CASSANDRA compendium. Private sector perspectives on risk management (Ch. 5) and crime prevention and security management in supply chains (Ch. 6)

Summary: Chapters 5 & 6 of the CASSANDRA compendium provide a general overview on supply chain security risk management from the private sector perspective. Explaining the essentials of supply chain risk management, Chapter 5 introduces commonly used risk management models and tools (e.g., risk matrices and risk registers), discusses various classifications of supply chain risks, and elaborates current trends of risks and risk management in the supply chain context. Chapter 6 focuses on specific challenges of supply chain security risks – the risks that arise from intentional, man-made criminal activities such as terrorism, theft, trafficking, and sabotage. The chapter explains a few early classifications of supply chain security risks (e.g., motive-based typology and taxonomies based on private sector perspectives). Following the classifications of security risks, the chapter puts forth a few models for managing security risks in the supply chain context (e.g., the 8-layer model for supply chain security management). The chapter concludes with a detailed case study on security management of an international security company and a comparison of supply chain security management and the total quality management (TQM) management philosophy. The CASSANDRA compendium is available for download: www.cassandra-project.eu. Review by Toni Männistö (CBRA)

[s2If is_user_logged_in()]

Full review: Previous observatory entries have already shown the relevance of the CASSANDRA compendium to the community of supply chain management professionals. The compendium’s chapters 5 & 6 give a brief summary of risk management and security risk management in the context of international supply chains. The contents of the chapters are relevant and useful for people involved in FP7 CORE project, especially for those involved in work packages 3 (Multi-method Threat and Vulnerability Analysis Suite) and 4 (SC Situational Awareness Tools & Maps).

Chapter 5 elaborates a set of common supply chain risk management tools. The model of Waters (2007) summarises rather obvious three steps of the risk management process: identifying risks, analysing risks and responding to risks. The model proposes, for example, that managers can identify supply chain risks through analysis of past events, collection of opinions, and through operational analysis. The model also calls for managerial attention to prerequisites of successful risk management – mutual trust, cooperation and information exchange among relevant stakeholders involved in supply chain management – and highlights importance of continuous monitoring and controlling the risk management process. The chapter concludes with the four classic approaches to risk management: risk avoidance, risk reduction, risk transfer (e.g., insurance and contractual agreements), and acceptance. The classifications of supply chain risks include typologies focusing on risk sources (natural hazards operational failure and terrorism), risk consequences (e.g., risk to operations, risk to reputation and risk to profits), and objects of vulnerability (e.g., information, materials, personnel and financial flows).

The chapter on crime prevention and security management (Ch. 6) in supply chains provides a concise summary on supply chain security management from the private sector perspective. The chapter starts by describing some early classifications of supply chain security risks. A motive-based taxonomy classifies such risks into the three categories: economic crime (profit as motive), other crime types (ideological, emotional and other reasons as motive) and facilitating crime that covers activities that do not bring direct crime benefits but help committing other rewarding crime crimes later on. (e.g., document fraud, bribery and use of intimidation). The chapter’s next section elaborates ways to mitigate security risks in the global supply chains, highlighting the key ideas of the so-called 8-layer model for supply chain security management (the model incorporates multiple aspects of risk assessment, hands-on design and planning, implementation of a variety of technologies, procedures, and incentives as well as preparation for dealing with the consequences of supply chain crime). The chapter provides also a case study with an international tobacco company that runs high security risk supply chain operations. The section also contrasts, rather interestingly, principles of security management against the fundaments of the total quality management (TQM) management philosophy. The chapter continues with a brief review of regulations (e.g., EU customs security and aviation security regulations) and standards on supply chain security management (World Customs Organization’s SAFE framework of standards, and industry standards of the Transported Asset Protection Association).

Reference

Hintsa, J. and Uronen, K. (Eds.) (2012), “Common assessment and analysis of risk in global supply chains “, Compendium of FP7-project CASSANDRA, Chapters 5 & 6

CORE2007

[/s2If]

Hold on, before blaming it on the OGAs!

