varkonyi paper (microsoft word document)

Irvin Varkonyi TLA Conference 6/3/04

Best practices in Transportation Security

Do we all agree on the definition of Transportation Security? Roget’s Thesaurus

states that security means assurance, freedom, reliance, sureness, and surety. Does

this have sufficient clarity? Perhaps we really mean Transportation Protection?

Again, Roget’s states that protection means defense, guarding, invulnerability,

safety, stability, strength and SECURITY. Popular lexicon uses the word security but

it is insufficient to convey a pro-active approach. We don’t mean to become

embroiled in semantics but we need to build a foundation which is solid. The subject

of this panel is not to address the symptoms of transportation vulnerabilities but to

attempt a root cause analysis that can lead to systemic changes which reduce the

factors that create vulnerabilities.

Cargo theft in transportation should be considered equally with other potential

disruptions including terrorism. Why are criminals increasingly attracted to hijacking

tractor trailers? The retail value of a 40ft trailer of cigarettes exceeds a million

dollars. The penalty, should the thief get caught can be minimal, reflecting the lack of

laws against major theft. Why should a criminal seek to smuggle narcotics which is

more closely watched and where he may face life imprisonment? With greater

emphasis by the Federal government on protecting us from terrorism via cargo

imports into the country, is there sufficient attention to watching our trucks or rails

against thieves as well as domestic based terrorists?

I have ten areas of transportation protection in ten minutes which I hope will

stimulate you to look at your organizations, as well as your organizations’ customers

and vendors. This presentation is primarily oriented toward cargo movement with

one area on passenger transportation security.

George Mason University No reproduction without permission 1


A. The transportation security professional

The supply chain is a phrase coined in the 1980’s to express the relationships which

companies developed to maximize efficiency in the production and distribution of

products utilizing outsourced vendors, transporters and distributors. Cargo

transportation is a component of the supply chain. Passenger transportation is a

component of the national economy and is responsible for fulfilling the needs for

citizens to travel for business or pleasure.

Do we all actually agree on the definition of the supply chain? We increasingly hear

the term at conferences which discuss supply chain security. We see these terms in

all types of publications. Do we do a good job to define the term for non-supply chain

professionals such as your security professionals? How much training has security

staff received in the business operations of their firms? How much attention has been

paid to provide them skills in understanding their employer’s supply chain? Do they

participate in professional associations such as the National Cargo Security Council or

the American Society for Industrial Security?

There are various organizations and private institutions which are looking at melding

the disciplines of transportation/logistics with that of physical security, including

possible professional certification such as a “Certified Security Logistics Professional.”

I urge you to support training and education of your security professionals in the

challenges of the modern supply chain in which transportation, your business, is a

key component.

B. Threats to transportation



When you raise the subject of threats in a public forum, such as this conference, isn’t

the tendency to think of terrorism? That’s good in a way but not so good if we

exaggerate the risk of terrorism by understating other threats. I suggest an all

hazards approach, which is the approach that the Dept of Homeland Security now

follows. Threats can originate by natural phenomena, such as weather, accidental

occurrences such as haz-mat spills and intentional actions, including terrorism and

theft.

How layered is your business continuity plan and how well will it work to fulfill your

obligation to your customers, your employees and your shareholders? More

importantly, how layered is the planning of your sub-contractors, those to whom you

have outsourced many functions? Do you use disaster logistics to insure continuity?

In early 2002, the Council of Logistics Management published, “Securing the Supply

Chain,” co-authored by Drs Keith Helferich and Robert Cook who advocated five steps

to follow to make a resilient supply chain: Planning, Detection, Mitigation, Response

and Recovery.

The book acknowledges we can’t prevent all types of disasters, such as hurricanes or

completely eliminate accidents, such as haz- mat spills on Interstate highways.

Perhaps we can’t even stop a determined enough terrorist? But we can do better to

detect problems earlier, commit resources to mitigate the effects of a disaster and

insure we recover from the disaster. By understanding an all hazard approach to

threats, we will minimize the disruptions from them. This is the essence of

transportation security/preparedness.

