• Military
• WMD
• Intelligence

• Security Menu                     

• Systems
• Industry
• Operations
• Hot Documents
• News
• Reports
• Policy
• Budget
• Congress
• Links

• Space

Go to report table of contents

Table B-1. Effective Practices for Access Control - Transit Agency #1
Table B-2. Effective Practices for Access Control - Transit Agency #2
Table B-3. Effective Practices for Access Control - Transit Agency #3
Table B-4. Effective Practices for Access Control - U.S. Agency

Appendix B. Case Studies of Transit Security Intiatives

The following four case studies illustrate transit security initiatives. Three studies of large transit agencies examine threats, constraints, and issues that impact facility security, in particular access management. One study of a federal government agency examines how state-of-the-art security technology and detailed security procedures can keep unauthorized persons from entering a facility.

Case study researchers interviewed managers at each of the agencies and conducted an extensive literature search; sources are listed in the References appendix.

Case 1 - Transit Agency #1

Transit Agency #1 created a Terrorism/Security Task force shortly after September 11, 2001, made up of five agency managers and led by the head of security. The task force made 122 recommendations.

The agency is currently planning two small pilot programs; one with a company manufacturing chemical detection systems, the other with a research lab that uses technology to track the frequency of particulates present in subway stations. This agency is also working with an engineering firm on a cleanup system that will use electrically charged droplets, consisting of a mixture of bleach and water, for post-incident response after a chemical/biological incident or attack.

Table B-1 summarizes effective practices for access control in the OCC and rail maintenance facilities at Transit Agency #1. One key practice is training employees to be aware of threatening situations. Several community involvement programs have started to observe and report suspicious behavior occurring within the transit system. Surveillance cameras are a supplementary reporting source. In addition, all agency employees and vendors must carry and display identification badges in all agency buildings and facilities.

Another key practice is gate control. Although fences are used around the maintenance yards, there is no gate control. The transit agency police have roving patrols that cover the yard and maintenance facilities. There is also a police patrol at stations that focuses on the main system areas of the system, i.e. subways in the downtown business districts, and K-9 patrols are used throughout the system.

Table B-1. Effective Practices for Access Control - Transit Agency #1

Category	Practices
Policies/Procedures	Form Terrorism/Security Task Force to identify security improvements Include representation from all departments Ensure Police/Security Department review every new construction project to assess design aspects Apply CPTED and SCP principles and techniques Provide terrorism/security training for all employees Perform periodic safety/terrorism drills Share anti-terrorism training programs and briefings with other transit organizations
Credentials/Identification	Issue identification badges to all vendors, requiring Possession of permanent address> Immigration clearance Separate picture ID Renew badges periodically Require all employees to carry and display identification badges in all buildings Perform background checks on all employees
Control Techniques	Install fencing around maintenance yards Emphasize need for attention to suspicious activity to all employees if gates are not controlled Ensure police patrol all stations Block gates' access at night, such as with a parked bus
Surveillance	Install surveillance cameras throughout stations and the rest of the system Implement "observe and report" programs with local community groups taking advantage of youth services where possible Use K-9 patrols
Sensors	Install chemical detection systems at major stations Install biological hazard detection systems at major stations Install sensors on trains for wider coverage
Information Processing / Systems Integration	Use radio frequency technology to communicate sensor data to Control Center

Case 2 - Transit Agency #2

Transit Agency #2 uses a smart card for access control to a number of facilities, including the revenue-processing center and headquarters. The same smart card technology is also used as one form of fare collection.

Table B-2 summarizes effective practices for access control. One key practice is using a dual access control system at the agency's revenue processing facility to transition to the new smart card system. Other key practices include supplementing the smart card access control system with other measures, such as surveillance cameras, intrusion detection, security patrol activity, and employee awareness. Training is an important transit priority, along with emergency preparedness; a key practice is all employees must carry and display identification badges in all buildings and facilities.

The primary access control measure in minimizing risks in the transit paid areas is by training employees to be aware of threatening situations. This is supplemented with the use of surveillance cameras. Using smart fare cards, the movement of riders can be tracked for forensic purposes (at the risk of violating privacy).

Table B-2. Effective Practices for Access Control - Transit Agency #2

Category	Practices
Policies/Procedures	Use dual system to transition from present access control to new system Use separate compartmentalized access control systems for different facilities and/or functions Employ hardware and software methods Use same credential (smart card) for different functions, including facility access control, parking garage access control, and transit fare collection Use strict privacy guidelines to prevent unauthorized use of individual data Institute training programs Focus on emergency response measures
Credentials/Identification	Use smart card as the main individual credential Allow different levels of accessibility via smart card system Issue smart cards to all employees
Control Techniques	Use contactless radio frequency technology Use turnstiles with smart card readers
Surveillance	Install surveillance cameras at entrance and other critical locations Use surveillance cameras for multiple functions when appropriate
Sensors	Install intrusion detection system with sensors at critical locations such as on windows
Information Processing / Systems Integration	Use Wiegand backbone for card management and control Integrate the security system with the fire system (presently fire signal sent to police monitor; in the future, the fire signal will automatically bring up camera)

Case 3 - Transit Agency #3

Transit Agency #3 uses a smart card for access control to a number of facilities, including their revenue processing center, headquarters, maintenance, and repair yard and training facility. The agency also uses the smart card to access their automatic fare collection (AFC) equipment for service, repair, and security checks. The facilities and AFC application represent different compartmentalized activities. The card systems at these facilities are separate and run independently with their own computer.

