varkonyi paper (microsoft word document)
Post on 20-May-2015
Irvin Varkonyi TLA Conference 6/3/04
Best practices in Transportation Security
Do we all agree on the definition of Transportation Security? Roget’s Thesaurus
states that security means assurance, freedom, reliance, sureness, and surety. Does
this have sufficient clarity? Perhaps we really mean Transportation Protection?
Again, Roget’s states that protection means defense, guarding, invulnerability,
safety, stability, strength and SECURITY. Popular lexicon uses the word security but
it is insufficient to convey a pro-active approach. We don’t mean to become
embroiled in semantics but we need to build a foundation which is solid. The subject
of this panel is not to address the symptoms of transportation vulnerabilities but to
attempt a root cause analysis that can lead to systemic changes which reduce the
factors that create vulnerabilities.
Cargo theft in transportation should be considered equally with other potential
disruptions including terrorism. Why are criminals increasingly attracted to hijacking
tractor trailers? The retail value of a 40ft trailer of cigarettes exceeds a million
dollars. The penalty, should the thief get caught, can be minimal, reflecting the lack of
laws against major theft. Why should a criminal seek to smuggle narcotics which is
more closely watched and where he may face life imprisonment? With greater
emphasis by the Federal government on protecting us from terrorism via cargo
imports into the country, is there sufficient attention to watching our trucks or rails
against thieves as well as domestic based terrorists?
I have ten areas of transportation protection in ten minutes which I hope will
stimulate you to look at your organizations, as well as your organizations’ customers
and vendors. This presentation is primarily oriented toward cargo movement with
one area on passenger transportation security.
George Mason University No reproduction without permission 1
A. The transportation security professional
The supply chain is a phrase coined in the 1980’s to express the relationships which
companies developed to maximize efficiency in the production and distribution of
products utilizing outsourced vendors, transporters and distributors. Cargo
transportation is a component of the supply chain. Passenger transportation is a
component of the national economy and is responsible for fulfilling the needs for
citizens to travel for business or pleasure.
Do we all actually agree on the definition of the supply chain? We increasingly hear
the term at conferences which discuss supply chain security. We see these terms in
all types of publications. Do we do a good job of defining the term for non-supply chain
professionals such as your security professionals? How much training has security
staff received in the business operations of their firms? How much attention has been
paid to provide them skills in understanding their employer’s supply chain? Do they
participate in professional associations such as the National Cargo Security Council or
the American Society for Industrial Security?
There are various organizations and private institutions which are looking at melding
the disciplines of transportation/logistics with that of physical security, including
possible professional certification such as a “Certified Security Logistics Professional.”
I urge you to support training and education of your security professionals in the
challenges of the modern supply chain in which transportation, your business, is a
key component.
B. Threats to transportation
When you raise the subject of threats in a public forum, such as this conference, isn’t
the tendency to think of terrorism? That’s good in a way but not so good if we
exaggerate the risk of terrorism by understating other threats. I suggest an all
hazards approach, which is the approach that the Dept of Homeland Security now
follows. Threats can originate by natural phenomena, such as weather, accidental
occurrences such as haz-mat spills and intentional actions, including terrorism and
theft.
How layered is your business continuity plan and how well will it work to fulfill your
obligation to your customers, your employees and your shareholders? More
importantly, how layered is the planning of your sub-contractors, those to whom you
have outsourced many functions? Do you use disaster logistics to insure continuity?
In early 2002, the Council of Logistics Management published, “Securing the Supply
Chain,” co-authored by Drs Keith Helferich and Robert Cook who advocated five steps
to follow to make a resilient supply chain: Planning, Detection, Mitigation, Response
and Recovery.
The book acknowledges we can’t prevent all types of disasters, such as hurricanes or
completely eliminate accidents, such as haz-mat spills on Interstate highways.
Perhaps we can’t even stop a determined enough terrorist? But we can do better to
detect problems earlier, commit resources to mitigate the effects of a disaster and
insure we recover from the disaster. By understanding an all hazard approach to
threats, we will minimize the disruptions from them. This is the essence of
transportation security/preparedness.
