Part Three – Physical Security, Instruments of International Traffic, and Seal Security
As part of our ongoing coverage of the CTPAT Minimum Security Criteria revision, the BSI intelligence team, partnered with BSI Senior Supply Chain Risk Consultant Mr. Tony Pelli, will be providing detailed reporting and analysis of the revision through a multi-part series in SCREEN. This blog post contains the third part in the series and covers the revisions to physical security, instruments of international traffic (also known as conveyance security), and seal security. For compilations of our previous analysis covering the new MSC categories and the reasons for the revisions, see "CTPAT MSC Revision - Part One" and “CTPAT MSC Revision – Part Two.”
With the release of the final criteria, CBP not only softened some of the original draft physical security requirements, but also invoked a major “first” for the organization. For the first time, and to provide more useful guidance, CBP divided the requirements into items that “must” be met to obtain certification and measures that “should” be implemented. However, a question remains as to how CBP supply chain security specialists will score “musts” and “shoulds.” Obviously, to obtain CTPAT certification, suppliers will need to meet all the “must” requirements, but it is not yet clear how many “should” requirements are considered “good enough.”
The draft physical security criteria had several strict requirements concerning cameras, some of which remained in the final version of the revision. As covered in our previous series, several physical technology measures, such as cameras, are now cheaper and more sophisticated, a core reason behind CBP’s inclusion of the additional requirements concerning cameras. What was once an unusual or unreasonable standard in camera capabilities and cost is now a relative norm.
However, there are several new “must” criteria concerning security cameras that could prove to be a challenge. One of these new “must” requirements for security cameras concerns periodic reviews of camera footage for verifying that cargo security procedures are followed in accordance with relevant laws and regulations. BSI Senior Supply Chain Risk Consultant Mr. Tony Pelli stated that this practice is very uncommon. The requirement is not merely about reviewing live camera feeds and having trained security personnel monitor the camera feeds, the requirement suggests that suppliers should, at various intervals, pull and review camera footage from instances when containers are loaded and stuffed in order to look for irregularities or problems with the cargo loading or security procedures. The requirement does not designate necessary intervals for conducting such reviews. However, as a “must,” it is a relatively strict requirement.
The requirement makes sense, however, from an improvement on security practices perspective. If camera footage is reviewed and proper security measures are not followed, a company can note the weaknesses and provide targeted training to rectify any security gaps.
As noted, however, the practice of reviewing old camera footage is currently not standard. By instituting a “must” requirement for reviewing camera footage, CTPAT is now able to further drive security practices globally. This is a phenomenon that BSI witnessed following the initial implementation of the CTPAT program. For example, in 2001-2002, when CTPAT was first formulated, a seven-point container inspection was uncommon at most facilities. A seven-point container inspection may have been conducted in high risk areas with imminent concerns, such as drug trafficking in Mexico, but was not a common occurrence. Most facilities exporting globally are now familiar with the idea of a seven-point container inspection due to the implementation of CTPAT. In that vein, it is feasible that the new concepts contained within the revised MSC, including the required review of camera footage, could become an industry standard in five or ten years.
Many of the requirements in the physical security category that moved into “should” are the more prescriptive requirements and many of those requirements are centered around cameras and procedures for physical security technology. One such example of a “should” as opposed to a “must” is if a company uses cameras then said cameras “should” be equipped with either an alarm or notification feature that signifies a failure to operate. While cameras with such features are available and in-use in many places, the primary method for knowing that a camera is not working is still typically determined when the feed does not appear on the monitoring system. An alarm or notification of failure feature is typically reserved for high-end camera systems and is a relatively uncommon feature that may be less widely used in some countries such as Vietnam or India. Other “should” requirements are moving toward more of a prescriptive Transported Asset Protection Association (TAPA) standard. For example, another “should” requirement is for facilities to have an alternate power source for cameras and any physical security technology.
CBP also softened the requirement to retain camera footage for a specified period. CBP likely softened this requirement due to restrictions in Europe concerning personal information, where if you record someone’s face you are deemed to be in possession of that person’s personal information. There are legal restrictions in Europe on retaining said personal information. CBP states in the requirement to retain camera footage for a sufficient period of time but does not specify an exact time span such as 30 to 45 days.
Another physical security requirement involves perimeter fencing, which is a “should” due to the setup of some warehouses, it is not always possible to have fencing around the entire outside of the facility. For example, in some other countries there are “condominium warehouses,” which involves warehouses directly next to each other to the extent that it would be challenging to fence in cargo handling areas.
Having said that, there are still new “musts” regarding physical security technology. CBP states that cameras “must” cover key import and export processes for the facility, which is a new “must” that wasn’t in the previous requirements. Previously, CBP did not state specific areas requiring camera coverage and did not require that physical security technology be physically secured from unauthorized access, requiring that controls for the cameras are in a secured area and not open in the facility. Further, controlling access to a facility and maintaining adequate lighting at a facility remain “musts.”