Table B-3 summarizes effective access control practices at the facility and for AFC applications. One key practice is using the smart card to provide enhanced security for entering sensitive areas, such as the revenue processing facility, headquarters, and training facility, supplemented with other measures, such as surveillance cameras, barrier gates, elevator control, security patrol activity, and employee awareness. Training and emergency preparedness are also important practices. All employees are required to carry and display identification badges in all buildings and facilities. Background checks are performed on all employees and strict card recovery procedures are in place for employees who leave the agency.

Since transit systems are open systems there is only minimal control of individuals into the paid area including stations, onboard railcars, and on buses. It is these areas where people tend to congregate that a terrorist attack would be most likely. The key practice in addressing this issue is training employees to be aware of threatening situations, supplemented by surveillance cameras to respond to crises and to be used in post-incident examinations (forensics).

Table B-3. Effective Practices for Access Control - Transit Agency #3

Category	Practices
Policies/Procedures	Use same credential (smart card) for different functions, including facility access control and fare collection system maintenance Use separate compartmentalized access control systems for different facilities and/or functions Use smart card for security / integrity investigations Recover cards when a person is discharged Remove account numbers from computer Impose fines for certain cards not turned in Retrieve cards in person if necessary Limit parking to fixed range from buildings Institute training programs Provide "eyes and ears" training for all employees Provide bomb training Use the Security Awareness Training CD from the National Transit Institute Focus on emergency response measures
Credentials/Identification	Use smart card as the main individual credential; include individuals' names and employee numbers Allow different levels of accessibility via smart card system Require decals on cars Perform background checks on all employees; include financial and educational checks Issue temporary cards Issue paper passes with sign in / sign out and escort for short term Use hard plastic IDs for longer term but not for employees
Control Techniques	Allow only certain elevators to access sensitive floors Require elevator-key control to access sensitive floors Use barrier gates at sensitive facilities
Surveillance	Install surveillance cameras at entrance locations Use surveillance cameras for multiple functions when appropriate Pilot program using cameras to monitor mouths of tunnels
Sensors	Integrate state-of-the-art sensor systems through available contractors Alarm exits of tunnels
Information Processing / Systems Integration	Make sure that facility access control systems that hard-wired and self-contained

Case 4 - United States Governmental Agency

The U.S. agency case study is an example of a highly sensitive facility using state-of-the-art security technology and detailed security procedures to keep unauthorized persons from entering. The current integrated security system combines embedded Wiegand-wire technology identification credentials and readers with various barriers and perimeter security.

Table B-4 summarizes effective practices for access control at the U.S. agency. One key practice is using a layered approach to access management. All automobiles and delivery vehicles must pass through a manned perimeter-screening location. Pop-up or portable barriers are used on the access road to prevent unauthorized vehicles from simply driving past the perimeter screening.

The current access control system at the entrances to the agency's building and to the garage uses embedded Wiegand-wire access credentials. The entrances are laid out so that a person must first display their badge to security personnel for verification then present their credential to the turnstile reader for entrance to the restricted area. Persons in autos must present their credential to security personnel at the parking garage entrance for access. Visitors are first screened outside the facility, signed in by their escort, and again screened in detail by metal detectors and x-ray machines. An authorized person can then escort the visitor through the turnstiles into the secure area. Visitor badges are simple paper badges and require an authorized escort.

The U.S. agency is currently in the process of replacing the Wiegand-wire credential technology with smart card technology and a supporting access control system. The smart cards can be equipped with a microprocessor chip, a fingerprint scan biometric, a variable image, and a picture of the cardholder, and will be color-coded. The smart card will also be used for Public Key Infrastructure and computer logical access using the GSA Smart Card Interoperability Specification. These various identification devices provide redundancy in access control and allow varying levels of authentication. For example, the smart card can be used for entry at turnstiles by simply inserting the card into a reader, but a person's fingerprint will be read at an interior portal to a more sensitive area.

New visitor system badges will be magnetic stripe technology. Future procedures for escorting visitors will link the escort and the visitor in the computer system. The escorts will use their smart cards and the visitors their magnetic cards in tandem at the turnstiles for visitor entry. If readers are installed within the building at various portals, this procedure will show the movement of both the escort and the visitor.

The facility is also equipped with an extensive surveillance system. Numerous cameras observe all entry and exit points as well as the grounds, garage, and building interior. The surveillance system includes an advanced digital video monitoring system that records all video cameras at all times. The state-of-the-art system allows security personnel to control recording at the time of an incident and to review specific video after the incident.

The building is equipped with a command center that is the central point for all access management, surveillance, and intrusion detection systems, including workstations for all security sub-systems. From the command center, the appropriate staff can monitor and respond to security situations.

Another key practice is using an extensive security force at all perimeter access locations, the building entrance, visitor check-in desk, and the turnstiles. Other secured areas within the building requiring card entry may have additional security personnel.

Table B-4. Table B-4. Effective Practices for Access Control - U.S. Agency

Category	Practices
Policies/Procedures	Use a layered approach to security, with security measures at the perimeter, at entry/egress points, and within the facility Implement and update thorough identification and pass procedures Deploy extensive security force throughout the facility to augment technologies used
Credentials/Identification	Use Wiegand technology for access control system (current) Use smart card technology for employee/contractor cards, and Magnetic Stripe for visitor cards (future) Perform background checks on all non-visitor personnel Perform criminal background checks on visitors with the new system Allow different levels of accessibility via smart card system
Control Techniques	Use technology as primary means to verify personnel access at readers Use visual inspection as secondary means to verify personnel access at readers Install barriers at all entry/egress points Use X-ray and metal detector equipment at entry/egress points Require escorts for all visitors
Surveillance	Use surveillance cameras extensively throughout facility Use state-of-the-art digital video recording system
Sensors	Implement extensive intrusion detection system throughout the facility
Information Processing / Systems Integration	Arrange for dual computer system for card management and control provides, for redundancy Designate the command center as the central point for all security systems

go to top of the page