< < PT04 : PT05 : PT06 > >

PT05: Transit Security

This service package provides for the physical security of transit passengers and transit vehicle operators. On-board equipment performs surveillance and sensor monitoring in order to identify potentially hazardous situations. The surveillance equipment includes video (e.g., CCTV cameras), audio systems and/or event recorder systems. The sensor equipment includes threat sensors (e.g., chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors) and object detection sensors (e.g., metal detectors). Transit user or transit vehicle operator activated alarms are provided on-board. Public areas (e.g., transit stops, park and ride lots, stations) are also monitored with similar surveillance and sensor equipment and provided with transit user activated alarms. In addition this service package provides surveillance and sensor monitoring of non-public areas of transit facilities (e.g., transit yards) and transit infrastructure such as bridges, tunnels, and transit railways or bus rapid transit (BRT) guideways. The surveillance equipment includes video and/or audio systems. The sensor equipment includes threat sensors and object detection sensors as described above as well as, intrusion or motion detection sensors and infrastructure integrity monitoring (e.g., rail track continuity checking or bridge structural integrity monitoring).

Most of the surveillance and sensor data that is collected by this service package may be monitored by either the Emergency Management Center or the Transit Management Center, providing two possible approaches to implementing this service package. This service package also supports remote transit vehicle disabling and transit vehicle operator authentication by the Transit Management Center.

Relevant Regions: Australia, Canada, European Union, and United States

Enterprise

Development Stage Roles and Relationships

Installation Stage Roles and Relationships

Operations Stage Roles and Relationships
(hide)

Source Destination Role/Relationship
Alerting and Advisory System Manager Alerting and Advisory System Manages
Alerting and Advisory System Owner Alerting and Advisory System Owns
Alerting and Advisory System Owner Alerting and Advisory System Manager Operations Agreement
Alerting and Advisory System Owner Emergency Management Center Owner Information Provision Agreement
Alerting and Advisory System Supplier Alerting and Advisory System Owner Warranty
Basic Transit Vehicle Manager Basic Transit Vehicle Manages
Basic Transit Vehicle Manager Transit Vehicle Operator System Usage Agreement
Basic Transit Vehicle Owner Basic Transit Vehicle Owns
Basic Transit Vehicle Owner Basic Transit Vehicle Manager Operations Agreement
Basic Transit Vehicle Owner Transit Vehicle OBE Owner Expectation of Data Provision
Basic Transit Vehicle Supplier Basic Transit Vehicle Owner Warranty
Emergency Management Center Manager Emergency Management Center Manages
Emergency Management Center Manager Emergency System Operator System Usage Agreement
Emergency Management Center Owner Emergency Management Center Owns
Emergency Management Center Owner Emergency Management Center Manager Operations Agreement
Emergency Management Center Owner Other Emergency Management Centers Owner Information Exchange Agreement
Emergency Management Center Owner Rail Operations Center Owner Information Provision Agreement
Emergency Management Center Owner Security Monitoring Equipment Owner Information Exchange Agreement
Emergency Management Center Owner Transit Management Center Owner Information Exchange Agreement
Emergency Management Center Owner Transit Vehicle OBE Owner Information Exchange Agreement
Emergency Management Center Owner Traveler Support Equipment Owner Information Exchange Agreement
Emergency Management Center Supplier Emergency Management Center Owner Warranty
Emergency System Operator Emergency Management Center Operates
Media Manager Media Manages
Media Owner Media Owns
Media Owner Media Manager Operations Agreement
Media Supplier Media Owner Warranty
Other Emergency Management Centers Manager Other Emergency Management Centers Manages
Other Emergency Management Centers Owner Emergency Management Center Owner Information Exchange Agreement
Other Emergency Management Centers Owner Other Emergency Management Centers Owns
Other Emergency Management Centers Owner Other Emergency Management Centers Manager Operations Agreement
Other Emergency Management Centers Supplier Other Emergency Management Centers Owner Warranty
Rail Operations Center Manager Rail Operations Center Manages
Rail Operations Center Owner Rail Operations Center Owns
Rail Operations Center Owner Rail Operations Center Manager Operations Agreement
Rail Operations Center Supplier Rail Operations Center Owner Warranty
Security Monitoring Equipment Manager Security Monitoring Equipment Manages
Security Monitoring Equipment Owner Emergency Management Center Owner Information Exchange Agreement
Security Monitoring Equipment Owner Security Monitoring Equipment Owns
Security Monitoring Equipment Owner Security Monitoring Equipment Manager Operations Agreement
Security Monitoring Equipment Supplier Security Monitoring Equipment Owner Warranty
Transit Management Center Manager Transit Management Center Manages
Transit Management Center Manager Transit Operations Personnel System Usage Agreement
Transit Management Center Owner Emergency Management Center Owner Information Exchange Agreement
Transit Management Center Owner Media Owner Information Provision Agreement
Transit Management Center Owner Transit Management Center Owns
Transit Management Center Owner Transit Management Center Manager Operations Agreement
Transit Management Center Owner Transit Vehicle OBE Owner Information Exchange Agreement
Transit Management Center Owner Transportation Information Center Owner Information Provision Agreement
Transit Management Center Owner Traveler Support Equipment Owner Information Exchange Agreement
Transit Management Center Supplier Transit Management Center Owner Warranty
Transit Operations Personnel Transit Management Center Operates
Transit Vehicle OBE Manager Transit Vehicle OBE Manages
Transit Vehicle OBE Manager Transit Vehicle Operator System Usage Agreement
Transit Vehicle OBE Owner Basic Transit Vehicle Owner Expectation of Data Provision
Transit Vehicle OBE Owner Emergency Management Center Owner Information Exchange Agreement
Transit Vehicle OBE Owner Transit Management Center Owner Information Exchange Agreement
Transit Vehicle OBE Owner Transit Vehicle OBE Owns
Transit Vehicle OBE Owner Transit Vehicle OBE Manager Operations Agreement
Transit Vehicle OBE Supplier Transit Vehicle OBE Owner Warranty
Transit Vehicle Operator Basic Transit Vehicle Operates
Transit Vehicle Operator Transit Vehicle OBE Operates
Transportation Information Center Manager Transportation Information Center Manages
Transportation Information Center Owner Transportation Information Center Owns
Transportation Information Center Owner Transportation Information Center Manager Operations Agreement
Transportation Information Center Supplier Transportation Information Center Owner Warranty
Traveler Traveler Support Equipment Operates
Traveler Support Equipment Manager Traveler System Usage Agreement
Traveler Support Equipment Manager Traveler Support Equipment Manages
Traveler Support Equipment Owner Emergency Management Center Owner Information Exchange Agreement
Traveler Support Equipment Owner Transit Management Center Owner Information Exchange Agreement
Traveler Support Equipment Owner Traveler Support Equipment Owns
Traveler Support Equipment Owner Traveler Support Equipment Manager Operations Agreement
Traveler Support Equipment Supplier Traveler Support Equipment Owner Warranty

Maintenance Stage Roles and Relationships

Functional

This service package includes the following Functional View PSpecs:

Physical Object Functional Object PSpec Number PSpec Name
Emergency Management Center Emergency Response Management 5.1.1.3 Collect Incident And Event Data
5.1.2 Determine Coordinated Response Plan
5.1.3 Communicate Emergency Status
5.1.4 Manage Emergency Response
5.1.5 Manage Emergency Service Allocation Store
5.2 Provide Operator Interface for Emergency Data
5.3.1 Select Response Mode
5.7.1 Assess System Status For Disasters
5.7.2 Provide Disaster Response Coordination
5.7.3 Assess System Status For Evacuation
Emergency Secure Area Alarm Support 5.1.1.4.6 Provide Operator Interface for Security
5.1.7.4 Manage Alarms
Emergency Secure Area Sensor Management 5.1.1.4.1 Manage Secure Area Sensors
5.1.1.4.3 Analyze Threats
5.1.1.4.4 Disseminate Threat Info
5.1.1.4.6 Provide Operator Interface for Security
5.1.4 Manage Emergency Response
5.2 Provide Operator Interface for Emergency Data
Emergency Secure Area Surveillance 5.1.1.4.2 Manage Secure Area Surveillance
5.1.1.4.5 Analyze Traveler Image
5.1.1.4.6 Provide Operator Interface for Security
5.1.4 Manage Emergency Response
5.2 Provide Operator Interface for Emergency Data
Security Monitoring Equipment Field Secure Area Sensor Monitoring 5.1.7.2.3 Collect Secure Area Sensor Data
5.1.7.2.4 Process Secure Area Sensor Data
Field Secure Area Surveillance 5.1.7.2.1 Surveil Secure Area
5.1.7.2.2 Process Secure Area Surveillance
Transit Management Center Transit Center Security 4.1.5.3 Manage Transit Driver Authentication
4.2.1.7 Provide Interface for Other Transit Management Data
4.4.1 Provide Transit Security and Emergency Management
4.4.2 Coordinate Multiple Agency Responses to Transit Incidents
4.4.3 Generate Responses for Transit Incidents
4.4.4 Provide Transit Operations Personnel Security Interface
Transit Vehicle OBE Transit Vehicle Security 4.1.1 Process On-Board Systems Data
4.1.3 Provide Transit Vehicle Location Data
5.1.7.3.1 Surveil Secure Vehicle Area
5.1.7.3.2 Process Secure Vehicle Area Surveillance
5.1.7.3.3 Collect Secure Vehicle Area Sensor Data
5.1.7.3.4 Process Secure Vehicle Area Sensor Data
5.1.7.3.5 Manage Secure Vehicle Emergencies
5.1.7.3.6 Provide Transit Vehicle Operator Interface for Emergencies
Traveler Support Equipment Traveler Security 5.1.7.1 Report Traveler Emergencies

