Supply Chain

 

 

https://sm.asisonline.org/Pages/Supply-Chain-Strategies.aspxSupply Chain StrategiesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-02-01T05:00:00Zhttps://adminsm.asisonline.org/pages/holly-gilbert-stowell.aspx, Holly Gilbert Stowell<p>​Take almost any product you have purchased in a store or used at home or work in the last week. Chances are, that object moved thousands of miles from where it was originally manufactured to the place where it was ultimately purchased or delivered to you. Organizations have intricate supply chain networks that are constantly moving every day around the world, and having an efficient supply chain security program ensures that movement of goods is not interrupted or compromised. </p><p>Security professionals must take a detailed look at the vendors who supply their assets and understand how those goods will be handled and ultimately implemented into their company’s operations or services. Following is a look at how a children’s hospital in Alabama applied supply chain security best practices to weather an unexpected storm, as well as provide for day-to-day operations. In addition, supply chain experts discuss lessons learned from their own experience of conducting risk assessments, following standards, and vetting suppliers and transporters to better protect company property. ​</p><h4>Alabama Children’s </h4><p>When a snowstorm hit Birmingham, Alabama, on January 28, 2014, the city was caught unawares. The snowfall, which quickly turned to ice, left thousands stranded on highways or in their offices. Children were stuck at school, their parents unable to pick them up. The event became known as “Snowpocalypse,” and news service AL.com called it “the winter storm that brought Birmingham to its knees.” </p><p>Hospitals were affected by the storm as well, including Children’s of Alabama. The pediatric center encountered vulnerabilities in its supply chain during that event it hadn’t previously considered, says Dennis Blass, CPP, PSP, director of safety and security at the hospital. </p><p><strong>Lessons learned. </strong>Every year the hospital conducts a hazards vulnerability assessment for its supply chain to find out where it can improve safety and security. “Once you identify your hazards and your vulnerabilities–the things that are dangerous to you or the things that you’re weak in–then you start peeling those back,” he says. “If we identify hazards that we need to correct, then we probably are going to create a management plan to correct those issues.” </p><p>Many displaced people in the community turned to the hospital for shelter when they had nowhere else to go. “We have a very prominent position in the Birmingham skyline, so if things look bad, the hospital looks like a place to go and get help–as it is,” Blass says. There were also clinic patients who had come to the hospital that morning for a routine checkup, planning to leave; many of them were stuck because of the snowstorm, which began around 10:30 a.m. local time.</p><p>Instead of being filled to the normal capacity of 300 people—the number of beds in the hospital—there were roughly  about 600 people who spent about 48 hours at the facility to ride out the storm.</p><p>The number of people at the hospital exposed one unforeseen vulnerability—obtaining clean linens from its supplier, which is separated from the hospital by a chain of mountains. “The supplier can wash the linens, but they can’t deliver them to us…we ended up making it, but that was a close call,” says Blass.</p><p>“We could handle supplies for patients, but we had a lot of people who just came to the hospital because it was a warm place to be,” according to Blass. “That had impacts on the amount of food that got consumed, and it had impacts on the amount of linens we went through. Just things that people need, supplies like toilet paper, things you don’t think a lot of.” </p><p>For those who weren’t patients, the hospital served smaller meals than normal; “sandwiches and soup, as opposed to meat and potatoes,” Blass says, to stretch resources. </p><p>The main drug supplier for the hospital is located in the same region, so obtaining critical medicine was not a concern during the storm. The hospital also has plenty of diesel fuel tanks, and can go for days without restocking. Only the insufficient linens, which must be sent off to a facility for proper sanitation before being returned to the hospital, turned out to be an issue.</p><p>“We did an after-action report on that experience, so we…put it in our emergency management plans for the future,” he notes.</p><p>The hospital’s emergency plans help ease any supply chain shortages. The institution follows the hospital incident command system (HICS) which assigns temporary duties to leadership during an emergency. For example, during the snowstorm, the chief operating officer of the hospital assumes the role of incident commander; an information officer is assigned to keep the community informed of hospital activities; and the plan also incorporates a medical officer, logistics chief, and planning chief. </p><p>During the incident, this system helped ensure proper patient care and as few gaps in the supply chain as possible. “Food was getting tight,” Blass says, and the food warehouses are not located near the hospital. “Because of the command structure, leadership can say, ‘okay you have a company credit card, we’ll contact the bank and raise your limit from $500 to $5,000 or whatever you need.’”