Learning Center
Plans & pricing Sign in
Sign Out

Best practices in Transportation Security


									Irvin Varkonyi                           TLA Conference                                        6/3/04

       Best practices in Transportation Security
Do we all agree on the definition of Transportation Security? Roget’s Thesaurus states that

security means assurance, freedom, reliance, sureness, and surety. Does this have sufficient

clarity? Perhaps we really mean Transportation Protection? Again, Roget’s states that protection

means defense, guarding, invulnerability, safety, stability, strength and SECURITY. Popular

lexicon uses the word security but it is insufficient to convey a pro-active approach. We don’t

mean to become embroiled in semantics but we need to build a foundation which is solid. The

subject of this panel is not to address the symptoms of transportation vulnerabilities but to

attempt a root cause analysis that can lead to systemic changes which reduce the factors that

create vulnerabilities.

Cargo theft in transportation should be considered equally with other potential disruptions

including terrorism. Why are criminals increasingly attracted to hijacking tractor trailers? The

retail value of a 40ft trailer of cigarettes exceeds a million dollars. The penalty, should the thief

get caught can be minimal, reflecting the lack of laws against major theft. Why should a criminal

seek to smuggle narcotics which is more closely watched and where he may face life

imprisonment? With greater emphasis by the Federal government on protecting us from

terrorism via cargo imports into the country, is there sufficient attention to watching our trucks or

rails against thieves as well as domestic based terrorists?

I have ten areas of transportation protection in ten minutes which I hope will stimulate you to

look at your organizations, as well as your organizations’ customers and vendors. This

presentation is primarily oriented toward cargo movement with one area on passenger

transportation security.

George Mason University No reproduction without permission                                              1
Irvin Varkonyi                            TLA Conference                                       6/3/04

    A. The transportation security professional

The supply chain is a phrase coined in the 1980’s to express the relationships which companies

developed to maximize efficiency in the production and distribution of products utilizing

outsourced vendors, transporters and distributors. Cargo transportation is a component of the

supply chain. Passenger transportation is a component of the national economy and is

responsible for fulfilling the needs for citizens to travel for business or pleasure.

Do we all actually agree on the definition of the supply chain? We increasingly hear the term at

conferences which discuss supply chain security. We see these terms in all types of publications.

Do we do a good job to define the term for non-supply chain professionals such as your security

professionals? How much training has security staff received in the business operations of their

firms? How much attention has been paid to provide them skills in understanding their

employer’s supply chain? Do they participate in professional associations such as the National

Cargo Security Council or the American Society for Industrial Security?

There are various organizations and private institutions which are looking at melding the

disciplines of transportation/logistics with that of physical security, including possible professional

certification such as a “Certified Security Logistics Professional.” I urge you to support training

and education of your security professionals in the challenges of the modern supply chain in

which transportation, your business, is a key component.

    B. Threats to transportation

When you raise the subject of threats in a public forum, such as this conference, isn’t the

tendency to think of terrorism? That’s good in a way but not so good if we exaggerate the risk of

George Mason University No reproduction without permission                                            2
Irvin Varkonyi                           TLA Conference                                      6/3/04

terrorism by understating other threats. I suggest an all hazards approach, which is the approach

that the Dept of Homeland Security now follows. Threats can originate by natural phenomena,

such as weather, accidental occurrences such as haz-mat spills and intentional actions, including

terrorism and theft.

How layered is your business continuity plan and how well will it work to fulfill your obligation to

your customers, your employees and your shareholders? More importantly, how layered is the

planning of your sub-contractors, those to whom you have outsourced many functions? Do you

use disaster logistics to insure continuity? In early 2002, the Council of Logistics Management

published, “Securing the Supply Chain,” co-authored by Drs Keith Helferich and Robert Cook who

advocated five steps to follow to make a resilient supply chain: Planning, Detection, Mitigation,

Response and Recovery.

The book acknowledges we can’t prevent all types of disasters, such as hurricanes or completely

eliminate accidents, such as haz- mat spills on Interstate highways. Perhaps we can’t even stop a

determined enough terrorist? But we can do better to detect problems earlier, commit resources

to mitigate the effects of a disaster and insure we recover from the disaster. By understanding an

all hazard approach to threats, we will minimize the disruptions from them. This is the essence of

transportation security/preparedness.

