immediate  Actions Security   Communications  Training Coordination &  Collaboration Task Forces Figure 9: Response and Recovery Countermeasures

130 4. Cyber Security Countermeasures NIST Computer Security Division's Computer Security Resource Center (CSRC) facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. The CSRC is the primary gateway for gaining access to NIST computer security publications, standards, and guidelines plus other useful security-related information. NIST has published over 300 Information Security guides that include Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NIST IR). Most commonly referenced NIST publications include: PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER ATTACKS: A PRIMER (2016), a joint product of two Transportation Research Board Cooperative Research Programs, provides transportation organizations basic reference material concerning cybersecurity concepts, guidelines, definitions and standards. The primer delivers fundamental strategic, management and planning information associated with cybersecurity and its applicability to transit and state department of transportation operations. The primer presents fundamental definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The goals of the primer are to: increase awareness of cybersecurity as it applies to highway and public transportation; plant the seeds of organizational culture change; address those situations where the greatest risks lie; and provide industry- specific approaches to monitoring, responding to and mitigating cyber threats. Individual chapters address: myths of cybersecurity; risk management, risk assessment and asset evaluation; plans and strategies, establishing priorities, organizing roles and responsibilities; transportation operations cyber systems; countermeasures; training; and security programs and support frameworks. APTA STANDARDS DEVELOPMENT PROGRAM RECOMMENDED PRACTICE: SECURING CONTROL AND COMMUNICATIONS SYSTEMS IN TRANSIT ENVIRONMENTS, PARTS I, II AND IIIA (2010 – 2015), addresses the importance of control and communications security to a transit agency and presents recommended approaches for securing communications and control systems. Parts IIIb and IIIc are anticipated in the future. Example: San Francisco Municipal Transportation Authority (SFMTA) Ransomware Event In November 2016, SFMTA experienced a ransomware attack that encrypted SFMTA’s information systems. The impact on physical control systems was minimized because SFMTA used a segmentation approach to separate operational control and communications systems from other IT systems and disconnected their fare gates and ticket vending machines systems from the network. Cybersecurity is a growing issue for all organizations, including airports. ACRP Report 140: Guidebook on Best Practices for Airport Cybersecurity (2015) provides resources for airport managers and IT staff to reduce or mitigate inherent risks of cyberattacks on technology-based systems. Traditional IT infrastructure such as servers, desktops, and network devices are covered along with increasingly sophisticated and interconnected industrial control systems, such as baggage handling, temperature control, and airfield lighting systems. Example: Chicago Air Traffic Control Center Fire On September 26, 2014, Federal Aviation Administration’s (FAA) Air Route Traffic Control facility outside of Chicago shut down over 91,000 mi2 of airspace due to a massive fire set by a disgruntled

131 contractor. Thousands of travelers and flights were disrupted nationwide. The FAA and air traffic control minimized the disruption by using air traffic control centers in other locations. The contractor could easily overcome the existing security systems, since he held access privileges, highlighting the need for system redundancy and adaptability of processes and personnel. This example also illustrates the importance of coordinated programs for physical, cyber, and personnel security. Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” February 2013, directed National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary cybersecurity framework for reducing risks for critical infrastructure. The resulting Framework for Improving Critical Infrastructure Cybersecurity was released in 2014. Recognizing that a “one size fits all” methodology for implementation of the framework is impractical, the Transportation Security Administration, Department of Transportation, United States Coast Guard, and Transportation Systems Sector (TSS) stakeholders organized to create implementation guidance of greatest relevance to the TSS. The TSS Cybersecurity Framework Implementation Guidance, published in 2015, provides guidance, resource direction, and a directory of options to assist a transportation agency or organization in adopting the NIST Framework. The implementation guidance can be used by organizations to do the following: • Characterize their current and target cybersecurity posture. • Identify opportunities for evolving their existing cybersecurity risk management programs. • Recognize existing sector tools, standards, and guidelines that may support framework implementation. • Assess and communicate their risk management approach to both internal and external stakeholders. Example: Utah Transit Authority Cybersecurity Program UTA, a medium-sized transit agency with about 2,500 employees, serves six counties or about 1,600 square miles and 80% of the state’s population. UTA’s infrastructure and assets consist of the following: • 6,206 active bus stops • 520 buses, 123 paratransit, 441 vans, 70+ Support • 146 Light Rail Cars, 18 locos, 53 Commuter Rail Cars • 90 miles of commuter rail track. 16 commuter rail stations, 50 light rail stations UTA’s cybersecurity program is comprised of a cybersecurity monitoring strategy, a systematic decision- making process for selecting and implementing countermeasures, SCADA rail cybersecurity and cybersecurity layers. UTA’s cybersecurity program is based on best practices and is effective in protecting UTA’s SCADA and rail control systems, and its IT and enterprise systems. UTA’s cybersecurity monitoring strategy effectively manages its cyber security threats and vulnerabilities. Discussed in the case study are its monthly monitoring system used by the IT unit and Security Incident Reporting tools UTA’s decision-making process to initiate a cyber security project proceeds as follows: First, there is a risk assessment process which identifies possible security enhancement measures. For each decision cycle, several of UTA’s many systems undergo the risk assessment process. Second, a committee ranks these measures based on certain high-level factors. While the CTO is responsible for overall cyber security for UTA, the UTA Security Administrator makes the final decisions on whether or not to proceed with the

