Varkonyi Paper (Microsoft Word Document)



  1. Irvin Varkonyi TLA Conference 6/3/04

     Best practices in Transportation Security

     Do we all agree on the definition of Transportation Security? Roget’s Thesaurus states that security means assurance, freedom, reliance, sureness, and surety. Does this have sufficient clarity? Perhaps we really mean Transportation Protection? Again, Roget’s states that protection means defense, guarding, invulnerability, safety, stability, strength and SECURITY. Popular lexicon uses the word security but it is insufficient to convey a pro-active approach. We don’t mean to become embroiled in semantics but we need to build a foundation which is solid.

     The subject of this panel is not to address the symptoms of transportation vulnerabilities but to attempt a root cause analysis that can lead to systemic changes which reduce the factors that create vulnerabilities.

     Cargo theft in transportation should be considered equally with other potential disruptions including terrorism. Why are criminals increasingly attracted to hijacking tractor trailers? The retail value of a 40ft trailer of cigarettes exceeds a million dollars. The penalty, should the thief get caught, can be minimal, reflecting the lack of laws against major theft. Why should a criminal seek to smuggle narcotics, which is more closely watched and where he may face life imprisonment? With greater emphasis by the Federal government on protecting us from terrorism via cargo imports into the country, is there sufficient attention to watching our trucks or rails against thieves as well as domestic based terrorists?

     I have ten areas of transportation protection in ten minutes which I hope will stimulate you to look at your organizations, as well as your organizations’ customers and vendors. This presentation is primarily oriented toward cargo movement with one area on passenger transportation security.

     George Mason University No reproduction without permission
  2. A. The transportation security professional

     The supply chain is a phrase coined in the 1980’s to express the relationships which companies developed to maximize efficiency in the production and distribution of products utilizing outsourced vendors, transporters and distributors. Cargo transportation is a component of the supply chain. Passenger transportation is a component of the national economy and is responsible for fulfilling the needs for citizens to travel for business or pleasure.

     Do we all actually agree on the definition of the supply chain? We increasingly hear the term at conferences which discuss supply chain security. We see these terms in all types of publications. Do we do a good job of defining the term for non-supply chain professionals such as your security professionals? How much training has security staff received in the business operations of their firms? How much attention has been paid to providing them skills in understanding their employer’s supply chain? Do they participate in professional associations such as the National Cargo Security Council or the American Society for Industrial Security?

     There are various organizations and private institutions which are looking at melding the disciplines of transportation/logistics with that of physical security, including possible professional certification such as a “Certified Security Logistics Professional.” I urge you to support training and education of your security professionals in the challenges of the modern supply chain in which transportation, your business, is a key component.

     B. Threats to transportation

     When you raise the subject of threats in a public forum, such as this conference, isn’t the tendency to think of terrorism? That’s good in a way but not so good if we exaggerate the risk of
  3. terrorism by understating other threats. I suggest an all hazards approach, which is the approach that the Department of Homeland Security now follows. Threats can originate from natural phenomena, such as weather; accidental occurrences, such as haz-mat spills; and intentional actions, including terrorism and theft. How layered is your business continuity plan and how well will it work to fulfill your obligation to your customers, your employees and your shareholders? More importantly, how layered is the planning of your sub-contractors, those to whom you have outsourced many functions? Do you use disaster logistics to ensure continuity?

     In early 2002, the Council of Logistics Management published “Securing the Supply Chain,” co-authored by Drs. Keith Helferich and Robert Cook, who advocated five steps to follow to make a resilient supply chain: Planning, Detection, Mitigation, Response and Recovery. The book acknowledges we can’t prevent all types of disasters, such as hurricanes, or completely eliminate accidents, such as haz-mat spills on Interstate highways. Perhaps we can’t even stop a determined enough terrorist? But we can do better to detect problems earlier, commit resources to mitigate the effects of a disaster and ensure we recover from the disaster. By understanding an all hazard approach to threats, we will minimize the disruptions from them. This is the essence of transportation security/preparedness.

