Currently Skimming: Pages 102-147

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 102...
... For both physical security and cybersecurity, a vigilant workforce with shared values, beliefs, and behaviors engaging in and using security-enhancing practices on a daily basis can enhance the agency's security posture. Transportation agencies must practice prudent workforce management, promote security awareness, and instill knowledge, skills, and abilities into this important and invaluable asset through organization-wide awareness initiatives and training programs that target relevant segments of the agency workforce.
From page 103...
... Workforce Planning and Training/Exercises 103 The transportation agency workforce is the central element around which a security culture is built. Culture is shared values, beliefs, attitudes, and behaviors fueled by good basic practices and sustained awareness by all employees.
From page 104...
... 104 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies cross-sector, national-level NIST efforts such as the national public awareness campaign Stop.Think.Connect.™; the National Initiative for Cybersecurity Careers and Studies (NICCS)
From page 105...
... maturity levels. For instance, the National Initiative for Cybersecurity Education (NICE)
From page 106...
... to reduce security-related risk. Unlike any other security countermeasure or technology, personnel provide the one vital capability for which there is no substitution -- the ability to comprehend and apply reason.
From page 107...
... Source: Countermeasures Assessment & Security Experts, LLC 2008. Figure 5-1.
From page 108...
... transportation agencies experience a low level of serious criminal incidents. Known as Part 1 Crimes in conformance with FBI Uniform Crime Reporting criteria, crimes such as homicide, rape, robbery, aggravated assault, and arson occur so infrequently that the rate is often statistically insignificant from a crimes analysis standpoint.
From page 109...
... may include attempts to place IEDs at critical infrastructure points such as tunnel entrances, can result in periodic patrol checks at such locations. At the same time, security force response times can be measured by location, time of day, day of the week, and the like simply by treating the tunnel infrastructure check as a call for service.
From page 110...
... (6) securely provision, 33 specialty areas, and 52 work roles.
From page 111...
... • Advance. Retain cybersecurity staff and develop career paths.
From page 112...
... NCHRP Web-Only Document 221/TCRP Web-Only Document 67: Protection of Transportation Infrastructure from Cyber Attacks: A Primer (TRB 2015, modified 2016) identified the following high-level user categories and training needs derived from the Cybersecurity Framework (NIST 2014a)
From page 113...
... individuals who will be performing the security work. In the best of all worlds, the agency can identify a security firm with a successful record of past contracted employments performing work in the specific transportation sector and discipline, e.g., rail, highway, or transit.
From page 114...
... security force, a committee of department security coordinators should be empowered with the authority to manage security activities system wide. There are three key areas of program coordination:
• Deploy a broad based, system-wide security management process that identifies, tracks, and responds to all security threats, vulnerabilities, and occurrences.
From page 115...
... security (AASHTO 2015a)
From page 116...
...
• COOPs and contingency plans
• Document control of security-critical systems and facilities
• Emergency employee and public communications
• Emergency smoke ventilation in tunnels
• Information- and intelligence-gathering and -sharing procedures
• IT and communications systems plans
• Mutual aid
• Regional coordination plans and requirements
• Response to increased threat condition levels
• Sensitive security information (SSI) designation, markings, and control
• Shelter of transit vehicles and nonrevenue equipment during emergencies
• Threat and vulnerability identification, assessment, and resolution procedures (APTA 2013a; FTA 2014)
From page 117...
... who lack familiarity with the surroundings. Frontline employees perform work in stations, on vehicles, or on roadways or rights of way and, as such, are often the first to observe something is wrong.
From page 118...
... Source: TSA 2015. Figure 5-3.
From page 119...
... Plans include workplace violence plans, emergency action plans (EAPs), active shooter plans, emergency communications and evacuation plans, other occupational health and safety plans and procedural documents, and lessons learned from exercises or incidents.
From page 120...
...
• Communicate regularly and often.
• Be proactive by releasing relevant and related public data.
From page 121...
... • Monitor likely problem areas and explore mitigation/resiliency strategies to minimize impact. Examine activities to reduce asset loss or human consequences (such as injuries or fatalities)
From page 122...
... to security and cybersecurity will be an important training topic for transportation employees, especially staff of metropolitan planning organizations (MPOs)
From page 123...
...
• Transit Response to Bus or Rail Hijackings Seminar, TSI;
• Active shooter scenario training, various; and
• Shelter-in-place training, various.
Exploring the Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area found the following best practices for passenger security awareness campaigns, which are also applicable to employee awareness initiatives: emulate existing campaigns (to save on agency resources)
From page 124...
... Role-specific training will vary based on position or function and will include detailed information on threats, vulnerabilities, and countermeasures specific to the function, immediate actions based on threat type, and service continuity and restoration procedures. For bus operators, for example, the following topics may comprise their security training curriculum:
• Threats, vulnerabilities, and countermeasures;
• Pre-trip inspection;
• Vehicle securement;
• Fare enforcement;
• Customer assistance;
• Self-protection against active threats;
• Emergency evacuation and shelter-in-place procedures;
• Fire suppression;
• Panic button and emergency communications;
• Customer communications/verbal de-escalation;
• Interacting with responders/how to handle on-scene investigations; and
• Service continuity and restoration.