C. Quality is security



Quality found its true meaning when the US economy was rocked several decades

ago by competition from Japan. They raised the bar, thereby lowering the boom on

us. Money back guarantees? No way, our transportation firms used to say.

Guaranteed delivery? Are you kidding? Well that is certainly behind us today. The

transportation industry exemplifies today’s marketplace reality. If quality is imbedded

in the best companies, then so must be security.

“We must make security a core business value… the private sector has built in

quality, safety, health and productivity as essential, central elements of institutional

culture and mission…security must become a part of the competitiveness equation.”

(Creating Opportunity out of Adversity,” Proceedings of the National Symposium on

Competitiveness and Security," October 2002)

Studies at Stanford University demonstrate that quality means security. “Supply

Chain without Tears,” co-authored by Hua Lee and Michael Wolfe (Supply Chain

Management Review, Jan. 2003.) quantifies this truism. Costs spent for security turn

into savings by improving productivity and lowering risk. The Lee/Wolfe study found

that the use of smart containers, which provide electronic visibility in the supply

chain, reduce more costly manual efforts to track cargo. These containers decrease

the risk of theft, leading to lower insurance premiums. Estimated savings per

container per trip was over $300, the authors estimated.

D. Government compliance – A floor or ceiling?

I’m nearly halfway through and only now do I mention CTPAT. Have I forgotten to

offer yet another summary on top of hundreds many of you may have heard on the

Customs Trade Partnership Against Terrorism, a private-public sector partnership?

CTPAT is the creation of a private sector group, called COAC (Customs Operations



Advisory Council) established by the US Treasury before 9/11 to help improve

customs processes. After 9/11, COAC was used to help design a private/public

partnership to protect our country from imports potentially penetrated by terrorists’

devices. CTPAT was intended to stave off government regulations. CTPAT is

voluntary.

Does CTPAT equate to security? Does approval as CTPAT by the Bureau for Customs

and Border Protection (CBP) mean that you are secure? Do you seek to be approved

for CTPAT because it makes you more secure? Or are you interested in CTPAT

because of the carrot which CBP holds in front of you? CBP continually emphasizes

the incentives for CTPAT companies to get ahead of importers who are not CTPAT.

My answer is yes, you are more secure when you complete the CTPAT application,

then you were at least before you embarked on CTPAT. To become CTPAT, you’ve

spent a certain amount of time to internally audit your processes, and that of your

trading partners to comply with the seven major aspects of CTPAT:

Procedural Security

Physical Security

Access Control

Personnel Security

Education and Training

Manifest procedures

Conveyance security

But where are the standards for CTPAT against which you can benchmark your

organization? There aren’t standards. Where is the corporate responsibility for

implementing CTPAT? Every company does it differently. Some assign this to Legal;

some to Marketing; some to Quality control; some to an ad hoc committee. Neither



industry nor the government has agreed on this. Thus how do you evaluate a

completed CTPAT application? There are two significant vulnerable areas with CTPAT:

There is neither a real process nor requirements to audit your trading

partners. How familiar should a company be with the facilities, employees and

processes of their partners? CTPAT allows you to send a mere letter to your

vendors requiring them to abide by your commitment to CTPAT. No inspection

of their facilities is required. No contractual language is required.

Validation of companies (due diligence) with approved CTPAT applications is

weak. CBP validation is the task of determining the truthfulness of an

applicant. It is not referred to as an audit. It is hard to determine the number

of validated companies. Most of what I hear indicate validation is in the low

hundreds, out of over 5,000 CTPAT approved organizations. Who are the

validators? Senior customs inspectors retrained as supply chain experts in a

two week training program. Is anyone expelled from CTPAT? Hardly.

CTPAT is a good effort but it should be viewed as a floor with respect to efforts to be

more secure. It should not be regarded as a ceiling. There are certainly advantages

to be CTPAT, if you take it seriously. But it is likely that many organizations which

embark on CTPAT do so to gain the advantages of expedited import entry lane. In the

event of a port shut down, due to a disruption, CBP states that the CTPAT approved

containers will have first crack at clearing customs. How will that work with tens of

thousands of containers on hundreds of vessels crowded around the Port of Los

Angeles/Long Beach?