    C. Quality is security

Quality found its true meaning when the US economy was rocked several decades ago by

competition from Japan. They raised the bar, thereby lowering the boom on us. Money back

guarantees? No way, our transportation firms used to say. Guaranteed delivery? Are you

kidding? Well that is certainly behind us today. The transportation industry exemplifies today’s

marketplace reality. If quality is imbedded in the best companies, then so must be security.

George Mason University No reproduction without permission                                             3
Irvin Varkonyi                          TLA Conference                                      6/3/04

“We must make security a core business value… the private sector has built in quality, safety,

health and productivity as essential, central elements of institutional culture and mission…security

must become a part of the competitiveness equation.” (Creating Opportunity out of Adversity,”

Proceedings of the National Symposium on Competitiveness and Security," October 2002)

Studies at Stanford University demonstrate that quality means security. “Supply Chain without

Tears,” co-authored by Hua Lee and Michael Wolfe (Supply Chain Management Review, Jan.

2003.) quantifies this truism. Costs spent for security turn into savings by improving productivity

and lowering risk. The Lee/Wolfe study found that the use of smart containers, which provide

electronic visibility in the supply chain, reduce more costly manual efforts to track cargo. These

containers decrease the risk of theft, leading to lower insurance premiums. Estimated savings

per container per trip was over $300, the authors estimated.

    D. Government compliance – A floor or ceiling?

I’m nearly halfway through and only now do I mention CTPAT. Have I forgotten to offer yet

another summary on top of hundreds many of you may have heard on the Customs Trade

Partnership Against Terrorism, a private-public sector partnership? CTPAT is the creation of a

private sector group, called COAC (Customs Operations Advisory Council) established by the US

Treasury before 9/11 to help improve customs processes. After 9/11, COAC was used to help

design a private/public partnership to protect our country from imports potentially penetrated by

terrorists’ devices. CTPAT was intended to stave off government regulations. CTPAT is voluntary.

Does CTPAT equate to security? Does approval as CTPAT by the Bureau for Customs and Border

Protection (CBP) mean that you are secure? Do you seek to be approved for CTPAT because it

makes you more secure? Or are you interested in CTPAT because of the carrot which CBP holds

George Mason University No reproduction without permission                                           4
Irvin Varkonyi                         TLA Conference                                      6/3/04

in front of you? CBP continually emphasizes the incentives for CTPAT companies to get ahead of

importers who are not CTPAT.

My answer is yes, you are more secure when you complete the CTPAT application, then you were

at least before you embarked on CTPAT. To become CTPAT, you’ve spent a certain amount of

time to internally audit your processes, and that of your trading partners to comply with the

seven major aspects of CTPAT:

       Procedural Security

       Physical Security

       Access Control

       Personnel Security

       Education and Training

       Manifest procedures

       Conveyance security

But where are the standards for CTPAT against which you can benchmark your organization?

There aren’t standards. Where is the corporate responsibility for implementing CTPAT? Every

company does it differently. Some assign this to Legal; some to Marketing; some to Quality

control; some to an ad hoc committee. Neither industry nor the government has agreed on this.

Thus how do you evaluate a completed CTPAT application? There are two significant vulnerable

areas with CTPAT:

       There is neither a real process nor requirements to audit your trading partners. How

        familiar should a company be with the facilities, employees and processes of their

        partners? CTPAT allows you to send a mere letter to your vendors requiring them to

        abide by your commitment to CTPAT. No inspection of their facilities is required. No

        contractual language is required.

George Mason University No reproduction without permission                                       5
Irvin Varkonyi                           TLA Conference                                       6/3/04

       Validation of companies (due diligence) with approved CTPAT applications is weak. CBP

        validation is the task of determining the truthfulness of an applicant. It is not referred to

        as an audit. It is hard to determine the number of validated companies. Most of what I

        hear indicate validation is in the low hundreds, out of over 5,000 CTPAT approved

        organizations. Who are the validators? Senior customs inspectors retrained as supply

        chain experts in a two week training program. Is anyone expelled from CTPAT? Hardly.

CTPAT is a good effort but it should be viewed as a floor with respect to efforts to be more

secure. It should not be regarded as a ceiling. There are certainly advantages to be CTPAT, if

you take it seriously. But it is likely that many organizations which embark on CTPAT do so to

gain the advantages of expedited import entry lane. In the event of a port shut down, due to a

disruption, CBP states that the CTPAT approved containers will have first crack at clearing

customs. How will that work with tens of thousands of containers on hundreds of vessels

crowded around the Port of Los Angeles/Long Beach?

