UrRisk04_example2
advertisement
UrRISK04 SRA 311.001 Fall 2014 Table/Row # 1 Student1 [bah5423] Student2 [nxw5047] Table of Contents Introduction .................................................................................................................................................. 3 A) Purpose ............................................................................................................................................. 4 B) Scope of the Risk Assessment ........................................................................................................... 5 II. Risk Assessment Approach ....................................................................................................................... 6 III. System Characterization .......................................................................................................................... 9 IV. Threat Statement ................................................................................................................................... 10 V. Risk Assessment Results ......................................................................................................................... 11 A. Threat/Vulnerability Pairs ................................................................................................................ 12 B. Existing Risk Controls ....................................................................................................................... 13 C. Likelihood: Discussion and Evaluation ............................................................................................ 14 D. Impact: Discussion and Evaluation ................................................................................................. 15 E. Risk Rating ....................................................................................................................................... 16 F. Recommended Controls .................................................................................................................. 17 VI. Summary ................................................................................................................................................ 19 Reference List.............................................................................................................................................. 20 Attachment 1: Information Sheet .............................................................................................................. 22 Attachment 2: Structured Analytic Results ................................................................................................ 24 Attachment 3: Threat Analysis ................................................................................................................... 26 Attachment 4: Vulnerability Analysis .......................................................................................................... 27 Attachment 5: Risk Scenario Likelihood ..................................................................................................... 28 Attachment 6: Risk Scenario Impact ........................................................................................................... 29 Attachment 7: Risk Matrix .......................................................................................................................... 30 Attachment 8: Risk Rating .......................................................................................................................... 31 Attachment 9: Summary Table ................................................................................................................... 32 2 Introduction This document is a risk assessment on the Lewistown, Pennsylvania Amtrak Station. The structure of the risk assessment is based on the NIST 800-30 document. This introduction outlines the purpose and scope of the risk assessment. Included next is an explanation of the three-part risk assessment approach including a literature review, structured analytics, and a virtual site visit. Following this, the system characterization is specified as an input-processoutput (IPO) model. Next, the threat statement specifies which threat categories are being considered in the risk assessment and further defines these categories. Proceeding, the risk assessment results include threat/vulnerability pairs, existing controls, likelihood, impact, risk rating, and recommended controls. Lastly a high level summary is provided for the risk assessment results. There are several supporting attachments as noted within the associated sections of the document (Stoneburner, Goguen, & Feringa, 2002). 