Pages 116-151

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 116...
... 115 Appendix B Agency Practices
Introduction, 116
A. State Transportation Agency Practices, 117
    1. Risk Management and Risk Assessment, 117
    2. Infrastructure Protection and Resilience, 121
    3. Physical Security Countermeasures, 124
        Prevention, 125
        Deterrence, 125
        Detection, 127
        Mitigation, 127
        Response and Recovery, 129
    4. Cyber Security Countermeasures, 129
    5. Training and Exercises, 133
B. Physical and Cyber Security Legal Authorities, 138
    Public Laws, 139
    Homeland Security Presidential Directives, 142
    National Frameworks and Strategies, 144
C. Other Areas Impacting Physical and Cyber Security, 150
From page 117...
... 116 Introduction NCHRP Report 525: Surface Transportation Security, Volume 14: Security 101: A Physical Security Primer for Transportation Agencies (2009) provided transportation managers and employees with an introductory-level reference document containing essential security concepts, guidelines, definitions, and standards.
From page 118...
... 117 A State Transportation Agency Practices Recent guidance at the national level has been reshaping the focus and long-term direction of transportation agencies.
From page 119...
... 118 assessment, today it is important to not only understand the sensitivity of system assets, infrastructure and services to different types of events, but to also understand the interdependency of critical infrastructure and assets within the transportation system and also across other sectors. There are a number of methodologies associated with assessing transportation assets that incorporate a variety of risk models such as likelihood models, consequence models, delay/detour models and recovery consequence models.
From page 120...
... 119 3. Establish Capability Targets: Assess each threat and hazard in context to develop a specific capability target for each core capability identified in the National Preparedness Goal.
From page 121...
... 120 FHWA Framework for Vulnerability Assessment FHWA developed a Conceptual Model to use in conducting vulnerability and risk assessments of infrastructure to the projected impacts of global climate change. Based on the feedback and lessons learned in pilots with state DOTs, the Conceptual Model was revised and expanded into the Climate Change & Extreme Weather Vulnerability Assessment Framework summarized in Figure 3.
From page 122...
... 121 2. Infrastructure Protection and Resilience Resilience is "the ability to prepare and plan for, absorb, recover from and more successfully adapt to adverse events" (DISASTER RESILIENCE: A NATIONAL IMPERATIVE, NATIONAL RESEARCH COUNCIL, 2012)
From page 123...
... 122 Table 2: FHWA Resilience Pilot Locations.
Pilot | Project Description
Arizona DOT (ADOT) | The ADOT team conducted a study to identify hotspots where highways are vulnerable to associated hazards from high temperatures, drought, and intense storms. The project focused on the interstate corridor connecting Nogales, Tucson, Phoenix, and Flagstaff, which includes a variety of urban areas, landscapes, biotic communities, and climate zones and presents a range of weather conditions applicable to much of Arizona.
California DOT (Caltrans)
From page 124...
... 123 asset information from MDOT's existing asset management database to help identify locations and infrastructure that may be at risk.
Minnesota DOT (MnDOT) | The MnDOT team conducted a vulnerability assessment of bridges, culverts, pipes, and roads paralleling streams to flooding in two districts. Based on the vulnerability assessment results, they developed facility‐level adaptation options for two selected culverts programmed for replacement. Using damage and economic loss estimates associated with flash flooding as well as cost estimates for alternative engineering designs the team identified the most cost‐effective options under a range of climate scenarios.
Metropolitan Transportation Commission (MTC)
From page 125...
... 124 Division (WFLHD) and the Alaska DOT and Public Facilities (ADOT&PF)
From page 126...
... 125 Security Level | Definition
Recovery | The development, coordination, and execution of plans for impacted areas and operations.
The following sections contain summary information on effective security countermeasures by continuum category.
Prevention
There are relatively few security measures available to prevent events from occurring on transportation systems.
From page 127...
... 126 Figure 6: A selection of procedures, activities, and physical interventions with deterrent effects.
Example: Code of Conduct for Transit Passengers: Charlotte Area Transit System
Charlotte released a Riders' Code of Conduct, which notes the following acts are prohibited on a CATS or LYNX vehicle:
• Smoke or carry any lighted tobacco product or expel the residue of any other tobacco product including chewing tobacco
• Consume any alcoholic beverage or possess an open container of any alcoholic beverage
• Engage in disruptive, disturbing behavior including: loud conversation, profanity or rude insults, or operating any electronic device used for sound without an earphone(s)
From page 128...