If your responsibility is to evaluate government compliance requirements, I suggest

that CTPAT be put into context as only one component of many to make your

business safe.



There are other government programs besides CTPAT which will help importers to

expedite customs clearances. CBP’s Advance Manifest Rules require a 24 hour

advance notification for vessels before they depart their foreign port; a four hour rule

for aircraft departing with air cargo. This allows CBP’s Terrorist Threat Center to

evaluate the likely risks of cargo well before they hit our shores. If they feel there

may be a threat, due to some anomaly with one or more pieces of cargo, they will

direct that that vessel or aircraft to not depart. Compliance with this obligatory

regulation will do much to help expedite the customs clearance process with or

without CTPAT. These new regulations have spurred new software tools to provide

transporters greater visibility of their cargo. Advance notification has had a very

positive effective on productivity as well as allowing them to comply with

government regulations. This has benefited the bottom line.

Other Government programs include CSI, the Container Security Initiative. This

program intends to encourage compliance by foreign ports to institute security

procedures favored by DHS. It decreases the likelihood of containers leaving their

ports with explosives, bio-toxins or other terrorist devices.

Operation Safe Commerce is a pilot program integrating a variety of voluntary and

regulatory Government programs to evaluate where the threats are in cargo imports.

Upon completion of the pilot, it will direct government and the private sector to

reduce those threats. FAST is a program on our northern border meant to expedite

Canadian imports into this country. If you are CTPAT, you are eligible to apply for

FAST. A Radio Frequency Identification (RFID) tag, similar to an EZPASS type device is

in the cab of the trucker. It transmits data to CBP in advance of the truck reaching

the border to allow Customs agents to evaluate potential threats, if any, of the cargo

on the truck.



E. Sarbanes Oxley

The Sarbanes-Oxley Act is popularly perceived as a reaction against the financial

excesses of firms such as Enron. It is that. It is more than that. I am a bit hesitant to

try to discuss SOA in front of hundreds of lawyers but I would like to use SOA to

support that best practices which maximize transportation security and preparedness

are in the best interests of the shareholders, the employees and the customers.

SOA seeks to reduce risk to shareholders. In an article published last March by

Anthony Ghosen, a key point is made about risk management: “Section 409 of SOA is

focused on the definition of “materiality” and the management of material variance,

which is in essence a large part of the premise for enterprise risk management. The

challenge…is to foresee issues of materiality and be able to report them in a timely

manner. This creates a distinct potential advantage to the company that manages

risk (materiality) better than its industry competitors…”

Does a publicly traded corporation, which does not manage risk well, subject its

senior managers and its board of directors to possible action by shareholders or law

enforcement? In the event of a terrorist action, will it be enough for the CEO to claim

that because they were approved for CTPAT, that they managed well the risks of

global trade? Or will it be contended that CTPAT is insufficient to manage risk? Should

the company have been more diligent in designing its global supply chain, managing

its transportation and distribution partners? In other words, is CTPAT a floor on

managing risk and security while the ceiling is fulfilling SOA? Ghosen states:

“The letter of the law (SOA) is simply that a company identifies materiality and

makes that sure that it is visible at any time a venture, investment or operational

event occurs where materiality (loss) has occurred…the spirit of the law, however,



puts CEOs in control when they can demonstrate how a material event is identified

through operational data monitoring, coupled with real-time, integrated risk profiles

long before the 3 to 5 day 8k reporting window arrives. How that event is managed

can allay the concerns of institutional investors and management, thus moving the

company back into their natural profile for risk-taking.”

We now read about SOA in publications including Global Logistics and Supply Chain

Strategies, Disaster Recovery, Chief Security Officer, as well as financial publications.

Shareholders must however decide on the trade offs between security and cost. They

may be conflicted, uncertain how much security to imbed in the enterprise at what

expense.

F. Facility certification – Technology Asset Protection Association

Discussing transportation security/preparedness is popularly perceived as a problem

of terrorism. The Transportation Lawyers Association would be among those most

informed that the subject encompasses much more than terrorism. Cargo theft

occurring within a facility or somewhere in the supply chain during a change in

custody is a much more likely occurrence than terrorism.