</p><p>The U.S. Joint Commission, which certifies and accredits healthcare bodies, requires that hospitals have a group with representatives from various divisions that evaluates the standard of care they are providing to patients. Alabama Children’s has an environment of care committee that meets once a month to complete this requirement. “Our environment of care committee looks at things like safety, security, and resource management,” says Blass. “We have to meet the Joint Commission’s standard, and it surveys us every three years.” </p><p>Representatives on the team at Alabama Children’s include staff from the pharmacy, medical team, facilities, human resources, dining services, and more. This team ensures that there aren’t any gaps in the supply chain that would interrupt the hospital’s daily operations. As a rule, Blass says that having enough supplies for 96 hours will allow the facility to continue operating smoothly and efficiently. This includes a variety of items that the environment of care team must carefully think through and document. “You’re talking about water, fuel, basic sanitary supplies, and then you start talking about medicine and those things necessary for a hospital to run,” he says. </p><p>And there can be more than one type of each supply, a detail that, if overlooked, could mean life or death. “We have pumps that pump air, we have pumps that pump blood, we have pumps that pump saline, we have pumps that do many different things. You have to have all the things needed to make those supplies work for 96 hours,” he notes. </p><p>Keeping track of inventory is critical to determine whether the hospital has a sufficient supply of each item. Blass says that the hospital is moving toward a perpetual inventory system, where a new item is ordered as soon as one is pulled off the shelf. </p><p>There is a downside to stocking too many items, which is why it’s a delicate balance between having 96 hours’ worth of supplies and more than enough. “Space is expensive. And if you want to have enough water for four days, how much water is that? Where do you put it? How do you keep it fresh?” He adds that the hospital must be thoughtful in its policies and procedures on maintaining its inventory to avoid any issues.  </p><p>Thankfully, Blass notes, t​he 2014 snowstorm only lasted 48 hours. “The size of the surge exceeded our plan, but the length of the surge was shorter than our plans, so it all worked out,” he says. </p><p>And not every element of securing the supply chain is tangible; the information and communication pieces are also critical. “Every day we’re getting blood supplies in, and other kinds of materials that must be treated very carefully,” he says. Special instructions need to be followed in many cases. For example, there may be medicine that must be stored at a precise temperature until 30 minutes before it’s dispensed. That information must be communicated from the pharmacist to the supplier, and sometimes to security, who can give special access to the supplier when it delivers the drugs. </p><p>Blass is a member of the ASIS International Supply Chain and Transportation Security Council. He helped develop an American National Standards Institute (ANSI)/ASIS standard for supply chain security, Supply Chain Risk Management: A Compilation of Best Practices Standard (SCRM), which was released in July 2014. The standard provides supply chain security guidelines for companies, and has illustrations of what exemplary supply chain models look like.</p><p><strong>Best practices.</strong> Marc Siegel, former chair of the ASIS Global Standards Initiative, also participated in the creation of the ANSI/ASIS standard, which provides explanations of how to look at managing risk in the supply chain. “It’s based on the experiences of companies that have very sophisticated supply chain operations,” he tells Security Management. “The companies that put it together were really looking at having a document that they could give to their suppliers, to help them look at themselves and think of things that they should be doing and preparing for.” </p><p>Siegel is now director of security and resilience projects for the homeland security graduate program at San Diego State University. He promotes supply chain mapping, which takes a risk management–based approach to supply chain security. “Traditionally, a lot of security people have looked at supply chain as logistics security,” he says, “whereas companies with major supply chain considerations have been moving more into an enterprise risk management perspective.” These organizations take an across-the-board look at risks that could create a disruption in the supply chain, asking themselves what the specific things are that could interrupt or prevent them from manufacturing or delivering their product. </p><p>Siegel says there is a disproportionate focus on bad actors and intentional acts as threats to the supply chain, when more often it’s a natural disaster or accident that causes the most significant disruptions. “The broader risk management perspective is also looking at, ‘Is there a potential for a storm, is there a potential for political disorder, or instability in a region, that can cause a delay in processing?’” Only then, he says, are companies efficiently mapping out all the factors that could introduce uncertainty.