132 selected projects. This decision process occurring several times a year results in implementation of 10-30 cyber security measures. To protect data connections between traffic control, SCADA, and data systems, IT worked with rail operations units to implement cybersecurity systems. They constantly scan the systems for viruses and unusual activity. The case study includes a presentation of Defense in Depth corporate policies. UTA’s layers of security begin with corporate policies and progresses to physical security, perimeter security, internal network security, host security and application/data security. Cyber-Physical Security Cybersecurity cannot be easily separated from physical security. Physical and cyber systems in transportation have become increasingly colocated and functionally dependent on one another. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. Evidence of intrusion into physical assets, especially control system cabinets, devices or terminals, communications devices or networks, is an indicator for a suspected cyber breach. Along with more obvious damage or telltale evidence of intrusion and unreconciled door and/or cabinet alarms, inexplicable loss or behavior of communications links or behavior of control system devices could be indications of physical security breaches. Policies and practices for responding to physical security breaches need to also address cybersecurity, and incorporate considerations that a cyber-related incident may have also occurred. Benefits and Needs for an Integrated Approach to Cyber–Physical Security for Transportation, (Zimmerman and Dinning, 2017) published in Transportation Research Circular E-226: Transportation Systems Resilience: Preparation, Recovery, and Adaptation (Transportation Research Board, 2017), provides an overview of cyber and physical systems, gives examples of effective security approaches, and includes transportation case studies. The authors identify four challenges:  Redundancy and backup systems, that are needed to mitigate impacts of disruptions, should be part of continuity of operations plans, and require training, management, and close oversight.  Because cyber and physical systems, and their respective security system products, are specified and purchased independently from different sources, a systems approach to acquisitions should be used that includes security and resilience in system specifications. Where possible, product designs should address both cyber and physical security.  Many organizations lack enterprise-wide resiliency plans addressing all risks simultaneously. All- hazards resiliency plans can reduce the impact of interrelated risks and cascading impacts.  Personnel must understand both cyber and physical risks and mitigation strategies. Some organizations are facing this challenge with workforce training programs, for example by NIST, DHS, ICS-CERT, and the Transportation Research Board Critical Transportation Infrastructure Protection Committee.

133 5. Training and Exercises SECURITY AWARENESS AND ALERTNESS TRAINING IN STATE DEPARTMENTS OF TRANSPORTATION1 (Chen, Nof, Partridge, Varkonyi, and Nakanishi, 2006) provided a summary of how state departments of transportation train their employees for security awareness and alertness based on a 2004 survey of state DOTs. Eighteen states were found that considered assessment and certification of security training, and a list of 25 most popular training programs conducted by those 18 states were evaluated in the research. The key findings from that analysis included:  Large numbers of security training courses and tools are available.  State DOT training goals were general in scope, even though a higher level of specificity is recommended.  Security training should be continuously updated and flexible to respond to new and changing threats. Over time, there has been an evolution in the preferred methods of training delivery for DOT employees, captured in ASSHTO State DOT Security/Emergency Management Survey results. The 2010 survey summarizes this evolution, as shown in Figure 10. There is a still strong preference for print/electronic materials with significant growth in demand for conferences/peer exchanges and web-based seminars. Exercises and workshops as a preferred source have declined significantly. Figure 10: DOT Preferred Training Delivery Methods (Source: Summary of 2010, NCHRP Project 20-59 (29)) ASSESSMENT OF SURFACE TRANSPORTATION SECURITY TRAINING NEEDS AND DELIVERY PREFERENCES (2011) identified security training content needs and effective approaches through focus groups and interviews with representatives of 45 different major surface transportation or security organizations. The study identified training content needs by audience, as summarized in Table 4.   1 Transportation Research Record: Journal of the Transportation Research Board,  No. 1942, Transportation Research Board of the National Academies, Washington,  D.C., 2006, pp. 39–51. 