     C. Quality is security

     Quality found its true meaning when the US economy was rocked several decades ago by competition from Japan. They raised the bar, thereby lowering the boom on us. Money back guarantees? No way, our transportation firms used to say. Guaranteed delivery? Are you kidding? Well, that is certainly behind us today. The transportation industry exemplifies today’s marketplace reality. If quality is embedded in the best companies, then so must be security.
  4. “We must make security a core business value… the private sector has built in quality, safety, health and productivity as essential, central elements of institutional culture and mission…security must become a part of the competitiveness equation.” (“Creating Opportunity out of Adversity,” Proceedings of the National Symposium on Competitiveness and Security, October 2002)

     Studies at Stanford University demonstrate that quality means security. “Supply Chain without Tears,” co-authored by Hau Lee and Michael Wolfe (Supply Chain Management Review, Jan. 2003), quantifies this truism. Costs spent for security turn into savings by improving productivity and lowering risk. The Lee/Wolfe study found that the use of smart containers, which provide electronic visibility in the supply chain, reduces more costly manual efforts to track cargo. These containers decrease the risk of theft, leading to lower insurance premiums. The authors estimated savings of over $300 per container per trip.

     D. Government compliance – A floor or ceiling?

     I’m nearly halfway through and only now do I mention CTPAT. Have I forgotten to offer yet another summary on top of the hundreds many of you may have heard on the Customs Trade Partnership Against Terrorism, a private-public sector partnership? CTPAT is the creation of a private sector group, called COAC (Customs Operations Advisory Council), established by the US Treasury before 9/11 to help improve customs processes. After 9/11, COAC was used to help design a private/public partnership to protect our country from imports potentially penetrated by terrorists’ devices. CTPAT was intended to stave off government regulations. CTPAT is voluntary.

     Does CTPAT equate to security? Does approval as CTPAT by the Bureau for Customs and Border Protection (CBP) mean that you are secure? Do you seek to be approved for CTPAT because it makes you more secure? Or are you interested in CTPAT because of the carrot which CBP holds
  5. in front of you? CBP continually emphasizes the incentives for CTPAT companies to get ahead of importers who are not CTPAT.

     My answer is yes, you are more secure when you complete the CTPAT application than you were, at least, before you embarked on CTPAT. To become CTPAT, you’ve spent a certain amount of time to internally audit your processes, and those of your trading partners, to comply with the seven major aspects of CTPAT:

     • Procedural Security
     • Physical Security
     • Access Control
     • Personnel Security
     • Education and Training
     • Manifest procedures
     • Conveyance security

     But where are the standards for CTPAT against which you can benchmark your organization? There aren’t standards. Where is the corporate responsibility for implementing CTPAT? Every company does it differently. Some assign this to Legal; some to Marketing; some to Quality control; some to an ad hoc committee. Neither industry nor the government has agreed on this. Thus how do you evaluate a completed CTPAT application?

     There are two significant vulnerable areas with CTPAT:

     • There is neither a real process nor requirements to audit your trading partners. How familiar should a company be with the facilities, employees and processes of their partners? CTPAT allows you to send a mere letter to your vendors requiring them to
  6. abide by your commitment to CTPAT. No inspection of their facilities is required. No contractual language is required.

     • Validation of companies (due diligence) with approved CTPAT applications is weak. CBP validation is the task of determining the truthfulness of an applicant. It is not referred to as an audit. It is hard to determine the number of validated companies. Most of what I hear indicates validation is in the low hundreds, out of over 5,000 CTPAT approved organizations. Who are the validators? Senior customs inspectors retrained as supply chain experts in a two week training program. Is anyone expelled from CTPAT? Hardly.

     CTPAT is a good effort but it should be viewed as a floor with respect to efforts to be more secure. It should not be regarded as a ceiling. There are certainly advantages to being CTPAT, if you take it seriously. But it is likely that many organizations which embark on CTPAT do so to gain the advantages of an expedited import entry lane. In the event of a port shut down, due to a disruption, CBP states that the CTPAT approved containers will have first crack at clearing customs. How will that work with tens of thousands of containers on hundreds of vessels crowded around the Port of Los Angeles/Long Beach?

