Transit Cybersecurity and Threat and Vulnerability Assessments, Public Transit Risk Assessment Methodology

June 4, 2024
The integration of the PT-RAM process into transit agencies’ operational security strategies helps providers address both physical and cyber threats and vulnerabilities.

In the ever-changing landscape of public transportation security, the importance of comprehensive vulnerability assessments has gained increasing recognition among transit and federal agencies. With the commencement of the new fiscal year (FY) 2024 Transit Security Grant Program (TSGP) funds, the Federal Emergency Management Agency (FEMA) has mandated the previously voluntary Public Transit Risk Assessment Methodology (PT-RAM) for transit agencies seeking funding. This pivotal change underscores a strategic enhancement in how transit vulnerabilities are identified, analyzed and mitigated against the backdrop of both physical and cyber threats. 

PT-RAM Requirements

Until the current FY, FEMA permitted transit agencies to voluntarily complete and submit PT-RAM results as part of a TSGP request. Agencies were encouraged (not required) to utilize PT-RAM materials to allow the agency to develop and implement effective risk mitigation projects. Although submission of the materials was not mandatory to justify funding, PT-RAM provided a methodology to holistically and internally evaluate vulnerabilities and potential threats targeting transit. 

In FY 24, FEMA has made PT-RAM mandatory: it must be performed within three years of, or in conjunction with, the award of TSGP funding. This new mandate makes PT-RAM obligatory to receive funding while maintaining the intent of the methodology: addressing security vulnerabilities in transit systems and preparing to combat physical and cyber threats.

PT-RAM is designed to assess risks across a range of asset types and threat scenarios, utilizing inputs from subject-matter experts within the transit agency. The PT-RAM process compels agencies to submit the PT-RAM tool output provided by FEMA, conduct a gap analysis to assess current capabilities and develop an implementation plan outlining strategies and measures to mitigate risks. 

TVA Process

For compliance with the new FEMA requirements, transit agencies must conduct (internally or via a third party) a comprehensive Threat and Vulnerability Assessment (TVA). A TVA involves analyzing and evaluating vulnerabilities, consequences and mitigation measures associated with essential operations, capabilities, systems, information, policies and internal controls that can be exploited by a broad range of threats and hazards.

The primary purpose of a TVA is to ensure operational survivability in the face of threats, encompassing five pillars: 

  1. Redundancy 
  2. Resiliency
  3. Endurance
  4. Diversity
  5. Capacity 

Redundancy ensures the availability of multiple systems or components to provide critical services, while resiliency describes the ability of a facility or system to sustain operations despite damaging events. Endurance denotes the period for which backup systems provide critical services, and diversity refers to the physical separation of redundant systems to reduce the probability of damage. Finally, capacity measures the output that a system or component can provide. With survivability as a goal, transit agencies can uphold these tenets by conducting a thorough TVA and executing a mitigation strategy.

Conducting a robust TVA is crucial in today’s complex security landscape. The foundational step involves understanding and documenting the organization’s mission and essential functions. This clarity helps to identify assets that need protection, setting the stage for a focused assessment. 

After the mission is defined, critical assets must be identified, in collaboration with operations owners, to assist in formulating the scope and direction of the assessment. A comprehensive threat and hazard analysis identifies potential events or circumstances that could harm the organization, ranging from adversarial actions to natural disasters. Once critical assets and potential threats are identified, the next step is to assess vulnerabilities in an integrated and multidisciplinary approach.

This involves the examination of weaknesses, gaps and strengths surrounding critical assets to determine what resources are necessary for operational continuity under duress. With this information, it is possible to understand system interdependencies, which helps in predicting how a threat to one system could potentially affect others. 

Finally, the severity and priority of each vulnerability can be addressed with focused mitigation strategies to ensure operational continuity under a variety of adverse conditions. By systematically conducting a TVA, agencies can develop a nuanced understanding of their vulnerabilities and implement strategies that significantly enhance their security posture. This comprehensive approach not only protects the organization’s assets, but also ensures that it remains resilient when confronted by evolving threats and challenges.

Cybersecurity and TVAs

While PT-RAM and TVA processes traditionally focus on physical security, the transit industry’s increased dependence on digital infrastructure compels agencies to address both physical and cybersecurity threats and vulnerabilities. Modern TVA methodologies will incorporate cybersecurity considerations throughout the process, providing a holistic view of the threat landscape. Integrating cyber objectives enhances the overall security posture of transit agencies, promoting a cohesive risk management culture that aligns physical and cybersecurity objectives.

Cybersecurity and physical security objectives should be complementary layers in a defense strategy, enhancing protection through their interconnected roles. Physical security controls, such as surveillance cameras, access controls and physical locking mechanisms, prevent unauthorized access to critical hardware and infrastructure. These measures protect against physical threats and intrusion attempts, ensuring that data and systems are shielded from direct access. 

Conversely, cybersecurity focuses on safeguarding data confidentiality, integrity and availability from digital threats through software solutions and secure configuration. When combined, these controls create a comprehensive security environment. For instance, physical security can prevent cybercriminals from physically accessing a system to install malware while cybersecurity measures protect against a similar remote threat. Together, they form a cohesive security strategy, addressing a wide spectrum of potential vulnerabilities and threats. 

Conclusion 

The integration of the PT-RAM process into transit agencies’ operational security strategies marks a significant advancement in public transportation security management. FEMA’s mandate to perform PT-RAM evaluations strengthens physical security measures while enhancing resilience against cyber threats through a holistic vulnerability management approach. The synergy between PT-RAM and modern TVA methodologies, including cybersecurity considerations, offers a robust framework for addressing the full spectrum of contemporary threats. As transit systems grow more complex and reliant on digital technologies, security assessments are crucial for protecting critical infrastructure and assets, ultimately fostering a secure environment for all users. 

About the Author

Erin Plemons | Director, Center for Critical Infrastructure Protection

Erin Plemons is the director of the Center for Critical Infrastructure Protection in Pueblo, Colo., and specializes in cybersecurity strategy and protection in transportation.

Plemons offers experience in vulnerability assessments, penetration testing, digital forensics and in-classroom instruction.

With a Master of Science in Digital Forensics and several industry certifications, she previously served as a technical lead in the U.S. Navy performing computer network defense (CND) assessments, rapid incident response and afloat training. In her current role, Plemons delivers cyber and physical security courses, compliance and vulnerability assessments and cybersecurity consulting to transportation stakeholders. In her free time, Plemons has served as an adjunct professor at New York University (NYU) and the University of Wisconsin-Madison (UW-Madison).