Developing a Physical and Cyber Security Primer for Transportation Agencies (2020)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

8 Chapter 2 Literature Review For the literature review, the research team sought out recent resources and guidance to compile information in preparation for the revision of Security 101 that would effectively capture and present the scope of physical and cyber security issues impacting today’s transportation agencies. In particular, the team focused on: • Updating the Annotated Bibliography contained in Appendix A in the first edition of Security 101. • Cataloging current security threats and vulnerabilities; transportation system security plans and strategies; countermeasures and other response options and approaches. • Identifying current training resources and requirements. To update the Annotated Bibliography, the research team reviewed all entries in the original document to determine if the entries are still current or have been superseded. “Current” entries are generally still found on the websites of the organizations that first published them. “Superseded” publications are those which have either an updated version or a differently titled publication that is now being recommended. Some entries were considered discontinued if they could no longer be found on the website of the organization which first published it. “Discontinued” entries will be removed from the updated Annotated Bibliography. The URLs listed in the original document were reviewed to determine if they were still active or inactive (listed as not found on the website). Active URLs were identified for all entries to be included in the updated version of the Annotated Bibliography. To identify current transportation system physical and cyber security hazards; vulnerabilities, countermeasures, security plans and recommendations; and training requirements the research team identified and reviewed recent reports and domestic and international research results published after 2009 (the publication date of original Security 101). In particular, the team sought out current information on: • Risk Management and Risk Assessment • Security Planning and Strategies • Threats and Vulnerabilities in Transportation Physical and Cyber Systems • Physical and Cyber Countermeasures and Recommended Practices • Security Training and Exercises • Infrastructure Protection, Resilience and Sustainability • Federal and State Physical and Cyber Security Requirements Sources for the literature review include Google, Google Scholar, and the Transportation Research Integrated Database (TRID)—composed of Transportation Research Information Services (TRIS) Database and the OECD’s Joint Transport Research Centre’s International Transport Research Documentation (ITRD) Database—as the initial search engines for the online search of relevant research and resources. The team looked at both U.S. and non-U.S. results as part of the literature review.

9 Transportation specific sources included the published research reports from the NCHRP and TCRP programs; FHWA, FTA, Volpe National Transportation Systems Center and other federal agencies; ITS America, AASHTO, APTA and other transportation related organizations. The team also searched specific databases and sources such as the National Laboratory research (e.g. Sandia, Idaho National Lab, Argonne National Lab), IEEE publications, NIST cyber security publications, US-CERT, NERC, SANS InfoSec and other databases, MITRE reports, RAND publications, NASCIO and state Homeland Security guidance and reports, DHS cyber security guidance and reports, National Cybersecurity and Communications Integration Center (NCCIC) resources, DOE databases, NSA Information Assurance Service Center, and others. Non-U.S. research efforts and databases included the European Union Agency for Network and Information Security (ENISA) Study on the ICS/SCADA Security, SCADALab, European Network for Cyber Security and BSI (UK’s National Standards organization). Searches were also conducted of standards associations such as ISO/IEC, ISA, ANSI, North American Electric Reliability Council (NERC) CIP, and others. Appendix A provides a listing of selected documents reviewed for the literature search. Key findings are summarized below. Literature Review Findings • Today there are even higher expectations for system performance and reliability and lower tolerance for delays. Small events pose threats of great consequences since the impact of any incident is magnified when a transportation network is operating at or past its capacity—as is the case in portions of many states as travel demand on their transportation networks grows. • Threats and hazards to the system have also continued to evolve since the Security 101 primer was published. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, accidents or unintentional human intervention or intentional criminal acts (e.g., active shooter incidents). • Extreme weather, cyber incidents and other additional hazards need to be addressed as part of all hazards. In addition, the risk of natural and man-made events is growing due to numerous factors including aging infrastructure. • Because today’s transportation systems integrate cyber and physical components, cyber risks are increasing, and include the risk of a cyber incident impacting not only data but the control systems of the physical infrastructure operated by transportation agencies (e.g., tunnel ventilation systems). • Risk may be understood as the potential for unplanned adverse events to impact one or more transportation facilities in a way that causes unacceptable transportation system performance according to any or all of the agency’s performance objectives.

10 • There are a number of transportation asset assessment methodologies that incorporate a variety of risk models such as likelihood models, consequence models, delay/detour models and recovery consequence models. • There are, however, a very limited number of tools available to assess resilience of transportation systems. For example, the NOAA Office of Coastal Management has created a prototype Port Resilience planning tool with checklists and data for “those involved in infrastructure planning for ports and surrounding communities and those responsible for freight-related infrastructure project development or review.” The tool includes a section on coastal hazards that addresses transportation and critical infrastructure exposure to weather-related, technology-related (oil spills, chemical spills), and other hazards (sea level rise, shore erosion). • In the context of transportation systems, increasing the resilience of transportation networks could include adaptations or elements that can be incorporated into the planning and design of specific asset types. For example, NCHRP REPORT 750: STRATEGIC ISSUES FACING TRANSPORTATION, VOLUME 2: CLIMATE CHANGE, EXTREME WEATHER EVENTS, AND THE HIGHWAY SYSTEM: PRACTITIONER’S GUIDE AND RESEARCH REPORT provided specific guidance on potential adaptations for bridges, culverts, storm water infrastructure, slopes/walls, and pavement in light of extreme weather events. • Transportation security is now part of a broader set of emergency management capabilities that DOTs are adopting to ensure resiliency of their transportation networks. • New security guidance documents have been issued since the original guide was released such as NCHRP Report 645: BLAST-RESISTANT HIGHWAY BRIDGES: DESIGN AND DETAILING GUIDELINES and the ANTI-TERRORISM PLANNER FOR BRIDGES (the basis for the new FHWA BRIDGE SECURITY DESIGN MANUAL).