Physical

The physical diagram can be viewed in SVG or PNG format and the current format is SVG.
SVG Diagram
PNG Diagram


Display Legend in SVG or PNG

Includes Physical Objects:

Physical Object Class Description
Alerting and Advisory System Center 'Alerting and Advisory System' represents the federal, state, and local alerting and advisory systems that provide alerts, advisories, and other potential threat information that is relevant to surface transportation systems. This includes systems such as the Information Sharing and Analysis Centers (ISACS), the National Infrastructure Protection Center (NIPC), the Homeland Security Advisory System (HSAS), and other systems that provide intelligence about potential, imminent, or actual attacks on the transportation infrastructure or its supporting information systems.

This system also represents the early warning and emergency alert systems operated by federal, state, county, and local agencies that provide advisories and alerts regarding all types of emergencies including natural hazards (floods, hurricanes, tornados, earthquakes), accidents (chemical spills, nuclear power plant emergencies) and other civil emergencies such as child abduction alerts that impact transportation system operation and/or require immediate public notification. Note that weather related watches and warnings, such as those issued by the National Hurricane Center, are provided by both this terminator and the Weather Service terminator since many alerting and advisory systems and the National Weather Service both provide severe weather and related hazards information.

The alerts and advisories that are provided by the systems represented by this terminator are based on analysis of potential threat information that is collected from a variety of sources, including information collected by ITS systems. The bidirectional interface with this terminator allows potential threat information that is collected by ITS systems to be provided to the alerting and advisory systems to improve their ability to identify threats and provide useful and timely information.

The types of information provided by this terminator include general assessments and incident awareness information, advisories that identify potential threats or recommendations to increase preparedness levels, alerts regarding imminent or in-progress emergencies, and specific threat information such as visual imagery used for biometric image processing.
Basic Transit Vehicle Vehicle The 'Basic Transit Vehicle' represents the transit vehicle that hosts the on-board equipment that provides ITS functions. It includes a specialized and extended databus that is subject to different vehicle databus standards and hosts a broad range of components that are unique to a transit vehicle including the farebox and associated electronics, passenger counters, and transit security systems. The Transit Vehicle may represent a bus, paratransit vehicle, light rail vehicle, or other vehicle designed to carry passengers.
Emergency Management Center Center The 'Emergency Management Center' represents systems that support incident management, disaster response and evacuation, security monitoring, and other security and public safety-oriented ITS applications. It includes the functions associated with fixed and mobile public safety communications centers including public safety call taker and dispatch centers operated by police (including transit police), fire, and emergency medical services. It includes the functions associated with Emergency Operations Centers that are activated at local, regional, state, and federal levels for emergencies and the portable and transportable systems that support Incident Command System operations at an incident. This Center also represents systems associated with towing and recovery, freeway service patrols, HAZMAT response teams, and mayday service providers.

It manages sensor and surveillance equipment used to enhance transportation security of the roadway infrastructure (including bridges, tunnels, interchanges, and other key roadway segments) and the public transportation system (including transit vehicles, public areas such as transit stops and stations, facilities such as transit yards, and transit infrastructure such as rail, bridges, tunnels, or bus guideways). It provides security/surveillance services to improve traveler security in public areas not a part of the public transportation system.

It monitors alerts, advisories, and other threat information and prepares for and responds to identified emergencies. It coordinates emergency response involving multiple agencies with peer centers. It stores, coordinates, and utilizes emergency response and evacuation plans to facilitate this coordinated response. Emergency situation information including damage assessments, response status, evacuation information, and resource information are shared The Emergency Management Center also provides a focal point for coordination of the emergency and evacuation information that is provided to the traveling public, including wide-area alerts when immediate public notification is warranted.

