InfoSecPro.com


InfoSecPro.com is a provider of Transportation Security Assessments for Federal, State and Local Governments.
Our staff of Professional Engineers (P.E.), Professional Traffic Operations Engineers (P.T.O.E.), Certified Information Systems Security Professionals (CISSP), Microsoft Certified Systems Engineers (MCSE) and Cisco Certified Network Associates (CCNA) will provide the best, cost-effective security solutions.

Some of the potential vulnerabilities and suggested countermeasures are included in the following Security Checklist.

For Transportation Security assessments contact us at:

InfoSecPro.com
PO Box: 291
Purchase, NY 10577-0291
732-763-2814
tibi@infosecpro.com
www.infosecpro.com

Transportation Security Assessments


The events of September 11, 2001 are just one example of a catastrophic incident that could paralyze or even destroy a Transportation Management Center (TMC), as happened to one of the Port Authority of New York and New Jersey’s TMCs in the basement of one of the World Trade Center buildings. Other types of Transportation Systems or components exposed to catastrophic events include but are not limited to traffic signal systems, freeway management systems, Surveillance Control and Data Acquisition (SCADA) systems typically deployed for control of tunnel devices, and regional information exchange and sharing systems.
Many TMCs around the country are the focal point for an organization’s transportation operations. If they are disabled, paralyzed, or temporarily shut down, then they become ineffective and the traveling public can pay a terrible price. Hence, there is a need to examine methods to provide TMC recovery and redundancy.
Unfortunately, catastrophic events may come in an indefinite number of combinations and permutations. Rather than trying to identify each type of catastrophic event, it is more effective to identify one or several of the underlying issues to which the event fits. The underlying issues are common in many of the mitigation and recovery methods utilized in other industries such as the banking industry and include:

  • Loss of infrastructure such as the loss of road, structure, building, utilities, and / or communications.
  • Loss of key personnel such as the loss or inaccessibility of key member(s) of the operational team.
  • Loss of systems that are key to the operations of the TMC.
  • Community-wide disaster such as situations that affect the community as a whole. These may be civil emergencies, flooding or weather emergencies.

Mitigation is the key to keeping a TMC fully functional. When factors occur that would normally lead to a catastrophic event, it is best to have the risk mitigations in place to lessen the impact. TMC risk mitigation includes many different possibilities that should be planned for within a TMC. Development of mitigation strategies should include a review of a typical TMC’s single points of failure.

Mitigation strategies can be characterized as follows:

  • Redundancy of staff, central systems, field devices, and communications infrastructure.
  • Documentation of standard operation procedures and emergency operating procedures.
  • Testing of back-up systems and operational procedures, through drills and table top exercises.
  • Security, both physical and data.

Where mitigations do not fully protect the TMC from catastrophic events, plans must be formulated to address the appropriate level of recovery for each level of each of the issues listed above. The plans must take into account the cost / benefit of the solution, the amount of time that the TMC or individual functions are allowed to be inactive after a catastrophic event, alternative methods of delivering the service, and the like. The deployment and applicability of the worst-case plan must be tested and retested in order to ensure that at any point the TMC is ready to execute the plan.

The objective is to develop a Transportation Security Disaster Recovery and Redundancy plan that provides guidance and recommended practices on how to plan, initiate, develop and implement recovery and redundancy measures for Transportation Management Centers (TMCs) and Transportation Systems and components.

The scope of the task requires a mix of skills. It requires the use of a range of technical staff with expertise in all facets of a TMC, ranging from staffing and operations to communications to the cyber-security aspects of firmware, software, hardware, system integration, traffic signal systems, freeway management systems, Surveillance Control and Data Acquisition (SCADA) systems typically deployed for control of tunnel devices, and regional information exchange and sharing systems.

Cyber attacks include those that may specifically be waged against software systems. Software components are fundamental to TMCs and ITS systems. In fact, many ITS systems such as freeway management systems, traffic signal systems, and regional information sharing systems may be completely software based. Attacks on software have the possibility of altering what the system and personnel believe is the state of the system and can be easily launched from a laptop computer that is connected to the Internet through WiFi or cell phone carriers.

The development of a Transportation Security Disaster Recovery planning process should start with questions like:

  • What do you feel are the most important recovery issues and redundancy functions of a TMC?
  • Are there TMC functions that your organization would need in the case of a failure that are not needed on a day-to-day basis?
  • What are the main threats that concern your organization that affect your ability to provide TMC recovery and redundancy capabilities?
  • What support does your agency require of infrastructure providers (electric, phone, on-street hardware, etc.) to support TMC recovery and redundancy capabilities?

The following is an outline of a Transportation Security Disaster Recovery and Redundancy Assessment Report:

  • Policies and Procedures
  • Organization Security
  • Asset Management
  • Human Resources
  • Physical and Environmental Security
  • Communication and Operations Management
  • Access Control
  • Information Systems Acquisition, Development And Maintenance
  • Management of Security Incidents And Improvements
  • Security Aspects of Business Continuity Management
  • Compliance
  • Conclusion & Key Considerations

Resources:

Department of Defense Trusted Computer System Evaluation Criteria

Department of Defense Information Technology Security Certification and Accreditation Process

Office of Management and Budget - CIRCULAR NO. A-130

NIST DRAFT Special Publication 800-26, Revision 1: Guide for Information Security Program Assessments and System Reporting Form

NIST SP 800-64: Security Considerations in the Information System Development Life Cycle

NIST SP 800-30: Risk Management Guide for Information Technology Systems

NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems

NIST SP 800-18: Guide for Developing Security Plans for Information Technology Systems


Copyright © 2007 InfoSecPro.com™
No material may be reproduced without written permission.