Many of the new and retooled requirements move facilities toward a more prescriptive physical security standard alongside processes, policies, and procedures for the operation and maintenance of such physical security technology. The decreasing cost of physical security technology is driving some of these changes. It is much easier and cheaper to install cameras now; however, that ease has led to another issue where cameras are frequently installed haphazardly and are poorly maintained.
An easy security recommendation several years ago was to simply install more cameras. A facility manager would then install twenty more cameras but would not have any way to know or assess whether those cameras were monitoring relevant areas and what to do when the cameras needed maintenance or repairs. The new physical security requirements acknowledge that security technology is cheaper and more available but provides guidance so that the technology works for the security of the facility.
The BSI intelligence team asked Mr. Pelli to answer two common questions about the physical security category and give us his thoughts:
“Talking about the high-end cameras that may not be available in certain places, is this revision imposing a new level of costs on smaller importers?”
“This is likely one of the few areas of the MSC where the new requirements would impose a cost above and beyond what a company is likely already spending. In the similarly new cybersecurity category, companies are almost certainly already spending in that area. In the areas of seal control and conveyance security, the changes are more process-driven and will not require much in the way of new or expensive resources. The physical security category is the one area where CBP may be imposing new costs. However, it is important to note that CBP uses language in the requirement that says “if cameras are deployed, then…” but does not state that cameras MUST be used. The section discussing camera placement begins “If cameras are used...” Most CTPAT members will drive for their suppliers to use cameras if not already doing so. However, we have done assessments on facilities with no cameras, because worker’s unions decided they wouldn’t allow cameras in those facilities and designed the facility in such a way that members of the security team could see key areas. It is possible to secure an area without cameras and there are other reasons, such as costs, why a facility may not incorporate cameras, which is likely why CBP made this requirement an “if” statement.”
“Can a company be CTPAT certified without using security cameras?”
“There is no language in the revised criteria that mandates the use of cameras. In the first draft of the revision, CBP was highly specific about cameras and likely received pushback from companies with many suppliers in countries such as France and Germany that may not be able to require cameras for several reasons. I would imagine, therefore, that a company could be CTPAT certified without the use of cameras. While some aspects, like physically securing the cargo handling areas and ensuring actual barriers are in place to protect those areas, would be a necessity for certification, a company could make an argument for securing a facility without cameras. Granted, it would likely be more expensive as the facility would need additional personnel and security guards in order to compensate for the absence of cameras. Typically, the first reaction when someone is given a guideline to enhance security is to install more cameras, but as these requirements demonstrate, it is equally important where the cameras are, how they are used, and how they are maintained. The last CTPAT criteria came out in 2005-2006 and so the physical security technologies evolved, and these requirements must speak to challenges associated with those new evolutions.”
Instruments of International Traffic (IIT)
The category traditionally called “conveyance security” is now known as Instruments of International Traffic (IIT). The reasoning for this name change is CTPAT recognizing the variety of transportation modalities and the need for security across the entire modality spectrum. Previously, CTPAT was principally focused on containers traveling via sea, as the initial companies that joined CTPAT were large retailers that imported goods nearly exclusively via sea containers. From the lens of a large retailer, most of their merchandise is neither high-value nor time-sensitive to warrant faster transport. A sea container, despite taking 20+ days to be transported from Asia, is a suitable means of shipping. Due in part to this reason, the volume of sea containers imported into the United States is drastically higher than any other transportation modality, and globally, around 90 percent of all transportation is done by sea containers. Therefore, it made complete sense that CTPAT would be primarily focused on security as it pertains to sea containers. However, as we have seen in this revision, that focus can create issues for conveyance security in general. Industries with higher value goods, such as pharmaceuticals and electronics, typically fly their cargo via air or conduct “less than truckload” shipments from Mexico or Canada into the United States, using different types of transportation instead of fully stuffed sea containers. The acknowledgment of industry use of transportation modes beyond sea container shipping likely explains the name change of the former Conveyance Security category to Instruments of International Traffic.
While the terminology itself may be unfamiliar to most importers, with this category and its name change, CTPAT is merely saying that regardless of how a company imports into the United States, some type of inspection should be conducted on the conveyance before it departs the point of origin. Whether the shipment boards an airplane, a train, or a ship, there should be some sort of inspection of the conveyance. The inspection typically looks like a seven-point-container inspection, the classic CTPAT inspection where the company checks the bottom of the container, the sides of the container, the roof of the container, the exterior roof and sides of the container, the door of the container, and the locking mechanism. In the revised criteria, CTPAT expands this to include, for example, requiring an inspection of a unit-load device, which is typically used in air cargo transportation. If a company is shipping via truck, CTPAT expects an inspection examining different parts of the trailer itself such as the undercarriage, wheels, and locking mechanism. Much of this expansion is due to what CTPAT notices in Mexico, which is the major origin country for goods coming into the United States by ground.
