• Updating Your Security Capabilities, Policies and Protocols to Handle Teleworking Employees

    Presented as part of ABA’s BISC & BusMARC 2021 Virtual Safety & Maintenance Series

    The American Bus Association’s Bus Industry Safety Council (BISC) and Bus Maintenance Repair Council’s (BusMARC) 2021 Virtual Safety & Maintenance Series offered a sequence of educational webinars early this year, covering a variety of industry-related topics. As part of their ongoing educational webinar series, the ABA hosted a virtual meeting with presenters Lee Allen, a Surface Division Cybersecurity Lead with the TSA’s Office of Security Policy & Industry Engagement/Surface Division, and Benjamin Gilbert, a cybersecurity advisor with the Cybersecurity and Infrastructure Security Agency (CISA).

    Formed in 2018 as the newest federal agency under the Department of Homeland Security, CISA’s mission is simply, but broadly, to lead the national effort to understand and manage risk to the nation’s critical infrastructure. Because of this, CISA is often considered the nation’s risk advisor. The agency’s motto is “Defend Today and Secure Tomorrow.”

    “When looking at today’s risk landscape, as the nation’s risk advisor at CISA, we can do more to advance the national risk management agenda than any other single place in the U.S. government right now,” Gilbert explained. “Particularly now, it is important to understand that for critical infrastructure – whether with transportation, financial services, law enforcement, healthcare providers, retail, or virtually any other industry – risk of cyber-attacks has increased. And that risk of cyber-attacks carries with it an increased risk of operational impacts as well.”

    Methodology of a Cyber Attack

    Our world today has forced many organizations, large and small, to move toward a remote working operating environment in order to maintain their operations. Moving toward a new hybrid or remote-only operating environment adds new technology and complexity to the current operating environment. These newly added technologies increase the attack surface.

    According to Gilbert, migrating to remote operations means organizations are now becoming more reliant on technology for day-to-day operations. With widespread disruptions, utilizing this technology means a potentially greater impact to operations.

    “When you are looking at today’s threat landscape and understanding the different cybersecurity threats that are out there, it is important to understand that it’s no longer the ‘kid in the basement,’” Gilbert said. “It’s really more of a sophisticated team of cybersecurity experts and hackers that carry out a cyber-attack in a very methodical way.”

    Gilbert explained that, regardless of what type of cyber-attack you might be dealing with, all attacks generally flow through a single methodology, almost always starting with external reconnaissance.

    “There are a variety of tools out there, including social networking sites, that are used to gather as much open-source intelligence and then build a profile of any given targeted organization,” Gilbert explained. “Once they gather enough information, they carry out their initial attack, their initial compromise. Roughly 90 percent of the time, that compromise comes through a phishing email. It is essentially a social engineering attack through digital means.”

    Once the victim or would-be employee in that organization clicks on a link or malicious file and starts the initial compromise, the threat actor then works to escalate permissions, establish a foothold, and maintain a presence on that workstation. From there, they pivot through the organization and begin conducting internal reconnaissance and network discovery, continuing to do so until they understand and learn the high-value assets in the organization’s operating environment.

    Once they understand those high-value assets in the operating environment and have gathered enough information, they then work to complete their mission – either through data exfiltration or ransomware attack.

    “It doesn’t matter whether it is a very sophisticated cyber-attack or just a quick and dirty cyber-attack,” Gilbert said. “The threat actors use the same methodology. It is also important to understand that these attacks can be, by and large, prevented just by carrying out very basic protective measures, or what we call ‘the essentials.’”

    Protective Measures

    You cannot protect what you do not know you have. According to Gilbert, IT security professionals in leadership should keep an inventory of all IT access – prioritizing access according to what is most critical to the organization’s operations.

    “Deploy antivirus on servers and workstations,” Gilbert said. “Even that old computer in the corner that is collecting dust and is maybe turned on once per month. Threat actors seek out those systems because they can use that as a sort of command center to pivot throughout the network.”

    Gilbert also recommends turning on logging for all network appliances, services, and servers; backing up data regularly using known, secure, well-tested, and accessible backup solutions; implementing strong patch management practices; implementing strong user management practices to include strong password policies; having a cyber incident response plan in place; implementing strong and innovative security awareness training; implementing a secure network architecture; and lastly, conducting internal audits and periodic cyber assessments – from strategic-based assessments, to risk-based assessments, to very technical and tactical-based cyber assessments.