It is common since many years already that the global customs community is pointing their “blaming finger” to other government agencies – OGAs – when it comes to identifying root causes behind too long cargo release times at sea ports and other border crossing points, high costs for importers and exporters to conduct international trade, and so forth. Now, without denying this as a plausible scenario, the CBRA research team proposes to take one step backwards, by first building a solid framework for analyzing and deeply understanding what is actually happening at the borders with Customs and all the other agencies, before rushing to conclusions on “who is to be blamed for poor / expensive cross-border performance…”. Therefore – for both educational purposes (FP7-CORE, work package 19.1) and for analytical purposes (Border Agency Cooperation study with the Organization of Islamic Cooperation, OIC), we have produced the following “universal border control task list” – naturally understanding that a perfect single universal list cannot exist. The list is first exploited during April-May 2016 in the OIC Embassy survey (here in Switzerland), to explore who is responsible for specific cross-border controls in various OIC member countries, and to what extent customs is performing tasks on behalf of other (border) agencies. Later, we plan to use the this as a “de-facto border agency control check-list” in our future studies, across the globe.

Again, the first step before analyzing which agencies to blame, is all about understanding what are the typical cross-border control tasks all about, considering all three task categories:

  • Border control tasks which typically cover all commodities;
  • Border control tasks which typically focus on specific commodities; and
  • Other border agency control areas.

 

Now, lets go through all three of them, starting with the first one, and followed by the other two:

Border control tasks which typically cover all commodities:

  • Calculation and collection of indirect border taxes:
    • customs duties
    • sales / value added taxes
    • excise taxes
  • Calculation and collection of other import/ transit/ export fees and taxes (e.g. environmental fee at export)
  • Compilation of trade statistics

Border control tasks which typically focus on specific commodities:

  • Control of import quota restricted products
  • Calculation and granting of export subsidies
  • Control of product safety / conformity of goods / trading standards (please separate agencies per product category, if necessary)
  • Control of food, drinks, cigarettes, pharmaceuticals (including for general health and safety purposes)
  • Control of energy related materials / products (e.g. oil and coal, could be for export taxation purposes etc.)
  • Enforcement of intellectual property rights / fight against copyright infringements / anti-counterfeit
  • Control of plant diseases, pests and extraneous species (i.e., phytosanitary controls)
  • Animal quarantine and controls (i.e. veterinary controls, including pet controls)
  • Control of any biohazards (including deliberate ones)
  • Control of CITES protected species (i.e. endangered fauna and flora)
  • Control of natural resources under license requirements, harvesting quotas etc. (including specific fish, wood, minerals, diamonds etc.)
  • Control of cultural artifacts (stolen / looted, and/or illicitly traded)
  • Control of any stolen goods (including vehicles, machinery, cargo etc.)
  • Fight against drugs / illicit narcotics trafficking (including pre-cursors)
  • Control of waste flows (including those in the Basel Convention on transboundary movements)
  • Control of dual use / strategic goods
  • Control of dangerous goods / hazardous materials
  • Control of explosives and weapons:
    • explosives (including pre-cursors)
    • small arms and light weapons
    • defense / war materials
  • Control of nuclear and radioactive materials

Other border agency control areas:

  • Conveyance / cargo transport security and safety controls:
    • for maritime, including sea ports
    • for aviation, including airports
    • other modes: road, rail, inland waterways etc.
  • Traveler, crew and immigration controls:
    • visa and passport controls
    • trafficking of human beings and people smuggling
    • asylum seekers
    • passenger cars and vehicles in terms of temporary admission
  • Control of weight of cargo (including for road safety purposes)
  • Cash controls (cash smuggling and counterfeit currency)
  • Cyber security (customs and supply chain IT systems, critical infrastructure IT etc.)

 blog-270416-2

 

Dear CBRA Blog and CBRA Monthly readers: we kindly invite your inputs to make the list more comprehensive / better in the future, so please send us an email with your ideas, to cbra@cross-border.org . And thanks already now to the multiple experts from national Customs administrations and international organizations for your valuable help so far– it has been great working with you on all these studies, keeping them as pragmatic as possible… (detailed acknowledgements will be published later). And it goes without saying that soon we will start looking on the next-step aspects on customs versus other government agencies, in the context cross-border supply chain costs and delays – please stay tuned for more!