C. Quality is security
Quality found its true meaning when the US economy was rocked several decades
ago by competition from Japan. They raised the bar, thereby lowering the boom on
us. Money back guarantees? No way, our transportation firms used to say.
Guaranteed delivery? Are you kidding? Well that is certainly behind us today. The
transportation industry exemplifies today’s marketplace reality. If quality is imbedded
in the best companies, then so must be security.
“We must make security a core business value… the private sector has built in
quality, safety, health and productivity as essential, central elements of institutional
culture and mission…security must become a part of the competitiveness equation.”
(“Creating Opportunity out of Adversity,” Proceedings of the National Symposium on
Competitiveness and Security, October 2002)
Studies at Stanford University demonstrate that quality means security. “Supply
Chain without Tears,” co-authored by Hau Lee and Michael Wolfe (Supply Chain
Management Review, Jan. 2003), quantifies this truism. Costs spent for security turn
into savings by improving productivity and lowering risk. The Lee/Wolfe study found
that the use of smart containers, which provide electronic visibility in the supply
chain, reduces more costly manual efforts to track cargo. These containers decrease
the risk of theft, leading to lower insurance premiums. The authors estimated
savings of over $300 per container per trip.
D. Government compliance – A floor or ceiling?
I’m nearly halfway through and only now do I mention CTPAT. Have I forgotten to
offer yet another summary on top of hundreds many of you may have heard on the
Customs Trade Partnership Against Terrorism, a private-public sector partnership?
CTPAT is the creation of a private sector group, called COAC (Customs Operations
Advisory Council) established by the US Treasury before 9/11 to help improve
customs processes. After 9/11, COAC was used to help design a private/public
partnership to protect our country from imports potentially penetrated by terrorists’
devices. CTPAT was intended to stave off government regulations. CTPAT is
voluntary.
Does CTPAT equate to security? Does approval as CTPAT by the Bureau for Customs
and Border Protection (CBP) mean that you are secure? Do you seek to be approved
for CTPAT because it makes you more secure? Or are you interested in CTPAT
because of the carrot which CBP holds in front of you? CBP continually emphasizes
the incentives for CTPAT companies to get ahead of importers who are not CTPAT.
My answer is yes, you are more secure when you complete the CTPAT application
than you were, at least, before you embarked on CTPAT. To become CTPAT, you’ve
spent a certain amount of time internally auditing your processes, and those of your
trading partners, to comply with the seven major aspects of CTPAT:
- Procedural Security
- Physical Security
- Access Control
- Personnel Security
- Education and Training
- Manifest procedures
- Conveyance security
But where are the standards for CTPAT against which you can benchmark your
organization? There aren’t standards. Where is the corporate responsibility for
implementing CTPAT? Every company does it differently. Some assign this to Legal;
some to Marketing; some to Quality control; some to an ad hoc committee. Neither
industry nor the government has agreed on this. Thus how do you evaluate a
completed CTPAT application? There are two significant vulnerable areas with CTPAT:
- There is neither a real process nor requirements to audit your trading
  partners. How familiar should a company be with the facilities, employees and
  processes of their partners? CTPAT allows you to send a mere letter to your
  vendors requiring them to abide by your commitment to CTPAT. No inspection
  of their facilities is required. No contractual language is required.
- Validation of companies (due diligence) with approved CTPAT applications is
  weak. CBP validation is the task of determining the truthfulness of an
  applicant. It is not referred to as an audit. It is hard to determine the number
  of validated companies. Most of what I hear indicates validation is in the low
  hundreds, out of over 5,000 CTPAT approved organizations. Who are the
  validators? Senior customs inspectors retrained as supply chain experts in a
  two week training program. Is anyone expelled from CTPAT? Hardly.
CTPAT is a good effort but it should be viewed as a floor with respect to efforts to be
more secure. It should not be regarded as a ceiling. There are certainly advantages
to being CTPAT, if you take it seriously. But it is likely that many organizations which
embark on CTPAT do so to gain the advantages of an expedited import entry lane. In the
event of a port shut down, due to a disruption, CBP states that the CTPAT approved
containers will have first crack at clearing customs. How will that work with tens of
thousands of containers on hundreds of vessels crowded around the Port of Los
Angeles/Long Beach?