It tracks and manages emergency vehicle fleets using real-time road network status and routing information from the other centers to aid in selecting the emergency vehicle(s) and routes, and works with other relevant centers to tailor traffic control to support emergency vehicle ingress and egress, implementation of special traffic restrictions and closures, evacuation traffic control plans, and other special strategies that adapt the transportation system to better meet the unique demands of an emergency.
Emergency System Operator Center 'Emergency System Operator' represents the public safety personnel that monitor emergency requests, (including those from the E911 Operator) and set up pre-defined responses to be executed by an emergency management system. The operator may also override predefined responses where it is observed that they are not achieving the desired result. This also includes dispatchers who manage an emergency fleet (police, fire, ambulance, HAZMAT, etc.) or higher order emergency managers who provide response coordination during emergencies.
Media Center 'Media' represents the information systems that provide traffic reports, travel conditions, and other transportation-related news services to the traveling public through radio, TV, and other media. Traffic and travel advisory information that are collected by ITS are provided to this object. It is also a source for traffic flow information, incident and special event information, and other events that may have implications for the transportation system.
Other Emergency Management Centers Center 'Other Emergency Management Centers' provides a source and destination for information flows between various communications centers operated by public safety agencies, emergency management agencies, other allied agencies, and private companies that participate in coordinated management of transportation-related incidents, including disasters. The interface represented by this object enables emergency management activities to be coordinated across jurisdictional boundaries and between functional areas, supporting requirements for general networks connecting many allied agencies. It also supports interface to other allied agencies like utility companies that also participate in the coordinated response to selected highway-related incidents.
Rail Operations Center Center 'Rail Operations Center' represents the (usually) centralized control point for a substantial segment of a freight railroad's operations and maintenance activities. It is roughly the railroad equivalent to a highway Traffic Management Center. It is the source and destination of information that can be used to coordinate rail and highway traffic management and maintenance operations. It is also the source and destination for incident, incident response, disaster, or evacuation information that is exchanged with an Emergency Management Center. The use of a single object for multiple sources and destination for information exchange with railroads implies the need for a single, consistent interface between a given railroad's operations and maintenance activities and ITS.
Security Monitoring Equipment Field 'Security Monitoring Equipment' includes surveillance and sensor equipment used to provide enhanced security and safety for transportation facilities or infrastructure. The equipment is located in non-public areas of transportation facilities (e.g. maintenance and transit yards), on or near non-roadway parts of the transportation infrastructure (e.g. transit railway and guideways), and in public areas (e.g., transit stops, transit stations, intermodal terminals). This equipment also includes surveillance and sensor equipment located on or near major roadway features such as bridges, tunnels, and interchanges, when the equipment's primary function is one of security and safety. If the primary function of the equipment is traffic surveillance or incident detection, then the surveillance or sensors would be covered as part of the 'ITS Roadway Equipment'. The surveillance equipment includes video (e.g. CCTV cameras) and/or audio systems. The sensor equipment includes threat sensors (e.g. chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors), object detection (e.g. metal detectors), intrusion or motion detection, and infrastructure integrity monitoring (e.g. rail track continuity checking or bridge structural integrity monitoring). Limited processing of collected sensor and surveillance data is also included in this subsystem to support threat detection and classification.
Transit Management Center Center The 'Transit Management Center' manages transit vehicle fleets and coordinates with other modes and transportation services. It provides operations, maintenance, customer information, planning and management functions for the transit property. It spans distinct central dispatch and garage management systems and supports the spectrum of fixed route, flexible route, paratransit services, transit rail, and bus rapid transit (BRT) service. The physical object's interfaces support communication between transit departments and with other operating entities such as emergency response services and traffic management systems.
Transit Operations Personnel Center 'Transit Operations Personnel' represents the people that are responsible for fleet management, maintenance operations, and scheduling activities of the transit system. These different roles represent a variety of individuals in the transit industry. Within the transit industry the person responsible for fleet management is known by many names: Street Supervisor, Starter, Dispatcher, Supervisor, Traffic Controller, Transportation Coordinator. This person actively monitors, controls, and modifies the transit fleet routes and schedules on a day to day basis (dynamic scheduling). The modifications will take account of abnormal situations such as vehicle breakdown, vehicle delay, detours around work zones or incidents (detour management, connection protection, and service restoration), and other causes of route or schedule deviations. Transit operations personnel are also responsible for demand responsive transit operation and for managing emergency situations within the transit network such as silent alarms on board transit vehicles, or the remote disabling of the vehicle. In addition the Transit Operations Personnel may be responsible for assigning vehicle operators to routes, checking vehicle operators in and out, and managing transit stop issues. This object also represents the personnel in the transit garage that are responsible for maintenance of the transit fleets, including monitoring vehicle status, matching vehicles with operators, and maintenance checking of transit vehicles. Finally, it represents the people responsible for planning, development, and management of transit routes and schedules.
Transit Vehicle OBE Vehicle The Transit Vehicle On-Board equipment (OBE) resides in a transit vehicle and provides the sensory, processing, storage, and communications functions necessary to support safe and efficient movement of passengers. The types of transit vehicles containing this physical object include buses, paratransit vehicles, light rail vehicles, other vehicles designed to carry passengers, and supervisory vehicles. It collects ridership levels and supports electronic fare collection. It supports a traffic signal prioritization function that communicates with the roadside physical object to improve on-schedule performance. Automated vehicle location enhances the information available to the transit operator enabling more efficient operations. On-board sensors support transit vehicle maintenance. The physical object supports on-board security and safety monitoring. This monitoring includes transit user or vehicle operator activated alarms (silent or audible), as well as surveillance and sensor equipment. The surveillance equipment includes video (e.g. CCTV cameras), audio systems and/or event recorder systems. It also furnishes travelers with real-time travel information, continuously updated schedules, transfer options, routes, and fares. A separate 'Vehicle OBE' physical object supports the general vehicle safety and driver information capabilities that apply to all vehicles, including transit vehicles. The Transit Vehicle OBE supplements these general capabilities with capabilities that are specific to transit vehicles.
Transit Vehicle Operator Vehicle The 'Transit Vehicle Operator' represents the person that receives and provides additional information that is specific to operating the ITS functions in all types of transit vehicles. The information received by the operator would include status of on-board systems. Additional information received depends upon the type of transit vehicle. In the case of fixed route transit vehicles, the Transit Vehicle Operator would receive operator instructions that might include actions to take to correct schedule deviations. In the case of flexible fixed routes and demand response routes the information would also include dynamic routing or passenger pickup information.
Transportation Information Center Center The 'Transportation Information Center' collects, processes, stores, and disseminates transportation information to system operators and the traveling public. The physical object can play several different roles in an integrated ITS. In one role, the TIC provides a data collection, fusing, and repackaging function, collecting information from transportation system operators and redistributing this information to other system operators in the region and other TICs. In this information redistribution role, the TIC provides a bridge between the various transportation systems that produce the information and the other TICs and their subscribers that use the information. The second role of a TIC is focused on delivery of traveler information to subscribers and the public at large. Information provided includes basic advisories, traffic and road conditions, transit schedule information, yellow pages information, ride matching information, and parking information. The TIC is commonly implemented as a website or a web-based application service, but it represents any traveler information distribution service.
Traveler Personal The 'Traveler' represents any individual who uses transportation services. The interfaces to the traveler provide general pre-trip and en-route information supporting trip planning, personal guidance, and requests for assistance in an emergency that are relevant to all transportation system users. It also represents users of a public transportation system and addresses interfaces these users have within a transit vehicle or at transit facilities such as roadside stops and transit centers.
Traveler Support Equipment Field 'Traveler Support Equipment' provides access to traveler information at transit stations, transit stops, other fixed sites along travel routes (e.g., rest stops, merchant locations), and major trip generation locations such as special event centers, hotels, office complexes, amusement parks, and theaters. Traveler information access points include kiosks and informational displays supporting varied levels of interaction and information access. At transit stops this might be simple displays providing schedule information and imminent arrival signals. This may be extended to include multi-modal information including traffic conditions and transit schedules to support mode and route selection at major trip generation sites. Personalized route planning and route guidance information can also be provided based on criteria supplied by the traveler. It also supports service enrollment and electronic payment of transit fares. In addition to the traveler information provision, it also enhances security in public areas by supporting traveler activated silent alarms.

Includes Functional Objects:

Functional Object Description Physical Object
Emergency Response Management 'Emergency Response Management' provides the strategic emergency response capabilities and broad inter-agency interfaces that are implemented for extraordinary incidents and disasters that require response from outside the local community. It provides the functional capabilities and interfaces commonly associated with Emergency Operations Centers. It develops and stores emergency response plans and manages overall coordinated response to emergencies. It monitors real-time information on the state of the regional transportation system including current traffic and road conditions, weather conditions, special event and incident information. It tracks the availability of resources and assists in the appropriate allocation of these resources for a particular emergency response. It also provides coordination between multiple allied agencies before and during emergencies to implement emergency response plans and track progress through the incident. It also coordinates with the public through the Emergency Telecommunication Systems (e.g., Reverse 911). It coordinates with public health systems to provide the most appropriate response for emergencies involving biological or other medical hazards. Emergency Management Center
Emergency Secure Area Alarm Support 'Emergency Secure Area Alarm Support' receives traveler or transit vehicle operator alarm messages, notifies the system operator, and provides acknowledgement of alarm receipt back to the originator of the alarm. The alarms received can be generated by silent or audible alarm systems and may originate from public areas (e.g. transit stops, park and ride lots, transit stations, rest areas) or transit vehicles. The nature of the emergency may be determined based on the information in the alarm message as well as other inputs. Emergency Management Center
Emergency Secure Area Sensor Management 'Emergency Secure Area Sensor Management' manages sensors that monitor secure areas in the transportation system, processes the collected data, performs threat analysis in which data is correlated with other sensor, surveillance, and advisory inputs, and then disseminates resultant threat information to emergency personnel and other agencies. In response to identified threats, the operator may request activation of barrier and safeguard systems to preclude an incident, control access during and after an incident or mitigate impact of an incident. The sensors may be in secure areas frequented by travelers (i.e., transit stops, transit stations, rest areas, park and ride lots, modal interchange facilities, on-board a transit vehicle, etc.) or around transportation infrastructure such as bridges, tunnels and transit railways or guideways. The types of sensors include acoustic, threat (e.g. chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors), infrastructure condition and integrity, motion and object sensors. Emergency Management Center
Emergency Secure Area Surveillance 'Emergency Secure Area Surveillance' monitors surveillance inputs from secure areas in the transportation system. The surveillance may be of secure areas frequented by travelers (i.e., transit stops, transit stations, rest areas, park and ride lots, modal interchange facilities, on-board a transit vehicle, etc.) or around transportation infrastructure such as bridges, tunnels and transit railways or guideways. It provides both video and audio surveillance information to emergency personnel and automatically alerts emergency personnel of potential incidents. Emergency Management Center
Field Secure Area Sensor Monitoring 'Field Secure Area Sensor Monitoring' includes sensors that monitor conditions of secure areas including facilities (e.g. transit yards), transportation infrastructure (e.g. Bridges, tunnels, interchanges, and transit railways or guideways), and public areas (e.g., transit stops, transit stations, rest areas, park and ride lots, modal interchange facilities). A range of acoustic, environmental threat (e.g. Chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors), infrastructure condition and integrity and motion and object sensors are included. Security Monitoring Equipment
Field Secure Area Surveillance 'Field Secure Area Surveillance' includes video and audio surveillance equipment that monitors conditions of secure areas including facilities (e.g. transit yards), transportation infrastructure (e.g. as bridges, tunnels, interchanges, and transit railways or guideways), and public areas (e.g., transit stops, transit stations, rest areas, park and ride lots, modal interchange facilities). It provides the surveillance information to the Emergency Management Center for possible threat detection. It also provides local processing of the video or audio information, providing processed or analyzed results to the Emergency Management Center. Security Monitoring Equipment
Transit Center Security 'Transit Center Security' monitors transit vehicle operator or traveler activated alarms received from on-board a transit vehicle. It supports transit vehicle operator authentication and provides the capability to remotely disable a transit vehicle. It also includes the capability to alert operators and police to potential incidents identified by these security features. Transit Management Center
Transit Vehicle Security 'Transit Vehicle Security' provides security and safety functions on-board the transit vehicle. It includes surveillance and sensor systems that monitor the on-board environment, silent alarms that can be activated by transit user or vehicle operator, operator authentication, and a remote vehicle disable function. The surveillance equipment includes video (e.g. CCTV cameras), audio systems and/or event recorder systems. The sensor equipment includes threat sensors (e.g. chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors) and object detection sensors (e.g. metal detectors). Transit Vehicle OBE
Traveler Security 'Traveler Security' provides the capability to report an emergency or summon assistance from secure areas such as transit stops, transit stations, modal transfer facilities, rest stops and picnic areas, park-and-ride areas, tourism and travel information areas, and emergency pull off areas. This object includes interfaces that support initiation of an alarm and presentation of the returned alarm acknowledgement as well as a broadcast message to advise or warn the traveler. Traveler Support Equipment