Governmental actors in supply chains & Governmental procedures, compliance and risk management – CASSANDRA Compendium Chapters 4 & 7, 2012 (CORE2007c)

Summary: The fourth and seventh chapters of the CASSANDRA compendium elaborate on the roles of government agencies in international logistics and supply chain security (SCS). A broad range of government actors – customs, police agencies, border guards and many others – play a crucial role in enforcing and facilitating cross-border traffic through the global supply chains. These government agencies are critical stakeholders to be involved in the development, design and implementation of the two central CASSANRA concepts: the end-to-end data pipeline and the risk-based approach to cargo inspections and company audits. The CASSANDRA compendium highlights that there are important differences in the national laws and regulations, even within the European Union, that complicate international government collaboration. The differences in the legal framework and organisational cultures must be taken into account when designing new SCS solutions in the CASSANDRA and other projects. The CASSANDRA compendium is available for download: www.cassandra-project.eu. Review by Toni Männistö (CBRA)

[s2If is_user_logged_in()]

Full review: The CASSANDRA compendium describes how the role of government agencies in the cross-border supply chain operations is changing. The trading community and high-level policy-makers are strongly advocating trade facilitation, to make international commerce faster, more cost-efficient and less cumbersome. To address the demand for trade facilitation, many border control agencies are adopting risk-based approaches for controlling cross-border trade and travel. They exploit information increasingly to identify and target high-risk cross-border movements while facilitating low-risk traffic. To further lowering administrative hurdles to the cross-border trade, many government agencies are eliminating duplicative and redundant reporting requirements and building modern ICT systems to enable fast and reliable digital exchange of data and information.

Many law enforcement agencies are also facing budget cuts and increasing work loads, which forces them to look for new ways to increase productivity. Increased collaboration among border control agencies has been proposed as a solution for boosting productivity. The efforts towards further coordinated border management (CBM) are clearly manifested as joint-border control posts, regional single window systems (an online interface enabling trading companies, customs and other border control agencies to exchange trade-related information) and mutual recognition agreements (MRA) that harmonize customs and security related regulatory requirements across jurisdictions.

Reference: Hintsa, J. and Uronen, K. (Eds.) (2012), “Common assessment and analysis of risk in global supply chains “, Compendium of FP7-project CASSANDRA, Chapters 4 & 7

 

CORE2007

[/s2If]

Supply Chain Security: Survey on Law Enforcement Agencies’ Training Needs, 2015 (CORE1112)

Summary: In a recent study, a joint CBRA-INTERPOL research team investigates what kind of training material would help law enforcement agencies to fight crime in the context of global supply chains. The team conducted a pilot survey at the LE TrainNet Meeting (Networking Meeting of the Law Enforcement training institutions) which took place in Baku, Azerbaijan, 28- 29 April 2015. Findings of the pilot survey will be used to launch a large EU-wide survey on law enforcement agencies’ training needs regarding supply chain security. The survey findings also guide production of new training and educational material that the FP7 CORE is currently producing. The reviewed document is available for download here: https://hicl.org. Review by Toni Männistö (CBRA)

[s2If is_user_logged_in()]

Full review: The article concludes that law enforcement agencies generally recognise supply chain security training as a worthwhile investment for their organisations. In partuclar, the law enforcement agencies call for new supply chain related training material especially regarding narcotics and drug precursor trafficking, corruption financial crimes and tax evasion, trafficking in human beings, trafficking in counterfeit goods, terrorism and cybercrime. They advocate increasing use of modern training techniques and tools, such as e-learning, case-based teaching, and role-playing exercises.

Other findings show that law enforcement agencies consider it very useful to develop new training and educational material that would help them to enable and encourage multi-agency collaboration, for example data sharing between police agencies and customs.  The survey respondents also expressed their interest in new training material that would focus on human factors of transnational crime (e.g., motives and underlying social dynamics) and intelligence-led policing.

It is important to notice that only 16 people responded to the Baku pilot survey. The response rate was 23.2%, given there were 69 delegates registered for the LEA TrainNet meeting. The relatively low number of respondents and the relatively low response rate indicate that there is a definite need for a larger EU-wide follow-up survey.

Reference: Hintsa, J., Ahokas, J., Gallagher, R., and Männistö, T., (2015), ”Supply Chain Security: Survey on Law Enforcement Agencies’ Training Needs”, Proceedings of the Hamburg International Conference of Logistics (HICL), September 24-25, 2015, Hamburg.