... 127 The Riders' Code of Conduct was adapted from Charlotte Code Sec.
From page 129...
... 128 guidelines for highway bridge columns were developed. The research found that one of the best ways to mitigate damage was to increase the standoff distance with physical deterrents such as bollards, security fences, and vehicle barriers.
From page 130...
... 129 needing to take paid leave. In addition, the report also notes, "besides the potential physical harm to people, a repeated pattern of aggravated assaults may instill a culture of fear in a transit agency in which passengers are afraid to use the system or operators are afraid to come to work.
From page 131...
... 130 4. Cyber Security Countermeasures NIST Computer Security Division's Computer Security Resource Center (CSRC)
From page 132...
... 131 contractor. Thousands of travelers and flights were disrupted nationwide.
From page 133...
... 132 selected projects. This decision process occurring several times a year results in implementation of 10-30 cyber security measures.
From page 134...
... 133 5. Training and Exercises SECURITY AWARENESS AND ALERTNESS TRAINING IN STATE DEPARTMENTS OF TRANSPORTATION1 (Chen, Nof, Partridge, Varkonyi, and Nakanishi, 2006)
From page 135...
... 134 Table 4: Security Training Content Needs by Audience.
Audience | Content Needs
Frontline |
• Situational assessment of threats and incidents
• Observational skills and reporting dangerous substances, suspicious packages, and situations
• Appropriately reacting to all threats
• Proper use of security equipment or technology
There was clear concern that training for frontline personnel does not need to be too in‐depth or technical.
Transportation Professionals: Mid‐ to high‐level managers and executives in operations, planning, safety, security, maintenance, and other related fields | Aside from the same basic security awareness training for frontline employees, this audience has special high‐level training and education needs in the area of security risk assessment and management, vulnerability assessment, and planning for resiliency. This audience may need to understand more clearly the difference between safety and security.
Contractors and Vendors |
• Similar to frontline employee awareness training
• Reporting suspicious activity.
Emergency Responders |
• Transportation system operations, hazards, and vulnerabilities
• Integrated communications and response practices/procedures
• Integrated incident management
Needs for this group will not be much different from that of frontline employees in terms of emphasis on reporting suspicious and dangerous activities, but would vary in priority based on the proximity and access to critical infrastructure and operations (for maintenance workers)
From page 136...
... 135 Transportation Emergency Response Application (TERA) TERA is a simulation used to respond to and visualize the impact of transportation agency actions in an event/disaster that may affect normal operations.
From page 137...
... 136 4. Proactive information distribution that includes posters in all TxDOT offices, emails to directors of operations, statewide message boards (driven by state operations center)
From page 138...
... 137 Standard components to be included in exercise plans and exercise scheduling and priority determination are described in the CEP. Tennessee's Multi-year Exercise Plan is contained in CEP Appendix 2 and includes a listing of exercise priorities for each training year.
From page 139...
... 138 B Physical and Cyber Security Legal Authorities This section contains an overview of public laws, presidential directives, national frameworks and strategies that establish the legal authorities related to physical and cyber security.  
From page 140...
... 139 Public Laws
Name | Description | Security and Infrastructure Protection Implications
USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)
From page 141...
... 140 Coordinates and supports precautionary evacuations and recovery efforts. Provides transportation assistance for relocating and returning individuals displaced from their residences in a major disaster.
Security and Accountability for Every Port Act of 2006 (SAFE Port Act) | Required that Area Maritime Security (AMS)
From page 142...
... 141 most efficient and effective way for such jurisdictions" to use and become part of the "nationwide public safety broadband network" that is also established under the Act.
Moving Ahead For Progress In The 21st Century Act (MAP–21) | Focused on performance management and established a series of national performance goals. MAP‐21 required incorporating performance goals, measures, and targets into transportation planning. | Most aspects of MAP‐21 are continued in the FAST Act. The goals related to safety, congestion reduction, freight movement and economic vitality and environmental sustainability are of particular relevance to security.
Fixing America's Surface Transportation (FAST)
From page 143...