    “Cybersecurity is everybody’s business,” Gilbert said. “Everyone in the organization should be participating in cybersecurity awareness and training. Everyone should be aware of your digital footprint and know the end-user security features available to you. In today’s operating environment, we take our home with us to work, and we take our work with us back to home. Because of this we have to be prepared to protect ourselves and our organizations.”

  • Managing Commercial Motor Vehicle Driver Fatigue Risks

    Presented as part of ABA’s BISC & BusMARC 2021 Virtual Safety & Maintenance Series

    As part of the ongoing Virtual Safety & Maintenance series, the American Bus Association (ABA) hosted an educational webinar addressing why and how companies can implement a fatigue risk management program (FMP), reduce fatigue-related accidents, and what we can learn from past accidents and severe crashes. The webinar was presented by Mike Fox, senior highway crash investigator with the National Transportation Safety Board (NTSB).

    The NTSB is an independent federal agency charged by Congress with investigating every civil aviation accident in the United States, and significant accidents in other modes of transportation including marine, rail, pipeline, and highway. In addition, the NTSB carries out special studies concerning transportation safety issues, provides assistance to victims and their family members impacted by major transportation disasters, and makes recommendations to the industry as well as the government on what steps can be taken to avoid similar accidents in the future. Every two years, the NTSB publishes the “Most Wanted List,” a premier advocacy tool that identifies the top safety improvements that can be made across all modes to prevent accidents, minimize injuries, and save lives in the future.

    “It takes approximately 12 to 18 months to complete an investigation,” Fox said. “In addition to the on-scene investigation, our investigators conduct follow up investigations and interviews. We also perform testing or research and then we have an involved report-writing process.”

    The NTSB produces two types of reports: a brief, which is a modified report, or a full report that results in a public board meeting in Washington. The NTSB has issued over 200 fatigue-related recommendations across all modes.

    Investigating Fatigue

    During the initial days of a crash investigation, the NTSB analyzes all the physical evidence at the crash site utilizing a 3D scanner to map the scene to determine the driver’s input and actions during the crash sequence. Fox said median crossover, run-off-the-road, overcorrection steering, and little or no braking at the end of a traffic queue are possible signs of fatigue crashes.

    A thorough examination of the driver and carrier’s Hours of Service (HOS) compliance is performed – including a reconstruction of the driver’s most recent 72-hour history prior to the crash and reviewing all rest periods which were available to the driver leading up to the crash. Finally, all available electronic records for the driver are examined, which would include the driver’s Electronic Logging Device (ELD), any on-board recording devices, as well as the driver’s cell phone records.

    The second phase of investigating fatigue is conducted during a ‘human factors’ investigation.

    “We usually start with the driver’s DOT physical and see if the driver has had a restricted medical certificate,” Fox said. “We will also obtain the driver’s medical records and see if the driver was on any medications at the time of the crash. We will also get the driver’s toxicology.”

    Highlight Crash Investigations

    On October 6th, 2018, in Schoharie, NY, a 2001 Ford Excursion stretch limousine operated by Prestige Limousine was traveling southbound on Route 30, approaching the intersection of state route 30A. The limo was occupied by a 53-year-old driver and 17 passengers. The limo was traveling down a steep grade as indicated by the red arrow. The driver was unable to slow or stop the vehicle. He went through the intersection and into the parking lot of a local restaurant. The limo struck a parked car and two pedestrians standing in the lot before landing in a ravine and colliding with an earthen embankment. As a result of this crash, the driver and all the passengers of the limo were fatally injured. Two pedestrians that were struck in the parking lot were also killed, resulting in 20 total fatalities.

    “We held a board meeting for the Schoharie, New York, limousine crash,” Fox said. “And we determined the probable cause of the Schoharie crash was Prestige Limousine’s egregious disregard for safety in dispatching a stretch limousine with an Out-of-Service order resulting in the failure of its brake system while descending a steep grade of New York State Route 30.”

    According to Fox, additional contributing factors included New York State DOT’s ineffective oversight of Prestige Limousine, despite its knowledge of the carrier’s multiple repair verification process. Further contributing to the crash was the New York DMV’s inadequate oversight of state license inspection stations and its failure to properly register the limousine – which enabled Prestige to circumvent the state’s safety regulations.

    “There were numerous safety recommendations that came out of this report,” Fox said. “Of note, two were that the Federal Motor Carrier Safety Administration (FMCSA) provide guidance and best practices to states to enforce carrier compliance with state-issued Out-of-Service orders, and prevent vehicles and drivers from continuing to operate without authority after being cited for out of service violations.”

