UNITED24 - Make a charitable donation in support of Ukraine!

Homeland Security

Go to report table of contents

Table B-1. Effective Practices for Access Control - Transit Agency #1
Table B-2. Effective Practices for Access Control - Transit Agency #2
Table B-3. Effective Practices for Access Control - Transit Agency #3
Table B-4. Effective Practices for Access Control - U.S. Agency

Appendix B. Case Studies of Transit Security Intiatives

The following four case studies illustrate transit security initiatives. Three studies of large transit agencies examine threats, constraints, and issues that impact facility security, in particular access management. One study of a federal government agency examines how state-of-the-art security technology and detailed security procedures can keep unauthorized persons from entering a facility.

Case study researchers interviewed managers at each of the agencies and conducted an extensive literature search; sources are listed in the References appendix.

Case 1 - Transit Agency #1

Transit Agency #1 created a Terrorism/Security Task force shortly after September 11, 2001, made up of five agency managers and led by the head of security. The task force made 122 recommendations.

The agency is currently planning two small pilot programs; one with a company manufacturing chemical detection systems, the other with a research lab that uses technology to track the frequency of particulates present in subway stations. This agency is also working with an engineering firm on a cleanup system that will use electrically charged droplets, consisting of a mixture of bleach and water, for post-incident response after a chemical/biological incident or attack.

Table B-1 summarizes effective practices for access control in the OCC and rail maintenance facilities at Transit Agency #1. One key practice is training employees to be aware of threatening situations. Several community involvement programs have started to observe and report suspicious behavior occurring within the transit system. Surveillance cameras are a supplementary reporting source. In addition, all agency employees and vendors must carry and display identification badges in all agency buildings and facilities.

Another key practice is gate control. Although fences are used around the maintenance yards, there is no gate control. The transit agency police have roving patrols that cover the yard and maintenance facilities. There is also a police patrol at stations that focuses on the main system areas of the system, i.e. subways in the downtown business districts, and K-9 patrols are used throughout the system.

Table B-1. Effective Practices for Access Control - Transit Agency #1
Category Practices
Policies/Procedures Form Terrorism/Security Task Force to identify security improvements

Include representation from all departments

Ensure Police/Security Department review every new construction project to assess design aspects

Apply CPTED and SCP principles and techniques

Provide terrorism/security training for all employees

Perform periodic safety/terrorism drills

Share anti-terrorism training programs and briefings with other transit organizations
Credentials/Identification Issue identification badges to all vendors, requiring

Possession of permanent address>
Immigration clearance
Separate picture ID
Renew badges periodically

Require all employees to carry and display identification badges in all buildings

Perform background checks on all employees
Control Techniques Install fencing around maintenance yards

Emphasize need for attention to suspicious activity to all employees if gates are not controlled

Ensure police patrol all stations

Block gates' access at night, such as with a parked bus
Surveillance Install surveillance cameras throughout stations and the rest of the system

Implement "observe and report" programs with local community groups taking advantage of youth services where possible

Use K-9 patrols
Sensors Install chemical detection systems at major stations

Install biological hazard detection systems at major stations

Install sensors on trains for wider coverage
Information Processing / Systems Integration Use radio frequency technology to communicate sensor data to Control Center

Case 2 - Transit Agency #2

Transit Agency #2 uses a smart card for access control to a number of facilities, including the revenue-processing center and headquarters. The same smart card technology is also used as one form of fare collection.

Table B-2 summarizes effective practices for access control. One key practice is using a dual access control system at the agency's revenue processing facility to transition to the new smart card system. Other key practices include supplementing the smart card access control system with other measures, such as surveillance cameras, intrusion detection, security patrol activity, and employee awareness. Training is an important transit priority, along with emergency preparedness; a key practice is all employees must carry and display identification badges in all buildings and facilities.

The primary access control measure in minimizing risks in the transit paid areas is by training employees to be aware of threatening situations. This is supplemented with the use of surveillance cameras. Using smart fare cards, the movement of riders can be tracked for forensic purposes (at the risk of violating privacy).

Table B-2. Effective Practices for Access Control - Transit Agency #2
Category Practices
Policies/Procedures Use dual system to transition from present access control to new system

Use separate compartmentalized access control systems for different facilities and/or functions

Employ hardware and software methods

Use same credential (smart card) for different functions, including facility access control, parking garage access control, and transit fare collection

Use strict privacy guidelines to prevent unauthorized use of individual data

Institute training programs

Focus on emergency response measures
Credentials/Identification Use smart card as the main individual credential

Allow different levels of accessibility via smart card system

Issue smart cards to all employees
Control Techniques Use contactless radio frequency technology

Use turnstiles with smart card readers
Surveillance Install surveillance cameras at entrance and other critical locations

Use surveillance cameras for multiple functions when appropriate
Sensors Install intrusion detection system with sensors at critical locations such as on windows
Information Processing / Systems Integration Use Wiegand backbone for card management and control

Integrate the security system with the fire system (presently fire signal sent to police monitor; in the future, the fire signal will automatically bring up camera)

Case 3 - Transit Agency #3

Transit Agency #3 uses a smart card for access control to a number of facilities, including their revenue processing center, headquarters, maintenance, and repair yard and training facility. The agency also uses the smart card to access their automatic fare collection (AFC) equipment for service, repair, and security checks. The facilities and AFC application represent different compartmentalized activities. The card systems at these facilities are separate and run independently with their own computer.

Table B-3 summarizes effective access control practices at the facility and for AFC applications. One key practice is using the smart card to provide enhanced security for entering sensitive areas, such as the revenue processing facility, headquarters, and training facility, supplemented with other measures, such as surveillance cameras, barrier gates, elevator control, security patrol activity, and employee awareness. Training and emergency preparedness are also important practices. All employees are required to carry and display identification badges in all buildings and facilities. Background checks are performed on all employees and strict card recovery procedures are in place for employees who leave the agency.