3 A) Purpose The location of this risk assessment is the Lewistown, Pennsylvania Amtrak train station. This station only has trains on the “Pennsylvanian” route which, runs between the cities of Pittsburgh and New York. Furthermore, this station lacks several amenities offered by larger stations in metropolitan areas such as a ticket office, kiosks, ATMs, elevators, lounges, storage, parking services, handicap assistance, and passenger assistance. A risk assessment is particularly important because a wide range of more than nine frequently occurring factors, such as workload/mode transitions, expectations/situation awareness, and equipment, contribute to preventable passenger train accidents. Furthermore, many single accidents have several types of causal factors making the issue more complex and in need of analysis (cross-reference Table 2: Causal Factors in Train Accidents in Attachment 1: Information Sheet) The point of view of this risk assessment is that of a train passenger. A train passenger is concerned with two components of travel: safety and function. Safety is the assurance that the passenger reaches his or her destination without injury or harm. The function is the train’s ability to get the passenger from the source to the destination. 4 B) Scope of the Risk Assessment The scope of this risk assessment is limited to the operational hazards of the train, as it approaches and departs from the Lewistown station. There are several subsets of operational hazards. The first subset of operational hazards is severe weather, which includes the potential for tornadoes and strong hurricane winds which have a strong impact on the structural integrity of railroad tracks and trains. “Criteria for the safety risk from strong cross-winds may consider overturning of the vehicle, the risk of a lateral track shift and the risk of a flange climbing derailment” (Andersson, Häggström, Sima, & Stichel, 2004). Another subset is the safety-critical control system that is in charge of controlling track placement, acceleration, and braking. “The new train control systems employ newer technologies and control architectures, such as positive train control (PTC) systems, train protection warning systems, train collision avoidance systems, etc.” (Mokkapati, Tse, & Rao, 2009). While this reduces the amount of human errors the train is susceptible to, it introduces more avenues for potential threats and risks. “It is easy to refer to automation as if it were a well-defined and homogenous category of technology. Clearly, however, this is not the case in reality” (Wreathall, Woods, Bing, & Christoffersen, 2007). The last subset is the human control of railroad operations, where the potential of outside influence can be detrimental to set policies and standards. “Humans can play a very important role in ensuring safety with the current train control systems” (Weathall, Roth, Bley, & Multer, 2003). Workers have access to a multitude of the train’s critical control systems and that creates an inherent danger to people’s lives and properties. Please reference Figure 1 below as a general diagram of the different areas of risk in a firm. Each section is broken down into the specific risks that can be classified by that subgroup. Please note that the scope of this risk assessment only includes operational risk. The product market, financial, legal, regulatory, tax, and input risks will be beyond the scope of this risk assessment. Figure 1: General scope of enterprise risk sources (http://bit.ly/1icMuln) 5 II. Risk Assessment Approach This risk assessment is being conducted by Student1 and Student2. Student1 is completing a degree this year in Security and Risk Analysis (SRA) at The Pennsylvania State University. has prior internship experience at KPMG, where he worked on a team to complete a technical security assessment (vulnerability assessment and penetration test), as an installment to a risk assessment. Student1 has extensive experience in technical security, research, and writing. Student2 is also a senior at The Pennsylvania State University majoring in SRA with specialization in information and cyber security. Student2 has conducted several in-depth reports on system characterization and risk analysis that follow the NIST guidelines in his SRA courses. This risk assessment uses a three-part approach to hazard identification including a literature review, structured analytics, and a virtual site visit. The literature review contains a summary of the relevant information provided from each professional source. The detailed literature can be found in Attachment 1: Information Sheet. The structured analytic technique used in this risk assessment is structured brainstorming. The first step in structured brainstorming is divergence, which consists of freeform idea generation without any criticism or constraints. The goal of this step is to generate as many ideas as possible. The second step is convergence, in which ideas are placed into groups and ranked. The result of this exercise is prioritized idea groups that can be seen in Attachment 2: Structured Analytics (Glantz, 2014). The virtual site visit part of the approach includes the analysis of site photos. By examining these photos, risk that was previously unforeseen can be realized. For example, the gravel ground surface and limited lighting which can be observed in Figure 2 and Figure 3 below could pose a risk of passengers falling when exiting a train, which was not foreseen by the structured analytic technique described above. 