Currently Skimming:


Pages 4-40

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 4...
... 4 Physical Security and Cybersecurity Risk Management, Risk Assessment, and Asset Evaluation Risk in the broadest sense is defined as "the possibility of loss or injury." When something of value is identified as "at risk," there is a presumption that the asset has been placed in a condition that creates or suggests the chance of loss or peril. In terms of security, transportation agencies face two main categories of risk, physical and cyber.
From page 5...
... The transportation industry has not been excepted from this exponential growth in risk associated with cyber, IT, and ICS. There have been many reported instances of direct attacks targeting transportation or occurrences in which downside exposure has resulted from exploitations of common, distributed, or shared multi-industry user technologies.
From page 6...
... 6 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies manufacturers and distributors, integrators, standards organizations, and government regulators, can result in the identification of defensive strategies to effectively reduce security risk. Maximizing the accountability of all stakeholders in the supply chain presents the opportunity for a strong and systematized approach to managing risk that is both highly efficient and cost-effective.
From page 7...
... Risks are generally reported in order of priority or severity and attached to some description of a level of risk. Risk assessment answers the questions: What can go wrong?
From page 8...
... • Task 2-4. Determine Likelihood -- Determine the likelihood that threat events of concern result in adverse impacts, considering: (1)
From page 9...
... pliance, safety and health, and business performance and continuity risks. Strategic risks are monitored and assessed at both the strategic and business-line levels.
From page 10...
... Source: MnDOT 2014. Figure 1-4.
From page 11...
... may require management at this level. These risks may be identified by senior leaders or through evaluation of business-line risks assessed as having "major" or higher implications for priority agency objectives.
From page 12...
... business-line management groups. The chief risk officer ensures compliance with the MnDOT ERM Framework throughout the agency.
From page 13...
... For the short term, the MnDOT ERM deploys an Integrated Risk Register. The risk register provides risk visibility and accountability to managers.
From page 14...
... trinitrotoluene (TNT), Semtex, or plastic explosives (C-4)
From page 15...
... Weapons of Mass Destruction Weapons of mass destruction or effect (WMD)
From page 16...
... chemicals is not contagious, but the presence of residual chemical agents on the skin or clothing of an exposed individual can affect others. Once the agent is neutralized or removed, the illness stops spreading.
From page 17...
... their potential for weaponization. Category C agents include emerging infectious diseases such as Nipah virus and hantavirus.
From page 18...
... Radioactive Materials Concern exists about the potential for a terrorist attack involving radioactive materials, possibly through the use of a radiological dispersion device (RDD)
From page 19...
... block to several square miles. The effective range would depend on factors such as the amount and type of material, method of dispersal, and local weather conditions.
From page 20...
... A nuclear attack by terrorists is a high-order magnitude event that would potentially kill a large number of people. A dirty bomb containing high-level radioactive material is a potential means of delivery of a nuclear attack.
From page 21...
... method of choice and event type for terrorists and other criminals who were seeking to deploy a weapon capable of mass casualties. Hit-and-run assault involves a sudden attack on a target and immediate withdrawal to avoid adversary response or retaliation.
From page 22...
... A threat such as an active shooter can transition into a barricaded suspect or hostage situation with the arrival of police. Cybersecurity In the cyber world threats are continually manifested, voluminous, and subject to variation.
From page 23...
... 3. Deliver/insert/install malicious capabilities a.
From page 24...
... n. Insert subverted individuals into privileged positions in organizations.
From page 25...
... n. Compromise software of organizational critical information systems.
From page 26...
... m. Conduct internally based session hijacking.
From page 27...
... g. Cause integrity loss by injecting false but believable data into organizational information systems.
From page 28...
... f. Coordinate cyber attacks using external (outsider)
From page 29...
... Criminals (Three types divided by level of sophistication) The common objective for all three criminal groups is assumed to be theft of assets.
From page 30...
... Vulnerability Assessment -- Physical Security Managing security risk for transportation agencies is a threat- and scenario-based activity. Threat definition is the tool by which vulnerabilities of transportation operations and systems should be measured.
From page 31...
... Assets should be considered critical based on their value as determined by the organization and the short- and long-term consequences of their loss, damage, or destruction. Several factors affect the criticality of assets: • Loss and damage consequences -- casualty risk, environmental impact, replacement costs, and replacement/down time; • Consequences to public services -- emergency response functions, government continuity, military importance; and • Consequences to the general public -- available alternatives, economic impact, public health impact, functional importance, and symbolic importance.
From page 32...
... implications that are specific to a particular mode of transportation. In addition to focusing on individual assets, nodes, and links, information specific to the modal view includes how those assets, nodes, and links interact within the mode and with other modes, their emergent properties and governing principles, or legislative information with specific modal impact.
From page 33...
... the DHS-TRAM decision tree. Both methods are approved by Federal Emergency Management Agency (FEMA)
From page 34...
... Vulnerability Assessment -- Cybersecurity In the strictest sense, a cyber vulnerability is a weakness in an information system or the procedures, controls, or implementation processes surrounding the system that can be exploited by an intentional actor or compromised by non-adversarial error, natural event, or accident. Generally, information system vulnerabilities result from lapses in security controls.
From page 35...
... 2019)
From page 36...
... Common Vulnerabilities of Transportation Operations Systems Traffic management centers (TMCs) use intelligent transportation systems (ITS)
From page 37...
... • Loss and damage consequences -- casualty risk, environmental impact, replacement costs, and replacement/down time; • Consequences to public services -- emergency response functions, government continuity, military importance; • Consequences to the general public -- available alternatives, economic impact, public health impact, functional importance, and symbolic importance. Establishing a consequence rating for physical assets can be difficult because of a lack of experience factors or actuarial data.
From page 38...
... information-system–critical assets based on an assessment of perceived or potential harms (NIST 2012)
From page 39...
... Subscribed systems. These consist of "managed" systems outside the transportation agency, including internet service providers, hosted networks, the agency website, data storage, cloud services, and the like.
From page 40...
... Harm to other organizations. These include harms (e.g., financial costs, sanctions)

This material may be derived from roughly machine-read images, and so is provided only to facilitate research.