If your responsibility is to evaluate government compliance requirements, I suggest that CTPAT

be put into context as only one component of many to make your business safe.

There are other government programs besides CTPAT which will help importers to expedite

customs clearances. CBP’s Advance Manifest Rules require a 24 hour advance notification for

vessels before they depart their foreign port; a four hour rule for aircraft departing with air cargo.

This allows CBP’s Terrorist Threat Center to evaluate the likely risks of cargo well before they hit

our shores. If they feel there may be a threat, due to some anomaly with one or more pieces of

cargo, they will direct that that vessel or aircraft to not depart. Compliance with this obligatory

regulation will do much to help expedite the customs clearance process with or without CTPAT.

These new regulations have spurred new software tools to provide transporters greater visibility

of their cargo. Advance notification has had a very positive effective on productivity as well as

allowing them to comply with government regulations. This has benefited the bottom line.

George Mason University No reproduction without permission                                            6
Irvin Varkonyi                           TLA Conference                                       6/3/04

Other Government programs include CSI, the Container Security Initiative. This program intends

to encourage compliance by foreign ports to institute security procedures favored by DHS. It

decreases the likelihood of containers leaving their ports with explosives, bio-toxins or other

terrorist devices.

Operation Safe Commerce is a pilot program integrating a variety of voluntary and regulatory

Government programs to evaluate where the threats are in cargo imports. Upon completion of

the pilot, it will direct government and the private sector to reduce those threats. FAST is a

program on our northern border meant to expedite Canadian imports into this country. If you are

CTPAT, you are eligible to apply for FAST. A Radio Frequency Identification (RFID) tag, similar to

an EZPASS type device is in the cab of the trucker. It transmits data to CBP in advance of the

truck reaching the border to allow Customs agents to evaluate potential threats, if any, of the

cargo on the truck.

    E. Sarbanes Oxley

The Sarbanes-Oxley Act is popularly perceived as a reaction against the financial excesses of

firms such as Enron. It is that. It is more than that. I am a bit hesitant to try to discuss SOA in

front of hundreds of lawyers but I would like to use SOA to support that best practices which

maximize transportation security and preparedness are in the best interests of the shareholders,

the employees and the customers.

SOA seeks to reduce risk to shareholders. In an article published last March by Anthony Ghosen,

a key point is made about risk management: “Section 409 of SOA is focused on the definition of

“materiality” and the management of material variance, which is in essence a large part of the

premise for enterprise risk management. The challenge…is to foresee issues of materiality and

George Mason University No reproduction without permission                                            7
Irvin Varkonyi                          TLA Conference                                      6/3/04

be able to report them in a timely manner. This creates a distinct potential advantage to the

company that manages risk (materiality) better than its industry competitors…”

Does a publicly traded corporation, which does not manage risk well, subject its senior managers

and its board of directors to possible action by shareholders or law enforcement? In the event of

a terrorist action, will it be enough for the CEO to claim that because they were approved for

CTPAT, that they managed well the risks of global trade? Or will it be contended that CTPAT is

insufficient to manage risk? Should the company have been more diligent in designing its global

supply chain, managing its transportation and distribution partners? In other words, is CTPAT a

floor on managing risk and security while the ceiling is fulfilling SOA? Ghosen states:

“The letter of the law (SOA) is simply that a company identifies materiality and makes that sure

that it is visible at any time a venture, investment or operational event occurs where materiality

(loss) has occurred…the spirit of the law, however, puts CEOs in control when they can

demonstrate how a material event is identified through operational data monitoring, coupled with

real-time, integrated risk profiles long before the 3 to 5 day 8k reporting window arrives. How

that event is managed can allay the concerns of institutional investors and management, thus

moving the company back into their natural profile for risk-taking.”

We now read about SOA in publications including Global Logistics and Supply Chain Strategies,

Disaster Recovery, Chief Security Officer, as well as financial publications. Shareholders must

however decide on the trade offs between security and cost. They may be conflicted, uncertain

how much security to imbed in the enterprise at what expense.

George Mason University No reproduction without permission                                           8
Irvin Varkonyi                           TLA Conference                                       6/3/04

    F. Facility certification – Technology Asset Protection Association

Discussing transportation security/preparedness is popularly perceived as a problem of terrorism.