 

CORE1112

[/s2If]

Cooperation experiences of the Canada Border Services Agency, July 2012 (CORE2011)

Summary: The Canada Border Services Agency (CBSA) has a dual mandate (1) to facilitate cross-border movements of cargo and people and (2) to protect security and safety of the Canadian people. The agency seeks to provide integrated border services, by closely cooperating with other Canadian border control agencies as well as with foreign customs administrations. The reviewed document is available for download here: Customs Cooperation Case Study for Canada.

[s2If is_user_logged_in()]

Full review: Forms of cooperation depend on needs of the partner agencies, but the cooperation typically includes:

  1. Participation in and cooperation with international organizations: CBSA participates and cooperates in various committees and working groups, especially as part of the WCO, WTO and Asia-Pacific Economic Cooperation.
  1. Technical Assistance and Capacity Building (TACB): The CBSA is an active contributor to least-developed countries and global capacity building such as the Columbus Programme from the WCO. CBSA´s TACB focuses on two areas: (i) senior decision makers seeking to modernize their border administration and (ii) technical level design for operational and field personnel.
  1. CBSA Liaison Officers: Canada has over 60 liaison officers in more than 40 countries around the world, who are in charge of cooperation-related tasks including training transport personnel and combating fraud.
  1. CBSA Science and Engineering Directorate (Lab): Multilaterally, the Lab helps to disseminate information and intelligence on new trends in critical areas including narcotics. Bilaterally, CBSA Lab expertise and best practices have contributed to contraband detection, while supporting multiple countries in exploiting new instruments and technologies.
  1. Customs Cooperation with the United States: After the September 11, 2001 event, Canada and US increased security and compliance measures that obviously slowed down cross-border trade and travel. To reduce such negative impacts, both countries signed the Smart Border Declaration in 2001, and engaged in the Security and Prosperity Partnership in 2005. The CBSA and the US Customs and Border Protection (CBP) developed the Framework for Co-operative Border Management, that aimed to enhance facilitation while maintaining security, and managing risk by dealing with threats as close to the point of origin as possible. Other US-Canadian cooperation forms have been developed with the objective of expanding and enhancing the benefits of trusted trader and traveller programs; coordinating investments in infrastructure and technology; simplifying business reporting requirements; enhancing screening of cargo and travellers at the perimeter to improve facilitation within the both countries; improving information sharing between both governments; and eliminating double inspections for air cargo and passenger baggage.

CORE2011

[/s2If]

Interview with Dr. Vittoria Luda di Cortemiglia

CBRA Interview with Dr. Vittoria Luda di Cortemiglia, Program Coordinator with the Emerging Crimes Unit at the United Nations Interregional Crime and Justice Research Institute, UNICRI, Torino, Italy.

Hi Vittoria, and thanks for joining a CBRA Interview – can you first tell a bit who are you and what you do?

I am the Programme Coordinator of the UNICRI Emerging Crimes Unit. Since joined the U.N. in 2001, I have been in charge of the coordination of a number of applied-research programmes in the field of illicit trafficking and emerging crimes, including environmental crimes, cybercrimes, counterfeiting, and organized crime in general.  I am UNICRI Focal Point for Strategic Approach to International Chemicals Management, SAICM, as well as UNICRI Focal Point within the UN Inter-Agency Coordination Group on Human Trafficking, ICAT.

Can you explain us bit more about UNICRI, including the governance model and the research areas?

UNICRI is a United Nations entity created by the Economic and Social Council of the United Nations, ECOSOC, in 1967 to assist Intergovernmental, Governmental and Non-Governmental Organizations in formulating and implementing improved policies in the field of criminal justice. The Institute is part of the United Nations Crime Prevention and Criminal Justice Program, which report annually through the UN Commission on Crime Prevention and Criminal Justice, CCPCJ, to the ECOSOC.

UNICRI is involved in research projects and capacity building activities in a broad number of areas, ranging from environmental crimes; human trafficking; trafficking in goods and products – including precious metals, pesticides, counterfeiting as well as chemicals, biological, radiological and nuclear risks; terrorism and foreign fighters; hate crimes and hate speech; cyber-security; urban security; violence against women; and, maritime piracy.

UNICRI, CBRA and other partners have just finished a 2-year FP7-project called CWIT, focusing on identifying and quantifying criminal and non-compliance problems and proposing solutions against illicit trade and logistics in electronic waste materials. What was the biggest thing you learned during the project, and which of our recommendations you find as most important when moving to the future?