6 Figure 2 Lewistown, PA, Amtrak Station | 1 / 2 (Sturmovik, 2009) Figure 3 Lewistown, PA PRR/Amtrak station (Whipp, 2014) 7 A risk matrix will be used to evaluate risk impacts and likelihoods. Each axis includes a numeric scale so that comprehensive scores can be calculated by using products. For example, if the impact is scored as a three and the probability is scored as a five, the overall severity score is fifteen. Each cell is ranked by a very low, low, medium, high, or critical risk severity category. The categories are based on the following ranges of risk severity scores: very low 1-5, low 6-10, medium 11-15, high 16-20, and critical 21-25. In addition to their calculated score, these categories are also designated by green, yellow, orange, red, and purple respectively. Please reference Figure 4: Risk Matrix, below. Probability Impact 1 2 3 4 5 1 1 2 3 4 5 2 2 4 6 8 10 3 3 6 9 12 15 4 4 8 12 16 20 5 5 10 15 20 25 Figure 4 Risk Matrix 8 III. System Characterization The flow of passengers entering and exiting the train safely can be visualized as a system. This system can be modeled as an input-process-output (IPO) model. An IPO model helps to focus threat, vulnerability, and asset identification. This risk assessment is from the viewpoint of a passenger. As such, the set of IPOs in this model directly relate to the passengers themselves. The input would be the passengers who board a train at the station. The process is the safe transportation of passengers as they arrive at or depart from the Lewistown station. The output is the passengers who exit their train at the station. Figure 5: Basic Input, Process, Output Model, below is a visualization of an IPO model that shows how a system can be broken down into three distinct categories for risk assessment. Figure 5 Basic Input, Process, Output Model (Nickols, 2004, p. 2) 9 IV. Threat Statement A threat-source is any circumstance or event with the potential to harm a system. There are three threats sources being considered in this assessment: human, natural, and environmental. Natural threats include acts of nature such as floods, earthquakes, tornadoes, landslides, avalanches, and electrical storms. Human threats are either enabled by or caused by human beings, whether unintentional or deliberate. Environmental threats are specific to the system being examined. While it is important to consider all potential threat-sources, human threats and natural threats are the main sources of threats covered in this report. Environmental threats are not extensively considered because the number of potential mechanical engineering failures in a train system is immense. Amtrak should more fully consider potential mechanical errors when purchasing new trains or tracks. Attachment 3 provides a table showing the source, motivation, and actions for each threat (Stoneburner, et al., 2002 p.13). 10 V. Risk Assessment Results The following risk scenarios were developed based on researched threats and vulnerabilities for the Lewistown, Pennsylvania Amtrak Station. 1. 2. 3. 4. 5. Severe weather causes damage to station and track Spread of harmful pathogens among passengers Hijacking of train or robbery occurring on or near the train Unsafe staff operation of trains Unsafe passenger environment 11 A. Threat/Vulnerability Pairs A threat is defined as the potential for exercise, either accidentally or intentionally, of a specific vulnerability. A vulnerability is defined as a flaw or weakness in a system’s security procedures, design, implementation, or internal controls that could be exercised, either accidentally or intentionally, and result in a security breach or a violation of the system’s security policy (Stoneburner, et al., 2002). Risk Scenario #1’s vulnerability is the limited durability of Amtrak track and station infrastructure against severe weather and natural disasters. Risk Scenario #2’s vulnerability is that passengers do not follow proper hygiene precautions and procedures. Risk Scenario #3’s vulnerability is the limited Amtrak prevention measures against hijacking and robbery. Risk Scenario #4’s vulnerability is the unsafe procedures and human error of staff members. Scenario #5’s vulnerability is the lack of physical security at Amtrak stations and tracks. Attachment 4 contains a detailed vulnerability analysis which summarizes vulnerabilities and their associated sources, and actions from the protector’s point-of-view (POV). 12 B. Existing Risk Controls To protect against a number of natural and human threats, the U.S. Department of Transportation has implemented a safety-critical train control system. Figure 6 shows a simple Train Protection Warning System (TPWS) that monitors speed relative to other traffic. Figure 6: Simple Train Protection Warning System (Mokkapati, Tse, & Rao, 2009, p. 91) The TPWS’s main function is to supervise train controls in order to relay alerts and warnings back to the train’s operator. This system is used on active train lines to prevent signals passed at danger (SPADs). The system sends out alerts that trains receive when they pass stop signals without the required authorization, or rather commit a SPAD. This system links the train and base stations together to provide each with important information such as current speed, distance to closest trains, rotational speeds, etc. However, this system is not the only control measure and is used in cooperation with the train’s conductor (Mokkapati, et al., 2009). 