Includes Information Flows:

Information Flow Description
alarm acknowledge Confirmation that alarm was received, instructions and additional information for the alarm initiator, and requests for additional information.
alarm notification Notification of activation of an audible or silent alarm by a traveler in a public area or by a transit vehicle operator using an on-board device.
emergency operations input Emergency operator input supporting call taking, dispatch, emergency operations, security monitoring, and other operations and communications center operator functions.
emergency operations status Presentation of information to the operator including emergency operations data, supporting a range of emergency operating positions including call taker, dispatch, emergency operations, security monitoring, and various other operations and communications center operator positions.
host transit vehicle status Information provided to the ITS on-board equipment from other systems on the Transit Vehicle Platform.
incident information Notification of existence of incident and expected severity, location, time and nature of incident. As additional information is gathered and the incident evolves, updated incident information is provided. Incidents include any event that impacts transportation system operation ranging from routine incidents (e.g., disabled vehicle at the side of the road) through large-scale natural or human-caused disasters that involve loss of life, injuries, extensive property damage, and multi-jurisdictional response. This also includes special events, closures, and other planned events that may impact the transportation system.
incident report Report of an identified incident including incident location, type, severity and other information necessary to initiate an appropriate incident response.
incident response status Status of the current incident response including a summary of incident status and its impact on the transportation system, traffic management strategies implemented at the site (e.g., closures, diversions, traffic signal control overrides), and current and planned response activities.
infrastructure monitoring sensor control Data used to configure and control infrastructure monitoring sensors.
infrastructure monitoring sensor data Data read from infrastructure-based sensors that monitor the condition or integrity of transportation infrastructure including bridges, tunnels, interchanges, pavement, culverts, signs, transit rail or guideway, and other roadway infrastructure. Includes sensor data and the operational status of the sensors.
remote vehicle disable Signal used to remotely disable a transit vehicle.
secure area sensor control Information used to configure and control threat sensors (e.g., thermal, acoustic, radiological, chemical), object, motion and intrusion detection sensors. The provided information controls sensor data collection, aggregation, filtering, and other local processing.
secure area sensor data Data provided by threat sensors (e.g., thermal, acoustic, radiological, chemical), and intrusion, motion, and object detection sensors in secure areas indicating the sensor's operational status, raw and processed sensor data, and alarm indicators when a threat has been detected.
secure area surveillance control Information used to configure and control audio and video surveillance systems used for transportation infrastructure security in secure areas. The provided information controls surveillance data collection, aggregation, filtering, and other local processing.
secure area surveillance data Data collected from surveillance systems used to monitor secure areas. Includes video, audio, processed surveillance data, equipment operational status, and alarm indicators when a threat has been detected.
threat information Threats regarding transportation infrastructure, facilities, or systems detected by a variety of methods (sensors, surveillance, threat analysis of advisories from outside agencies, etc.
threat information coordination Sensor, surveillance, and threat data including raw and processed data that is collected by sensor and surveillance equipment located in secure areas.
threat support data Information provided to help receiving agency identify possible threats, including biometric image processing support data.
transit emergency data Initial notification of transit emergency at a transit stop or on transit vehicles and further coordination as additional details become available and the response is coordinated.
transit incident information Information on transit incidents that impact transit services for public dissemination.
transit operations personnel input User input from transit operations personnel including instructions governing service availability, schedules, emergency response plans, transit personnel assignments, transit maintenance requirements, and other inputs that establish general system operating requirements and procedures.
transit operations status Presentation of information to transit operations personnel including accumulated schedule and fare information, ridership and on-time performance information, emergency response plans, transit personnel information, maintenance records, and other information intended to support overall planning and management of a transit property.
transit vehicle conditions Operating conditions of transit vehicle (e.g., engine running, oil pressure, fuel level and usage). It includes status of other on-board systems including user displays, passenger counters, and security systems. This overall status information is also collected from unused (out of service) vehicles.
transit vehicle control Control commands to transit-specific hardware supporting transit fare collection, passenger counting, traveler information systems, and other transit-specific control systems on-board the transit vehicle. This flow also includes the signal disabling or enabling transit vehicle operation sent as a result of a transit vehicle operator authentication failure or a remote disable command. See also 'vehicle control', which includes general control commands that are applicable to all vehicles.
transit vehicle location data Current transit vehicle location and related operational conditions data provided by a transit vehicle.
transit vehicle operator authentication information Information regarding on-board transit operator authentication
transit vehicle operator authentication update Results of authentication process or update of on-board authentication database.
transit vehicle operator display Visual, audible, and tactile outputs to the transit vehicle operator including vehicle surveillance information, alarm information, vehicle system status, information from the operations center, and information indicating the status of all other on-board ITS services.
transit vehicle operator input Transit vehicle operator inputs to on-board ITS equipment, including tactile and verbal inputs. Includes authentication information, on-board system control, emergency requests, and fare transaction data.
traveler input User input from a traveler to summon assistance, request travel information, make a reservation, or request any other traveler service.
traveler interface updates Visual or audio information (e.g., routes, messages, guidance, emergency information) that is provided to the traveler.

Goals and Objectives

Associated Planning Factors and Goals

Planning Factor Goal
B. Increase the safety of the transportation system for motorized and nonmotorized users; Achieve a significant reduction in traffic fatalities and serious injuries on all public roads
C. Increase the security of the transportation system for motorized and nonmotorized users; Improve the security of the transportation system
D. Increase the accessibility and mobility of people and for freight; Achieve a significant reduction in congestion

Associated Objective Categories

Objective Category
Emergency/Incident Management: Incident Duration
Security: Crime
Security: Terrorism, Natural Disasters, and Hazardous Material Incidents
Transit Operations and Management: Safety

Associated Objectives and Performance Measures

Objective Performance Measure
Decrease by X percent on an annual basis the number of complaints per 1,000 boarding passengers. Complaint rate.
Decrease the number of personal safety incidents by X percent within Y years. Number of reported personal safety incidents.
Increase personal safety ratings by X percent within Y years. Personal safety and customer service ratings.
Increase the number of closed circuit television (CCTV) cameras installed by X percent in Y years on platforms, park-n-ride lots, vehicles, and other transit facilities. Number of CCTV cameras on platforms, park-n-ride lots, vehicles, and other transit facilities.
Reduce mean incident notification time (defined as the time between the first agency's awareness of an incident and the time to notify needed response agencies) by X percent over Y years (i.e., through "Motorist Assist" roving patrol programs, reduction of inaccurate verifications, etc.). Average incident notification time of necessary response agencies.
Reduce mean time of incident duration (from awareness of incident to resumed traffic flow) on transit services and arterial and expressway facilities by X percent in Y years. Mean time of incident duration.
Reduce security risks to motorists and travelers Number of critical sites with security surveillance
Reduce security risks to motorists and travelers Number of security incidents on roadways
Reduce security risks to transit passengers and transit vehicle operators Number of security incidents at transit facilities
Reduce security risks to transit passengers and transit vehicle operators Number of security incidents on transit vehicles
Reduce security risks to transit passengers and transit vehicle operators Number of transit facilities and vehicles under security surveillance
Reduce security risks to transportation infrastructure Number of critical sites with hardened security enhancements
Reduce security risks to transportation infrastructure Number of critical sites with security surveillance
Reduce security risks to transportation infrastructure Number of security incidents on transportation infrastructure


 
Since the mapping between objectives and service packages is not always straight-forward and often situation-dependent, these mappings should only be used as a starting point. Users should do their own analysis to identify the best service packages for their region.