The CWIT project has been a great experience from a personal as well as professional point of view, as gave me the possibility to work side by side with a number of wonderful professionals from the WEEE industry, enforcement agencies, international organisations, lawyers, academia and consultants specialised in supply chain security.

The objectives of the project were quite ambitious, as CWIT aimed at identifying the policy, regulatory, procedural and technical gaps as observed in today’s business environment, and at suggesting tangible improvements. The CWIT team produced set of recommendations to support the European Commission, law enforcement authorities and industry practitioners in countering the illegal trade of WEEE in and from Europe.

With regards to the recommendations which I consider particularly important are the ones related to the necessity of establishing robust and uniform legal framework and relevant implementation. As mentioned in the final CWIT report, without a clear and comprehensive legislative base, enforcers and prosecutors are powerless to address illegal WEEE flows. At the very minimum, a clear and global definition of what constitutes WEEE is the basis for improving detection, inspection, and enforcement and sentencing rates related to illegal WEEE trade.

In parallel, harmonisation and enhancement of penalty system is needed to increase the effectiveness of the existing legal framework.  In fact, penalties for the illegal trade in e-waste vary greatly in terms of monetary fines and prison durations. Today, the participation in WEEE illegal activities does not appear risky to offenders due to the low probability of being prosecuted and sentenced. Even when successfully prosecuted, penalties foreseen in legislation and penalties applied in court decisions are typically very low. For these reasons, it is important to also enhance prosecuting and sentencing, so that WEEE trade and environmental crimes in general are not considered a low- priority/low sentenced area.

UNICRI kindly invited CBRA to Torino last October to join a 2-day workshop on “Illicit Pesticides, Organized Crime and Supply Chain Integrity”. Can you elaborate on this emerging supply chain crime area, including about the estimated size and the negative socio-economic consequences of the problem?

Illicit pesticides cover a wide variety of products, including obsolete pesticides, unauthorized imports, counterfeit or fake pesticides; re- or up-labelled pesticides and refilled containers. Estimates of the illicit pesticides penetration of the legal market range from 10 to 25% – both in the EU and at international level-, representing several billion annually (USD 6-10 billion at global level and USD 1.1 billion at European level).

Besides the evident risks for human safety and health and environmental risks, illicit pesticides also pose serious threats to the economies and security. The agricultural market is extremely important for a large number of countries and companies and might be jeopardize by the introduction of illicit pesticides which can deeply affect the local and national economies. The economic losses have multiple sources and victims and long-term consequences, in particular possible loss of harvest/crop, soil and water contamination affecting the cultivable lands, decrease in innovation, reputation challenges with a decrease of exports, etc. The penetration of the pesticides market by criminal actors, including organised crime groups attracted by high profits and low risk of detection, prosecution and sentencing is another worrying trend.

Do you foresee opportunities for future research projects in the field of illicit pesticides?

Many national and international actors are becoming more and more aware of the threats posed by illicit pesticides to the legal supply chain. The attention and awareness of the problem is increasing at international level. In particular, the World Customs Organisation and the Organisation for Economic Co-operation and Development are becoming increasingly active in the field and it would be interesting to establish joint actions so as to raise awareness, capacities and response to secure the legal supply chain of such products. Indeed, through this research, we realised that the issue of illicit pesticide is neither well acknowledged nor well-documented. Our study is one of the first detailing the mechanisms and trends in the trafficking of illicit pesticides, the involvement of criminal actors, networks and organised crime groups and related criminal activities, as well as identifying the risks for the supply chain and pesticide markets.

UNICRI is very interested in continue working with partners, including CBRA, on this issue. The report details a number of initiatives which UNICRI stands ready to launch supporting countries in addressing the challenges of illicit pesticides, in particular research, raising stakeholders’ awareness, training and technical assistance programmes, supporting in capacity building activities and reinforcing national and international cooperation.

Thanks Vittoria for this interview – and we are of course more than willing to join a project-team on this highly important illicit pesticides trade and supply chains -topic

FP7-CORE Education – Two new diagrams

Today’s CBRA Blog presents two new diagrams which have been recently designed and developed in the context of FP7-CORE Education and training work (Work package 19.1). The information visualized in the diagram is based on CBRA’s supply chain security research work since year 2001, particularly from the past 5-6 years.

