Designing Mass Transit Security
© 2008 FrontLine Security (Vol 3, No 2)

Across Canada, mass transit systems are the lifeblood of our cities, with ever-increasing numbers of commuters using them daily. They are also vulnerable to a variety of natural and man-made disasters – ranging from floods, fires and earthquakes, to terrorist attacks. Guarding against widespread disruption, and mitigating the effects of disasters when they strike, requires a well-designed and resilient command and control system. This article presents the basic security principles used in designing or renovating command and control (C2) systems for mass transit. Recent experience with such a project, involving the Montréal subway Le Métro, will illustrate these principles.

The detailed work involved in designing and building C2 systems for mass transit is covered in a number of excellent codes and standards, issued by both NFPA (NFPA 130, for example) and our own Canadian Standards Association. However, it is very useful to go “back to the basics” when looking at the C2 challenges of something as complex as a mass transit system. Five security principles are offered as guidelines in this case:

  • Design redundancy in systems.
  • Separate Main from Alternate Control Centres.
  • Layer security, both physical and electronic.
  • Provide timely “Situational Awareness.”
  • Design capacity for growth or enhancement to face additional threats.

Redundant Systems
Redundant systems that ensure continuity of service are common in many fields of endeavour – from NASA to power grids. In the case of command and control of mass transit, redundancy is achieved both by using a number of alternate means of communication and by ensuring that there are multiple paths for each of these communication channels. For example, Le Métro in Montréal uses both underground radio and telephone systems for voice communication between stations and its two control centres. Each of these systems can act as a back-up for the other, should there be a system-wide failure in either. There is also provision for re-routing within both systems if only a portion of the network is damaged. This ensures that no disruption occurs in voice communication between stations and control centres in the event of an emergency. In the highly unlikely circumstance that both telephone and radio are knocked out, there remains a separate Public Address system in all stations, and both command centres, that can be used to communicate with passengers and staff.

A similar approach was taken for data transmission. As shown in Figure 1, double linkages to each of the control centres effectively provide a total of four parallel paths for information flow. Should one of the two control centres be knocked out, two ways remain for data to be transmitted across the system.

Separate Control Centres
Clearly, both the main and back-up control centre should be fully equipped to handle all daily transit operations as well as emergency response. It is also vital to have enough geographical separation between the two such that an attack or other disaster will not shut down both centres at the same time. Exactly how far apart the two centres should be is of course dependent on the local situation, but a good way to determine this distance is to analyze the effects of a variety of events such as bomb blasts, gas main leaks, fires, and floods on one of the control centres. Once the radius of these effects is calculated, a safe location for the other control centre can be determined.

Layering of Security
This aspect of mass transit security deals primarily with the threat of terrorist or criminal attack rather than a catastrophic natural event. Successful protection of a mass transit system must include both physical and cyber security, since modern transit operations are regulated electronically.

Whether physical or electronic, the concept of layered protection applies: there must be a number of lines of defense around key assets.

Electronically, a combination of password protection, encryption, firewalls and network intrusion detection systems should be used to complicate life for anyone attempting a cyber attack. The principle is to closely guard any access to the network, and trigger alarms the moment any unauthorized entry is detected.

Similarly, key physical locations should have a single point of entry, robust identification and access control, and an airlock system, or equivalent, to provide a further check on individuals seeking access.

Protection against blast and fire is another consideration. If the control centre is vulnerable enough, terrorist or criminal organizations may simply choose a cruder means of disabling it through explosives. Therefore, blast walls, fire-resistant materials and the actual design of the control centre itself – such as locating it underground with an independent power supply – are important elements in ensuring the survival and continued operation of the control centre in the event of an attack. A model of such a control centre is shown in Figure 2.

Situational Awareness
This term, in the context of mass transit security, refers to being fully aware at all times of possible disruptions to the system, whether caused by deliberate action or accident.

Comprehensive surveillance systems, good communications with emergency and police services, and a clear, regularly updated picture of current threats, are the cornerstones of good situational awareness.

Situational awareness ideally means the ability to anticipate and prevent an attack or disruption, but it also must be maintained in the aftermath of such occurrences. The tragic 2005 attacks on the London transit system clearly show how critical situational awareness is. In hindsight, it is easy to argue, as with 9/11, that these attacks could have been foreseen. The debate over that issue (including many improbable theories) will likely continue for years; however, it is in the aftermath of 7/7 that we can learn some lessons about situational awareness.

The quick response of emergency, fire and police services was essential in calming the public and mitigating the effects of these attacks. This was due, in large part, to the emphasis London transit authorities placed on working closely with these services. The legacy of 30 years of IRA bombings in London, including the 18 February 1996 suicide bombing of a double-decker bus, meant that the transit authorities were in many ways ‘battle-hardened.’ The response to these attacks was swift and comprehensive, as was the alerting of all other transit systems across the UK. Had there been a wider plan to disrupt the entire country, this swift reaction would have saved many lives; as it was, it helped to strengthen the determination of Britons in general, and Londoners in particular, to carry on with their lives in spite of these attacks.

This is the goal of situational awareness; terrorism feeds on ignorance and fear, so the faster the actual situation is determined, assessed, and dealt with, the faster the transit system and the general population can return to normal. The whole system was back in operation within 24 hours. This is miraculous. Would the same occur in our big cities? We certainly hope so.

Capacity for Growth
At first glance, this may seem an odd criterion for transit security. However, it reflects the fact that we are constantly learning about new and different threats to transit systems – and each time a weakness is exposed in London, Madrid, Tokyo or elsewhere, it makes sense to enhance our level of protection in that area.

A case in point is surveillance cameras in Montréal’s Le Métro. The level of coverage across the system with approximately 1300 cameras is very good; however, the design includes the potential for adding up to 500 additional cameras for counter-terrorism purposes. There is similar room for growth in the data transmission area, and the physical design of control centres also caters to possible expansion. It is easy, and definitely cheaper, to build only the capacity that is needed today, to deal with the known threats. Unfortunately, we are compelled in these past few years to expect the unexpected. Our command, control, and especially surveillance systems, must be flexible enough to adapt to whatever new method of attack terrorists or criminal organizations decide to throw at us. Built-in growth capacity helps attain this.

Such is the strategic-level overview of some key principles to be used when dealing with the command and control of mass transit systems. I have deliberately avoided discussing specific technologies and giving detailed descriptions of the various sub-systems involved, as such considerations, though important, should be secondary to a clear understanding of the aim.

The aim, of course, is to protect Canadians by making our urban mass transit systems as resilient to terrorist attack or natural disaster as possible. Although the illustrative examples in this article refer exclusively to lessons learned while renovating Le Métro in Montréal, I think most cities are well on their way to building similar command and control systems for their transit operations. We should all try to achieve the level of response and the amazingly quick return to full operation that the London transit system accomplished in July 2005. Otherwise, if transit is indeed the lifeblood of our cities, we are in danger of a serious hemorrhage.

Peter Holt is a retired Brigadier-General and Professional Engineer who works as a Strategic Advisor for Dessau Inc. Dessau partnered with the STM in a Public-Private Partnership to renovate Le Métro.