</p><p>Maintaining a broader perspective will keep organizations from fixating on two of the most common hangups in supply chain security. “You have people who fixate on ‘everything is a threat,’ and you have people who fixate on ‘everything is a vulnerability,’ and if you only fixate on those two things you’re going to miss a lot of stuff,” Siegel says.</p><p>Blass agrees. “When we start that annual hazards vulnerability assessment, I’m going to look through the standard and notes I’ve written myself to make sure I’ve got everything covered,” he notes. “You can never rest and say, ‘well, we’re safe and secure and we don’t have to do anything else,’ because the threats keep changing.”   ​</p><p>--</p><h4>Sidebar: assess risk<br></h4><p> </p><div>​For the co​rporation that produces the F-35 fighter jet and other advanced technologies for the U.S. government, supply chain security is of utmost importance. “The threats that we face are universal in nature due to the size and the complexity of our supply chain,” says Vicki Nichols, supply chain security lead for Lockheed Martin’s Aeronautics business. </div><div><br> </div><div>Lockheed Martin Aeronautics assesses the supply chain in a number of categories, but Nichols works most closely with cargo security. “The threats there are cargo disruption, unmanifested cargo, and anti-Western terrorism,” she notes. </div><div><br> </div><div>The division conducts a risk assessment of its international suppliers. “We look at what type of products they provide us and how vulnerable that product is to manipulation or intellectual property theft, and we look at country risk,” she says.  </div><div><br> </div><div>The company sends a questionnaire to its suppliers, and comes up with an overall score for each of them based on 10 criteria, including country risk and transportation mode. In many cases, it also sends field personnel to evaluate the supplier’s facility. “If we know we have eyes and ears going in and out of the facility, and those people are trained to recognize red flags, then we know we have a lower threat because of our presence,” she says. </div><div><br> </div><div>After one such site check at a facility in Italy, Lockheed Martin Aeronautics determined that the use of technology was warranted to further enhance security. “The concern was that the area was known for introduction of unmanifested cargo—weapons, cargo disruption,” she notes. “We began to look at tamper-evident technologies, and track-and-trace devices that would allow us to know if someone had opened or tampered with the freight.”  </div><div><br> </div><div>Lockheed Martin has a corporate supply chain security council that meets at least once a month to provide updates and discuss any issues that arise. Representatives from the company include human resources, personnel security, physical security, and counterintelligence. Stakeholders from major partner organizations are also invited to participate.</div><div><br> </div><div>Lockheed Martin Aeronautics also works closely with law enforcement and federal intelligence sources who disseminate relevant information to the company. “We subscribe to some intelligence data that is cargo-specific, so we issue a spotlight report about three times a week just to keep people engaged and aware of the threats in the supply chain,” she notes. </div><div><br> </div><div>Supplier engagement is also critical, Nichols says, so the company stays in touch with about 120 suppliers internationally. </div><div><br> </div><div>Sometime in 2017, Lockheed Martin Aeronautics plans to purchase a software management tool that will release supplier questionnaires in the native language for countries it does business with. It will tap existing resources such as “Supplier Wire” to offer training to the supply base. “This will be another evolution on how we can engage, rather than just sending them to a website,” Nichols says. “I think it’s important for our supply base to see how seriously we take security, so they will take it seriously as well.”