Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
14 Chapter 4 Updated Guide NCHRP REPORT 525, VOLUME 14: SECURITY 101: A PHYSICAL SECURITY PRIMER FOR TRANSPORTATION AGENCIES (2009) provided transportation managers and employees with an introductory-level reference document containing essential security concepts, guidelines, definitions, and standards. NCHRP WEB-ONLY DOCUMENT 221/TCRP WEB-ONLY DOCUMENT 67: PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER ATTACKS: A PRIMER (2015) provided transportation organizations basic reference material concerning cyber security concepts, guidelines, definitions and standards and identified effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an incident or breach occur. NCHRP RESEARCH REPORT 930: UPDATE OF SECURITY 101: A PHYSICAL AND CYBER SECURITY PRIMER FOR TRANSPORTATION AGENCIES provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation. The main audience for this document is transportation personnel without a security background whose work requires them to address, perform, or supervise security activities as part of their overall job responsibilities. Although the document is designed for those with minimal or no formal security training or experience, the guide is also a handy reference guide sufficiently detailed to be of use to security professionals as well. Each chapter addresses fundamental aspects of security strategy, management, or planning. Chapter summaries follow. 1. Risk Management and Risk Assessment As noted in the first edition of Security 101, risk management is the appropriate starting point for any decision making about security, infrastructure protection and resilience. This chapter provides background on risk management and information on risk assessment and how it can be used to improve decision making in managing transportation physical and cyber assets. The information contained in the chapter defines risks to transportation systems, explains risk management and associated processes and provides agencies with an understanding of risk and its relationship to security, infrastructure protection and resilience. The chapter includes discussion on enterprise risk management and use of a risk register, risk assessment frameworks, and the application of risk in asset management programs. 2. Plans and Strategies This chapter addresses security planning and strategies including developing enterprise-wide approaches to cyber security enhancement and governance strategies. The chapter highlights the core components of a comprehensive security plan, current national frameworks, strategies and guidance related to cyber security planning. 3. Physical and Cyber Security Countermeasures This chapter discusses the many tools and countermeasures used to improve the security of critical infrastructure and facilities, and other areas. Physical security countermeasures include signs; emergency telephones, duress alarms, and assistance stations; key controls and locks; protective barriers; protective lighting; alarm and intrusion detection systems; electronic access
15 control systems; and surveillance systems and monitoring. For nonpublic spaces, access control, perimeter security, intrusion detection systems, and other similar types of technology are deployed to protect facilities from external losses. Cyber security tools and countermeasures available to address transportation systems are based on NCHRP WEB-ONLY DOCUMENT 221 AND TCRP WEB-ONLY DOCUMENT 67: PROTECTION OF TRANSPORTATION INFRASTRUCTURE FROM CYBER ATTACKS: A PRIMER (2015), a basic reference material concerning cyber security concepts, guidelines, definitions and standards, and on ACRP REPORT 140: GUIDEBOOK ON BEST PRACTICES FOR AIRPORT CYBERSECURITY (2015) that provides resources for airport managers and IT staff to reduce or mitigate inherent risks of cyberattacks on technology-based systems. This information is supplemented with guidance and practices from other sources such as NIST Information Security guides and DHS or FHWA cyber security recommendations. 4. Cyber Security This chapter provides an overview of cyber security and why it is important for transportation systems. It highlights common myths about cyber security and transportation systems to dispel misunderstandings and to enable transportation agencies to more efficiently and effectively improve the cyber security and resilience of critical transportation infrastructure. The chapter also contains a summary of issues of particular relevance to transportation system cyber security such as Control Systems and Information Technology, data security, cyber-physical systems and emerging trends. 5. Workforce Planning and Training/Exercises This chapter emphasizes the role of the workforce by highlighting its contribution to security and cyber security culture. It contains information on developing and maintaining an effective security-aware and focused transportation agency workforce and then focuses on workforce planning and awareness and training programs for physical security and cyber security personnel of state DOTs and transit agencies. Training delivery and evaluation issues, and exercises, exercise types, and the Homeland Security Exercise and Evaluation Program (HSEEP) are also discussed. A comprehensive checklist for a full-scale exercise is provided. 6. Infrastructure Protection and Resilience This chapter provides an overview of the significant role transportation agencies have in infrastructure protection such as controlling access to critical components, establishing coordination with law enforcement to ensure quick response to incidents, conducting risk and vulnerability assessments, and taking action to mitigate the effects of those risks and vulnerabilities. It also includes information to assist transportation agencies in understanding the impact of a shift in focus from protection of assets to resilience of systems. 7. Homeland Security Laws, Directives, and Guidance This section contains an overview of public laws, presidential directives, national frameworks and strategies that establish the legal authorities related to physical and cyber security.