Tying into the discussion of inspections, CTPAT added the agricultural security requirement that BSI previously discussed and that mainly emphasizes the need for a clean container. Customs and Border Protection officials have shown photos of some filthy containers with insect nests, debris, and even animal blood during their presentations. The thinking from CTPAT with the agricultural security requirement is that much of that can be prevented with an expanded seven-point-container inspection, essentially requiring an eight-plus-point-container inspection to ensure a container is clean and dry. If mats are present in the floor of the container or wood is lining the bottom of the trailer, a simple inspection of lifting and inspecting the mats (or wood) would ensure the flooring to be free from contamination and that there are no insect nests or hives in the corner of the trailer, fulfilling the agricultural requirement.
Unrelated to the agriculture requirement, there are other changes to the conveyance requirements. One such addition is the “should” requirement to conduct random searches of conveyances by adding a small toy or another item to the container to see if staff can identify that it does not belong. CTPAT also discusses the concept of incident reporting. Previously, a concern existed that a dock worker may report something suspicious regarding a conveyance to his/her boss, but that information may not make it to security personnel at the facility. CTPAT wants incident reporting structured to ensure information travels to personnel empowered to make changes and encourages incident reporting in the form of an escalation tree from worker to manager to security personnel to possibly law enforcement or CBP if something is wrong with a particular conveyance.
Like with broadening the understanding of conveyance and including multiple modalities by changing the nomenclature from conveyance security to instruments of international traffic, revisions to seal security are also reflective of a broadened understanding of the importance of seals. Originally, security requirements for seals were based on the previously discussed full container model that assumes, for example, a container is fully stuffed in China, travels via sea, and is opened 20+ days later in Los Angeles with a seal that remains undisturbed for the entire journey. However, there are many other ways shipments could arrive into the United States. Companies may be sending partial shipments into the United States or out of another country and the conveyance may be opened multiple times, therefore, proper measures must be taken to still guarantee the integrity of a container.
In general, if there is a direct non-stop shipment to the United States, that portion of the shipment should be sealed. Other portions with direct non-stop travel should also be sealed. However, there are many elements involved in affixing a seal and managing a seal. In the trade environment of today, nefarious actors try to counterfeit seals, tamper with seals, and outright steal seals. Criminals can then use these seals to make illegitimate shipments look legitimate or ensure that tampered shipments appear unmolested. There are multiple ingenious methods to manipulate seals and there are equally important methods to check and ensure seals are legitimate and intact.
Customs and Border Protection wants companies to store seals in a secure and safe location, such as a locked cabinet in a secured office, which is likely one of the better places to store seals. BSI has visited facilities with seals laying out on a table in the open, and that is what CBP hopes to avoid with this category. A company should ensure that only authorized personnel can issue seals and that they keep thorough records of which seals are issued to whom and when this occurred. Instead of issuing seals ad hoc, personnel should note that “Yes, I gave Seal #123 to this person on this date for this specific shipment.” Shipping personnel should also verify that the seal is intact. If a driver stops halfway to a destination because he/she needs rest, the driver should then ensure that the seal is appropriately affixed to the container or trailer and notate that check of the seal when they return to the vehicle. Companies should also employ notification procedures in the event that customs wants to open a shipment at a border crossing or a seal is broken during an inspection by highway patrol. Many times, companies will issue multiple seals to a driver and tell them that if the seal is broken, use a replacement seal and the company will then note which seals a driver has been given and know which possible seals are valid for that shipment. The driver would also be expected to record and notify his or her superiors that customs or highway patrol broke the seal (and not a nefarious actor) and the seal was replaced with a replacement. This notification process should be documented and communicated to all contracted transportation providers.
Finally, when receiving a sealed container, CBP wants to see a VVTT (View, Verify, Tug, Twist & Turn) check conducted, which is to view the seal, ensure the locking mechanism and seal look intact and undamaged, verify the seal number against shipping documents, tug on the seal to ensure the seal is affixed and intact, and twist and turn the seal to ensure it does not fall off. In the past, BSI has recorded cases where criminals have broken seals and then taped or glued seals back together. The VVTT check ensures confidence in the integrity of the seal.
Overall, requirements in seal security relate closely with conveyance security. Conveyance security requires ensuring that companies have a secure box, whether that box is a trailer, unit-load device, or a container. The seal is how companies verify that the shipment has not been tampered with in-transit.
The BSI intelligence team asked Mr. Pelli about whether the changes to seal security will be onerous to implement considering the physical security revisions and give us his thoughts:
“These will be easier than even the physical security changes because, at this point, most people are familiar with these types of inspections. The agriculture piece might be the only category that will require companies to make changes. However, most large shipping/transit companies have pharmaceutical or food and beverage clients that already require these inspections, making extending the service to other customers an easy ask.”