     If your responsibility is to evaluate government compliance requirements, I suggest that CTPAT be put into context as only one component of many to make your business safe. There are other government programs besides CTPAT which will help importers to expedite customs clearances.

     CBP’s Advance Manifest Rules require a 24 hour advance notification for vessels before they depart their foreign port; a four hour rule for aircraft departing with air cargo. This allows CBP’s Terrorist Threat Center to evaluate the likely risks of cargo well before they hit our shores. If they feel there may be a threat, due to some anomaly with one or more pieces of cargo, they will direct that vessel or aircraft not to depart. Compliance with this obligatory regulation will do much to help expedite the customs clearance process with or without CTPAT. These new regulations have spurred new software tools to provide transporters greater visibility
  7. of their cargo. Advance notification has had a very positive effect on productivity as well as allowing them to comply with government regulations. This has benefited the bottom line.

     Other Government programs include CSI, the Container Security Initiative. This program intends to encourage compliance by foreign ports to institute security procedures favored by DHS. It decreases the likelihood of containers leaving their ports with explosives, bio-toxins or other terrorist devices.

     Operation Safe Commerce is a pilot program integrating a variety of voluntary and regulatory Government programs to evaluate where the threats are in cargo imports. Upon completion of the pilot, it will direct government and the private sector to reduce those threats.

     FAST is a program on our northern border meant to expedite Canadian imports into this country. If you are CTPAT, you are eligible to apply for FAST. A Radio Frequency Identification (RFID) tag, similar to an EZPASS type device, is in the cab of the trucker. It transmits data to CBP in advance of the truck reaching the border to allow Customs agents to evaluate potential threats, if any, of the cargo on the truck.

     E. Sarbanes Oxley

     The Sarbanes-Oxley Act is popularly perceived as a reaction against the financial excesses of firms such as Enron. It is that. It is more than that. I am a bit hesitant to try to discuss SOA in front of hundreds of lawyers but I would like to use SOA to support the view that best practices which maximize transportation security and preparedness are in the best interests of the shareholders, the employees and the customers.

     SOA seeks to reduce risk to shareholders. In an article published last March by Anthony Ghosen, a key point is made about risk management: “Section 409 of SOA is focused on the definition of
  8. “materiality” and the management of material variance, which is in essence a large part of the premise for enterprise risk management. The challenge…is to foresee issues of materiality and be able to report them in a timely manner. This creates a distinct potential advantage to the company that manages risk (materiality) better than its industry competitors…”

     Does a publicly traded corporation, which does not manage risk well, subject its senior managers and its board of directors to possible action by shareholders or law enforcement? In the event of a terrorist action, will it be enough for the CEO to claim that because they were approved for CTPAT, they managed well the risks of global trade? Or will it be contended that CTPAT is insufficient to manage risk? Should the company have been more diligent in designing its global supply chain, managing its transportation and distribution partners? In other words, is CTPAT a floor on managing risk and security while the ceiling is fulfilling SOA?

     Ghosen states: “The letter of the law (SOA) is simply that a company identifies materiality and makes sure that it is visible at any time a venture, investment or operational event occurs where materiality (loss) has occurred…the spirit of the law, however, puts CEOs in control when they can demonstrate how a material event is identified through operational data monitoring, coupled with real-time, integrated risk profiles long before the 3 to 5 day 8k reporting window arrives. How that event is managed can allay the concerns of institutional investors and management, thus moving the company back into their natural profile for risk-taking.”

     We now read about SOA in publications including Global Logistics and Supply Chain Strategies, Disaster Recovery, Chief Security Officer, as well as financial publications. Shareholders must however decide on the trade-offs between security and cost. They may be conflicted, uncertain how much security to embed in the enterprise at what expense.
  9. F. Facility certification – Technology Asset Protection Association

     Discussing transportation security/preparedness is popularly perceived as a problem of terrorism. The Transportation Lawyers Association would be among those most informed that the subject encompasses much more than terrorism. Cargo theft occurring within a facility or somewhere in the supply chain during a change in custody is a much more likely occurrence than terrorism. A favorite saying of law enforcement is that cargo at rest is cargo at risk, whether in a warehouse or a truck that has stopped at a highway rest stop.