If your responsibility is to evaluate government compliance requirements, I suggest
that CTPAT be put into context as only one component of many to make your
business safe.
There are other government programs besides CTPAT which will help importers to
expedite customs clearances. CBP’s Advance Manifest Rules require a 24 hour
advance notification for vessels before they depart their foreign port; a four hour rule
for aircraft departing with air cargo. This allows CBP’s Terrorist Threat Center to
evaluate the likely risks of cargo well before it hits our shores. If they feel there
may be a threat, due to some anomaly with one or more pieces of cargo, they will
direct that the vessel or aircraft not depart. Compliance with this obligatory
regulation will do much to help expedite the customs clearance process with or
without CTPAT. These new regulations have spurred new software tools to provide
transporters greater visibility of their cargo. Advance notification has had a very
positive effect on productivity as well as allowing them to comply with
government regulations. This has benefited the bottom line.
Other Government programs include CSI, the Container Security Initiative. This
program intends to encourage compliance by foreign ports to institute security
procedures favored by DHS. It decreases the likelihood of containers leaving their
ports with explosives, bio-toxins or other terrorist devices.
Operation Safe Commerce is a pilot program integrating a variety of voluntary and
regulatory Government programs to evaluate where the threats are in cargo imports.
Upon completion of the pilot, it will direct government and the private sector to
reduce those threats. FAST is a program on our northern border meant to expedite
Canadian imports into this country. If you are CTPAT, you are eligible to apply for
FAST. A Radio Frequency Identification (RFID) tag, similar to an EZPASS-type device, is
in the cab of the trucker. It transmits data to CBP in advance of the truck reaching
the border to allow Customs agents to evaluate potential threats, if any, of the cargo
on the truck.
E. Sarbanes Oxley
The Sarbanes-Oxley Act is popularly perceived as a reaction against the financial
excesses of firms such as Enron. It is that. It is more than that. I am a bit hesitant to
try to discuss SOA in front of hundreds of lawyers but I would like to use SOA to
support the view that best practices which maximize transportation security and
preparedness are in the best interests of the shareholders, the employees and the customers.
SOA seeks to reduce risk to shareholders. In an article published last March by
Anthony Ghosen, a key point is made about risk management: “Section 409 of SOA is
focused on the definition of “materiality” and the management of material variance,
which is in essence a large part of the premise for enterprise risk management. The
challenge…is to foresee issues of materiality and be able to report them in a timely
manner. This creates a distinct potential advantage to the company that manages
risk (materiality) better than its industry competitors…”
Does a publicly traded corporation, which does not manage risk well, subject its
senior managers and its board of directors to possible action by shareholders or law
enforcement? In the event of a terrorist action, will it be enough for the CEO to claim
that, because they were approved for CTPAT, they managed well the risks of
global trade? Or will it be contended that CTPAT is insufficient to manage risk? Should
the company have been more diligent in designing its global supply chain, managing
its transportation and distribution partners? In other words, is CTPAT a floor on
managing risk and security while the ceiling is fulfilling SOA? Ghosen states:
“The letter of the law (SOA) is simply that a company identifies materiality and
makes sure that it is visible at any time a venture, investment or operational
event occurs where materiality (loss) has occurred…the spirit of the law, however,
puts CEOs in control when they can demonstrate how a material event is identified
through operational data monitoring, coupled with real-time, integrated risk profiles
long before the 3 to 5 day 8k reporting window arrives. How that event is managed
can allay the concerns of institutional investors and management, thus moving the
company back into their natural profile for risk-taking.”
We now read about SOA in publications including Global Logistics and Supply Chain
Strategies, Disaster Recovery, Chief Security Officer, as well as financial publications.
Shareholders must however decide on the trade offs between security and cost. They
may be conflicted, uncertain how much security to imbed in the enterprise at what
expense.
F. Facility certification – Technology Asset Protection Association
Discussing transportation security/preparedness is popularly perceived as a problem
of terrorism. The Transportation Lawyers Association would be among those most
informed that the subject encompasses much more than terrorism. Cargo theft
occurring within a facility or somewhere in the supply chain during a change in
custody is a much more likely occurrence than terrorism.