Since transit systems are open systems there is only minimal control of individuals into the paid area including stations, onboard railcars, and on buses. It is these areas where people tend to congregate that a terrorist attack would be most likely. The key practice in addressing this issue is training employees to be aware of threatening situations, supplemented by surveillance cameras to respond to crises and to be used in post-incident examinations (forensics).

Table B-3. Effective Practices for Access Control - Transit Agency #3
Category Practices
Policies/Procedures Use same credential (smart card) for different functions, including facility access control and fare collection system maintenance

Use separate compartmentalized access control systems for different facilities and/or functions

Use smart card for security / integrity investigations

Recover cards when a person is discharged

Remove account numbers from computer

Impose fines for certain cards not turned in

Retrieve cards in person if necessary

Limit parking to fixed range from buildings

Institute training programs

Provide "eyes and ears" training for all employees

Provide bomb training

Use the Security Awareness Training CD from the National Transit Institute

Focus on emergency response measures
Credentials/Identification Use smart card as the main individual credential; include individuals' names and employee numbers

Allow different levels of accessibility via smart card system

Require decals on cars

Perform background checks on all employees; include financial and educational checks

Issue temporary cards

Issue paper passes with sign in / sign out and escort for short term

Use hard plastic IDs for longer term but not for employees
Control Techniques Allow only certain elevators to access sensitive floors

Require elevator-key control to access sensitive floors

Use barrier gates at sensitive facilities
Surveillance Install surveillance cameras at entrance locations

Use surveillance cameras for multiple functions when appropriate

Pilot program using cameras to monitor mouths of tunnels
Sensors Integrate state-of-the-art sensor systems through available contractors

Alarm exits of tunnels
Information Processing / Systems Integration Make sure that facility access control systems that hard-wired and self-contained

Case 4 - United States Governmental Agency

The U.S. agency case study is an example of a highly sensitive facility using state-of-the-art security technology and detailed security procedures to keep unauthorized persons from entering. The current integrated security system combines embedded Wiegand-wire technology identification credentials and readers with various barriers and perimeter security.

Table B-4 summarizes effective practices for access control at the U.S. agency. One key practice is using a layered approach to access management. All automobiles and delivery vehicles must pass through a manned perimeter-screening location. Pop-up or portable barriers are used on the access road to prevent unauthorized vehicles from simply driving past the perimeter screening.

The current access control system at the entrances to the agency's building and to the garage uses embedded Wiegand-wire access credentials. The entrances are laid out so that a person must first display their badge to security personnel for verification then present their credential to the turnstile reader for entrance to the restricted area. Persons in autos must present their credential to security personnel at the parking garage entrance for access. Visitors are first screened outside the facility, signed in by their escort, and again screened in detail by metal detectors and x-ray machines. An authorized person can then escort the visitor through the turnstiles into the secure area. Visitor badges are simple paper badges and require an authorized escort.

The U.S. agency is currently in the process of replacing the Wiegand-wire credential technology with smart card technology and a supporting access control system. The smart cards can be equipped with a microprocessor chip, a fingerprint scan biometric, a variable image, and a picture of the cardholder, and will be color-coded. The smart card will also be used for Public Key Infrastructure and computer logical access using the GSA Smart Card Interoperability Specification. These various identification devices provide redundancy in access control and allow varying levels of authentication. For example, the smart card can be used for entry at turnstiles by simply inserting the card into a reader, but a person's fingerprint will be read at an interior portal to a more sensitive area.

New visitor system badges will be magnetic stripe technology. Future procedures for escorting visitors will link the escort and the visitor in the computer system. The escorts will use their smart cards and the visitors their magnetic cards in tandem at the turnstiles for visitor entry. If readers are installed within the building at various portals, this procedure will show the movement of both the escort and the visitor.

The facility is also equipped with an extensive surveillance system. Numerous cameras observe all entry and exit points as well as the grounds, garage, and building interior. The surveillance system includes an advanced digital video monitoring system that records all video cameras at all times. The state-of-the-art system allows security personnel to control recording at the time of an incident and to review specific video after the incident.

The building is equipped with a command center that is the central point for all access management, surveillance, and intrusion detection systems, including workstations for all security sub-systems. From the command center, the appropriate staff can monitor and respond to security situations.

Another key practice is using an extensive security force at all perimeter access locations, the building entrance, visitor check-in desk, and the turnstiles. Other secured areas within the building requiring card entry may have additional security personnel.

Table B-4. Table B-4. Effective Practices for Access Control - U.S. Agency
Category Practices
Policies/Procedures Use a layered approach to security, with security measures at the perimeter, at entry/egress points, and within the facility

Implement and update thorough identification and pass procedures

Deploy extensive security force throughout the facility to augment technologies used
Credentials/Identification Use Wiegand technology for access control system (current)

Use smart card technology for employee/contractor cards, and Magnetic Stripe for visitor cards (future)

Perform background checks on all non-visitor personnel

Perform criminal background checks on visitors with the new system

Allow different levels of accessibility via smart card system
Control Techniques Use technology as primary means to verify personnel access at readers

Use visual inspection as secondary means to verify personnel access at readers

Install barriers at all entry/egress points

Use X-ray and metal detector equipment at entry/egress points

Require escorts for all visitors
Surveillance Use surveillance cameras extensively throughout facility

Use state-of-the-art digital video recording system
Sensors Implement extensive intrusion detection system throughout the facility
Information Processing / Systems Integration Arrange for dual computer system for card management and control provides, for redundancy

Designate the command center as the central point for all security systems

go to top of the page



NEWSLETTER
Join the GlobalSecurity.org mailing list