     The Guidelines for Cargo Security and Loss Control, issued by the National Cargo Security Council, provides a good summary on the best ways to ensure cargo security:

     • Obligation of authority – Delegation of duties to security staff while responsibility for security remains with senior management
     • Inventory Management – Identify and account for all inventory
     • Security costs – Trade-offs must be decided between the costs and level of security
     • Level of protection – A trade-off between customer and government requirements
     • Environmental factors – Consideration of facility location, local law enforcement and risk
     • Coordinated activities – Multi-customer facility usage requires coordination by management

     The Technology Asset Protection Association (TAPA) is made up of approximately five hundred organizations whose primary business products are high value high-technology or the transportation of such products. Begun in 1997, its membership took off after 9/11. TAPA now stipulates
  10. contractual requirements for its transportation partners for facilities to meet or exceed their standards. TAPA’s requirements come with a good deal of grief from many transportation companies, perhaps some of whom are here today. Some carriers, such as FedEx and UPS, have problems with TAPA as they do not accept TAPA standards. TAPA is not felt to be knowledgeable enough and does not understand how these two huge firms ensure the security of their customers’ cargo. Other transporters have complained about the costs of meeting TAPA’s standards but have gone ahead to comply in order to maintain and acquire new business.

      The results are mixed as to whether TAPA has succeeded in significantly improving loss prevention. Some speculate that as the facilities become more hardened, they do become safer, as the thieves move on toward truck hijacking or driver falsification to beat the system.

      G. RFID technology

      RFID tags work as passive or active devices. Passive devices must pass through a scanner in order for information to be obtained about the item which holds the tag. Active devices transmit information over distances. There are many leading firms including Savi Technology, which appears to have the lock on the Department of Defense, and Matrics, which works with Savi as well as commercial accounts.

      Radio Frequency Identification has accelerated its market penetration primarily for three reasons:

      • Costs have continued to decrease, making the RFID tags cheaper
      • Productivity gains have been demonstrated from greater visibility of products moving through the supply chain
      • Security is enhanced by identifying the location of transportation assets and cargo movement
  11. There is a lot of collaboration in the RFID industry. The Auto-ID Center is a not-for-profit group established by MIT to develop a system for using the Internet to identify goods anywhere in the world, using the electronic product code, or EPC. It is funded by large companies who want to use RFID to track goods and who believe an open standard is critical.

      Wal-Mart and the Department of Defense have been in the news with RFID tag requirements imposed on their suppliers and vendors. They are the tip of the iceberg represented by RFID.

      H. Passenger Transportation – Public and Private

      Public transportation systems in the country include automated guideway, rail, bus, ferry and paratransit modes. Commercial systems move passengers via air, maritime and a variety of surface means.

      The Federal Transit Administration commissioned the Transportation Research Board to study the vulnerability of public transportation. The problem is extensive because of the characteristics of public transportation:

      • Large volumes of passengers moved within enclosed spaces
      • Predictable, fixed routes
      • Fixed access points
      • Unique hazards (i.e. traction power, confined spaces)
      • Susceptible to systemic impacts

      Some of these characteristics are found in private transportation systems as well. I believe security becomes more complicated for passengers when cargo and passengers are mixed together. As in the supply chain, which is no stronger than its weakest link, so it is with the
  12. conveyance of passengers and cargo in the same conveyance. Whatever you do to screen passengers and their baggage, the safety of transportation assets will be dependent on actions which safeguard both passengers and cargo. This is not the case today. Certainly passengers who intend to turn their conveyance into an explosive with a specific target have greater risk than cargo which can explode without the ability to target a specific geographic point. But the knowledge that is present with the air cargo industry is not sufficient for mixed passenger/cargo aircraft.

