Authors: Jim Lindell, Brice Hilyer
Coupling compliance requirements with a detailed facility assessment provides a distinct advantage for port and terminal operators in all aspects of required insurance coverages.
The creation and implementation of an effective and comprehensive security protection plan requires forethought, planning, continual evaluation, excellent management and diligent leadership for two main reasons:
- Ports and commercial terminals pose unique and challenging security problems: 24/7 operations; commerce in dangerous and high-value cargo; multiple private companies occupying the same workspace; and a diverse workforce of international transportation workers, contractors, visitors and employees fulfilling many different roles.
- Ports, terminals, and intermodal connectors play an outsized part in our supply chain and economic wellbeing. With most imports and exports passing through ports, ports are a lynchpin of interdependent supply chains. Reducing uncertainty from human-made threats has never been more important.
A look at regulatory requirements for ports and terminals
Regulatory requirements for protection of port facilities, commercial vessels and Outer Continental Shelf (offshore oil and gas) facilities have increased significantly since the terrorist attacks of September 11, 2001.
The Maritime Transportation Security Act. In November 2002, the US Congress passed the Maritime Transportation Security Act (MTSA). This act addressed vulnerabilities in the maritime industry and directed the US Department of Transportation to develop security measures for domestic maritime facilities and the vessels that call there. This task was given to the Department of Homeland Security when the US Coast Guard was moved to the new department in 2003 and is outlined in the Code of Federal Regulations (CFR) Title 33, Chapter 1, Subchapter H, Parts 101 through 107.¹
The MTSA reinforces the national and global importance of security for the marine transportation system and provides a fairly consistent framework for ensuring the security of maritime commerce and US domestic ports. The goal of the MTSA is to prevent a transportation security incident (TSI), which is any incident that results in:
- Significant loss of life
- Environmental damage
- Transportation system disruption
- Economic disruption to a particular area
International Ship and Port Facility Security Code. While the US was working to develop a commercial maritime security program, the International Maritime Organization (IMO) was looking at the problem from a global perspective. The IMO enacted the International Ship and Port Facility Security (ISPS) Code in December 2002. It's closely aligned with the MTSA to combat acts of maritime terrorism and piracy.
Many parts of these two regulatory codes are identical and contribute to protecting against a wide range of threats, including piracy, stowaways, smuggling, hijacking, theft and willful damage. The key principles of both the MTSA and the ISPS Code are:
- Access control
- Control of restricted areas
- Secure handling of cargo
- Delivery of stores/supplies to a vessel
- Security monitoring
- Security policies and procedures
- Security training and exercises
There are differences between the US and international regulatory codes:
- The US Coast Guard stipulates that all regulated vessel and facility owners and/or operators must conduct in-depth performance-based security assessments of their operations to identify security weaknesses and vulnerabilities. The language used is "a risk-based methodology." The US Coast Guard defines risk-based decision-making as a systematic and analytical process that measures the likelihood of a security breach.
- The ISPS Code doesn't specify measures that each port facility and ship must take to ensure their safety from terrorism because of the many different types, sizes and business models of these vessels and facilities. Instead, it outlines "a standardized, consistent framework for evaluating risks, enabling governments to offset changes in threat with changes in vulnerability for ships and port facilities." For port facilities, the requirements include port facility security plans, port facility security officers and certain security equipment.
The facility security assessment
While the 33 CFR outlines a facility security assessment (FSA) checklist,² it doesn't define or offer how to conduct a performance-based security assessment. The importance of a well-planned and executed FSA can't be overstated. A comprehensive, in-depth assessment examines the factors of risk (threats, vulnerabilities and consequences) in detail and lays the foundation for the security plans. All security-related decisions regarding physical protection systems — policy and procedures, security officer roles and training and electronic security systems — are based on the performance and protection objectives established in the FSA.
The approach widely regarded as the most effective performance-based risk assessment is the one the Nuclear Regulatory Commission used to protect nuclear facilities. Developed over 50 years by researchers at Sandia National Laboratories at Los Alamos, New Mexico, the design and evaluation of physical protection systems (PPSs) is the methodology in use for every nuclear facility in the US. While designed to this high standard, it can apply to almost any physical security problem, be it schools, hospitals, factories, office buildings, executives, or ports and terminals.
For ports and terminals, this comparison is apt. The Coast Guard maintains security oversight of 2,777 facilities and 13,500 vessels, which must maintain and implement approved security plans. Many of these facilities and vessels handle and store Certain Dangerous Cargoes (CDC), and Especially Hazardous Cargoes (EHC), such as chlorine, anhydrous ammonia, liquified natural gas, liquified petroleum gas and ammonium nitrate. A transportation security incident targeting any of these facilities or vessels could have catastrophic consequences for a populated area, so it makes sense to use the most rigorous risk assessment when designing a new PPS or evaluating a current one.
So, how is it done? Researchers at Sandia National Laboratories describe a process that involves the following three sequential steps.
1. Determine protection objectives
The first step in the process is to determine the protection objectives of the PPS. To formulate these objectives, the assessor must consider three factors:
- The facility: The building, property and surrounding area; operating states; legal and safety constraints; and the corporate goals and objectives.
- The threat: Defining the potential threat is arguably the most important aspect of determining protection objectives because it dictates the performance required of the PPS. Information must be collected to answer three questions about the adversary: What class of adversary is to be considered? What is the range of the adversary's tactics? What are the adversary's capabilities? The outcome of this step will be a threat statement. While somewhat speculative, the assumed threat can be a reasonable assessment of the possible intentions, motivations and physical capabilities of likely adversaries.
- Targets attractive to an adversary: Target identification provides the basis for PPS design by focusing on what to protect. Targets may include people, critical assets or information, or critical areas and processes.
The outcome of these three examinations is the protection objectives. The protection objectives are specific statements describing who may target the facility, what their goals may be and how they could achieve those goals.
2. Design the PPS
The next step in the process, if designing a new PPS, is to determine how best to combine such elements as fences, barriers, sensors, procedures, communication devices and security personnel into a PPS that can achieve the protection objectives. The PPS has three primary functions:
- Detection is the discovery of an adversary action. Detection can be observation by security guards or employees, but more typically is achieved by surveillance cameras, motion sensors, door alarms, glass break sensors or even entry control processes. It's important to note that detection must be accompanied by assessment. That is, the alarm must be verified or discounted as a false alarm.
- Delay is the slowing down of adversary progress. Delay can be accomplished by people, barriers, locks or activated devices.
- Response is the actions the response force takes to prevent adversary success. That is, the response force interrupts the adversary before it reaches its target. This function includes communication to the response force of accurate information about adversary locations and actions.
3. Analyze PPS design
An assessment uses either a compliance-based or performance-based approach to analysis. A compliance-based approach depends on conformance to specific policies or regulations, which dictate the mere presence of PPS equipment, procedures and people. This approach is also called a feature-based system.
In comparison, a performance-based approach evaluates how each component of the PPS performs against the defined threat identified previously and whether it contributes to overall system effectiveness as designed. A performance-based analysis can be either quantitative or qualitative:
- A quantitative analysis relies on performance data for the system components.
- A qualitative analysis is based on the assessor's skill and experience and available information. A qualitative analysis is much more rigorous and often required for high-consequence assets, such as commercial nuclear facilities, commercial power plants and some government facilities.
Both quantitative and qualitative methods use the same six-step process in analysis. Each step should be examined considering the PPS functions — detection, delay and response.
- Create an adversary sequence diagram (ASD) for all asset locations.
- Conduct a path analysis.
- Perform a scenario analysis.
- Determine a response analysis.
- Determine system effectiveness.
- If system effectiveness is unacceptable, develop and analyze upgrades.
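To make the path-analysis, system-effectiveness and upgrade steps concrete, here is an added worked example (not code from the article or from Sandia) that scores one adversary path by probability of interruption. It assumes the timely-detection rule, where a detection only counts if the delay remaining after it is at least the response time, assumes detection happens on entry to each element, and uses constructed element names and performance values.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Element:
    name: str
    p_detect: float  # probability of detection AND correct alarm assessment
    delay_s: float   # seconds of delay this element imposes on the adversary

def timely_elements(path, response_s):
    """Return elements whose detection still leaves >= response_s of delay.

    Assumption: detection occurs on entry to an element, so that element's
    own delay counts toward the time the response force has available.
    """
    timely, remaining = [], sum(e.delay_s for e in path)
    for e in path:
        if remaining >= response_s:
            timely.append(e)
        remaining -= e.delay_s
    return timely

def p_interruption(path, response_s, p_comm=1.0):
    """Probability that at least one timely detection reaches the responders.

    p_comm is the (assumed) probability the alarm is communicated correctly.
    """
    missed = prod(1.0 - e.p_detect * p_comm
                  for e in timely_elements(path, response_s))
    return 1.0 - missed

# Constructed sample path from the perimeter to a cargo cage (illustrative values).
BASELINE = [
    Element("perimeter fence", 0.0, 10),
    Element("yard crossing", 0.2, 60),
    Element("warehouse door", 0.9, 90),
    Element("cargo cage", 0.9, 30),
]
# Candidate upgrade: add a sensor to the fence so detection happens earlier.
UPGRADED = [Element("perimeter fence + sensor", 0.8, 10)] + BASELINE[1:]
RESPONSE_S = 150  # constructed response-force time in seconds

if __name__ == "__main__":
    for label, path in (("baseline", BASELINE), ("upgraded", UPGRADED)):
        names = [e.name for e in timely_elements(path, RESPONSE_S)]
        print(f"{label}: P_I = {p_interruption(path, RESPONSE_S):.2f}, timely = {names}")
```

In the baseline, the two high-performing sensors at the warehouse door and cargo cage add nothing to the score because detection there leaves less delay than the response force needs; moving detection outward to the fence is what raises system effectiveness.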
The role of the insurance broker
Comprehending the facility assessment process and adhering to the international and federal requirements levied on ports and terminals are necessary for a complete go-to-market strategy as an insurance broker. The goal of following and documenting a comprehensive security process is to deliver optimal coverage values to all components involved with operating ports and terminals.
After an experienced and qualified assessor identifies security issues during a 33 CFR-based assessment, the next series of steps is crucial to the client's best interest. The first step in the series is to design a roadmap to solve the issues. Once the plan for the solutions is solidified, an efficient timeline for achieving and maintaining compliance is then implemented. Diligent monitoring of tasks completed against security issues, coupled with maintaining timeline goals, is the key to providing the best position for the client.
By combining the MTSA, the ISPS Code and the FSA with the PPS, the insurance broker can design a facility security and compliance model based on a complete analysis of these main factors. That process gives the broker the leverage to fully support the client with peak coverage at the greatest value.