Needs and Requirements

Need Functional Object Requirement
01 Transit Operations needs to be able to monitor conditions on a transit vehicle in order to provide a secure environment for travelers. Emergency Secure Area Alarm Support 02 The center shall collect silent and audible alarms received from transit vehicles, originated by the traveler or the transit vehicle operator.
03 After the alarm message has been received, the center shall generate an alarm acknowledgment to the sender.
06 The center shall forward the alarm message to center personnel and respond to the traveler or transit vehicle operator as directed by the personnel.
Emergency Secure Area Sensor Management 03 The center shall remotely monitor and control security sensor data collected on-board transit vehicles. The types of security sensor data include environmental threat (e.g. chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors) and object detection sensors. The data may be raw or pre-processed in the field.
10 The center shall respond to control data from center personnel regarding security sensor data collection, processing, threat detection, and threat analysis.
Emergency Secure Area Surveillance 03 The center shall remotely monitor video images and audio surveillance data collected on-board transit vehicles. The data may be raw or pre-processed in the field.
09 The center shall remotely control security surveillance devices on-board transit vehicles.
Transit Center Security 01 The center shall monitor transit vehicle operational data to determine if the transit vehicle is off-route and assess whether a security incident is occurring.
02 The center shall receive reports of emergencies on-board transit vehicles entered directly be the transit vehicle operator or from a traveler through interfaces such as panic buttons or alarm switches.
Transit Vehicle Security 01 The transit vehicle shall perform video and audio surveillance inside of transit vehicles and output raw video or audio data for either local monitoring (for processing or direct output to the transit vehicle operator), remote monitoring or for local storage (e.g., in an event recorder).
02 The transit vehicle shall perform local monitoring of video or audio surveillance data collected inside of transit vehicles, and identify potential incidents or threats based on received processing parameters.
03 The transit vehicle shall output an indication of potential incidents or threats and the processed video or audio information to the center along with the vehicle's current location.
04 The transit vehicle shall detect potential threats via sensors for chemical agents, toxic industrial chemicals, biological agents, explosives, and radiation.
05 The transit vehicle shall detect potential threats via object detection sensors (e.g. metal detectors).
06 The transit vehicle shall output an indication of potential incidents or threats and the processed sensor information to the center along with the vehicle's current location.
07 The transit vehicle shall accept sensor control data to allow remote control of the sensors.
08 The transit vehicle shall monitor and output surveillance and sensor equipment status and fault indications.
09 The transit vehicle shall accept emergency inputs from either the transit vehicle operator or a traveler through such interfaces as panic buttons, silent or audible alarms, etc.
10 The transit vehicle shall output reported emergencies to the center.
11 The transit vehicle shall receive acknowledgments of the emergency request from the center and output this acknowledgment to the transit vehicle operator or to the travelers.
12 The transit vehicle shall be capable of receiving an emergency message for broadcast to the travelers or to the transit vehicle operator.
02 Transit Operations needs to be able to monitor transit stops and transit stations in order to provide a secure environment for travelers. Emergency Secure Area Alarm Support 01 The center shall collect silent and audible alarms received from travelers in secure areas (such as transit stops, rest areas, park and ride lots, modal interchange facilities).
03 After the alarm message has been received, the center shall generate an alarm acknowledgment to the sender.
06 The center shall forward the alarm message to center personnel and respond to the traveler or transit vehicle operator as directed by the personnel.
Emergency Secure Area Sensor Management 10 The center shall respond to control data from center personnel regarding security sensor data collection, processing, threat detection, and threat analysis.
12 The center shall maintain the status of the security sensor field equipment.
Emergency Secure Area Surveillance 02 The center shall remotely monitor video images and audio surveillance data collected in traveler secure areas, which include transit stations, transit stops, rest areas, park and ride lots, and other fixed sites along travel routes (e.g., emergency pull-off areas and travel information centers). The data may be raw or pre-processed in the field.
08 The center shall remotely control security surveillance devices in traveler secure areas, which include transit stations, transit stops, rest areas, park and ride lots, and other fixed sites along travel routes (e.g., emergency pull-off areas and travel information centers).
Field Secure Area Sensor Monitoring 10 The field element shall include security sensors that monitor conditions in traveler secure areas, which include transit stations, transit stops, rest areas, park and ride lots, and other fixed sites along travel routes (e.g., emergency pull-off areas and travel information centers).
Field Secure Area Surveillance 06 The field element shall include video and/or audio surveillance of traveler secure areas including transit stations, transit stops, rest areas, park and ride lots, and other fixed sites along travel routes (e.g., emergency pull-off areas and traveler information centers).
Traveler Security 01 The public interface for travelers shall provide the capability for a traveler to report an emergency and summon assistance from secure areas such as transit stops, transit stations, modal transfer facilities, rest stops, park-and-ride areas, travel information areas, and emergency pull off areas.
02 When initiated by a traveler, the public interface for travelers shall forward a request for assistance to an emergency management function and acknowledge the request.
03 The public interface for travelers shall provide the capability to broadcast a message to advise or warn a traveler.
04 The public interface for travelers shall accept input and provide information to the traveler in a form suitable for travelers with physical disabilities.
03 Transit Operations needs to be able to monitor transit secure areas such as bus or rail yards and transit infrastructure such as tracks and tunnels in order to provide security for transit assets. Emergency Secure Area Sensor Management 01 The center shall remotely monitor and control security sensor data collected in secure areas including facilities (e.g. transit yards) and transportation infrastructure (e.g. bridges, tunnels, interchanges, roadway infrastructure, and transit railways or guideways). The types of security sensor data include environmental threat (e.g. chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors), infrastructure condition and integrity, intrusion and motion, and object detection sensors. The data may be raw or pre-processed in the field.
02 The center shall remotely monitor and control security sensor data collected in traveler secure areas, which include transit stations, transit stops, rest areas, park and ride lots, and other fixed sites along travel routes (e.g., emergency pull-off areas and travel information centers). The types of security sensor data include environmental threat (e.g. chemical agent, toxic industrial chemical, biological, explosives, and radiological sensors), intrusion and motion, and object detection sensors. The data may be raw or pre-processed in the field.
Emergency Secure Area Surveillance 01 The center shall remotely monitor video images and audio surveillance data collected in secure areas including facilities (e.g. transit yards) and transportation infrastructure (e.g. bridges, tunnels, interchanges, roadway infrastructure, and transit railways or guideways). The data may be raw or pre-processed in the field.
07 The center shall remotely control security surveillance devices in secure areas including facilities (e.g. transit yards) and transportation infrastructure (e.g. bridges, tunnels, interchanges, roadway infrastructure, and transit railways or guideways).
Field Secure Area Sensor Monitoring 01 The field element shall include security sensors that monitor conditions of secure areas including facilities (e.g. transit yards) and transportation infrastructure (e.g. bridges, tunnels, interchanges, roadway infrastructure, and transit railways or guideways).
02 The field element sensor monitoring shall be remotely controlled by a center.
03 The field element shall provide equipment status and fault indication of security sensor equipment to a center.
04 The field element shall include environmental threat sensors (e.g. chemical agent, toxic industrial chemical, biological, explosives, and radiological).
05 The field element shall include infrastructure condition and integrity monitoring sensors.
06 The field element shall include motion and intrusion detection sensors.
07 The field element shall include object detection sensors (such as metal detectors).
08 The field element shall provide raw security sensor data.
09 The field element shall remotely process security sensor data and provide an indication of potential incidents or threats to a center.
Field Secure Area Surveillance 01 The field element shall include video and/or audio surveillance of secure areas including facilities (e.g. transit yards) and transportation infrastructure (e.g. bridges, tunnels, interchanges, roadway infrastructure, and transit railways or guideways).
02 The field element shall be remotely controlled by a center.
03 The field element shall provide equipment status and fault indication of surveillance equipment to a center.
04 The field element shall provide raw video or audio data.
05 The field element shall remotely process video and audio data and provide an indication of potential incidents or threats to a center.
04 Transit Operations needs to be able to authenticate operators of transit vehicles and perform remote disabling of vehicles if necessary in order to ensure secure operation of the vehicles. Transit Center Security 03 The center shall support the back-office portion of functionality to authenticate transit vehicle operators.
09 The center shall provide support to remotely disable (or reset the disabling of) a transit vehicle in service.
Transit Vehicle Security 13 The transit vehicle shall be capable of being disabled or enabled based on commands from the center or authentic inputs from the transit vehicle operator
14 The transit vehicle shall perform authentication of the transit vehicle operator.
05 Transit Operations needs to be able to alert emergency services to incidents on vehicles, at stations/stops, or other monitored assets. Emergency Response Management 06 The center shall allocate the appropriate emergency services, resources, and vehicle (s) to respond to incidents, and shall provide the capability to override the current allocation to suit the special needs of a current incident.
10 The center shall provide the capability to request transit resource availability from transit centers for use during disaster and evacuation operations.
11 The center shall assimilate the damage assessment of the transit, traffic, rail, maintenance, and other emergency center services and systems to create an overall transportation system status, and disseminate to each of these centers and the traveling public via traveler information providers.
Emergency Secure Area Alarm Support 04 After the alarm message becomes a verified incident, the center shall determine the appropriate response.
05 The center shall determine whether the alarm message indicates an emergency that requires the attention of public safety agencies, and forward alarm message data to the appropriate agency as necessary.
Emergency Secure Area Sensor Management 04 The center shall exchange security sensor data with other emergency centers.
05 The center shall identify potential security threats based on collected security sensor data.
06 The center shall verify potential security threats by correlating security sensor data from multiple sources.
07 The center shall perform threat analysis based on correlations of security sensor and surveillance data.
Emergency Secure Area Surveillance 04 The center shall exchange surveillance data with other emergency centers.
05 The center shall identify potential security threats based on collected security surveillance data.
06 The center shall verify potential security threats by correlating security surveillance data from multiple sources.
Transit Center Security 04 The center shall provide transit incident information along with other service data to emergency centers.
07 The center shall coordinate the response to security incidents involving transit with other agencies including Emergency Management, other transit agencies, media, traffic management, and traveler information service providers.
06 Transit Operations needs to be able to inform traveler information systems or the media regarding transit related incidents in order to keep the traveling public informed of the impacts these incidents may have on their trips. Transit Center Security 10 The center shall provide transit incident information to traveler information providers and the media.