​</div><div><br> </div><h4>sidebar: consult standards<br></h4><p> </p><p>​Laura Hains, CPP, operations manager, supply chain security and consulting at Pinkerton, member of the ASIS International Supply Chain and​ Transportation Security Council, says that companies should research whether their partners and suppliers are following major supply chain security protocols, like those put out by ASIS, and others such as the Transported Asset Protection Association (TAPA) standards for trucking companies. “TAPA is one of the big authorities on trucking, so if a company says they are TAPA certified, that to me says that they follow protocol,” she says. </p><p>Other standards include the National Strategy for Global Supply Chain Security which U.S. President Barack Obama signed in 2012 and was designed to enhance public-private partnerships. Arthur Arway, CPP, author of Supply Chain Security: A Comprehensive Approach, says the framework seeks to combine input from government and industry on protecting the transport of goods to and from the United States. “I think the government is far more willing to seek out subject matter experts and all the different modes and companies that may transport goods into the United States for their help,” he says. Arway adds the document is relatively recent, and that it could take a while before it is widely adopted. </p><p>Though terrorism is an uncommon threat to the supply chain, it must always be a consideration. Hains gives the example of vehicular attacks. In Nice, France, on July 14, 2016, Tunisia native Mohamed Lahouaiej Bouhlel drove a 19-ton cargo truck into a crowd of Bastille Day festival-goers. That attack killed 86 people and injured more than 400. New York police also warned of possible vehicular terrorism against the 2016 Macy’s Thanksgiving Day Parade. “A small company truck—that could be a target,” notes Hains. “So everybody has to think about terrorism because it’s out there.”</p><p>Another standard at the national level seeking to combat terrorism within the supply chain is the U.S. Customs Trade Partnership Against Terrorism (C-TPAT). The program is voluntary for private industry, but Arway says the national standards as a whole are seeing global adoption.​</p><p>“Standards have come a long way in how they’ve been able to incorporate security into the movement of goods,” he notes. “Many countries have accepted these programs into their own supply chain security programs.”​</p>

Supply Chain

 

 

https://sm.asisonline.org/Pages/Supply-Chain-Strategies.aspx2017-02-01T05:00:00ZSupply Chain Strategies
https://sm.asisonline.org/Pages/The-Usual-Suspects.aspx2016-08-01T04:00:00ZThe Usual Suspects
https://sm.asisonline.org/Pages/Book-Review---Diamond-Mine-Security.aspx2016-07-29T04:00:00ZBook Review: Diamond Mine Security
https://sm.asisonline.org/Pages/In-the-Public-Interest.aspx2016-05-01T04:00:00ZIn the Public Interest
https://sm.asisonline.org/Pages/Slavery-in-the-Supply-Chain.aspx2015-12-17T05:00:00ZSlavery in the Supply Chain
https://sm.asisonline.org/Pages/Port-Protection.aspx2015-02-01T05:00:00ZPort Protection
https://sm.asisonline.org/Pages/Strategic-Shrink-Reduction.aspx2015-02-01T05:00:00ZStrategic Shrink Reduction
https://sm.asisonline.org/Pages/Linking-Crime-and-Terrorism.aspx2015-01-01T05:00:00ZLinking Crime and Terrorism
https://sm.asisonline.org/Pages/Supply-Chain-Security.aspx2014-10-01T04:00:00ZSupply Chain Security: A Comprehensive Approach
https://sm.asisonline.org/Pages/Protecting-Food-Imports.aspx2014-07-01T04:00:00ZProtecting Food Imports
https://sm.asisonline.org/Pages/Supply-Chain-Resources.aspx2014-06-01T04:00:00ZSupply Chain Resources
https://sm.asisonline.org/Pages/security-and-loss-prevention-introduction-sixth-edition-0013394.aspx2014-05-01T04:00:00ZSecurity and Loss Prevention: An Introduction, Sixth Edition
https://sm.asisonline.org/Pages/asset-tracking-trends-0013104.aspx2014-02-01T05:00:00ZAsset Tracking Trends
https://sm.asisonline.org/Pages/Getting-the-Goods.aspx2013-09-01T04:00:00ZGetting the Goods
https://sm.asisonline.org/Pages/loss-prevention-0012628.aspx2013-08-01T04:00:00ZGlobal Retail Crime and Loss Prevention Trends
https://sm.asisonline.org/Pages/digital-edition-cover-story-uncovering-art_E2_80_99s-dark-past-0012457.aspx2013-02-01T05:00:00ZDigital Edition Cover Story: Uncovering Art’s Dark Past
https://sm.asisonline.org/Pages/The-Fight-Against-Food-Fraud.aspx2012-12-01T05:00:00ZThe Fight Against Food Fraud
https://sm.asisonline.org/Pages/report-billions-dollars-worth-smartphones-lost-annually-009733.aspx2012-03-23T04:00:00ZReport: Billions of Dollars Worth of Smartphones Lost Annually
https://sm.asisonline.org/Pages/Planning-for-Disaster.aspx2012-03-01T05:00:00ZPlanning for Disaster
https://sm.asisonline.org/Pages/flash-mobs-emerging-threat-retailers-008891.aspx2011-08-11T04:00:00ZFlash Mobs: An Emerging Threat to Retailers

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Supply-Chain-Strategies.aspxSupply Chain Strategies<p>​Take almost any product you have purchased in a store or used at home or work in the last week. Chances are, that object moved thousands of miles from where it was originally manufactured to the place where it was ultimately purchased or delivered to you. Organizations have intricate supply chain networks that are constantly moving every day around the world, and having an efficient supply chain security program ensures that movement of goods is not interrupted or compromised. </p><p>Security professionals must take a detailed look at the vendors who supply their assets and understand how those goods will be handled and ultimately implemented into their company’s operations or services. Following is a look at how a children’s hospital in Alabama applied supply chain security best practices to weather an unexpected storm, as well as