134 Table 4: Security Training Content Needs by Audience.  Audience  Content Needs   Frontline  • Situational assessment of threats and incidents • Observational  skills  and  reporting  dangerous  substances, suspicious packages, and situations • Appropriately reacting to all threats • Proper use of security equipment or technology There was clear concern that training for frontline personnel does  not need be too in‐depth or technical.   Transportation Professionals  Mid‐ to high‐level managers and  executives  in  operations,  planning,  safety,  security,  maintenance,  and other related fields   Aside from the same basic security awareness training for frontline  employees,  this  audience  has  special  high‐level  training  and  education  needs  in  the  area  of  security  risk  assessment  and  management, vulnerability assessment, and planning for resiliency.  This audience may need to understand more clearly the difference  between safety and security.  Contractors and Vendors   • Similar to frontline employee awareness training • Reporting suspicious activity. Emergency Responders  • Transportation system operations, hazards, and vulnerabilities • Integrated communications and response practices/procedures • Integrated incident management Needs for this group will not be much different from that of  frontline employees in terms of emphasis on reporting suspicious  and dangerous activities, but would vary in priority based on the  proximity and access to critical infrastructure and operations (for  maintenance workers) and to public areas.  Source: Assessment of Surface Transportation Security Training Needs and Delivery Preferences (2011)  As part NCHRP PROJECT 20-59 (43), INCORPORATING TRANSPORTATION SECURITY AWARENESS INTO ROUTINE STATE DOT OPERATIONS AND TRAINING, a scanning survey was done to identify existing transportation safety and security training. Survey results were obtained from 31 respondents representing 20 different states. Almost 60% of the survey respondents indicated that their organization required or encouraged training in transportation security. The current transportation security training involved “If You See Something, Say Something” program related security awareness training, ICS/MINS emergency response training, TIMS training, and HazMat Training, where appropriate.

135 Transportation Emergency Response Application (TERA) TERA is a simulation used to respond to and visualize the impact of transportation agency actions in an event/disaster that may affect normal operations. It was created under the Transit Cooperative Research Program (TCRP) Project A-36, “Command-Level Decision Making for Transportation Emergency Managers” and sponsored by the National Cooperative Highway Research Program NCHRP Project 20-59, “Surface Transportation Security and Resilience Research.” See Figure 11. TERA is a web-based facilitated exercise with multiple scenarios available. Nine scenarios are for airports. There are roles for transit agencies and departments of transportation in scenarios for the following. 1. Flood 2. Wildfire 3. Hurricane 4. Earthquake 5. Power Outage 6. Hazardous Material 7. Pedestrian-involved Bus Crash 8. Active Shooter 9. Contagious Disease 10. Traffic Incident Management (TIM) Capstone for Strategic Highway Research Program 2 Training Course Example: Texas Department of Transportation (TxDOT) Security Awareness Program The TxDOT Security Training Program is designed to make each employee aware of their role in security, teach them how to identify suspicious activities, behavior and objects, and relay TxDOT procedures for reporting any objects, behaviors or activities. The established reporting process is to call internal security contact who forwards to call fusion center 1-800 or calls 911 depending on what is being reported. There are following major components: 1. Online Security Training Course that all TxDOT employees must take as new employee training and then refresher course every 2 years. The course is module based and includes information on roles in reducing vulnerability, in incident response and in preparedness. 2. Field exercises with scenarios that include delivery and gate procedures, identification process for suspicious people and items. 3. Integration with job-specific courses such as bridge maintenance course that includes information on awareness, what to look out for and how to pass information along. Module on Fracture Critical Bridges – includes information on importance that nothing be placed on certain places on bridge. Figure 11: TERA Portal.