Some background information on the first diagram of crime types in global supply chains has been presented before for example in CBRA’s Blog of 13 October 2014 – Crime taxonomies from Athens. In the center of this diagram we list the crime types – including document fraud and cybercrime – which in the supply chain criminal context are performed in order to succeed with the actual economic or ideological crime, e.g. cargo theft or terrorism.

The left area of the circle lists four examples of crime types, which typically are of primary concern for supply chain companies: cargo theft, sabotage, parallel trade and product specification fraud. With such crime types it is commonly up to the companies to prevent, to detect and to react – of course, law enforcement agencies can be called for any time there is reasonable suspicion of such activities (and naturally in certain cases the government agencies may even be the first ones to detect and react, e.g. in case of armed robberies and truck hijackings).

The right area of the circle deals with supply chain incidents where the authorities typically focus on prevention, detection and reaction: fraud in indirect border taxes; trafficking / violations in cross-border restrictions and prohibitions; human trafficking; and exploitation of illicit labor. From supply chain perspective one can characterize them as “a priori non-disruptive illegal activities – only if / after authorities detect the violations, the supply chain is disrupted and the involved supply chain companies can get in trouble”.

Lastly, on the bottom area of the circle, we list four supply chain crime areas where the prevention typically is in strong interest of both supply chain companies and governmental agencies – and, the detection and (instant) reaction varies on case-by-case basis: counterfeiting, sales channel violations, sea piracy and terrorism. Counterfeiting hits revenues on both sides of the equation, and, with many products can also be health damaging or even lethal. Not having proper sales licenses, and/or selling to unauthorized buyers – for example cigarettes and alcohol, dual use and strategic goods etc. – can again harm both the involved companies and the society as a whole. And of course, sea pirates hijacking cargo ships; bombs exploding and bringing planes down; and terrorists attacking critical supply chain infrastructures, all are in the best interest of both companies and government agencies to prevent, to detect, and to react – in the fastest and most effective possible manner.

blog10.03.161

The second new educational diagram below depicts the negative socio-economic impact areas – six in total – caused by twelve typical smuggling and trafficking activities. The data behind it has been presented before e.g. in CBRA’s Blog of 14 January 2015 – Socio-economic damages. Inside the square we present the six societal impact areas – the larger the area, the more links there are between the trafficking activities and the negative impacts. As an example of a “big area”, seven different types of trafficking typically lead into increasing market place distortions and/or unfair competition. In the other extreme, only trafficking in stolen cultural products leads to losses in cultural heritage.

blog10.03.162

That’s all for the CBRA Blog today – please let us know if you see this type of visualization as beneficial when teaching and learning about the big picture of supply chain security!  Thanks, Juha Hintsa ( email: cbra@cross-border.org )

CEN Supply Chain Security — Good Practice Guide for Small and Medium Sized Operators, 2012 (CORE1030)

Summary: This is a guidance document for small and medium sized enterprises, SMEs. on how to apply a supply chain security approach to their operations in order to mitigate the risk of criminal activities. It gives an overview of the main crime types occurring in the supply chain along with some countermeasures, as well as the supply chain security initiatives, and the compliance requirements thereof. The document is available for purchase e.g. at:   http://shop.bsigroup.com/ProductDetail/?pid=000000000030258778  (link tested on 3 March 2016)

[s2If is_user_logged_in()]

Full review: The recommended supply chain strategy rests on a six-step approach. The first step is to define a context for the supply chain, crime prevention and security management activities taking into consideration the security sensitiveness, the geography and transport modes, and the main stakeholders involved in the supply chain operation. The second step is to make a threat and vulnerability analysis with regard to terrorist and other criminal threats in the supply chain. The main criteria included are the gaps existing in enhanced security, the high-risk crime types, and the potential consequences of crime occurrences. The third step covers the regulatory framework, the major aspects being the regulations and programs required for successful business operations, expectations of customers and suppliers, requirements laid down by insurance providers, and relevant government authorities. The fourth step refers to an overall security plan, taking into account the physical security, data security, human resources security (including selection, training, and exit procedures), business partner security (including selection, and auditing), and process control and monitoring of deviations. The fifth step involves implementing into practice concrete security measures, investment in technologies, procurement of services, in-house solutions and so forth. The final step is to monitor and measure the security performance and take appropriate corrective actions.