provide for day-to-day operations. In addition, supply chain experts discuss lessons learned from their own experience of conducting risk assessments, following standards, and vetting suppliers and transporters to better protect company property. ​</p><h4>Alabama Children’s </h4><p>When a snowstorm hit Birmingham, Alabama, on January 28, 2014, the city was caught unawares. The snowfall, which quickly turned to ice, left thousands stranded on highways or in their offices. Children were stuck at school, their parents unable to pick them up. The event became known as “Snowpocalypse,” and news service AL.com called it “the winter storm that brought Birmingham to its knees.” </p><p>Hospitals were affected by the storm as well, including Children’s of Alabama. The pediatric center encountered vulnerabilities in its supply chain during that event it hadn’t previously considered, says Dennis Blass, CPP, PSP, director of safety and security at the hospital. </p><p><strong>Lessons learned. </strong>Every year the hospital conducts a hazards vulnerability assessment for its supply chain to find out where it can improve safety and security. “Once you identify your hazards and your vulnerabilities–the things that are dangerous to you or the things that you’re weak in–then you start peeling those back,” he says. “If we identify hazards that we need to correct, then we probably are going to create a management plan to correct those issues.” </p><p>Many displaced people in the community turned to the hospital for shelter when they had nowhere else to go. “We have a very prominent position in the Birmingham skyline, so if things look bad, the hospital looks like a place to go and get help–as it is,” Blass says. There were also clinic patients who had come to the hospital that morning for a routine checkup, planning to leave; many of them were stuck because of the snowstorm, which began around 10:30 a.m. local time.</p><p>Instead of being filled to the normal capacity of 300 people—the number of beds in the hospital—there were roughly  about 600 people who spent about 48 hours at the facility to ride out the storm.</p><p>The number of people at the hospital exposed one unforeseen vulnerability—obtaining clean linens from its supplier, which is separated from the hospital by a chain of mountains. “The supplier can wash the linens, but they can’t deliver them to us…we ended up making it, but that was a close call,” says Blass.</p><p>“We could handle supplies for patients, but we had a lot of people who just came to the hospital because it was a warm place to be,” according to Blass. “That had impacts on the amount of food that got consumed, and it had impacts on the amount of linens we went through. Just things that people need, supplies like toilet paper, things you don’t think a lot of.” </p><p>For those who weren’t patients, the hospital served smaller meals than normal; “sandwiches and soup, as opposed to meat and potatoes,” Blass says, to stretch resources. </p><p>The main drug supplier for the hospital is located in the same region, so obtaining critical medicine was not a concern during the storm. The hospital also has plenty of diesel fuel tanks, and can go for days without restocking. Only the insufficient linens, which must be sent off to a facility for proper sanitation before being returned to the hospital, turned out to be an issue.</p><p>“We did an after-action report on that experience, so we…put it in our emergency management plans for the future,” he notes.</p><p>The hospital’s emergency plans help ease any supply chain shortages. The institution follows the hospital incident command system (HICS) which assigns temporary duties to leadership during an emergency. For example, during the snowstorm, the chief operating officer of the hospital assumes the role of incident commander; an information officer is assigned to keep the community informed of hospital activities; and the plan also incorporates a medical officer, logistics chief, and planning chief. </p><p>During the incident, this system helped ensure proper patient care and as few gaps in the supply chain as possible. “Food was getting tight,” Blass says, and the food warehouses are not located near the hospital. “Because of the command structure, leadership can say, ‘okay you have a company credit card, we’ll contact the bank and raise your limit from $500 to $5,000 or whatever you need.’”