13 C. Likelihood: Discussion and Evaluation Likelihood is the first important factor which must be considered in order to quantify risk. Likelihood refers to the probability of each vulnerability being exploited. In this risk assessment, the likelihood of each risk scenario was rated on a scale from one to five, with five being a very high likelihood, and one being a very low likelihood. The likelihood of severe weather causing damage to the station or track is rated as a ‘one’ or rather ‘rare’, because it would take an rare natural disaster such as a tornado or earthquake to cause considerable damage. Only routine wear and tear would be suffered as a result of ordinary severe weather such as a thunderstorm. The likelihood of the spread of harmful pathogens among passengers is rated as a ‘four’ or rather ‘likely’, because it is very easy to spread common illnesses such as the common cold in public places. The spread of illness is even more likely in places where persons are in close proximity with one another and are enclosed, such as a train. The likelihood of the train being hijacked or a robbery occurring is rated as a ‘two’ or rather ‘unlikely’. This is because trains are not an ideal target for either crime. A robbery is complicated with many potential witnesses and intervention by fellow passengers. The hijacking of a train requires considerable planning and force, with little opportunity to escape. Furthermore, Amtrak Police serves to deter crime at its various stations and on its trains. The likelihood of unsafe operation of trains by Amtrak staff is rated as a ‘three’ or rather ‘possible’. This is because human error is a vast source of error in all systems, including train transportation. There are numerous situations in which a reckless, negligent, or simply incompetent staff operation of the train could occur. The likelihood of an unsafe passenger environment is rated as a ‘four’ or rather ‘likely’. This is because there is a rather large gap in at the physical security of stations and tracks in particular. Amtrak stations are only selectively and periodically patrolled by police, and the tracks and trains themselves are typically left unguarded by Amtrak police while trains are in transit. Attachment 5 contains a table summary of the likelihood associated with each risk scenario. 14 D. Impact: Discussion and Evaluation Impact is the second important factor which must be considered in order to quantify risk. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of vulnerability. In this risk assessment, the impact of each risk scenario was rated on a scale from one to five, with five being a very high impact, and one being a very low impact (Stoneburner, et al., 2002). The impact rating of severe weather causing damage to the station and track is a ‘two’ or rather a ‘considerable to indefinite travel delay’. This is because damage to a station or track delays train service. Depending on the extent of the damage there could be a moderate or indefinite delay to train travel. This risk scenario was not rated as a ‘three’ because modern weather and news capabilities make it easy for all regions to be aware of natural disasters. These capabilities allow Amtrak to be aware of natural disasters which could cause major track damage and thus injury to passengers. The impact rating of the spread of harmful pathogens among passengers is a ‘three’ or rather a ‘minor injury’ to passengers. This is because the spread of ordinary infections such as the common cold, flu, and occasionally more deadly viruses such as Ebola can collectively be considered minor. In most cases the common cold is spread and is a minor inconvenience to a passenger who is infected, but occasionally the common cold could be a detrimental illness to a very old or young passenger. A more rare but deadly disease such as Ebola could potentially cause death. Collectively however, the harmful spread of pathogens among passengers is a minor impact. The impact rating of a hijacking or robbery on the train is a ‘four’ or rather a ‘moderate to severe injury’. This is because the violent nature of a hijacking or robbery is likely to cause severe injury to a passenger. For example, this can occur when a passenger is struck so that a perpetrator can take her purse, or a passenger in a hijacking could be wounded by a gunshot in order to show that perpetrators are serious in their demands. The impact rating of unsafe staff operation of the train is a ‘five’ or rather ‘multiple serious injuries or deaths’. This is because unsafe operation of the train can lead to derailment, collision with another train, or dangerously abrupt acceleration and deceleration. All of these events can cause death or life threatening injuries. The impact rating of an unsafe passenger environment is a ‘five’ or rather ‘multiple serious injuries or deaths’. This is because an unsafe passenger environment allows for a number of hazards such as a bomb or chemical agent being planted on a station, train, or track. All of these events can cause death or life threatening injuries to passengers. Attachment 6 contains a table summary of the impact associated with each risk scenario. 