136 4. Proactive information distribution that includes posters in all TxDOT office, emails to directors of operations, statewide message boards (driven by state operations center) and mass emails, if necessary, for major or highly significant information. Making it clear that employees have security responsibilities – that they are the ”eyes and ears” of the agency – and they should be aware of suspicious activity and know who to call to report matters of a suspicious or dangerous nature is an effective physical and cybersecurity measure. Training can also improve safety. For example, maintenance worker training includes information on the hazard of Meth lab debris to mowers. In the border security in districts on Tex/Mex line and regions where the drug cartel operates, awareness of planting drugs on TxDot vehicles for transport and cloning of TxDot vehicles is critical. Incorporating security awareness training into job-specific training is efficient and can be very effective. TxDOT bridge inspectors have identified a number of security events:  Bridge marking issue - bridge inspectors reported graffiti that looks suspicious  Bridge damage - E Texas district found that someone literally shot column until all concrete was gone. If done in right place, would be able to bring bridge down. All agencies can benefit from a security awareness program similar to that established at TxDOT and can improve existing security by incorporating components of TxDOT program. Example: Tennessee DOT Comprehensive Exercise Program TDOT’s exercise plan is robust and is aligned with relevant federal guidance and the state of Tennessee’s emergency management program. The program requires, for each identified hazard, that an exercise be conducted at least once in the two-year cycle. The Emergency Management Standards are used as promulgated by the Emergency Management Accreditation Program. HSEEP is used as a reference not as a standard. TDOT is viewed and treated as an equal partner by the emergency management community, and frequently trains and exercises with the state EMA and other state emergency response providers. In addition, TDOT frequently communicates and coordinates with state EMA and other emergency response providers. In incidents, TDOT typically assumes the following roles: IC, Operations, Planning, Intel/Investigations. The training program includes ICS/NIMS, Traffic Incident Management, Hazmat Awareness, Active Shooter Training, and Emergency Radio Communications. NIMS/ICS training and TIM training have been provided to all emergency response personnel in the DOT. After every exercise or real world event, AARs are developed to capture lessons learned, identify areas of needed improvement, and assign the improvements to a functional area within the TDOT. The Comprehensive Exercise Program for the State of Tennessee Department of Transportation (CEP) document is a supporting document to the TEPP and is an agency-wide comprehensive emergency management exercise program plan and framework for TDOT. The document states that the “goal of the CEP is to develop, implement and institutionalize a quality comprehensive, objective based and threat focused exercise program.” (CEP, page 4) The document supports the State Multi-year Training and Exercise Plan / Program (MTEP) and is intended to fulfill federal HSEEP requirements; at the same time, it should be noted that the state of Tennessee incorporates the HSEEP process into the planning methodology but not as regulation. In addition to the HSEEP, the Emergency Management Accreditation Program (EMAP) and Emergency Management Performance Grant (EMPG) documentation are also used as guidelines by TEMA and TDOT.

137 Standard components to be included in exercise plans and exercise scheduling and priority determination are described in the CEP. Tennessee’s Multi-year Exercise Plan is contained in CEP Appendix 2 and includes a listing of exercise priorities for each training year. In Training Year 2015 (October 2014 – September 2015) terrorism was the second priority; the first was Hazmat. Training Year 2016 (October 2015 – September 2016) terrorism was the fifth priority and non-Hazmat transportation was the fourth. In Training Year 2017 (October 2016 – September 2017) the third, fourth, and seventh priorities were communications, continuity of operations, and Hazmat, respectively. An Exercise Design Template is provided in CEP Appendix 3. The template provides a detailed outline of the key components of a sample exercise design.

138 B. Physical and Cyber Security Legal Authorities This section contains an overview of public laws, presidential directives, national frameworks and strategies that establish the legal authorities related to physical and cyber security.  

139 Public Laws Name  Description  Security and Infrastructure Protection Implications  USA PATRIOT Act of 2001 (42  U.S.C. 5195c(e))  Created the authority to protect and defend  critical infrastructure and other security  authorities and is a basis for HSPD‐7.  Established requirement to protect and defend  critical infrastructure.  Homeland Security Act of 2002  (6 U.S.C. 101), 2002    This Act created the Department of Homeland  Security and is the primary authority for Homeland  Security Presidential Directive (HSPD) Number 5  and a major supporter of HSPD‐8.    Defined “emergency response providers” to mean  “federal, state, and local governmental and  nongovernmental emergency public safety, fire, law  enforcement, emergency response, emergency  medical (including hospital emergency facilities) and  related personnel, agencies, and authorities.”     Provides for grants to state and local governmental  entities, tribal governments, or other local entities,  for emergency and disaster‐related activities.  Post‐Katrina Emergency  Management Reform Act  (PKEMRA) of 2006  The Post‐Katrina Emergency Management Reform  Act of 2006 (PKEMRA) amended the Homeland  Security Act of 2002 to make extensive revisions to  emergency response provisions while keeping  FEMA within the Department of Homeland  Security. PKEMRA significantly reorganized FEMA,  provided it substantial new authority to remedy  gaps in response, and included a more robust  preparedness mission for FEMA.     Directed the development of a National Disaster  Recovery Strategy and National Disaster Housing  Strategy.  Amended the Stafford Act to direct FEMA to  appoint a Disability Coordinator to ensure the  needs of individuals with disabilities are addressed  in emergency preparedness and disaster relief.  Requires the development of pre‐scripted mission  assignments as part of the planning efforts for  Emergency Support Function (ESF) response efforts.  Employs the National Incident Management System  (NIMS) and the National Response Framework (NRF)  as the framework for emergency response and  domestic incident management.  Requires the development of comprehensive plans  to respond to catastrophic incidents to include clear  standardization, guidance, and assistance to ensure  common terminology, approach, and framework for  all strategic and operational planning.  Include needs of individuals with disabilities and  protection for household pets and service animals. 