The Transportation Lawyers Association would be among those most informed that the subject

encompasses much more than terrorism. Cargo theft occurring within a facility or somewhere in

the supply chain during a change in custody is a much more likely occurrence than terrorism.

A favorite saying of law enforcement is that cargo at rest is cargo at risk, whether in a warehouse

or a truck that has stopped at a highway rest stop. The Guidelines for Cargo Security and Loss

Control, issued by the National Cargo Security Council, provides a good summary on the best

ways to insure cargo security:

       Obligation of authority – Delegation of duties to security staff while responsibility for

        security remains with senior management

       Inventory Management – Identify and account for all inventory

       Security costs – Trade offs must be decided between the costs and level of security

       Level of protection – A trade off between customer and government requirements

       Environmental factors – Consideration of facility location, local law enforcement and risk

       Coordinated activities – Multi-customer facility usage requires coordination by


The Technology Asset Protection Association (TAPA) is made up of approximately five hundred

organizations whose primary business products are high value hi-technology or the transportation

of such products. Begun in 1997, its membership took off after 9/11. TAPA now stipulates

contractual requirements for its transportation partners for facilities to meet or exceed their


George Mason University No reproduction without permission                                           9
Irvin Varkonyi                           TLA Conference                                    6/3/04

TAPA’s requirements come with a good deal of grief from many transportation companies,

perhaps some of whom are here today. Some carriers, such as FedEx and UPS have problems

with TAPA as they do not accept TAPA standards. TAPA is not felt to be knowledgeable enough

and does not understand how these two huge firms insure the security of their customers’ cargo.

Other transporters have complained about the costs of meeting TAPA’s standards but have gone

ahead to comply in order to maintain and acquire new business. The results are mixed if TAPA

has succeeded in significantly improving loss prevention. Some speculate that as the facilities

become more hardened, they do become safer, as the thieves move on toward truck hi-jacking

or driver falsification to beat the system.

    G. RFID technology

RFID tags work as passive or active devices. Passive devices must pass through a scanner in

order for information to be obtained about the item which holds the tag. Active devices transmit

information over distances. There are many leading firms including Savi Technology, which

appears to have the lock on the Department of Defense and Matrics which works with Savi as

well as commercial accounts.

Radio Frequency Identification has accelerated its market penetration primarily for three reasons:

       Costs have continued to decrease making the RFID tags cheaper

       Demonstrated productivity gains are gained from greater visibility of products moving

        through the supply chain

       Security is enhanced by identifying the location of transportation assets and cargo


There is a lot of collaboration in the RFID industry. The Auto-ID Center is

George Mason University No reproduction without permission                                        10
Irvin Varkonyi                           TLA Conference                                      6/3/04

a not-for-profit group established by MIT to develop a system for using the Internet to identify

goods anywhere in the world, using the electronic product code, or EPC. It is funded by large

companies who want to use RFID to track goods and who believe an open standard is critical.

Wal-Mart and the Department of Defense have been in the news with RFID tag requirements

imposed on their suppliers and vendors. They are the tip of the iceberg represented by RFID.

    H. Passenger Transportation – Public and Private

Public transportation systems in the country include automated guideway, rail, bus, ferry and

paratrasnit modes. Commercial systems move passengers via air, maritime and a variety of

surface means.

The Federal Transit Administration commissioned the Transportation Research Board to study the

vulnerability of public transportation. The problem is extensive because of the characteristics of

public transportation:

       Large volumes of passengers moved within enclosed spaces

       Predictable, fixed routes

       Fixed access points

       Unique hazards (i.e. traction power, confined spaces)

       Susceptible to systemic impacts

Some of these characteristics are found in private transportation systems as well. I believe

security becomes more complicated for passengers when cargo and passengers are mixed

together. As in the supply chain, which is no stronger than its weakest link, so it is with the

conveyance of passengers and cargo in the same conveyance. Whatever you do to screen

George Mason University No reproduction without permission                                         11
Irvin Varkonyi                            TLA Conference                                     6/3/04

passengers and their baggage, the safety of transportation assets will be dependent on actions

which safeguard both passengers and cargo. This is not the case today. Certainly passengers

who intend to turn their conveyance into an explosive with a specific target have greater risk

than cargo which can explode without the ability to target a specific geographically point. But the

knowledge that is present with the air cargo industry is not sufficient for mixed passenger/cargo


In the public sector, what are the limits of security measures? Is there anything more that can be

done than the announcements we hear in subway and rail stations to watch for bags left alone?