15 E. Risk Rating Attachment 8 shows the final calculated risk rating of each risk scenario that is the combination of risk likelihood and risk impact. The final risk rating is on a scale of 1-25, where 25 is an extremely high likelihood risk scenario that has a very high impact if exploited. A score of 1 is a low likelihood risk scenario that has a low impact. Attachment 7 shows the risk matrix that was used to calculate the final risk scores. The risk rating was calculated by multiplying the likelihood value by the impact value for each risk scenario. Both the likelihood values and the impact values are ranged from 1-5, with 1 being the lowest impact or rare likelihood, and 5 being high impact or almost certain likelihood. Severe weather that causes damage to the track or station was given an overall risk rating of 2, which is very low. The harmful spread of pathogens among passengers due to close proximity scored a 12, which is still considered low. The risk scenario of a hijacking or robbery occurring scored a risk rating of 8, which is also considered low. Unsafe train operations due to poor staff performance scored a risk rating of 15 which is considered a medium risk level. The final risk scenario of an unsafe environment due to lack of physical security was given an overall risk rating of 20, which is considered high. 16 F. Recommended Controls When creating recommended controls for the risk scenarios, Figure 7: Probability/Impacts Quadrants, was used to determine the appropriate types of controls. Depending on the probability/impact of the risk scenario, different modes of controls can be utilized. For lowprobability/low-impact risks, the risks are accepted as controls would not be cost beneficial. For low-probability/high-impact risks, the risks should be transferred or mitigated. For highprobability/low-impact risks, the controls aim to reduce the risk likelihood. Finally for highprobability/high-impact risk scenarios, the best control aims to avoid the scenarios all together. Figure 7: Probability/Impact Quadrants (Heiser, 2010, p. 4) One of the highest rating risk scenarios is an unsafe environment that is due to a lack of physical security that opens up an avenue for possible attacks. For this risk scenario a recommended control is to explore options of physical security for the tracks and station. While many big city Amtrak stations are guarded by private security, the outlier towns have limited protections. Each station is recommended to have private security personnel on site 24/7 as well as security cameras. The tracks should also have protections such as barbed wire fences surrounding the track and possibly small station posts at track/road intersections. This control measure will avoid risks and threats from unsafe environments. In regards to the unsafe train operations due to poor staff performance, a recommended control is to install the PTC system more thoroughly throughout all trains and Amtrak lines. These controls are currently only running on high load busy tracks but need to be implemented everywhere. For the systems that this control has been installed, incident likelihoods have decreased and this control will help avoid this risk scenario (Mokkapati, et al., 2009). Furthermore, the training for employees should be greatly increased. 17 For the risk scenario that involves a harmful spread of pathogens among passengers, the recommended control is to install hand sanitizing dispensers. This control method is considered an avoid strategy that will decrease the probability of the scenario. These dispensers will be located at both the station and on the trains. The risk scenario of hijacking or robberies occurring fits into the low-likelihood/high-impact quadrant. The control for this scenario is to devise an incident response procedure to mitigate the impact. However, on-site security personnel can also be used to act quickly if the scenario occurs. The final risk scenario is for severe weather that can cause damage to the track and station. This risk scenario was only given a risk rating of 2, which is considered very low. For this risk scenario, the appropriate control is to simply accept the risk. However, a possible control is storage near the facility that contains replacement wood, windows, tracks, and related material on standby. In the event of a natural disaster, these supplies can be accessed and used to repair any damages in a timely fashion. The option of structurally reinforcing the tracks and stations would not be cost beneficial. 18 VI. Summary This risk assessment identified, quantified, and recommended controls for five risk scenarios faced by the Lewistown Amtrak Station. These scenarios include severe weather, pathogen spread, hijacking/robbery, unsafe train operation, and unsafe environment. The highest risk rating and therefore most pressing risk scenario is an unsafe environment due to a lack of physical security. The recommended risk control for this risk scenario is the installation of fences around all tracks and implementation of on-site security personnel. Refer to Attachment 9 for a complete summary of all risk scenarios, ratings, recommended controls, etc. 19 Reference List Andersson, E., Häggström, J., Sima, M., & Stichel, S. (2004, May 1). Assessment of trainoverturning risk due to strong cross-winds. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 218(3), 213-223. Retrieved September 22, 2014, from http://pif.sagepub.com/content/218/3/213.full.pdf+html Glantz, E. (2014, September 3). SRA 311 Week02: Critical Thinking. In Angel Course Management System. Retrieved October 7, 2014, from https://cms.psu.edu/section/default.asp?id=MRG-140422-142639-EJG8&goto= Heiser, J. (2010). Risk Assessment 101: What You Need to Know. Retrieved October 23, 2014, from http://goo.gl/FfxHxc Mokkapati, C., Tse, T., & Rao, A. (2009, July). Practical Risk Assessment Methodology for Safety-Critical Train Control Systems (No. DOT-FRA-ORD-09-15). Retrieved September 24, 2014, from http://permanent.access.gpo.gov/gpo22485/ord0915.pdf Nickols, F. (2004). Knowledge Management & Process Performance: Implications for Action. 2. Retrieved October 7, 2014, from http://mail.nickols.us/KM_and_Process.pdf Stoneburner, G., Goguen, A., & Feringa, A. (2001). NIST Special Publication 800-30. Risk Management Guide for Information Technology Systems. Retrieved October 18, 2014, from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems. In National Institute of Standards and Technology. Retrieved September 25, 2014, from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Sturmovik. (2009) Lewistown, PA, Amtrak Station | 1 / 2 [Photograph], Retrieved October 9, 2014, from http://wikimapia.org/5627735/Lewistown-PA-AmtrakStation#/photo/1153641 20 Vancouver Island University. (2013). Risk Management Framework. Retrieved October 22, 2014, from https://www2.viu.ca/riskmanagement/documents/July12_2013RiskManagementFramewo rk.pdf Whipp, C. (2014). Lewistown, PA PRR/Amtrak station [Photograph], Retrieved October 9, 2014, from http://static.panoramio.com/photos/large/105374606.jpg Wreathall, J., Roth, E., Bley, D., & Multer, J. (2003, July). Human reliability analysis in support of risk assessment for positive train control (No. DOT-VNTSC-FRA-03-03,). Retrieved September 21, 2014, from http://ntl.bts.gov/lib/33000/33600/33684/33684.pdf Wreathall, J., Woods, D., Bing, A., & Christoffersen, K. (2007, March). Relative risk of workload transitions in positive train control. Washington, DC: U.S. Dept. of Transportation, Federal Railroad Administration, Office of Safety and Research & Development. Retrieved September 22, 2014, from http://permanent.access.gpo.gov/gpo21449/ord0712.pdf 21 Attachment 1: Information Sheet http://pif.sagepub.com/content/218/3/213.full.pdf+html This assessment details the amount of force required by wind to cause damage or derailment. There are several factors that may cause variations in wind such as altitude changes, long flat paths, and pressure differences. http://permanent.access.gpo.gov/gpo22485/ord0915.pdf The severity of an accident can be represented by its associated damages to individuals, track, and equipment. This estimate can be used to create a more accurate risk assessment because each risk is valued not only on the likelihood but also on the resulting damage. This table shows the cost of the damages associated with a train crash. Table 1: Valued Estimations of Individual and Property Damage Type of Damage Cost Injuries $1,500,000 Fatalities $3,000,000 Property Damages by a Low Speed Collision/Derailment (0-19 mph) $2,500,000 Property Damages by a Medium Speed Collision/Derailment (20-49 mph) $5,000,000 Property Damages by a High Speed Collision/Derailment (50+ mph) $10,000,000 http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Appendix B of NIST 800-30 provides a sample risk assessment report outline. This provides the appropriate structure and content for this risk assessment. http://ntl.bts.gov/lib/33000/33600/33684/33684.pdf Human reliability is often compared to the reliability of automated machines, however this 2003 document of human reliability analysis has found that “unsafe actions by individuals or teams can reduce the effectiveness of the defenses, thereby making the likelihood of an accident higher” (Wreathall, et al, 2003). This source points out that more often than not, humans are at fault rather than automated machines. 22 http://permanent.access.gpo.gov/gpo21449/ord0712.pdf This source by U.S. Department of Transportation provides data on the frequency of types of errors that lead to passenger train accidents. This table consists of 13 preventable accidents from 1986 - 2003. Please also note that a single accident may have several causal factors. Table 2: Causal Factors in Train Accidents Causal Factor Number Percent of Total Workload/mode transition 7 54% Expectations/situation awareness 5 38% Equipment 5 38% Distractions 5 38% Inexperience 4 31% Fitness for duty 4 31% Inattentiveness 4 31% Communications 3 23% Weather 0 0% 23 Attachment 2: Structured Analytic Results In the divergent phase the team attempted to brainstorm all possible hazards. To facilitate creativity the ideas were listed as they were thought of without any restrictive structure. Divergent Results Train derails as it arrives/departs from the station from high speeds. Train derailment caused during mode transitions. Train breaks down and is unable to start or move Train is unable to function due to employee errors Earthquake causes physical damage to track/station Storm causes physical damage to track/station Tornado causes physical damage to track/station Strong winds causes physical damage to track/station Robbery takes place on train Hijacking of train Viral Pandemic on train Incoming train crashes with stationed train Train is carrying material that is harmful to my well-being (Radioactive, Prisoners, Fugitives, Chemicals, etc.) Something located on tracks prevents arrival/departure Engine pressure build up causes an explosion 