140   Coordinates and supports precautionary evacuations  and recovery efforts.  Provides transportation assistance for relocating and  returning individuals displaced from their residences  in a major disaster.  Security and Accountability for  Every Port Act of 2006 (SAFE  Port Act)  Required that Area Maritime Security (AMS) Plans  include a Salvage Response Plan to ensure that  waterways are cleared and port commerce is  reestablished as efficiently and quickly as possible  following a transportation security incident.  Establishes USCG efforts in cases of for port  disruptions and events impacting waterways.  Coast Guard Authorization Act of  2010  Called for AMS Plans to establish response and  recovery protocols to prepare for, respond to,  mitigate against, and recover from a  transportation security incident.  Established Marine Transportation System Recovery  Unit (MTSRU) to work with stakeholders and provide  guidance to incident command.  Maritime Transportation  Security Act (2002, 2010)   Requires an area maritime transportation security  plan to establish regional response and recovery  protocols to mitigate regional transportation  security incidents.      Requires the Transportation Worker Identification  Credential, also known as TWIC®, for workers who  need access to secure areas of the nation’s maritime  facilities and vessels.    Requires owners of US facilities that are on or  adjacent to U.S. waters that pose a high risk of being  involved in a transportation security incident to: (1)  make the vulnerability assessment of the facility  available to the local port authority and appropriate  state or local law enforcement agencies; and (2)  integrate the facility's security system with  compatible systems operated by state, law  enforcement agencies, and the CG.  Middle Class Tax Relief and Job  Creation Act of 2012, Pub. L. No.  112‐96, 126 Stat. 156 (2012)  Establishes a State and Local Implementation  Grant Program for the purpose of making grants  “to States to assist State, regional, tribal and local  jurisdictions to identify, plan, and implement the  Provides for grant funds to state and local  governments for emergency communications  Activities. 

141 most efficient and effective way for such  jurisdictions” to use and become part of the  “nationwide public safety broadband network”  that is also established under the Act.  Moving Ahead For Progress In  The 21st Century Act (MAP–21)   Focused on performance management and  established a series of national performance goals.  MAP‐21 required incorporating performance  goals, measures, and targets into transportation  planning.  Most aspects of MAP‐21 are continued in the FAST  Act. The goals related to safety, congestion  reduction, freight movement and economic vitality  and environmental sustainability are of particular  relevance to security.  Fixing America’s Surface  Transportation (FAST) Act, 2015  Expands the focus on the resiliency of the  transportation system. “It is in the national  interest to encourage and promote the safe and  efficient management, operation, and  development of resilient surface transportation  systems that will serve the mobility needs of  people and freight and foster economic growth  and development within and between states and  urbanized areas through metropolitan and  statewide transportation planning processes.”   Requires strategies to reduce the vulnerability of  existing transportation infrastructure to natural  disasters and expands the scope of consideration of  the metropolitan planning process to include  improving transportation system resiliency and  reliability.  Encourages MPOs to consult with state agencies that  plan for natural disaster risk reduction to produce  plans that include strategies to reduce the  vulnerability to natural events.  Key features include: 1) emphasis on resilience with  funding permitted to protect bridges and tunnels; 2)  emphasis on risk‐based as well as performance‐ based asset management; and 3) inclusion of critical  infrastructure for project funding eligibility.    Title 44, Code of Federal  Regulations  Regulations promulgated to administer the grant  programs under FEMA and DHS.  Defines eligible party and other requirements of  federal grants under FEMA and DHS.  Code of Federal Regulations 49  Part 192, 49 CFR Part 193, 49  CFR Part 33, 49 CFR Part 194, 49  CFR Part 195, 40 CFR Part 112,  30 CFR Part 254, and 49 CFR Part  194  Federal regulations that govern pipeline safety and  emergency planning requirements.   All 50 states and the District of Columbia have  elected to adopt by reference, federal pipeline  safety regulations.  Federal pipeline regulations have very specific  emergency planning requirements that include  mandated written emergency response procedures  and the requirement for communication of  emergency plans and procedures to fire, police, and  other public officials. 

