Developing key standards for rail security at ProRail
Posted: 20 February 2013
ProRail, the Dutch Rail Infrastructure Manager, has recently developed standards for rail security: risk-based, all-hazard and fit for an open system. What were the considerations to develop a dedicated set of standards, which methodology is used and what will be the way forward?
The government policy for rail security in the Netherlands is to integrate safety and security. This government policy was published in 2010 and is valid for the period until 2020 [2]. The security approach was developed in cooperation between the government and the railway sector. The policy focuses on common principles, a common methodology, clear responsibilities of the government and the railway sector and specific targets for the period until 2015. An evaluation in 2015 could lead to additional targets for both government and the railway sector.
A national policy was developed because there is no European or international legislation for railway security. Specific standards are not available. There was a need to clarify positions and expectations of the government and the railway sector. The legislation and standards for maritime and aviation security are not fit for use for railways because of major differences: an open (rail) versus closed system (maritime and aviation), essential differences in the processes and of course differences in hazards and threats, in type of incidents and in responsibilities. The policy supports the railways in focusing their approach for security. It does not prescribe what to do in terms of measures.
The approach on security was mainly focused on specific incidents that will cause disruptions within operations. Compared to other types of hazards, security does not score high in terms of probability and effects. Therefore the focus on security was limited. Hazards and threats were managed from a practical point of view. The approach is not based on a specific methodology. Managing security is purely seen as a major cost driver for the organisation. There is awareness of positive long-term effects in terms of a reduction of dispunctuality and of satisfaction among staff, passengers and shippers. In the short term, the effects on investment might look substantial. If the implementation is spread over one or two decades the costs for an integrated security approach are relative.
The development of a national security policy started after the National Coordinator of Counterterrorism launched its National Alert System. This system is focused on protecting the highest-risk objects in vital sectors against terrorism. Vital objects in the Dutch Rail Infrastructure became part of this alert system [3]. The principle behind the system is simple. It concentrates on four levels of preparation: a baseline and three threat levels (light, medium and high). For all of these levels it is expected that vital infrastructures should prepare appropriate measures. The measures in each of the three threat levels are related to the type of attacks that were expected. But how are these baselines defined? And, after being prepared for the three threat levels, the question had to be answered: is only a focus on low probability/high effects incidents (i.e. terrorism and sabotage) enough? What is really needed for the preparation of all kinds of security hazards and threats?
The first step was to define security: “All measures and features to protect the assets against identified security threats and incidents, caused by human behaviour and acting, that can possibly affect the state, nature or functionality of any object, process, policy, information or integrity of staff.” We do realise that this is quite a broad definition. In fact it is all about “human behaviour, conscious or unconscious, that can affect the rail system in any way”. This definition includes, for example, suicides and also intentional behaviour to cause damage.
The second step was to make the Board aware of the level of risk of the different security hazards. This was ensured by an integrated risk management process based on Enterprise Risk Management. All types of security incidents were plotted in a risk matrix and scored in green, yellow or red. Based on the principles behind the safety and security management system (SMS) red risks should have the attention of the Board, yellow risks should be solved by the business units and green risks can be part of the continuous improvement in the daily process. We realised that the management of security hazards differs from safety management. If the focus is only on one specific ‘red’ risk and not on the other security risks, inefficiency and ineffectiveness can be the result. An integrated approach focused on the implementation of lines of defence for all identified security incidents for the different types of assets promises to be more effective and efficient. We developed a matrix for all different types of assets within the responsibility of the Rail Infrastructure Manager to have an overview of these types of risks.
The third step was based on awareness of staff and the public. A focus on technical and technological solutions would not be sufficient to manage the risks. We realised that without proper awareness and training or a security organisation we will never reach the level of being ‘in control’. From a financial perspective it is also a ‘win-win’ situation. Organising training and awareness is relatively low-cost, whereas the presence of security personnel is very expensive and not always effective.
The fourth step was the consideration that, based on consequences for business continuity and the attractiveness of the objects within the rail system, there is a need for differentiated baseline measures. For example, major stations versus small stations in the region. We developed criteria that influence the effect on business continuity and that are important to judge the attractiveness of the objects. Each criterion corresponds with a score. Every object is scored on these criteria and based on the number of points it is categorised in one of the three levels. Basic security level 0 as baseline (approximately 80%), basic security level 1 as intermediate (15%) and level 2 (5%) as the maximum.
For every asset, a dedicated set of measures is defined, based on the identified security hazards, the risk appetite, the offender profile and the identified modus operandi: level 0 with a minimum and level 2 with the highest level of measures. Specific measures in times of threat for terrorism are not included in these basic levels. It is ensured that the basic level measures can be increased quite easily to the specified level in terms of threat as defined by our National Coordinator of Counterterrorism.
These baselines, together with the specified procedures and protocols, are the basis for an object manager to assess the specific situation of any object that should be judged. To guide this manager through all relevant questions a manual was developed.
The fifth step was to build a security catalogue with the following four volumes:
● Part One: the strategic part; philosophy, methodology, approach, risk appetite and objectives
● Part Two: determination of security risks, incident scenarios, offender profiles, relevance for different types of assets. Also the development of the method for basic security levels
● Part Three: specifications for awareness and training, general protocols and procedures and the design of security measures for every type of asset
● Part Four: guideline for object managers how to define the specific measures for an object.
Based on the outcome, the Board will discuss an implementation plan. The proposals will focus on those objects scoring in the highest basic security level. In some years, measures and features shall be implemented for these objects. Measures will be integrated in design rules and will be implemented when assets are maintained, renewed or newly built. The policy will lead to a step-by-step improvement of the management of security. When there are specific threats, like metal theft, dedicated measures will be taken. All other relevant security hazards will be taken into account when identifying the necessary measures.
With this standard, a baseline for security measures within the rail system is set. It is a ‘risk based all hazards’ approach. By defining three levels of basic security levels that focus on the effects of business continuity and the attractiveness of the object, we are taking responsibility.
As a member of the European Rail Infrastructure Managers, we will share our experiences and learn from others to improve our approach. The principles behind this methodology can be easily transferred to others: infrastructure managers, railway undertakings or other sectors in public transport. On a European level, preconditions can be set or created to implement the underlying risk-based approach and to share best practices among the participants.
References
1. The methodology described is based on a model developed by the consultancy firm Vertas: www.vertas.nl
2. http://www.government.nl/documents-and-publications/reports/2012/12/10/the-railways-safety-of-transport-safety-of-work-and-safety-of-life.html
3. PSJ developed a dedicated application for defining the most important objects: The Objective Ranking Tool (ORT). See http://www.psjadvies.nl/ort-en.html based on the thesis http://www.psjadvies.nl/information.html
Biography
Peter Prak has worked at ProRail since 1983. He was appointed as Program Manager for Security in 2006. Peter developed the security model for the Dutch rail infrastructure. He graduated in 2009 with a Master of Security Science and Management from Delft University where he developed a scientifically based model to allocate high-risk objects related to terrorism. In his own consultancy, PSJ, Peter offers this Objective Ranking Tool (ORT) as a general decision support tool. Peter is also a functional specialist in public safety and security at 1 CMI Command in the Dutch Army.