Related Sources

Document Name Version Publication Date
ITS User Services Document 1/1/2005


Security

In order to participate in this service package, each physical object should meet or exceed the following security levels.

Physical Object Security
Physical Object Confidentiality Integrity Availability Security Class
Alerting and Advisory System Moderate High High Class 5
Basic Transit Vehicle  
Emergency Management Center High High High Class 5
Media Low Low Moderate Class 1
Other Emergency Management Centers High High High Class 5
Rail Operations Center Moderate Moderate High Class 5
Security Monitoring Equipment High Moderate Moderate Class 4
Transit Management Center High High High Class 5
Transit Vehicle OBE Moderate High High Class 5
Transportation Information Center Low Low Moderate Class 1
Traveler Support Equipment Moderate High Moderate Class 3



In order to participate in this service package, each information flow triple should meet or exceed the following security levels.

Information Flow Security
Source Destination Information Flow Confidentiality Integrity Availability
Basis Basis Basis
Alerting and Advisory System Emergency Management Center threat support data Moderate High High
This data is used to determine if there may be a threat to the transportation infrastructure. As this may provoke a response against that threat, this information should be protected from viewing by parties that may be related to the threat. If this data is corrupted, potential security threats will not be detected. If this data is modified in transit, it could be used to suggest the presence or non-presence of specific individuals, which is a grave threat to the response to an incident and significant also for the cover up of illicit activity in the post-operational phase. Since this information may indicate a threat against the transportation system, including personal safety, we can justify a HIGH rating. Lack of information could lead to extreme consequences if no response is taken. In areas where responses are already part of daily activity, this may be reduced to MODERATE.
Basic Transit Vehicle Transit Vehicle OBE host transit vehicle status Moderate Moderate Moderate
This can include some sensitive data. However, other data, such as vehicle location and motion will then be broadcast. There also may be proprietary information included in this. DISC THEA believes this to be LOW: "sensor data is not confidential; harm should not come from seeing status." This is used later on to determine whether a vehicle should request priority at an intersection. If this information is incorrect the vehicle may make false requests. All other flows that use the data from this flow have a MODERATE integrity requirement, therefore, this must also have a MODERATE integrity requirement. DISC: THEA believes this should be HIGH: "sensor data needs to be accurate and should not be tampered with." This information would need to be available immediately for the application to work.DISC: THEA believes this should be HIGH: "sensor data must be consistently available to feed BSMs broadcast at 10Hz, notifications, etc.."
Emergency Management Center Emergency System Operator emergency operations status Moderate High High
Emergency system controls should not be casually viewable as they impact the availability of emergency services, which if known could be leveraged for illegal activity. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
Emergency Management Center Other Emergency Management Centers incident report High Moderate Moderate
This data contains all information regarding the incident. This could include personal information regarding persons involved in the incident. It could also include sensitive information regarding special events or closures. DISC: WYO believes this to be MODERATE. Minor discrepancies in this data should not have a catastrophic effect, but it should be reasonably controlled and accurate. A few missed messages should not have a significant effect. However, most messages should make it through and the EMC should be able to know if the TMC has received a message.
Emergency Management Center Other Emergency Management Centers threat information coordination Moderate High High
Coordination of threat response would be useful to the source of the threat, and allow them to respond to maximize intent. As such, this information must be kept from them if possible. Given that the EMC is the source of threat response, we justify HIGH. If threat responses in the area are typically similar to day-to-day opeations, can be MODERATE. All threat-related flows should have some measure of confidence assigned to them, as they will necessarily provoke responses from the receiving entities. Corrupted or forged data could inhibit that response or cause one when none is warranted. Both of these cases offer significant negative impacts. Given the scope of the transportation system, we set this HIGH. For small-scoped systems, this may be MODERATE if the response would never be significantly different than daily operations. Since this information may indicate a threat against the transportation system, including personal safety, we can justify a HIGH rating. Lack of information could lead to extreme consequences if no response is taken. In areas where responses are already part of daily activity, this may be reduced to MODERATE.
Emergency Management Center Rail Operations Center threat information Moderate High High
This data is used to determine if there may be a threat to the transportation infrastructure. As this may provoke a response against that threat, this information should be protected from viewing by parties that may be related to the threat. All threat-related flows should have some measure of confidence assigned to them, as they will necessarily provoke responses from the receiving entities. Corrupted or forged data could inhibit that response or cause one when none is warranted. Both of these cases offer significant negative impacts. Given the scope of the transportation system, we set this HIGH. For small-scoped systems, this may be MODERATE if the response would never be significantly different than daily operations. Since this information may indicate a threat against the transportation system, including personal safety, we can justify a HIGH rating. Lack of information could lead to extreme consequences if no response is taken. In areas where responses are already part of daily activity, this may be reduced to MODERATE.
Emergency Management Center Security Monitoring Equipment infrastructure monitoring sensor control Moderate High Moderate
Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: NYC believes this to be low: "This information is directly observable." Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From NYC: The information sent from TMC directly affect the ITS-RE speed "announcement". Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH.. From NYC: The ITS-RE can work accordingly or in fail-safe if information is not available.
Emergency Management Center Security Monitoring Equipment secure area sensor control Moderate High Moderate
Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: NYC believes this to be low: "This information is directly observable." Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From NYC: The information sent from TMC directly affect the ITS-RE speed "announcement". Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH.. From NYC: The ITS-RE can work accordingly or in fail-safe if information is not available.
Emergency Management Center Security Monitoring Equipment secure area surveillance control Moderate High Moderate
Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: NYC believes this to be low: "This information is directly observable." Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From NYC: The information sent from TMC directly affect the ITS-RE speed "announcement". Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH.. From NYC: The ITS-RE can work accordingly or in fail-safe if information is not available.
Emergency Management Center Transit Management Center incident information High Moderate Moderate
This data contains all of the information regarding the incident. This could include personal information regarding persons involved in the incident. It could also include sensitive information regarding special events or closures. Minor discrepancies in this data should not have a catastrophic effect, but it should be reasonably controlled and accurate. A few missed messages should not have a significant effect. However, most messages should make it through and the EMC should be able to know if the Transit Management Center has received a message.
Emergency Management Center Transit Management Center incident response status Moderate Moderate Moderate
This flow implies details of an incident, which could be used by an attacker as intelligence gathering and target assessment. If this data is incorrect or unavailable then maintenance assets may not be appropriately assigned, resulting in inefficient use of maintenance assets and higher overall downtime in the incident locale. If this data is incorrect or unavailable then maintenance assets may not be appropriately assigned, resulting in inefficient use of maintenance assets and higher overall downtime in the incident locale.
Emergency Management Center Transit Management Center threat information Moderate High High
This data is used to determine if there may be a threat to the transportation infrastructure. As this may provoke a response against that threat, this information should be protected from viewing by parties that may be related to the threat. All threat-related flows should have some measure of confidence assigned to them, as they will necessarily provoke responses from the receiving entities. Corrupted or forged data could inhibit that response or cause one when none is warranted. Both of these cases offer significant negative impacts. Given the scope of the transportation system, we set this HIGH. For small-scoped systems, this may be MODERATE if the response would never be significantly different than daily operations. Since this information may indicate a threat against the transportation system, including personal safety, we can justify a HIGH rating. Lack of information could lead to extreme consequences if no response is taken. In areas where responses are already part of daily activity, this may be reduced to MODERATE.
Emergency Management Center Transit Vehicle OBE alarm acknowledge Moderate High Moderate
While this flow may not directly include PII, it responds to one that does. Security requirements for response flows set at minimum to those of the triggering flow. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents on board a transit vehicle, station or other public transport facility likely to include one or more travelers must be timely or appropriate measures may be delayed, which could impact personal safety. Could be HIGH.