142 Homeland Security Presidential Directives Name  Description  Security and Infrastructure Protection Implications  HSPD‐5,  Management of  Domestic Incidents    Purpose: “To enhance the ability of the United  States to manage domestic incidents by  establishing a single, comprehensive National  Incident Management System.” It created the  National Incident Management System and the  National Response Plan; the latter has been  replaced by the National Response Framework.  Established foundation for NIMS and National  Response Framework.   HSPD‐7,  Infrastructure  Identification,  Prioritization, and Protection    “This directive establishes a national policy for  federal departments and agencies to identify and  prioritize United States critical infrastructure and  key resources and to protect them from terrorist  attacks.” Led to National Protection Infrastructure  Protection Plan.  Established foundation for NIPP and Transportation  Systems Sector‐Specific Plan.   HSPD‐8, National  Preparedness (2011)    “This directive establishes policies to strengthen  the preparedness of the United States to prevent  and respond to threatened or actual domestic  terrorist attacks, major disasters, and other  emergencies by requiring a national domestic all‐ hazards preparedness goal, establishing  mechanisms for improved delivery of federal  preparedness assistance to state and local  governments, and outlining actions to strengthen  preparedness capabilities of federal, state, and  local entities.” This led to creation of a National  Preparedness Goal, which was implemented in the  form of the National Preparedness Guidelines  (NPG) document and several other guidelines.   Emphasis of the National Preparedness Goal is on  building and sustaining core capabilities across five  mission areas ‐ Prevention, Protection, Mitigation,  Response, and Recovery.     Identifies capabilities required for executing the  mission or function at any time (before, during, or  after an incident) and across all threats and hazards.       Presidential  Policy  Directive  8:  National Preparedness (2011)    Integrates National Planning Frameworks ‐  National Prevention Framework. National  Mitigation Framework, National Response  Strengthen security and resilience through five  preparedness mission areas—Prevention, Protection,  Mitigation, Response, and Recovery. 

143 Framework, National Disaster Recovery  Framework.  Presidential Policy Directive‐21:  Critical Infrastructure Security  and Resilience (2013)  Critical infrastructure must be secure and able to  withstand and rapidly recover from all hazards.  Resilient infrastructure systems are flexible and  agile and should be able to bounce back after  disruptions.  Established integration with National  Preparedness System.  Establishes resilience and rapid recovery as focus of  critical infrastructure security.   Executive Order 13636:  Improving Critical Infrastructure  Cybersecurity (2013)  Develop a technology‐neutral voluntary  cybersecurity framework.  Promote and incentivize the adoption of  cybersecurity practices.  Establishes cybersecurity as aspect of critical  infrastructure security.   Executive Order 13653,  Preparing The United States For  The Impacts Of Climate Change  (2013)  Requires federal agencies to integrate  considerations of the challenges posed by climate  change effects into their programs, policies, rules  and operations to ensure they continue to be  effective, even as the climate changes.  Establishes climate change as additional aspect to  address in plans and programs.   Executive Order ‐‐ Coordinating  Efforts to Prepare the nation for  Space Weather Events, 2016  Space weather has the potential to simultaneously  affect and disrupt health and safety across entire  continents. This order defines agency roles and  responsibilities and directs agencies to take  specific actions to prepare the nation for the  hazardous effects of space weather.  Establishes space‐weather events as additional  aspect to address in plans and programs. 

144 National Frameworks and Strategies Name  Description  Security and Infrastructure Protection Implications  National Preparedness Goal,  Second Edition, 2011 updated  2015  The 2011 National Preparedness Goal defines what  it means for the whole community to be prepared  for all types of disasters and emergencies.  “A secure and resilient nation with the capabilities  required across the whole community to prevent,  protect against, mitigate, respond to, and recover  from the threats and hazards that pose the  greatest risk.”  Updated in 2015, the key changes are    Stresses importance of community preparedness and resilience.  Risk and the Core Capabilities include cybersecurity and climate change.  A new core capability, Fire Management and Suppression, was added.  Core Capability Titles were revised: o Threats and Hazard Identification (Mitigation) – revised to Threats and Hazards Identification; o Public and Private Services and Resources (Response) – revised to Logistics and Supply Chain Management; o On‐scene Security and Protection (Response) – revised to On‐scene Security, Protection, and Law Enforcement; and o Public Health and Medical Services (Response) – revised to Public Health, Importance of community preparedness and resilience.  Threats and Hazard Identification incorporates  cybersecurity and climate change into risks and core  capabilities.  