How effect are such English only announcements which I hear in Washington and New York.

Will we ever need to get to the level of passenger security as in Israel where public and private

passenger transportation terminals used a layered, perimeter approach which is based on

profiling of people standing around the terminal as well as those who seek to enter?

    I.      Intelligent Transportation Systems and Cargo Security

Intelligent Transportation Systems have become feasible as the wireless communication industry

has taken off. Examples of ITS are the announcement boards on highways which inform you of

traffic congestion (which you may already be in!); sensors placed on traffic signals that detect

traffic flow and change the lights to speed the busier lanes along; smart traffic stations which

monitor regional transportation patterns and which can connect to private wireless networks to

transmit information to truck drivers to change their routes in the event of congestion or


George Mason University No reproduction without permission                                         12
Irvin Varkonyi                           TLA Conference                                       6/3/04

These systems will be used to increase security in fixed areas where cargo interacts with

transportation assets, where employees move within facilities and where cargo has ingress and

egress points. Some of these include:

        Smart cards – using coded information, photos

        Biometrics – identifying individuals based upon biological data

        Automatic Vehicle Identification – using RFID tags to identify vehicles

        Map Databases – use for traffic and incident analyses

        Vehicle Classification Sensors – automatically detect the class of a vehicle

        Weigh-in Motion Technology – ability to weigh as trucks move at highway speed (so why

         are there still weigh stations on our highways?)

        Spatial Geo-Location – identify specific location of vehicles

There is a great focus at CBP to develop the SMART Container, a container which can be

monitored electronically and can alert the supply chain when something has occurred to divert it

from its planned route. Essentially, a smart container is like a car with a lo-jack. Why is this of

benefit? Knowing when and where the container deviates from its planned route allows quick

response by law enforcement. When the container is hijacked and the doors are ripped off, the

container will alert those watching it electronically. This is meant to discourage thieves from

ripping off the contents as well as terrorists from inserting deadly devices into it.

There are systems now operating for the Department of Defense which track movement of

transportation assets in real time against a background of the transportation infrastructure. Data

is fed from nearly two hundred sources including police, fire, traffic, hospitals, etc to allow

monitoring of potential disruptive factors to allow for changes en route. Private sector asset

tracking systems are also available.

    J.   New IMO regulations and 33CFR

George Mason University No reproduction without permission                                            13
Irvin Varkonyi                           TLA Conference                                       6/3/04

Effective next month, the maritime community will be faced with compliance with three major

sets of regulations. The International Maritime Organization’s new International Ship & Port

Facility Security Code (ISPS), Safety of Lives at Sea (SOLAS) amendments and the Title 33 of the

Code of Federal Regulations for Navigation and Navigable Waters. These are addressing maritime

security and adding an extensive amount of responsibility on the maritime community. These are

not voluntary.

They focus on a number of areas:

       The port to vessel interface

       Cargo manifest rules

       Seamen employed by vessel operators

       Emergency Response Management

       Access controls

       Security planning

Implementation is a challenge. It will require a great deal of personnel training. As has often

been occurring with our headlong leap into quick fixes, today’s training is oriented at the

symptoms. The Maritime Institute of Technology and Graduate Studies in Baltimore put on a two

day conference on this issue emphasizing the human factors which make the maritime industry

more secure. However, the training appears to neglect on how to determine the decision-making

level of the maritime Security Officer. Is security a core value or is it a matter of compliance, well

down the corporate ladder?

I also believe that we have not come face to face with two real issues of maritime safety:

       Flags of convenience – Why is it acceptable to flag our vessels in countries which may

        also appear high on global terror lists

George Mason University No reproduction without permission                                         14
Irvin Varkonyi                          TLA Conference                                    6/3/04

       Foreign Seamen – Why is it acceptable to hire seamen from nations high on global terror


Why? The source of disruption, such as cargo theft and terrorism may often be an inside job.

How much is served to harden the outside when the spark to light the disruption is already on

the inside?

It has been a pleasure to be with you. I hope I have stimulated more discussion on defining

transportation security and looking at opportunities to better secure your companies, if you are

carriers and know more about the transportation industry, if you are a customer of these carriers.

    Thank you.

    Irvin Varkonyi, Adjunct Professor

    Transportation Policy, Operations and Logistics, George Mason University, Arlington, VA, 703 863-9686

George Mason University No reproduction without permission                                      15

To top