Emergency Management Center Transit Vehicle OBE secure area sensor control Moderate High Moderate
Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: NYC believes this to be low: "This information is directly observable." Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From NYC: The information sent from TMC directly affect the ITS-RE speed "announcement". Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH.. From NYC: The ITS-RE can work accordingly or in fail-safe if information is not available.
Emergency Management Center Transit Vehicle OBE secure area surveillance control Moderate High Moderate
Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: NYC believes this to be low: "This information is directly observable." Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From NYC: The information sent from TMC directly affect the ITS-RE speed "announcement". Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH.. From NYC: The ITS-RE can work accordingly or in fail-safe if information is not available.
Emergency Management Center Traveler Support Equipment alarm acknowledge Moderate High Moderate
While this flow may not directly include PII, it responds to one that does. Security requirements for response flows set at minimum to those of the triggering flow. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents on board a transit vehicle, station or other public transport facility likely to include one or more travelers must be timely or appropriate measures may be delayed, which could impact personal safety. Could be HIGH.
Emergency System Operator Emergency Management Center emergency operations input Moderate High High
Emergency system controls should not be casually viewable as they impact the availability of emergency services, which if known could be leveraged for illegal activity. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
Other Emergency Management Centers Emergency Management Center incident report High Moderate Moderate
This data contains all information regarding the incident. This could include personal information regarding persons involved in the incident. It could also include sensitive information regarding special events or closures. DISC: WYO believes this to be MODERATE. Minor discrepancies in this data should not have a catastrophic effect, but it should be reasonably controlled and accurate. A few missed messages should not have a significant effect. However, most messages should make it through and the EMC should be able to know if the TMC has received a message.
Other Emergency Management Centers Emergency Management Center threat information coordination Moderate High High
Coordination of threat response would be useful to the source of the threat, and allow them to respond to maximize intent. As such, this information must be kept from them if possible. Given that the EMC is the source of threat response, we justify HIGH. If threat responses in the area are typically similar to day-to-day opeations, can be MODERATE. All threat-related flows should have some measure of confidence assigned to them, as they will necessarily provoke responses from the receiving entities. Corrupted or forged data could inhibit that response or cause one when none is warranted. Both of these cases offer significant negative impacts. Given the scope of the transportation system, we set this HIGH. For small-scoped systems, this may be MODERATE if the response would never be significantly different than daily operations. Since this information may indicate a threat against the transportation system, including personal safety, we can justify a HIGH rating. Lack of information could lead to extreme consequences if no response is taken. In areas where responses are already part of daily activity, this may be reduced to MODERATE.
Security Monitoring Equipment Emergency Management Center infrastructure monitoring sensor data High Moderate Moderate
Includes asset status and security-related monitoring both of which if available to a hostile third party would be useful in developing targets and inflicting damage. May be MODERATE if little such data is available or assets and potential impact is limited. Real-time monitoring of transportation asset data should be accurate and timely to protect the monitored assets. Given that the destintation of this flow cannot act directly, it is difficult to justify HIGH, unless 'infrastructure situation data' does not exist. As this flow includes data that reflects the condition of transportation assets, and can be used to infer the safety of use of those assets, loss of this flow means loss of asset safety monitoring, which has a potentially significant impact.
Security Monitoring Equipment Emergency Management Center secure area sensor data Moderate Moderate Moderate
Any security or surveillance data should be protected from casual viewing. An attacker could use this information to assess a facility's susceptibility to attack, or intercept it and use it to monitor their own progress. Security and surveillance data needs guarantee of accuracy. However, there will be procedures in place to verify any alarms or alerts, suggesting this could be MODERATE in most instances. For sensitive areas, this might be HIGH. Surveillance and security data should be generally available to security systems; if this goes down it could indicate some kind of hostile action against the monitored facility. This might be HIGH for areas that are sensitive or have particularly high value equipment.
Security Monitoring Equipment Emergency Management Center secure area surveillance data Moderate Moderate Moderate
Any security or surveillance data should be protected from casual viewing. An attacker could use this information to assess a facility's susceptibility to attack, or intercept it and use it to monitor their own progress. Security and surveillance data needs guarantee of accuracy. However, there will be procedures in place to verify any alarms or alerts, suggesting this could be MODERATE in most instances. For sensitive areas, this might be HIGH. Surveillance and security data should be generally available to security systems; if this goes down it could indicate some kind of hostile action against the monitored facility. This might be HIGH for areas that are sensitive or have particularly high value equipment.
Transit Management Center Emergency Management Center transit emergency data Moderate High High
Security event or other emergency could be used by an attacker to confirm or further a crime in progress. This must be accurate to ensure correct response, as human safety may be at stake. Human safety could be at stake, which suggest sever consequences.
Transit Management Center Media transit incident information Low Moderate Moderate
Generally, center-originating flows destined for a TIC don't contain any personal or confidential information, and are eventually intended for some kind of public consumption. While accuracy of this data is important for decision making purposes, applications should be able to cfunction without it. Thus MODERATE generally. While availability of this data is important for decision making purposes, applications should be able to function without it. Thus MODERATE generally.
Transit Management Center Transit Operations Personnel transit operations status Moderate High High
Backoffice operations flows should have minimal protection from casual viewing, as otherwise imposters could gain illicit control or information that should not be generally available. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
Transit Management Center Transit Vehicle OBE alarm acknowledge Moderate High Moderate
While this flow may not directly include PII, it responds to one that does. Security requirements for response flows set at minimum to those of the triggering flow. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents on board a transit vehicle, station or other public transport facility likely to include one or more travelers must be timely or appropriate measures may be delayed, which could impact personal safety. Could be HIGH.
Transit Management Center Transit Vehicle OBE remote vehicle disable Moderate High Moderate
This flow disables the target vehicle. While its integrity is thus obviously paramount, if this flow were observed by a third party they might understand what was occuring, which provides intelligence that is not necessarily visible otherwise. Since this flow disables the target vehicle, it must be correct and difficult to forge or modify to ensure the safe operation of the vehicle. This is one of several security-focused mechanisms that may be implemented to secure the transit vehicle. If this particular flow is relied on exclusively for security, HIGH might be considered, but given the constraint of a wireless medium, that is likely impractical.
Transit Management Center Transit Vehicle OBE transit vehicle operator authentication update Moderate High High
Authentication information exchanged probably does not include PII, but even so it betrays actions that are otherwise not easy to observe and not designed to be observable. Attackers might use this information during the commission of a crime. As this may be used as part of transit vehicle security processes, any corruption or manipulation of this flow could defeat those processes, impacting vehicle security. There are likely onboard mechanisms for coping with a loss of availability, but if this flow is a critical part of transit security then it really should be protected at all costs. Possibly MODERATE.
Transit Management Center Transportation Information Center transit incident information Low Moderate Moderate
Generally, center-originating flows destined for a TIC don't contain any personal or confidential information, and are eventually intended for some kind of public consumption. While accuracy of this data is important for decision making purposes, applications should be able to cfunction without it. Thus MODERATE generally. While availability of this data is important for decision making purposes, applications should be able to function without it. Thus MODERATE generally.
Transit Management Center Traveler Support Equipment alarm acknowledge Moderate High Moderate
While this flow may not directly include PII, it responds to one that does. Security requirements for response flows set at minimum to those of the triggering flow. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents on board a transit vehicle, station or other public transport facility likely to include one or more travelers must be timely or appropriate measures may be delayed, which could impact personal safety. Could be HIGH.
Transit Operations Personnel Transit Management Center transit operations personnel input Moderate High High