Five supply chain crime types have been elucidated in this guide. These include:  Property theft (cargo theft, intellectual property breaches); targeted damage (terrorism, sabotage); cross-border duty and tax fraud; illegitimate transporting, exporting and/or importing (smuggling of prohibited and restricted goods, people smuggling); and crime facilitation (document forgery, bogus companies, cybercrime). For each crime type, the main focus should be on the issue (main features and typical sectors/products involved), scope of the problem and actions to mitigate risks.

This guidebook has chosen eight security initiatives for illustration purposes. It explains the context of each initiative, whom it is meant for, and some basic requirements and the implications. These are as follows:

  • Import Control System (ICS) in the EU (a systems tool meant for the lodging and processing of Entry Summary Declarations, and for the exchange of messages across national customs agencies, economic operators and the European Commission).
  • Export Control System (ECS) in the EU (introduces EU procedures to computerize and control indirect exports and to implement the EU safety and security regulations);
  • Maritime Security Legislation, International Ship and Port Facility Security (ISPS) Code in the EU (International regulations to ensure the security of maritime transportation are being issued by the International Maritime Organization, IMO, in the International Ship and Port Facility Security Code);
  • Aviation Security Legislation, Air Cargo Supply Chains in the EU (three categories of aviation security legislation exist in the EU- Framework regulation, supplementing regulations, and implementing regulations-all targeted towards civil aviation security).
  • European Union Authorized Economic Operator, EU AEO (operators involved in international trade of goods certified as complying with WCO or equivalent supply chain security standards);
  • Regulated agent, Known consignor and Account consignor in the EU (Specific “trusted trader” status existing in the European air cargo supply chains);
  • ISO 28000 Series of Standards on Supply Chain Security Management Systems (address potential security issues at all stages of the supply process, e.g. terrorism, fraud and piracy);
  • Transported Asset Protection Association (TAPA) in Europe (fighting cargo crime using real-time intelligence and the latest preventative measures).

CORE1030

[/s2If]

Review on “MARITIME CRITICAL INFRASTRUCTURE PROTECTION – DHS Needs to Better Address Port Cybersecurity”, Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate, United States Government Accountability Office, June 2014 (CORE1098)

CORE1098-Summary: Actions taken by the Department of Homeland Security (DHS) and two of its component agencies, the U.S. Coast Guard and Federal Emergency Management Agency (FEMA), as well as other federal agencies, to address cybersecurity in the maritime port environment have been limited. Report is available at: http://www.gao.gov/assets/670/663828.pdf

[s2If is_user_logged_in()]

Full review: While the Coast Guard initiated a number of activities and coordinating strategies to improve physical security in specific ports, it has not conducted a risk assessment that fully addresses cyber-related threats, vulnerabilities, and consequences. Coast Guard officials stated that they intend to conduct such an assessment in the future, but did not provide details to show how it would address cybersecurity. Until the Coast Guard completes a thorough assessment of cyber risks in the maritime environment, the ability of stakeholders to appropriately plan and allocate resources to protect ports and other maritime facilities will be limited.

Maritime security plans required by law and regulation generally did not identify or address potential cyber-related threats or vulnerabilities. This was because the guidance issued by Coast Guard for developing these plans did not require cyber elements to be addressed. Officials stated that guidance for the next set of updated plans, due for update in 2014, will include cybersecurity requirements. However, in the absence of a comprehensive risk assessment, the revised guidance may not adequately address cyber-related risks to the maritime environment.

The degree to which information-sharing mechanisms (e.g., councils) were active and shared cybersecurity-related information varied. Specifically, the Coast Guard established a government coordinating council to share information among government entities, but it is unclear to what extent this body has shared information related to cybersecurity. In addition, a sector coordinating council for sharing information among nonfederal stakeholders is no longer active, and the Coast Guard has not convinced stakeholders to reestablish it. Until the Coast Guard improves these mechanisms, maritime stakeholders in different locations are at greater risk of not being aware of, and thus not mitigating, cyber-based threats.

Under a program to provide security-related grants to ports, FEMA identified enhancing cybersecurity capabilities as a funding priority for the first time in fiscal year 2013 and has provided guidance for cybersecurity-related proposals. However, the agency has not consulted cybersecurity-related subject matter experts to inform the multi-level review of cyber-related proposals—partly because FEMA has downsized the expert panel that reviews grants. Also, because the Coast Guard has not assessed cyber-related risks in the maritime risk assessment, grant applicants and FEMA have not been able to use this information to inform funding proposals and decisions. As a result, FEMA is limited in its ability to ensure that the program is effectively addressing cyber-related risks in the maritime environment.