... 142 Homeland Security Presidential Directives
Name | Description | Security and Infrastructure Protection Implications
HSPD‐5, Management of Domestic Incidents | Purpose: "To enhance the ability of the United States to manage domestic incidents by establishing a single, comprehensive National Incident Management System." It created the National Incident Management System and the National Response Plan; the latter has been replaced by the National Response Framework. | Established foundation for NIMS and National Response Framework.
HSPD‐7, Infrastructure Identification, Prioritization, and Protection | "This directive establishes a national policy for federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks." Led to National Protection Infrastructure Protection Plan. | Established foundation for NIPP and Transportation Systems Sector‐Specific Plan.
HSPD‐8, National Preparedness (2011) | "This directive establishes policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies by requiring a national domestic all‐hazards preparedness goal, establishing mechanisms for improved delivery of federal preparedness assistance to state and local governments, and outlining actions to strengthen preparedness capabilities of federal, state, and local entities." This led to creation of a National Preparedness Goal, which was implemented in the form of the National Preparedness Guidelines (NPG)
From page 144...
... 143 Framework, National Disaster Recovery Framework.
Presidential Policy Directive‐21: Critical Infrastructure Security and Resilience (2013) | Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Resilient infrastructure systems are flexible and agile and should be able to bounce back after disruptions. | Established integration with National Preparedness System. Establishes resilience and rapid recovery as focus of critical infrastructure security.
Executive Order 13636: Improving Critical Infrastructure Cybersecurity (2013)
From page 145...
... 144 National Frameworks and Strategies
Name | Description | Security and Infrastructure Protection Implications
National Preparedness Goal, Second Edition, 2011 updated 2015 | The 2011 National Preparedness Goal defines what it means for the whole community to be prepared for all types of disasters and emergencies. "A secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk." Updated in 2015, the key changes are | Stresses importance of community preparedness and resilience. Risk and the Core Capabilities include cybersecurity and climate change.
From page 146...
... 145 Healthcare, and Emergency Medical Services. Several of the core capability definitions were revised.
National Disaster Recovery Framework, Second Edition, 2011 updated in 2016 | The National Disaster Recovery Framework describes, "how the whole community works together to restore, redevelop, and revitalize the health, social, economic, natural, and environmental fabric of the community." The new framework incorporates the edits to the National Preparedness Goal and new lessons learned. Additional changes made to the framework include: "Increased focus on Recovery's relationship with the other four mission areas. Updated Recovery Support Functions (RSFs)
From page 147...
... 146 • Three revised core capability definitions
    o Environmental Response/Health and Safety;
    o Fatality Management Services; and
    o Logistics and Supply Chain Management.
National Mitigation Framework, Second Edition, 2016 | The National Mitigation Framework covers the capabilities necessary to reduce the loss of life and property by lessening the effects of disasters, and focuses on risk (understanding and reducing it)
From page 148...
... 147 against emerging vulnerabilities are included within the protection mission area. Additional language on interagency coordination within the protection mission area to support the decision‐making processes outlined within the framework."
National Prevention Framework, Second Edition, 2016 | The National Prevention Framework focuses on terrorism and addresses the capabilities necessary to avoid, prevent, or stop imminent threats or attacks. Some core capabilities overlap with the protection mission area. The updates include edits to the National Preparedness Goal, and lessons learned. Other edits include: "Updates to Coordinating Structure language on Joint Operations Centers and the Nationwide Suspicious Activity Reporting Initiative. Clarification on the relationship and differences between the Prevention and Protection mission areas. Updated language on the National Terrorism Advisory System (NTAS) as part of the Public Information and Warning core capability. Additional language on science and technology investments within the prevention mission area." | Prevention coordination with law enforcement and state, local, federal intelligence.
NIPP 2013: Partnering for Critical Infrastructure Security and Resilience | The National Infrastructure Protection Plan (NIPP)
From page 149...
... 148 system, (2) Enhance resilience of transportation system, and (3)
From page 150...
... 149 plan identifies roles and actions to prepare the nation for the hazardous effects of space weather.
National Information Exchange Model (NIEM) | NIEM is a community‐driven, standards‐based approach to exchanging information. Diverse communities can collectively leverage NIEM to increase efficiencies and improve decision making. | Recommended approach to information exchange.
From page 151...
... 150 C Other Areas Affecting Physical and Cyber Security This section contains an overview of other regulations that have an impact on physical and cyber security at state departments of transportation and other transportation agencies.

This material may be derived from roughly machine-read images, and so is provided only to facilitate research.