      In the public sector, what are the limits of security measures? Is there anything more that can be done than the announcements we hear in subway and rail stations to watch for bags left alone? How effective are such English only announcements which I hear in Washington and New York? Will we ever need to get to the level of passenger security as in Israel, where public and private passenger transportation terminals used a layered, perimeter approach which is based on profiling of people standing around the terminal as well as those who seek to enter?

      I. Intelligent Transportation Systems and Cargo Security

      Intelligent Transportation Systems have become feasible as the wireless communication industry has taken off. Examples of ITS are the announcement boards on highways which inform you of traffic congestion (which you may already be in!); sensors placed on traffic signals that detect traffic flow and change the lights to speed the busier lanes along; smart traffic stations which monitor regional transportation patterns and which can connect to private wireless networks to transmit information to truck drivers to change their routes in the event of congestion or accident.
  13. These systems will be used to increase security in fixed areas where cargo interacts with transportation assets, where employees move within facilities and where cargo has ingress and egress points. Some of these include:

      • Smart cards – using coded information, photos
      • Biometrics – identifying individuals based upon biological data
      • Automatic Vehicle Identification – using RFID tags to identify vehicles
      • Map Databases – use for traffic and incident analyses
      • Vehicle Classification Sensors – automatically detect the class of a vehicle
      • Weigh-in Motion Technology – ability to weigh as trucks move at highway speed (so why are there still weigh stations on our highways?)
      • Spatial Geo-Location – identify specific location of vehicles

      There is a great focus at CBP to develop the SMART Container, a container which can be monitored electronically and can alert the supply chain when something has occurred to divert it from its planned route. Essentially, a smart container is like a car with a LoJack. Why is this of benefit? Knowing when and where the container deviates from its planned route allows quick response by law enforcement. When the container is hijacked and the doors are ripped off, the container will alert those watching it electronically. This is meant to discourage thieves from ripping off the contents as well as terrorists from inserting deadly devices into it.

      There are systems now operating for the Department of Defense which track movement of transportation assets in real time against a background of the transportation infrastructure. Data is fed from nearly two hundred sources including police, fire, traffic, hospitals, etc., to allow monitoring of potential disruptive factors to allow for changes en route. Private sector asset tracking systems are also available.
  14. J. New IMO regulations and 33CFR

      Effective next month, the maritime community will be faced with compliance with three major sets of regulations: the International Maritime Organization’s new International Ship & Port Facility Security Code (ISPS), Safety of Lives at Sea (SOLAS) amendments and the Title 33 of the Code of Federal Regulations for Navigation and Navigable Waters. These address maritime security and add an extensive amount of responsibility to the maritime community. These are not voluntary. They focus on a number of areas:

      • The port to vessel interface
      • Cargo manifest rules
      • Seamen employed by vessel operators
      • Emergency Response Management
      • Access controls
      • Security planning

      Implementation is a challenge. It will require a great deal of personnel training. As has often been occurring with our headlong leap into quick fixes, today’s training is oriented at the symptoms. The Maritime Institute of Technology and Graduate Studies in Baltimore put on a two day conference on this issue emphasizing the human factors which make the maritime industry more secure. However, the training appears to neglect how to determine the decision-making level of the maritime Security Officer. Is security a core value or is it a matter of compliance, well down the corporate ladder?

      I also believe that we have not come face to face with two real issues of maritime safety:

      • Flags of convenience – Why is it acceptable to flag our vessels in countries which may also appear high on global terror lists?
  15. • Foreign Seamen – Why is it acceptable to hire seamen from nations high on global terror lists?

      Why? The source of disruption, such as cargo theft and terrorism, may often be an inside job. How much is served to harden the outside when the spark to light the disruption is already on the inside?

      It has been a pleasure to be with you. I hope I have stimulated more discussion on defining transportation security and looking at opportunities to better secure your companies, if you are carriers, and to know more about the transportation industry, if you are a customer of these carriers.

      Thank you.

      Irvin Varkonyi, Adjunct Professor, Transportation Policy, Operations and Logistics, George Mason University, Arlington, VA, 703 863-9686