24 Convergent Results The convergent phase is used to group the unordered hazards into categories based on their nature or root cause. These categories were then ranked by their priority from highest to lowest in the following order: passenger-based hazards, train malfunctions, and employee error. Please reference below Table 3: Convergent Brainstorming Results. Table 3: Convergent Brainstorming Results 1. Passenger-Based Hazards Robbery on train Train hijacking Train is carrying harmful materials (Radioactive, chemical, prisoners, fugitives) Viral pandemic 2. Train Malfunctions 3. Employee Error Train derailment from high speeds Train breaks down and is unable to start/move Explosion from engine pressure Train derailment during mode transition Employees poorly train and unable get train moving Something left on track that prevents arrival/departure Earthquake causes damage to track/station Storm causes damage to track/station Tornado causes damage to track/station Strong Winds cause damage to track/station Incoming train crashes with stationed train 25 Attachment 3: Threat Analysis Table 4 describes the threat source, type, motivation and action for the Lewistown Amtrak Station and nearby tracks. Please note that these threats could be intentional or unintentional. This table is modeled after the table included in NIST 800-30 (2002, p. 14) Table 4: Threat-Sources, Motivation, and Threat Actions Threat Source (Type) Motivation Threat-Action Hazardous weather (Natural) Natural pressure differences Strong winds/hard rain/lightning Tectonic plates (Natural) Natural movement Earthquakes Pathogens (Human) Dense population arrangement, poor hygiene Pathogen spreading between passengers People on-board (Human) Malicious needs, terrorism Adversaries cause physical harm to passengers or take control of the train Excessive speed (Human) Poor regulations/safety controls Train derailment Staff Members (Human) Poor employee training, disregard of controls/maintenance Train unable to move, breaks down, or gets damaged Other trains (Environmental) Poor or lack of safety controls Train on train collision Objects on tracks (Environmental) Misplaced, or intentionally left Object prevents incoming or outgoing train, causing delays 26 Attachment 4: Vulnerability Analysis Table 5 summarizes the possible vulnerabilities in the train station and tracks, as well as the source and vulnerability-actions from the passengers’ perspective. This table is modeled after the table included in NIST 800-30 (2002, p. 15-16). Table 5: Vulnerability Source and Vulnerability-Action Vulnerability Source Vulnerability-Action Tracks/station are not built for handling severe weather or earthquakes Tectonic plates and hazardous weather Tornado/strong winds/earthquakes occur that cause damage to tracks/station Passengers do not follow proper hygiene precautions and procedures Pathogens Infected passengers or harmful supplies infect other passengers/employees Limited hijacking/robbery prevention measures Passengers/terrorists Adversaries/terrorists rob/hijack the passengers on the train Unsafe staff procedures Staff members Short cuts are made that lead to damage of train, derailment, or train on train collisions Lack of physical security Adversaries or careless workers Objects are left on the tracks that prevent incoming and out-going trains 27 Attachment 5: Risk Scenario Likelihood Table 6 shows the likelihood of each risk scenario for the Lewistown Amtrak Station and nearby tracks. The risk scenario is a combination of the threat source and vulnerability. Table 6: Risk Scenario and Likelihood Analysis Risk Scenario Likelihood (15) Severe weather causes damage due to limited durability of track/station 1 Harmful spread of pathogens among passengers due to close proximity required by train travel 4 Hijacking or robbery occurs due to limited prevention measures 2 Unsafe train operation due to poor staff performance 3 Unsafe environment due to lack of physical security 4 Table 7 shows the descriptions associated with the selected likelihood values. These descriptions were formulated for this report and are not generalized for all likelihood analyses. Table 7: Likelihood Values and Descriptions (Vancouver Island University, 2014) Descriptor Likelihood Value Rare (Less than 5%) 1 Unlikely (5-25%) 2 Possible (25-55%) 3 Likely (55-90%) 4 Almost Certain (90-99%) 5 28 Attachment 6: Risk Scenario Impact Table 8 rates the impact of each of the risk scenarios on a scale of 1-5. Each risk scenario is described by the vulnerability being used and its impact rating. Table 8: Risk Scenario and Impact Analysis Risk Scenario Threat/Vulnerability Impact Severe weather causes damage due to limited durability of track/station Severe weather damaging the track and station 2 Harmful spread of pathogens among passengers due to close proximity required by train travel Infectious pathogens spreading between passengers 3 Hijacking or robbery occurs due to limited prevention measures Adversaries hijack or rob unprotected trains 4 Unsafe train operation due to poor staff performance Unsafe train staff and operations causing severe accidents or damage 5 Unsafe environment due to lack of physical security Lack of physical security protecting the track and station 5 Table 9 shows the descriptions associated with