Moderator – John Himmel, WSDOT – Neal Murphy, …...Ernest “Ron” Frazier, Sr., Esq,...

Panel Session on Security

Moderator – John Himmel, WSDOT

Presenters:
– Neal Murphy, Idaho DOT
– David Cooper, TSA
– TBD, FHWA
– David Fletcher, GPC, Inc.

Page 1: Moderator – John Himmel, WSDOT – Neal Murphy, …...Ernest “Ron” Frazier, Sr., Esq, Co-Principal Investigator Western Management & Consulting, LLC Jeffrey Western, Co -Principal

Active Threat

https://www.gunviolencearchive.org/query/0484b316-f676-44bc-97ed-ecefeabae077/map?year=2019

Terrorism

Cybersecurity

Security 101 - David Fletcher, GPC, Inc.

Security 101: A Physical Security Primer for Transportation Agencies provides transportation managers and employees with an introductory-level reference document to enhance their working knowledge of security concepts, guidelines, definitions, and standards.

By Stephen Parker

Threat Environment to Employees – David Cooper, TSA

Employee Safety/Security/THIRA – Neal Murphy (Murph)

Connected Vehicles / Cybersecurity – FHWA

Emergency Management

Neal “Murph” Murphy

Preparedness

9-11 to Sleepy Hollow

• Prepared not Paranoid
– Threat Hazard Identification Risk Analysis
– Standard procedures for every Building/Section
• Open but secure
– Facility Management
– Security Plan
• Development/Strengthen
• Implementation

Team Work

• Communication
– HSIN/Fusion Center
– EMR-ISAC
• Shortened Checklist
– Easy for quick reaction
• Employee teams
– Security, Emergency
• Security Incident Tracking
• Cyber
– Team with Emergency Manager

Partners

• DHS
• Active Assailant Training Exercise
• Facility Security review
– Local and State Agencies
• Coordination with
– Office of Emergency Management
– National Guard
– Health and Welfare
– LE/FIRE
– Idaho State Police

Questions?

AASHTO Committee on Transportation Systems Security and Resilience

Annual Meeting

August 28, 2019
Jackson, WY

David Fletcher, GPC, Inc.

Physical and Cyber Security in Surface Transportation

Background

Security 101 Update

• Aimed at transportation personnel who lack a security background and are responsible for security or infrastructure protection activities

• Presents security topics within a systems resilience and sustainability framework

• Contains state-of-the-practice guidance

• Focused on highway and transit modes

• Developed from non-classified sources

• Suitable for adoption by the AASHTO

Table of Contents

• Executive Summary
• Chapter 1 – Risk Management and Risk Assessment
• Chapter 2 – Plans and Strategies
• Chapter 3 – Security Countermeasures
• Chapter 4 – Cyber Security
• Chapter 5 – Workforce Planning and Training/Exercises
• Chapter 6 – Infrastructure Protection and Resilience
• Chapter 7 – Homeland Security Laws, Directives, and Guidance
• Appendices
– Annotated Bibliography

1: Risk Management and Risk Assessment

• Risk Management
• Cybersecurity Risk Management
• Risk Assessment
• Vulnerability Assessment
• Consequence Assessment

Active Threats

• Active shooter
• “Hit and run” assault
• Assault using edged weapons
• Assault using other weapons
• Vehicle ramming

Cyber Threats

• Cyber breach (malware, DDOS, ransomware)
• Construction/maintenance damage
• Natural disasters
• Space weather
• Spoofing/jamming
• Theft (phishing)

Confidentiality

Integrity

Availability

2: Plans and Strategies

• Security Plan Objectives & Benefits
• Security Plan Elements
– Establishing Priorities
– Roles & Responsibilities
– Selecting Countermeasures & Strategies
– Plan Maintenance
• Security Design Processes
• Cybersecurity Risk-Based Framework
• Asset Management Plans
• Response and Recovery Plans

3: Security Countermeasures

• Physical security countermeasure selection process
• Physical security countermeasures
– Signs, fencing, barriers, lighting, alarms, etc.
• Cybersecurity countermeasures
– Defense-in-depth, access control, monitoring,
– Configuration Mgmt, update/patching, etc.

4: Cybersecurity

• Cybersecurity Myths
• Cyber-Physical Systems
• Procurement Guidance
• Cyber Resilience
• Emerging Trends

5: Workforce Planning and Training

• Building a culture of physical & cyber security
• Physical & cyber security workforce
• Physical & cyber security awareness & training, content, delivery, and evaluation
• Exercises (discussion-based & operations-based)

6: Infrastructure Protection and Resilience

• Infrastructure Protection & Resilience Concepts
• Criticality Analysis
• Critical Transportation Assets
• Critical Transit Assets
• Transportation Operations Systems
• IT and Industrial Control Systems
• Highway and Transit Operations Systems
• Building Security

7: Homeland Security Laws, Directives, and Guidance

• Homeland Security Laws, Statutes, & Regulations

• Homeland Security Directives & Executive Orders

• National Guidance Documents

Future Action Plan

• NCHRP Project 20-124 “Deploying Transportation Security Practices in State DOTs”

• Develop and support implementation of a comprehensive deployment and change management strategy for deploying transportation security practices in state DOTs

• Measurement of success will be the acceptance and implementation of the developed strategy in increasing security practices at the state DOTs

Thank you

“Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.”

Irish Republican Army Communiqué, 1984

Security 101 Primer Update

Countermeasures Assessment & Security Experts, LLC
Ernest “Ron” Frazier, Sr., Esq, Co-Principal Investigator

Western Management & Consulting, LLC
Jeffrey Western, Co-Principal Investigator
Pat Bye

Nakanishi Research and Consulting, LLC
Yuko Nakanishi
Pierre Auza

Geographic Paradigm Computing, Inc.
David Fletcher

Visit the NCHRP Project 20-59(51A) webpage http://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=4070

TRB Program Officer: Stephan Parker