    “We also issued two recommendations to New York State,” he continued, “requiring the New York DOT to implement their recommendations cited in the New York State’s Comptroller report to address vehicle repair certification requirements and improve carrier compliance with Out-of-Service violations and enforce actions for Out-Of-Service vehicles.”

    The last recommendation was issued to the National Limousine Association, requesting that they inform their members of the importance of verifying the safety of all vehicles planned for passenger transportation.

    Why Have a Fatigue Management Program?

    The NTSB has recommended that the industry develop a fatigue management program such as the one modeled after the North American Fatigue Management Program, a four-year collaborative project between U.S. and Canadian governments, motor carriers, the insurance industry, and researchers. The purpose of the project was to raise awareness of driving drowsy and develop a fatigue management education that would be useful for drivers, managers, dispatchers, and family members.

    According to Fox, there are four key elements of implementing an FMP. The first is safety culture.

    “Safety culture can be a difficult term to define,” Fox said. “The North American Fatigue Management Program defines safety culture as

  • City of Porterville Expands on Successful Zero-Emission Micro-Transit Program

    In the spirit of sustainable community transit, the City of Porterville, California, added 12 all-electric micro-transit vans to its fleet in January.

    The decision to embrace sustainable micro-transit resulted from an internal analysis at the Porterville Transit System. First, the agency wanted to replace low-performing fixed routes with routes focused on improved mobility and a more direct approach. Secondly, the agency saw an opportunity to expand mobility into areas which were previously not served – due to either lower ridership or poor connectivity to standing fixed routes.

    “It came down to not only providing better mobility within our community, but also expanding our service area,” said Richard Tree, transit administrator at Porterville Transit System.

    Tree said the deployment resulted from an informal bid after the agency reviewed the Class 3 Lightning Electric Transit Van by Lightning eMotors. Terry Scholl, business development manager for Lightning eMotors, said the company developed the vans on the Ford Transit 350 HD chassis. NorCal Vans/Driverge of Chico, California, upfitted the vans to meet ADA requirements, per Porterville’s specifications.

    The vehicle features a range of 120 miles of travel between charges. If the daily mileage requirement exceeds 120 miles, the vehicle allows for a fast charge that will allow for a 50 percent charge in approximately 45 minutes. The vehicle accommodates between 10 and 16 passengers, depending on wheelchair configuration.

    “As the van operates, it moves quietly through communities without making a lot of noise and without any emissions,” Scholl said. “Since the vehicle operates on the Ford Transit chassis – one of the most widely sold van products on the market – customers can take advantage of the all-electric setup without forgoing the convenience of their local Ford dealer for service requirements.”

    Embracing Micro-Transit

    When explaining the micro-transit concept to local officials, Tree said it helped to compare the service to on-demand applications like Uber or Lyft – embracing technology which allowed for quick-trip scheduling, real-time notifications, and efficient routing software.

    “Sustainability is also vitally important to us, and we saw this as a great opportunity to test this concept and its cost-effectiveness,” Tree said.

    After a year into the micro-transit operation, Tree said the city is extremely pleased with the community’s acceptance. Ridership has increased month after month, he said, dating back to April of 2020. Furthermore, the agency is pleased with the micro-transit service’s cost-effective operations.

    “We have seen an interesting phenomenon,” Tree added. “The service was not necessarily intended to hyper-focus on disabled or senior populations, but many of those riders have gravitated toward the micro-transit model. A high percentage of people have moved from Dial-A-Ride to the on-demand service, which allows for additional capacity in our paratransit vehicles.”

    The vehicles accommodate either a rear-wheelchair arrangement – as found on Porterville’s vans – or can operate with an optional side-door to accommodate both ambulatory and non-ambulatory passengers. Scholl said that Porterville opted for a higher roof height – an option on these vehicles – and passengers have expressed appreciation. Passengers can board without bending over, stand up, and access grab rails.

    Expanding the Service

    The service has performed so well in Porterville, Tree said, that local officials are eager to expand micro-transit to each of the county’s eight operators.

    “We expect on-demand service, with these electric vehicles, to expand throughout the county within this next year or this calendar year,” he said.

    In May, Porterville will launch a new partnership with Uber. Tree said the city hopes to take advantage of Uber’s software-as-a-service (SaaS) and global brand in order to take on-demand transit to the next level.

    “People are coming to understand Uber as second nature,” Tree said. “Our services will be accessible via the Uber app, and riders can make informed decisions on the best trips for them. Then they can pay within that same Uber app. of what the cheapest trip option is, and they can pay for their ride, all within the Uber app. It is truly an exciting time for transit in our county.”