145 Healthcare, and Emergency Medical  Services.   Several of the core capability definitions were revised. National Disaster Recovery  Framework, Second Edition,  2011 updated in 2016  The National Disaster Recovery Framework  describes, “how the whole community works  together to restore, redevelop, and revitalize the  health, social, economic, natural, and  environmental fabric of the community.” The new  framework incorporates the edits to the National  Preparedness Goal and new lessons learned.  Additional changes made to the framework  include:  “Increased focus on Recovery’s relationship with  the other four mission areas. Updated Recovery  Support Functions (RSFs) to reflect changes in  Primary Agencies and Supporting Organizations.  Additional language on science and technology  capabilities and investments for the rebuilding and  recovery efforts.”  Guides effective recovery support to disaster‐impacted  areas and introduces six Recovery Support Functions  (RSFs).   Infrastructure Systems RSF provides the coordinating  structures, framework and guidance for resilience,  sustainability and mitigation.    National Response Framework,  Third Edition, updated in 2013,  2016  The NRF is aligned with NIMS and provides  capabilities to save lives, protect property, and  meet basic human needs. Response activities occur  before, during, and after an incident and can  overlap with the start of recovery activities. The  following changes were made to the framework:  • The addition of a new core capability, Fire Management and Suppression. • Three revised core capability titles o Logistics and Supply Chain Management; o On‐scene Security, Protection, and Law Enforcement; and o Public Health, Healthcare, and Emergency Medical Services. Identifies critical role of transportation in response.  Calls for Emergency Operations Plans (EOPs) and  Continuity of Operations Plans (COOPs).  When an incident exceeds the ability of local and state  government to respond effectively, the Federal  Government uses NRF to organize federal assistance. 

146 • Three revised core capability definitions o Environmental Response/ Health and Safety; o Fatality Management Services; and o Logistics and Supply Chain Management. National Mitigation Framework,  Second Edition, 2016  The National Mitigation Framework covers the  capabilities necessary to reduce the loss of life and  property by lessening the effects of disasters, and  focuses on risk (understanding and reducing it),  resilience (helping communities recover quickly  and effectively after disasters), and a culture of  preparedness. The new framework incorporates  the edits to the National Preparedness Goal and  new lessons learned including a revised core  capability title, Threats and Hazards Identification.  In addition, the following changes have been made:  “Additional language on science and technology  efforts to reduce risk and analyze vulnerabilities  within the mitigation mission area. Updates on the  Mitigation Framework Leadership Group (MitFLG),  which is now operational. Updates to the  Community Resilience core capability definition to  promote preparedness activities among  individuals, households and families.”  Vulnerability assessments and risk‐reduction plans and  activities.   National Protection Framework,  Second Edition, 2016  The National Protection Framework focuses on  “actions to deter threats, reduce vulnerabilities,  and minimize the consequences associated with an  incident.” The new framework incorporates the  edits to the National Preparedness Goal and new  lessons learned. In addition, the following changes  have been made:  “Updated Cybersecurity Core Capability Critical  Tasks to align with the Mitigation, Response, and  Recovery Mission Areas. Additional language on  science and technology investments to protect  Establish and maintain an all‐hazards infrastructure  protection program designed to (1) safeguard  personnel; (2) prevent unauthorized access (3)  safeguard infrastructure, facilities, equipment,  installations, materiel, and data. 

147 against emerging vulnerabilities are included within  the protection mission area. Additional language  on interagency coordination within the protection  mission area to support the decision‐making  processes outlined within the framework.”  National Prevention Framework,  Second Edition, 2016  The National Prevention Framework focuses on  terrorism and addresses the capabilities necessary  to avoid, prevent, or stop imminent threats or  attacks. Some core capabilities overlap with the  protection mission area. The updates include edits  to the Nation Preparedness Goal, and lessons  learned. Other edits include:  “Updates to Coordinating Structure language on  Joint Operations Centers and the Nationwide  Suspicious Activity Reporting Initiative. Clarification  on the relationship and differences between the  Prevention and Protection mission areas. Updated  language on the National Terrorism Advisory  System (NTAS) as part of the Public Information  and Warning core capability. Additional language  on science and technology investments within the  prevention mission area.”  Prevention coordination with law enforcement and  state, local, federal intelligence.   NIPP 2013: Partnering for Critical  Infrastructure Security and  Resilience  The National Infrastructure Protection Plan (NIPP)  — NIPP 2013: Partnering for Critical Infrastructure  Security and Resilience — outlines how  government and private sector participants in the  critical infrastructure community work together to  manage risks and achieve security and resilience  outcomes.”  ”).   Provides coordinated approach for Critical  Infrastructure and Key Resources (CI/KR) protection.  Focus on resilience ‐ “the ability to resist, absorb,  recover from, or successfully adapt to adversity or a  change in conditions.”  Transportation Systems Sector‐ Specific Plan (TSSSP) Annex to  NIPP  Transportation Systems SSP describes strategies to  reduce risks to critical transportation  infrastructure.  The three goals are (1) Prevent and  deter acts of terrorism against transportation  Focuses on reducing risks from all hazards, increasing  resiliency, and enhancing readiness for continuity and  recovery operations.  