A favorite saying of law enforcement is that cargo at rest is cargo at risk, whether in

a warehouse or a truck that has stopped at a highway rest stop. The Guidelines for

Cargo Security and Loss Control, issued by the National Cargo Security Council,

provides a good summary on the best ways to insure cargo security:



Obligation of authority – Delegation of duties to security staff while

responsibility for security remains with senior management

Inventory Management – Identify and account for all inventory

Security costs – Trade offs must be decided between the costs and level of

security

Level of protection – A trade off between customer and government

requirements

Environmental factors – Consideration of facility location, local law

enforcement and risk

Coordinated activities – Multi-customer facility usage requires coordination by

management

The Technology Asset Protection Association (TAPA) is made up of approximately five

hundred organizations whose primary business products are high value hi-technology

or the transportation of such products. Begun in 1997, its membership took off after

9/11. TAPA now stipulates contractual requirements for its transportation partners for

facilities to meet or exceed their standards.

TAPA’s requirements come with a good deal of grief from many transportation

companies, perhaps some of whom are here today. Some carriers, such as FedEx

and UPS have problems with TAPA as they do not accept TAPA standards. TAPA is not

felt to be knowledgeable enough and does not understand how these two huge firms

insure the security of their customers’ cargo. Other transporters have complained

about the costs of meeting TAPA’s standards but have gone ahead to comply in order

to maintain and acquire new business. The results are mixed if TAPA has succeeded

in significantly improving loss prevention. Some speculate that as the facilities

become more hardened, they do become safer, as the thieves move on toward truck

hi-jacking or driver falsification to beat the system.



G. RFID technology

RFID tags work as passive or active devices. Passive devices must pass through a

scanner in order for information to be obtained about the item which holds the tag.

Active devices transmit information over distances. There are many leading firms

including Savi Technology, which appears to have the lock on the Department of

Defense and Matrics which works with Savi as well as commercial accounts.

Radio Frequency Identification has accelerated its market penetration primarily for

three reasons:

Costs have continued to decrease making the RFID tags cheaper

Demonstrated productivity gains are gained from greater visibility of products

moving through the supply chain

Security is enhanced by identifying the location of transportation assets and

cargo movement

There is a lot of collaboration in the RFID industry. The Auto-ID Center is

a not-for-profit group established by MIT to develop a system for using the Internet to

identify goods anywhere in the world, using the electronic product code, or EPC. It is

funded by large companies who want to use RFID to track goods and who believe an

open standard is critical.

Wal-Mart and the Department of Defense have been in the news with RFID tag

requirements imposed on their suppliers and vendors. They are the tip of the iceberg

represented by RFID.

H. Passenger Transportation – Public and Private



Public transportation systems in the country include automated guideway, rail, bus,

ferry and paratrasnit modes. Commercial systems move passengers via air, maritime

and a variety of surface means.

The Federal Transit Administration commissioned the Transportation Research Board

to study the vulnerability of public transportation. The problem is extensive because

of the characteristics of public transportation:

Large volumes of passengers moved within enclosed spaces

Predictable, fixed routes

Fixed access points

Unique hazards (i.e. traction power, confined spaces)

Susceptible to systemic impacts

Some of these characteristics are found in private transportation systems as well. I

believe security becomes more complicated for passengers when cargo and

passengers are mixed together. As in the supply chain, which is no stronger than its

weakest link, so it is with the conveyance of passengers and cargo in the same

conveyance. Whatever you do to screen passengers and their baggage, the safety of

transportation assets will be dependent on actions which safeguard both passengers

and cargo. This is not the case today. Certainly passengers who intend to turn their

conveyance into an explosive with a specific target have greater risk than cargo

which can explode without the ability to target a specific geographically point. But

the knowledge that is present with the air cargo industry is not sufficient for mixed

passenger/cargo aircraft.