the selected impact values. These descriptions were formulated for this report and are not generalized for all impact analyses. Table 9: Impact Values and Descriptions Impact Descriptor Impact Rating Minor travel delay 1 Considerable to indefinite travel delay 2 Minor injury 3 Moderate to severe Injury 4 Multiple deaths / serious Injury 5 29 Attachment 7: Risk Matrix A risk matrix will be used to evaluate risk impacts and likelihoods. Each axis includes a numeric scale so that comprehensive scores can be calculated by using products (please refer back to Table 7 and Table 9 for a description of each likelihood and impact numeric). For example, if the impact is scored as a three and the probability is scored as a five, the overall severity score is fifteen. Each cell is ranked by a very low, low, medium, high, or critical risk severity category. The categories are based on the following ranges of risk severity scores: very low 1-5, low 6-10, medium 11-15, high 16-20, and critical 21-25. In addition to their calculated score, these categories are also designated by green, yellow, orange, red, and purple respectively. Please reference Figure 8: Risk Matrix, below. Figure 8: Risk Matrix 30 Attachment 8: Risk Rating The risk rating is the final value that describes the relationship between likelihood and impact. This is used when prioritizing risks and sorting scenarios by their overall risk level. Table 10 describes the final risk rating associated with the selected risk scenarios. The final risk rating was calculated by multiplying the likelihood value by the impact value. The likelihood and impact values were provided in Table 6 and Table 8 respectively. Table 10: Risk Rating of Scenarios by Likelihood and Impact Risk Scenario Likelihood Impact Risk Rating Severe weather causes damage due to limited durability of track/station 1 2 2 (Very Low) Harmful spread of pathogens among passengers due to close proximity required by train travel 4 3 12 (Medium) Hijacking or robbery occurs due to limited prevention measures 2 4 8 (Low) Unsafe train operation due to poor staff performance 3 5 15 (Medium) Unsafe environment due to lack of physical security 4 5 20 (High) 31 Attachment 9: Summary Table Table 11 summarizes the selected risk scenarios as well as the associated recommended controls. The recommended controls are broken into the action priority, required resources, party responsible for control implementation, and any maintenance that may be required for the control. Table 11: Summary Table of Risk Scenarios and Recommended Controls Risk Scenario Risk Rating Recommended Control Action Priority Required Resources Responsible Party Maintenance Requirement Severe weather causes damage due to limited durability of track/station 2 (Very Low) None, accept the risk Low Tracks, concrete, wood, windows, labor, contractor Property Owner Reconstruct building/track if event occurs Harmful spread of pathogens among passengers due to close proximity required by train travel 12 (Medium) Hand sanitizing dispensers Medium Hand sanitizing wall dispensers, labor, sanitizer bags Property Owner Refill dispensers Hijacking or robbery occurs due to limited prevention measures 8 (Low) On-site security personnel, incident response procedures Low Documents, security employees Security team, Transit police N/A Unsafe train operation due to poor staff performance 15 (Medium) PTC system implemented more thoroughly, better policies and training Medium Circuitry, manuals, documents, labor, contractors Property Owner, Training management PTC system maintenance as needed Unsafe environment due to lack of physical security 20 (High) Install fences around tracks, onsite security personnel High Fences, contractors, security employees, contracts, labor Property owner Maintenance on fences if damaged 32 GRADING RUBRIC Peer Reviewer: Assign total points here for composition, contribution, subject knowledge and APA citations. Write specific comments into student’s paper. Section _________ st 1 Author Name (Print): __________________ 2nd Author Name (Print): __________________ 1st Peer Reviewer Name (Print): ________________ 2nd Peer Reviewer Name (Print): ________________ Peer Reviewer Points Max Possible Points 25 25 25 15 (blank) 10 (blank) 100 Instructor Total Points Item Composition - Business professional writing with no grammatical or spelling errors. Contribution - Improves class learning by providing new information or approach to topic under discussion. Subject Knowledge - Knowledge of course content is illustrated by integrating concepts into the essay. Does it appear that you know what you are writing about? Are you aware of aspects of this covered in class? Captions, References and APA Citations - Reference to article, book, or magazine where new information or approach is provided, and appropriate citation in text. Must follow APA format!!! In-Text Cite: Includes author/year, sometimes page number Reference List: Each single-spaced with hanging indent, doublespace between citations Captions: Tables/ figures must include complete captions with citation In-class peer review - Thorough and complete with specific comments (i.e. NOT "good job" or "great opening") for what has been done well or what could be done to improve the paper Total INSTRUCTOR/LA GRADER INITIALS ________ 33