A favorite saying of law enforcement is that cargo at rest is cargo at risk, whether in
a warehouse or a truck that has stopped at a highway rest stop. The Guidelines for
Cargo Security and Loss Control, issued by the National Cargo Security Council,
provides a good summary on the best ways to insure cargo security:
- Obligation of authority – Delegation of duties to security staff while
  responsibility for security remains with senior management
- Inventory Management – Identify and account for all inventory
- Security costs – Trade offs must be decided between the costs and level of
  security
- Level of protection – A trade off between customer and government
  requirements
- Environmental factors – Consideration of facility location, local law
  enforcement and risk
- Coordinated activities – Multi-customer facility usage requires coordination by
  management
The Technology Asset Protection Association (TAPA) is made up of approximately five
hundred organizations whose primary business products are high value hi-technology
or the transportation of such products. Begun in 1997, its membership took off after
9/11. TAPA now stipulates contractual requirements for its transportation partners for
facilities to meet or exceed their standards.
TAPA’s requirements come with a good deal of grief from many transportation
companies, perhaps some of whom are here today. Some carriers, such as FedEx
and UPS have problems with TAPA as they do not accept TAPA standards. TAPA is not
felt to be knowledgeable enough and does not understand how these two huge firms
insure the security of their customers’ cargo. Other transporters have complained
about the costs of meeting TAPA’s standards but have gone ahead to comply in order
to maintain and acquire new business. The results are mixed as to whether TAPA has
succeeded in significantly improving loss prevention. Some speculate that as the facilities
become more hardened, they do become safer, as the thieves move on toward truck
hijacking or driver falsification to beat the system.
G. RFID technology
RFID tags work as passive or active devices. Passive devices must pass through a
scanner in order for information to be obtained about the item which holds the tag.
Active devices transmit information over distances. There are many leading firms,
including Savi Technology, which appears to have the lock on the Department of
Defense, and Matrics, which works with Savi as well as commercial accounts.
Radio Frequency Identification has accelerated its market penetration primarily for
three reasons:
- Costs have continued to decrease, making the RFID tags cheaper
- Productivity gains have been demonstrated from greater visibility of products
  moving through the supply chain
- Security is enhanced by identifying the location of transportation assets and
  cargo movement
There is a lot of collaboration in the RFID industry. The Auto-ID Center is
a not-for-profit group established by MIT to develop a system for using the Internet to
identify goods anywhere in the world, using the electronic product code, or EPC. It is
funded by large companies who want to use RFID to track goods and who believe an
open standard is critical.
Wal-Mart and the Department of Defense have been in the news with RFID tag
requirements imposed on their suppliers and vendors. They are the tip of the iceberg
represented by RFID.
H. Passenger Transportation – Public and Private
Public transportation systems in the country include automated guideway, rail, bus,
ferry and paratransit modes. Commercial systems move passengers via air, maritime
and a variety of surface means.
The Federal Transit Administration commissioned the Transportation Research Board
to study the vulnerability of public transportation. The problem is extensive because
of the characteristics of public transportation:
- Large volumes of passengers moved within enclosed spaces
- Predictable, fixed routes
- Fixed access points
- Unique hazards (i.e. traction power, confined spaces)
- Susceptible to systemic impacts
Some of these characteristics are found in private transportation systems as well. I
believe security becomes more complicated for passengers when cargo and
passengers are mixed together. As in the supply chain, which is no stronger than its
weakest link, so it is with the conveyance of passengers and cargo in the same
conveyance. Whatever you do to screen passengers and their baggage, the safety of
transportation assets will be dependent on actions which safeguard both passengers
and cargo. This is not the case today. Certainly passengers who intend to turn their
conveyance into an explosive with a specific target pose a greater risk than cargo
which can explode without the ability to target a specific geographic point. But
the knowledge that is present within the air cargo industry is not sufficient for mixed
passenger/cargo aircraft.