In the public sector, what are the limits of security measures? Is there anything more

that can be done than the announcements we hear in subway and rail stations to



watch for bags left alone? How effect are such English only announcements which I

hear in Washington and New York.

Will we ever need to get to the level of passenger security as in Israel where public

and private passenger transportation terminals used a layered, perimeter approach

which is based on profiling of people standing around the terminal as well as those

who seek to enter?

I. Intelligent Transportation Systems and Cargo Security

Intelligent Transportation Systems have become feasible as the wireless

communication industry has taken off. Examples of ITS are the announcement

boards on highways which inform you of traffic congestion (which you may already

be in!); sensors placed on traffic signals that detect traffic flow and change the lights

to speed the busier lanes along; smart traffic stations which monitor regional

transportation patterns and which can connect to private wireless networks to

transmit information to truck drivers to change their routes in the event of

congestion or accident.

These systems will be used to increase security in fixed areas where cargo interacts

with transportation assets, where employees move within facilities and where cargo

has ingress and egress points. Some of these include:

Smart cards – using coded information, photos

Biometrics – identifying individuals based upon biological data

Automatic Vehicle Identification – using RFID tags to identify vehicles

Map Databases – use for traffic and incident analyses

Vehicle Classification Sensors – automatically detect the class of a vehicle



Weigh-in Motion Technology – ability to weigh as trucks move at highway

speed (so why are there still weigh stations on our highways?)

Spatial Geo-Location – identify specific location of vehicles

There is a great focus at CBP to develop the SMART Container, a container which can

be monitored electronically and can alert the supply chain when something has

occurred to divert it from its planned route. Essentially, a smart container is like a

car with a lo-jack. Why is this of benefit? Knowing when and where the container

deviates from its planned route allows quick response by law enforcement. When the

container is hijacked and the doors are ripped off, the container will alert those

watching it electronically. This is meant to discourage thieves from ripping off the

contents as well as terrorists from inserting deadly devices into it.

There are systems now operating for the Department of Defense which track

movement of transportation assets in real time against a background of the

transportation infrastructure. Data is fed from nearly two hundred sources including

police, fire, traffic, hospitals, etc to allow monitoring of potential disruptive factors to

allow for changes en route. Private sector asset tracking systems are also available.

J. New IMO regulations and 33CFR

Effective next month, the maritime community will be faced with compliance with

three major sets of regulations. The International Maritime Organization’s new

International Ship & Port Facility Security Code (ISPS), Safety of Lives at Sea (SOLAS)

amendments and the Title 33 of the Code of Federal Regulations for Navigation and

Navigable Waters. These are addressing maritime security and adding an extensive

amount of responsibility on the maritime community. These are not voluntary.



They focus on a number of areas:

The port to vessel interface

Cargo manifest rules

Seamen employed by vessel operators

Emergency Response Management

Access controls

Security planning

Implementation is a challenge. It will require a great deal of personnel training. As

has often been occurring with our headlong leap into quick fixes, today’s training is

oriented at the symptoms. The Maritime Institute of Technology and Graduate

Studies in Baltimore put on a two day conference on this issue emphasizing the

human factors which make the maritime industry more secure. However, the

training appears to neglect on how to determine the decision-making level of the

maritime Security Officer. Is security a core value or is it a matter of compliance, well

down the corporate ladder?

I also believe that we have not come face to face with two real issues of maritime

safety:

Flags of convenience – Why is it acceptable to flag our vessels in countries

which may also appear high on global terror lists

Foreign Seamen – Why is it acceptable to hire seamen from nations high on

global terror lists

Why? The source of disruption, such as cargo theft and terrorism may often be an

inside job. How much is served to harden the outside when the spark to light the

disruption is already on the inside?



It has been a pleasure to be with you. I hope I have stimulated more discussion on

defining transportation security and looking at opportunities to better secure your

companies, if you are carriers and know more about the transportation industry, if

you are a customer of these carriers.

Thank you.

Irvin Varkonyi, Adjunct Professor

Transportation Policy, Operations and Logistics, George Mason University,

Arlington, VA

[email protected], 703 863-9686


mailto:[email protected]

varkonyi paper (microsoft word document)

Documents