Backoffice operations flows should have minimal protection from casual viewing, as otherwise imposters could gain illicit control or information that should not be generally available. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
Transit Vehicle OBE Basic Transit Vehicle transit vehicle control Moderate High High
Internal vehicle flow that if reverse engineered could enable third party vehicle control. Largely a competitive question, could be set LOW if manufacturer and operator are not concerned with this type of compromise. Includes vehicle control commands, which must be timely and accurate to support safe vehicle operation. Includes vehicle control commands, which must be timely and accurate to support safe vehicle operation.
Transit Vehicle OBE Emergency Management Center alarm notification Moderate High Moderate
This flow contains regarding an issue aboard a transit vehicle. This identity of the vehicle as well as its location will be included. Video and personal information regarding persons involved in the incident and the type of incident could also be included. All of this could be PII. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents on board a transit vehicle must be timely or appropriate measures may be delayed, which could impact safety on board the vehicle. Could be HIGH.
Transit Vehicle OBE Emergency Management Center secure area sensor data Moderate Moderate Moderate
Any security or surveillance data should be protected from casual viewing. An attacker could use this information to assess a facility's susceptibility to attack, or intercept it and use it to monitor their own progress. Security and surveillance data needs guarantee of accuracy. However, there will be procedures in place to verify any alarms or alerts, suggesting this could be MODERATE in most instances. For sensitive areas, this might be HIGH. Surveillance and security data should be generally available to security systems; if this goes down it could indicate some kind of hostile action against the monitored facility. This might be HIGH for areas that are sensitive or have particularly high value equipment.
Transit Vehicle OBE Emergency Management Center secure area surveillance data Moderate Moderate Moderate
Any security or surveillance data should be protected from casual viewing. An attacker could use this information to assess a facility's susceptibility to attack, or intercept it and use it to monitor their own progress. Security and surveillance data needs guarantee of accuracy. However, there will be procedures in place to verify any alarms or alerts, suggesting this could be MODERATE in most instances. For sensitive areas, this might be HIGH. Surveillance and security data should be generally available to security systems; if this goes down it could indicate some kind of hostile action against the monitored facility. This might be HIGH for areas that are sensitive or have particularly high value equipment.
Transit Vehicle OBE Transit Management Center alarm notification Moderate High Moderate
This flow contains regarding an issue aboard a transit vehicle. This identity of the vehicle as well as its location will be included. Video and personal information regarding persons involved in the incident and the type of incident could also be included. All of this could be PII. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents on board a transit vehicle must be timely or appropriate measures may be delayed, which could impact safety on board the vehicle. Could be HIGH.
Transit Vehicle OBE Transit Management Center transit vehicle conditions Moderate Moderate Moderate
Basic diagnostic information should not be sensitive, but any warnings or alarms could be, particularly if they are related to an incident or hostile event related to the vehicle. Such information could be used as part of damage assessment or target identification. This needs to be accurate to properly schedule maintenance activities (for the basic maintenance data items) and to properly respond to warning indicators. If corrupted or unavailable, there could be a significant repurcussion for the vehicle and by extension, the vehicle operator. This needs to be accurate to properly schedule maintenance activities (for the basic maintenance data items) and to properly respond to warning indicators. If corrupted or unavailable, there could be a significant repurcussion for the vehicle and by extension, the vehicle operator.
Transit Vehicle OBE Transit Management Center transit vehicle location data Moderate Moderate Moderate
While internal, contains identification, passenger load and routing data that if observed could be used by an attacker to identify targets. Applications relying on this data will not function properly if the data is incorrect, so it must be protected commensurate to the value of the application. Applications relying on this data will not function properly if the data is incorrect, so it must be protected commensurate to the value of the application. Location data is dynamic, so probably needs to be updated frequently.
Transit Vehicle OBE Transit Management Center transit vehicle operator authentication information Moderate High High
Authentication information exchanged probably does not include PII, but even so it betrays actions that are otherwise not easy to observe and not designed to be observable. Attackers might use this information during the commission of a crime. As this may be used as part of transit vehicle security processes, any corruption or manipulation of this flow could defeat those processes, impacting vehicle security. There are likely onboard mechanisms for coping with a loss of availability, but if this flow is a critical part of transit security then it really should be protected at all costs. Possibly MODERATE.
Transit Vehicle OBE Transit Vehicle Operator transit vehicle operator display Low Moderate Low
This should not include any sensitive information. It would be possible for a person standing behind the driver to observe the information transmitted. Some minimal guarantee of data integrity is necessary for all C-ITS flows. This entire application should not directly affect the drivers driving habits. The operator should still be slowing and stopping at yellow or red lights, along with observing all other driving regulations. DISC: Original V2I analysis classified this as LOW. Even if the operator is not made aware of the signal preemption, the system should still operate correctly. The operator should be using the traffic lights to influence their decision about whether or not to stop, not the display.
Transit Vehicle OBE Traveler traveler interface updates Not Applicable Moderate Moderate
This data is informing the vehicle of operational information that is relevant to the operation of the vehicle. It should not contain anything sensitive, and does not matter if another person can observe it. Should be accurate as the Traveler will be relying on this information for routing and related choices. Lack of accuracy will result in lack of confidence from the traveler as well as an unsatisfactory trip, leading to a negative feedback spiral. Users expect their devices to work. If information is not presented to the operator, the relevant applications simply won't be used.
Transit Vehicle Operator Transit Vehicle OBE transit vehicle operator input Low Moderate Low
This information is transmitted through systems on board the Transit Vehicle. Even if the vehicle were compromised and these communications monitored, most of this information is directly observable. Some minimal guarantee of data integrity is necessary for all C-ITS flows. If this is compromised, it could result in an incorrect signal priority request, which has minimal impact. DISC: Original V2I analysis classified this as LOW. A delay in reporting this may result in a signal priority request not going through, which has minimal impact.
Traveler Transit Vehicle OBE traveler input Not Applicable Moderate Low
This data is informing the vehicle of operational information that is relevant to the operation of the vehicle. It should not contain anything sensitive, and does not matter if another person can observe it. While public, information must be correct or travelers may make incorrect decisions with regard to their travel plans. Information is available through other means, though depending on the location this might not always be the case, in which case this would be MODERATE.
Traveler Traveler Support Equipment traveler input Not Applicable Moderate Low
Publicly available information, while not directly observable, is intended for widespread distribution While public, information must be correct or travelers may make incorrect decisions with regard to their travel plans. Information is available through other means, though depending on the location this might not always be the case, in which case this would be MODERATE.
Traveler Support Equipment Emergency Management Center alarm notification Moderate High Moderate
This flow contains regarding an issue at a public location that could involve human safety. This identity of the device reporting the alarm as well as its location will be included. Other data incuding video if available, and relevant personal information regarding persons involved in the incident and the type of incident may also be provided, all of which is PII. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents at a publicly managed area must be timely or appropriate measures might be delayed, which could impact safety at the location. Could be HIGH.
Traveler Support Equipment Transit Management Center alarm notification Moderate High Moderate
This flow contains regarding an issue at a public location that could involve human safety. This identity of the device reporting the alarm as well as its location will be included. Other data incuding video if available, and relevant personal information regarding persons involved in the incident and the type of incident may also be provided, all of which is PII. Even a minor discrepancy in this data could have a significant effect for a personal safety incident. Data describing incidents at a publicly managed area must be timely or appropriate measures might be delayed, which could impact safety at the location. Could be HIGH.
Traveler Support Equipment Traveler traveler interface updates Not Applicable Moderate Moderate
Publicly available information, while not directly observable, is intended for widespread distribution Should be accurate as the Traveler will be relying on this information for routing and related choices. Lack of accuracy will result in lack of confidence from the traveler as well as an unsatisfactory trip, leading to a negative feedback spiral. Users expect their devices to work. If information is not presented to the operator, the relevant applications simply won't be used.

Standards

Currently, there are no standards associated with the physical objects in this service package. For standards related to interfaces, see the specific information flow triple pages.