In the public sector, what are the limits of security measures? Is there anything more
that can be done than the announcements we hear in subway and rail stations to
watch for bags left alone? How effective are such English only announcements which I
hear in Washington and New York?
Will we ever need to get to the level of passenger security as in Israel where public
and private passenger transportation terminals use a layered, perimeter approach
which is based on profiling of people standing around the terminal as well as those
who seek to enter?
I. Intelligent Transportation Systems and Cargo Security
Intelligent Transportation Systems have become feasible as the wireless
communication industry has taken off. Examples of ITS are the announcement
boards on highways which inform you of traffic congestion (which you may already
be in!); sensors placed on traffic signals that detect traffic flow and change the lights
to speed the busier lanes along; smart traffic stations which monitor regional
transportation patterns and which can connect to private wireless networks to
transmit information to truck drivers to change their routes in the event of
congestion or accident.
These systems will be used to increase security in fixed areas where cargo interacts
with transportation assets, where employees move within facilities and where cargo
has ingress and egress points. Some of these include:
- Smart cards – using coded information, photos
- Biometrics – identifying individuals based upon biological data
- Automatic Vehicle Identification – using RFID tags to identify vehicles
- Map Databases – use for traffic and incident analyses
- Vehicle Classification Sensors – automatically detect the class of a vehicle
- Weigh-in Motion Technology – ability to weigh as trucks move at highway
  speed (so why are there still weigh stations on our highways?)
- Spatial Geo-Location – identify specific location of vehicles
There is a great focus at CBP to develop the SMART Container, a container which can
be monitored electronically and can alert the supply chain when something has
occurred to divert it from its planned route. Essentially, a smart container is like a
car with a lo-jack. Why is this of benefit? Knowing when and where the container
deviates from its planned route allows quick response by law enforcement. When the
container is hijacked and the doors are ripped off, the container will alert those
watching it electronically. This is meant to discourage thieves from ripping off the
contents as well as terrorists from inserting deadly devices into it.
There are systems now operating for the Department of Defense which track
movement of transportation assets in real time against a background of the
transportation infrastructure. Data is fed from nearly two hundred sources including
police, fire, traffic, hospitals, etc to allow monitoring of potential disruptive factors to
allow for changes en route. Private sector asset tracking systems are also available.
J. New IMO regulations and 33CFR
Effective next month, the maritime community will be faced with compliance with
three major sets of regulations: the International Maritime Organization’s new
International Ship & Port Facility Security Code (ISPS), Safety of Lives at Sea (SOLAS)
amendments and Title 33 of the Code of Federal Regulations for Navigation and
Navigable Waters. These address maritime security and add an extensive
amount of responsibility on the maritime community. These are not voluntary.
They focus on a number of areas:
- The port to vessel interface
- Cargo manifest rules
- Seamen employed by vessel operators
- Emergency Response Management
- Access controls
- Security planning
Implementation is a challenge. It will require a great deal of personnel training. As
has often been occurring with our headlong leap into quick fixes, today’s training is
oriented at the symptoms. The Maritime Institute of Technology and Graduate
Studies in Baltimore put on a two day conference on this issue emphasizing the
human factors which make the maritime industry more secure. However, the
training appears to neglect how to determine the decision-making level of the
maritime Security Officer. Is security a core value or is it a matter of compliance, well
down the corporate ladder?
I also believe that we have not come face to face with two real issues of maritime
safety:
- Flags of convenience – Why is it acceptable to flag our vessels in countries
  which may also appear high on global terror lists?
- Foreign Seamen – Why is it acceptable to hire seamen from nations high on
  global terror lists?
Why? The source of disruption, such as cargo theft and terrorism, may often be an
inside job. How much is served by hardening the outside when the spark to light the
disruption is already on the inside?
It has been a pleasure to be with you. I hope I have stimulated more discussion on
defining transportation security and looking at opportunities to better secure your
companies, if you are carriers, and to know more about the transportation industry, if
you are a customer of these carriers.
Thank you.
Irvin Varkonyi, Adjunct Professor
Transportation Policy, Operations and Logistics, George Mason University,
Arlington, VA
ivarkony@gmu.edu, 703 863-9686