From page 125...
... The proposed rule would require these entities to do the following:
• Develop security training programs to enhance and sustain the capability of their security-sensitive employees to observe, assess, and respond to security incidents as well as to have the training necessary to implement their specific responsibilities in the event of a security incident.
• Submit the required security training program to TSA for review and approval.
From page 126...
... employees and contractors (TRB 2014a)
From page 127...
... Source: DHS n.d.b. Figure 5-5.
From page 128...
... Cybersecurity Awareness Delivery
Specific NIST recommendations on awareness delivery mechanisms include the following:
• Posters, do-and-don't lists, or checklists
• Screensavers and warning banners/messages
• Newsletters
• Desk-to-desk alerts
• Agency-wide email messages
• Videotapes
• Web-based sessions
• Computer-based sessions
• Teleconferencing sessions
• In-person, instructor-led sessions
• IT security days or similar events
• "Brown bag" seminars
• Pop-up calendar with security contact information, monthly security tips, etc.
• Mascots
• Crossword puzzles
• Awards programs (Section 5.2, NIST SP 800-50, 2003)
From page 129...
... the agency will depend on agency size, geographic dispersion of the workforce, staff schedules, training content and objectives, budget, and predilections of the organizations. Training implementation is difficult, especially for frontline personnel.
From page 130...
... Face-to-face training solutions identified and discussed in 2015's NCHRP Synthesis 468 include the following:
• Field crew meetings. Field crew meetings, regularly scheduled meetings at the district level, can be a cost-effective solution to providing training.
From page 131...
... Field Crew Meetings. Advantages: Meetings are brief and are held on a regular basis at a location/time convenient to field personnel. Meetings are focused and relevant to field crew.
From page 132...
... employee is low. Agencies should consider applying for federal grants to cover training costs.
From page 133...
... integration methods and approaches. Further, physical and cybersecurity workforce development initiatives can be integrated into existing workforce development programs, such as internship or apprenticeship programs and tuition reimbursement programs.
From page 134...
... The Homeland Security Workforce Assessment Act, signed into law in December 2014, requires DHS to assess its cybersecurity workforce and create a strategy "to enhance the readiness, capacity, training, recruitment and retention of its cybersecurity workforce." Elements of the strategy developed through this legislation may help state DOTs and transit agencies address their cybersecurity workforce needs. A mixture of qualitative and quantitative measures to evaluate progress in these activities appears in the 2015 Transportation Systems Sector-Specific Plan (TSSSP)
From page 135...
... policies, agreements, and procedures. Operations-based exercises -- drills, functional exercises (FEs)
From page 136...
... Source: DHS 2013. Figure 5-7. [Figure labels: Capability; Planning/Training; Discussion-Based (Seminars, Workshops, Tabletops, Games); Operations-Based (Drills, Functional Exercises, Full-Scale Exercises).]
From page 137...
... The interaction that takes place among peers can lead to learning. Feedback obtained from after-action reports, debriefings, and hot washes can be beneficial in identifying additional training needs of individuals and groups.
From page 138...
... Further information on exercise types, their differentiating features, their development and conduct, and evaluation methods can be obtained from the 2013 Homeland Security Exercise and Evaluation Program (HSEEP), the 2015 NCHRP Synthesis 468 and the 2017 NCHRP 20-59(51)
From page 139...
... Report 12-08 Exercise Handbook annex, which includes an example scenario for a SCADA failure for a mass transit system. The following scenario was used in an active shooter training and exercise by the TSA Intermodal Security Training and Exercise Program (I-STEP)
From page 140...
...
• What to expect and do when police arrive; and
• Emergency care tips.
Pre-incident planning by the state DOT included creation of an emergency action plan (EAP)
From page 141...
... Box 5-2. Subway Bombing and Active Shooter Scenario Exercises and drills are expensive and require all participants to be present in the same location at the same time.
From page 142...
... Exercise Types
The two major categories of exercises described in HSEEP are discussion-based exercises and operations-based exercises.
• Discussion-based exercises -- seminars, workshops, tabletop exercises, and games -- are less costly and time-consuming than operations-based exercises.
From page 143...
... Figure 5-8. Full-scale exercise checklist.
From page 144...
... Exercise Conduct
Plan for exercise conduct and control. Plan for exercise evaluation.
From page 145...
... general, DOTs preferred using a mix of classroom and online training, and classroom training for interagency rather than for intra-agency training. HSEEP offers substantial exercise planning guidance, and conformance to it is required for many preparedness and homeland security grants.
From page 146...
... Also, civilians may not know how to react in the presence of police and mistakenly act in a suspicious or threatening manner. Exercises offer participants a chance to experience an active shooter scenario in a safe setting and learn how to interact with and support law enforcement.
From page 147...
... Personnel can proactively enhance their preparedness through Awareness, Preparation, and Reporting Problems or Suspicious Persons. The training describes actions to take based on location -- in a break room or office, in an auditorium or other large room, in a hallway.

This material may be derived from roughly machine-read images, and so is provided only to facilitate research.