Why GAO Did This Study? U.S. maritime ports handle more than $1.3 trillion in cargo annually. The operations of these ports are supported by information and communication systems, which are susceptible to cyber-related threats. Failures in these systems could degrade or interrupt operations at ports, including the flow of commerce. Federal agencies—in particular DHS—and industry stakeholders have specific roles in protecting maritime facilities and ports from physical and cyber threats. GAO’s objective was to identify the extent to which DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations; analyzed federal cybersecurity-related policies and plans; observed operations at three U.S. ports selected based on being a high-risk port and a leader in calls by vessel type, e.g. container; and interviewed federal and nonfederal officials.

What GAO Recommends? GAO recommends that DHS direct the Coast Guard to (1) assess cyber-related risks, (2) use this assessment to inform maritime security guidance, and (3) determine whether the sector coordinating council should be reestablished. DHS should also direct FEMA to (1) develop procedures to consult DHS cybersecurity experts for assistance in reviewing grant proposals and (2) use the results of the cyber-risk assessment to inform its grant guidance. DHS concurred with GAO’s recommendations.

Full citation:  “MARITIME CRITICAL INFRASTRUCTURE PROTECTION – DHS Needs to Better Address Port Cybersecurity”, Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate, United States Government Accountability Office, June 2014.

CORE1098

Keywords: Maritime Security, Port Security, Cyber – Security, CBP U.S. – Customs and Border Protection, Coast Guard U.S., DHS-Department of Homeland Security, FEMA-Federal Emergency Management Agency, ISAC-information sharing and analysis center, IT-information technology, MTSA-Maritime Transportation Security Act of 2002, NIPP-National Infrastructure Protection Plan, AFE Port Act-Security and Accountability for Every Port Act of 2006, TSA-Transportation Security Administration

[/s2If]

Review on The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities, Policy Paper, July 2013, Center for 21st Century Security and Intelligence (CORE1095)

Summary: In a 50-page policy paper by the Brookings Institute and authored by Commander Joseph Kramek of the U.S.Coast Guard and a Federal Executive Fellow at the institute, the current state of affairs related to vulnerabilities at our national seaports is discussed and options to shore up cyber security are presented. In the executive summary, Commander Kramek writes that today’s U.S. port facilities rely as much upon networked computer and control systems as they do upon stevedores to ensure the flow of maritime commerce that the economy, homeland, and national security depend upon. Yet, unlike other sectors of critical infrastructure, little attention has been paid to the networked systems that undergird port operations. Report is available at: http://www.brookings.edu/~/media/research/files/papers/2013/07/02%20cyber%20port%20security%20kramek/03%20cyber%20port%20security%20kramek.pdf

[s2If is_user_logged_in()]

Full review: No cybersecurity standards have been promulgated for U.S. ports, nor has the U.S. Coast Guard, the lead federal agency for maritime security, been granted cybersecurity authorities to regulate ports or other areas of maritime critical infrastructure. In the midst of this lacuna of authority is a sobering fact: according to the most recent National Intelligence Estimate (NIE) the next terrorist attack on U.S. Critical Infrastructure and Key Resources (CIKR) is just as likely to be a cyber attack as a kinetic attack.

The potential consequences of even a minimal disruption of the flow of goods in U.S. ports would be high. The zero-inventory, just-in-time delivery system that sustains the flow of U.S. commerce would grind to a halt in a matter of days; shelves at grocery stores and gas tanks at service stations would run empty. In certain ports, a cyber disruption affecting energy supplies would likely send not just a ripple but a shockwave through the U.S. and even global economy.

Given the absence of standards and authorities, this paper explores the current state of cybersecurity awareness and culture in selected U.S. port facilities. The use of the post-9/11 Port Security Grant Program (PSGP), administered by the Federal Emergency Management Agency, is also examined to see whether these monies are being used to fund cybersecurity projects.

Full citation:   The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities, Policy Paper, July 2013, Center for 21st Century Security and Intelligence.

CORE1095

Keywords: Maritime Security, Cyber-security, Port Security Grant Program (PSGP), Port facility, Coast Guard, Maritime Transportation Security Act (MTSA).

[/s2If]