148 system, (2) Enhance resilience of transportation  system, and (3) Improve cost‐effective use of  resources for transportation security.  The Sector‐Specific Plans of the 16 critical  infrastructure sectors are being updated to align  with the NIPP 2013.  Encourages wider participation in risk‐reduction  activities.    Recommends determining security and resiliency  priorities.  National Incident Management  System (NIMS)  NIMS provide a consistent nationwide template to  enable all government, private sector, and  nongovernmental organizations to work together  during domestic incidents.    NIMS updates in 2008 provided important new  definitions, policy direction and guidance  explaining: (1) the NIMS relationship to the  National Preparedness Framework; (2) additions to  cover intelligence and cyber issues; (3) support,  coordination, collaboration, and command and  management tactical and non‐tactical operations;  (4) use and interoperability of emergency  communications; and (5) inclusion of “whole  community” concepts.      FEMA is in the process of reviewing and refreshing  NIMS. The draft of the refreshed NIMS retains key  concepts and principles from the 2004 and 2008  versions, while incorporating lessons learned from  exercises and real world incidents, best practices,  and changes in national policy, including updates to  the National Preparedness System.  NIMS compliance by local, state, territorial, and tribal  nation jurisdictions is a prerequisite for federal  preparedness grants and funds.     Adoption of new Center Management System (CMS)  guidance is not mandatory as part of preparedness  grants.  National Space Weather Strategy  and Action Plan, 2015  Successfully preparing for space‐weather events is  an all‐of‐nation endeavor that requires  partnerships across governments, emergency  managers, academia, the media, the insurance  industry, non‐profits, and the private sector. This  Incorporate space‐weather events in plans and  programs.  

149 plan identifies roles and actions to prepare the  nation for the hazardous effects of space weather.   National Information Exchange  Model (NIEM)  NIEM is a community‐driven, standards‐based  approach to exchanging information. Diverse  communities can collectively leverage NIEM to  increase efficiencies and improve decision making.  Recommended approach to information exchange. 

150 C. Other Areas Affecting Physical and Cyber Security This section contains an overview of other regulations that have an impact on physical and cyber security at state departments of transportation and other transportation agencies. Name  Description  Security and Infrastructure  Protection Implications  Rail   Adjacent Track  Rule  Rule restricts labor from working on a track  adjacent to a track with an active train. In  some port terminals, this rule has been  expanded from the adjacent track to include  an entire terminal with the results that  whenever a train enters or exits a terminal, all  labor stops work.  May cause delays in the  recovery process of port  terminals and other facilities  with active train lines.  Highway   Vehicle Weight  Restrictions  Current truck size and weight standards are a  blend of federal and state regulations and  laws. Federal law controls maximum gross  vehicle weights and axle loads on the  Interstate System. There are also federal  standards for length and width on the National  Network. All states have laws in place to  ensure compliance with federal size and  weight requirements. In some instances,  states have laws that allow sizes and weights  on non‐interstate highways in excess of the  current federal truck size and weight limits.  May require temporary relief  from regulations and  implementation of short‐term  heavy weight corridors.  Hours of Service  of Drivers Final  Rule (2011)  Defines maximum allowable hours of driving  for truck and drayage drivers.  May require temporary relief  from regulations.   Hazardous  Materials  Transportation  Act ,  as amended  and codified in 49  U.S.C. 5101 et seq  "No person may offer or accept a hazardous  material for transportation in commerce  unless that person is registered in  conformance with [law], if applicable, and the  hazardous material is properly classed,  described, packaged, marked, labeled, and in  condition for shipment as required or  authorized..."(49 CFR 171.2(a)).   Federal Motor Carrier Safety Administration  (FMCSA) requires motor carriers to obtain a  Hazardous Materials Safety Permit (HMSP)  prior to transporting certain highly hazardous  materials.  Defines hazardous materials  incident rules and regulations.