Maryland Transit Administration (MTA) Central Control Center

AECOM performed Security Threat and Vulnerability Assessment (TVA) for the Central Control Center (CCC) of Maryland Transit Administration (MTA) in Baltimore, Maryland.  The CCC houses the operations control center for several modes of MTA transit systems including heavy rail, light rail and bus transit systems. The TVA encompassed inspection of the facility and surrounding site and neighborhood, and review of as-built design drawings and specifications, operating and maintenance procedures, encompassing multi-discipline review of structural, electrical, civil and systems engineering.  The physical site and documentation review and inspection was aimed at identifying vulnerabilities of MTA assets to a wide range of security threats. Among the systems reviewed were various voice and data communications, supervisory control and data acquisition, access control, surveillance and alarm systems, information technology and network communications.

The threat and vulnerability assessment encompassed identifying MTA assets for protection, review of their criticality to MTA operations, and quantitative ranking of each asset. Multiple threats were analyzed, encompassing a wide range of credible threats including FBI-defined crimes, terrorist acts, improvised explosive devices attacks in various delivery methods, cybersecurity attacks, internal (employee-induced) and external threats, and other credible threats. The consequences and severity of an impact as a result of one of these threats was assessed based on the impacts to MTA operations as well as to the affected population/ community. This assessment was used to determine an initial risk index.

The process was then repeated to yield a residual risk index after implementation of a comprehensive list of corrective and mitigation measures. These included a wide range of improvements including structural hardening, enhanced systems for surveillance, surveillance software analytics and alarm systems, access control, intrusion detection and alarm, redundancy in critical infrastructure for both facility and systems elements, and a wide range of procedural mitigation measures encompassing operations and maintenance for various MTA and MDOT operations and systems, information technology, network communications, and human resources and personnel protocols and procedures to mitigate internal and external threats.