Securing emergency operations

Jan. 16, 2004

The role of the Traffic Management Center (TMC) or Traffic Operations Center (TOC) has evolved from monitoring traffic and incidents and coordinating response to a much broader role in acting as an Emergency Management Agency Operations Center. TMCs addressed this role in the New York area and northern Virginia during 9/11.

The role of the Traffic Management Center (TMC) or Traffic Operations Center (TOC) has evolved from monitoring traffic and incidents and coordinating response to a much broader role in acting as an Emergency Management Agency Operations Center. TMCs addressed this role in the New York area and northern Virginia during 9/11. These facilities have been chosen as possible emergency operation centers as a result of their wide-area surveillance, communications, command and control infrastructure and operational experience. This expanded role creates a number of challenges for operations in the area of logical and physical security.

Experience with emergencies

The role of the TMC has prepared transportation and management center professionals and their first-responder partners for the operational requirements for emergency situations. In certain cases a first response must be coordinated at a greater scale than that encountered on a normal daily basis. It is natural for the TMC team to use their institutional knowledge and leverage it to terrorist events as well. In order to do this a number of access control challenges must be met.

First step: "hardening" the TMC

Some TMCs exist in office buildings without any particular physical intrusion prevention. Sometimes they exist in multi-use facilities without the requirement for emergency operation. A number of low-cost, low-tech approaches such as fences and gates provide a simple upgrade. As evidenced by a November 60 Minutes piece on chemical plants, many facilities that are part of the nation's critical infrastructure lack a solid perimeter. Unfortunately this is not a unique case. Typical security measures such as bars and alarms on windows and doors provide another easy step that would be addressed as part of any security assessment. Once a reasonable perimeter exists next steps can be taken.

[if !supportEmptyParas] [endif]

Access control

There are two aspects to access control: logical and physical. This is simply who is allowed to access what and when and the means to control, monitor, log and alarm. This can refer to specific rooms or doors or it can refer to computers, networks, files or video feeds. Access control rules change based on time of day (personnel shifts and restricted access) and whether the center is operating in normal or emergency conditions or in some case based on threat level.

Normal operation

As is the case with hardening the TMC, implementing access control includes some initial steps that need to be considered. Looking at normal operations involves an analysis of both logical and physical security requirements such as the perimeter security described above. Identifying a security team consisting of physical and logical security and executive management is a good start. Many enterprises have chief information officers and some have chief security officers. Getting these folks to share knowledge in the case where there is not a unified security management structure is a necessary prerequisite.

Start with the list of individuals who need to gain access. Ideally an organization would use its human resources system in a centralized location to specify who you are and your job status. These types of things change infrequently (if ever) and should be accessed infrequently. Organizations need to treat this information just as they would any other organizational secrets. It increases security for the organization and it protects the individual. This type of information should be separated from the information for control of physical access rights to an individual building.

Once establishing team member identity and role their credential can be created. The creation of the credential like the establishment of identity and role should be done in a secure location by a limited number of trusted individuals. Like a cash register in a retail outlet, the identity, role and credential creation process should be under constant and preferably archived surveillance.

Many different types of credentials exist. The card (key) to access the building seldom is used for accessing computer systems. Smart card solutions can address both of these needs but few examples exist outside of places such as Microsoft and the State Department. In some cases legacy systems exist and given current budget constraints will unlikely be swapped out. Therefore implementing access control is often an incremental process. In cases where there are multiple key types key management becomes a concern. Passwords and computer network control aren't any good if someone has a key to a room with computers and walks out with the PC or hard drive.

Various levels of access control systems exist from simple access lists in a panel controlling a single door to smart cards with multiple authentication (including biometric) factors, and real-time monitoring and surveillance. The point made here is that there should be an access control system. Good control of the perimeter, secure credential creation and key (credential) management have to be addressed regardless of access control sophistication. Another point is that the security system needs to be managed, PIN numbers on doors that everyone knows and never get changed give a false sense of security and can be more dangerous than just leaving a door wide open.

Information security at control centers needs to be taken as seriously as physical access even under normal operations. If these controls are not put in place during normal operation it will be increasingly difficult to just throw a switch to "secure" mode in the case of an emergency. A serious challenge exists here. Centers are charged with sharing and disseminating information with the public in the form of traffic flow, incident detection and traffic imagery. In certain situations this information can contain sensitive information not for general consumption. Vehicle location and tracking technology, E9-1-1, 5-1-1, electronic toll collection (and multi-use of ETC infrastructure) and other intelligent transportation systems (ITS) technologies are becoming a part of normal operations. This puts an increasing burden of information security and becomes part of the operational requirement. Solutions exist for all of these issues but it starts with awareness.

Fortunately the same procedures used in the logical realm for establishing a perimeter, identities, roles and credentials can be used in the physical world. An opportunity exists to use a common security infrastructure to meet the needs of both. Once established some method of access control needs to be put in place.

Emergency operations

In the case where the TMC is used for emergency management the list of individuals requiring access expands greatly. One solution is for each authority to use their existing credentials and for this set of credentials to be recognized by the access control system or to create a common credential. While this challenge exists it needs to be put in place. Leaving access to subjection creates a risk that outweighs the cost of implementation.

The same process gets followed except that a new level of access needs to be implemented. This should be part of the system security and response plan. Pre-establishing the list of who, what, where and when and associating this with the credential set for the emergency level creates a procedure to follow. An approach where the same normal access control procedures get expanded to include the larger group presents the way forward.

Allowing individual organizations to establish emergency team members reduces institutional barriers over controlling personnel. Establishing a security team with oversight and execution responsibilities provides a way to get this done.

About The Author: D'Agostino is vice president, physical security, for CoreStreet Ltd., Cambridge, Mass.

Sponsored Recommendations

The Science Behind Sustainable Concrete Sealing Solutions

Extend the lifespan and durability of any concrete. PoreShield is a USDA BioPreferred product and is approved for residential, commercial, and industrial use. It works great above...

Proven Concrete Protection That’s Safe & Sustainable

Real-life DOT field tests and university researchers have found that PoreShieldTM lasts for 10+ years and extends the life of concrete.

Revolutionizing Concrete Protection - A Sustainable Solution for Lasting Durability

The concrete at the Indiana State Fairgrounds & Event Center is subject to several potential sources of damage including livestock biowaste, food/beverage waste, and freeze/thaw...

The Future of Concrete Preservation

PoreShield is a cost-effective, nontoxic alternative to traditional concrete sealers. It works differently, absorbing deep into the concrete pores to block damage from salt ions...