</p><p>The U.S. Joint Commission, which certifies and accredits healthcare bodies, requires that hospitals have a group with representatives from various divisions that evaluates the standard of care they are providing to patients. Alabama Children’s has an environment of care committee that meets once a month to complete this requirement. “Our environment of care committee looks at things like safety, security, and resource management,” says Blass. “We have to meet the Joint Commission’s standard, and it surveys us every three years.” </p><p>Representatives on the team at Alabama Children’s include staff from the pharmacy, medical team, facilities, human resources, dining services, and more. This team ensures that there aren’t any gaps in the supply chain that would interrupt the hospital’s daily operations. As a rule, Blass says that having enough supplies for 96 hours will allow the facility to continue operating smoothly and efficiently. This includes a variety of items that the environment of care team must carefully think through and document. “You’re talking about water, fuel, basic sanitary supplies, and then you start talking about medicine and those things necessary for a hospital to run,” he says. </p><p>And there can be more than one type of each supply, a detail that, if overlooked, could mean life or death. “We have pumps that pump air, we have pumps that pump blood, we have pumps that pump saline, we have pumps that do many different things. You have to have all the things needed to make those supplies work for 96 hours,” he notes. </p><p>Keeping track of inventory is critical to determine whether the hospital has a sufficient supply of each item. Blass says that the hospital is moving toward a perpetual inventory system, where a new item is ordered as soon as one is pulled off the shelf. </p><p>There is a downside to stocking too many items, which is why it’s a delicate balance between having 96 hours’ worth of supplies and more than enough. “Space is expensive. And if you want to have enough water for four days, how much water is that? Where do you put it? How do you keep it fresh?” He adds that the hospital must be thoughtful in its policies and procedures on maintaining its inventory to avoid any issues.  </p><p>Thankfully, Blass notes, t​he 2014 snowstorm only lasted 48 hours. “The size of the surge exceeded our plan, but the length of the surge was shorter than our plans, so it all worked out,” he says. </p><p>And not every element of securing the supply chain is tangible; the information and communication pieces are also critical. “Every day we’re getting blood supplies in, and other kinds of materials that must be treated very carefully,” he says. Special instructions need to be followed in many cases. For example, there may be medicine that must be stored at a precise temperature until 30 minutes before it’s dispensed. That information must be communicated from the pharmacist to the supplier, and sometimes to security, who can give special access to the supplier when it delivers the drugs. </p><p>Blass is a member of the ASIS International Supply Chain and Transportation Security Council. He helped develop an American National Standards Institute (ANSI)/ASIS standard for supply chain security, Supply Chain Risk Management: A Compilation of Best Practices Standard (SCRM), which was released in July 2014. The standard provides supply chain security guidelines for companies, and has illustrations of what exemplary supply chain models look like.</p><p><strong>Best practices.</strong> Marc Siegel, former chair of the ASIS Global Standards Initiative, also participated in the creation of the ANSI/ASIS standard, which provides explanations of how to look at managing risk in the supply chain. “It’s based on the experiences of companies that have very sophisticated supply chain operations,” he tells Security Management. “The companies that put it together were really looking at having a document that they could give to their suppliers, to help them look at themselves and think of things that they should be doing and preparing for.” </p><p>Siegel is now director of security and resilience projects for the homeland security graduate program at San Diego State University. He promotes supply chain mapping, which takes a risk management–based approach to supply chain security. “Traditionally, a lot of security people have looked at supply chain as logistics security,” he says, “whereas companies with major supply chain considerations have been moving more into an enterprise risk management perspective.” These organizations take an across-the-board look at risks that could create a disruption in the supply chain, asking themselves what the specific things are that could interrupt or prevent them from manufacturing or delivering their product. </p><p>Siegel says there is a disproportionate focus on bad actors and intentional acts as threats to the supply chain, when more often it’s a natural disaster or accident that causes the most significant disruptions. “The broader risk management perspective is also looking at, ‘Is there a potential for a storm, is there a potential for political disorder, or instability in a region, that can cause a delay in processing?’” Only then, he says, are companies efficiently mapping out all the factors that could introduce uncertainty.</p><p>Maintaining a broader perspective will keep organizations from fixating on two of the most common hangups in supply chain security. “You have people who fixate on ‘everything is a threat,’ and you have people who fixate on ‘everything is a vulnerability,’ and if you only fixate on those two things you’re going to miss a lot of stuff,” Siegel says.</p><p>Blass agrees. “When we start that annual hazards vulnerability assessment, I’m going to look through the standard and notes I’ve written myself to make sure I’ve got everything covered,” he notes. “You can never rest and say, ‘well, we’re safe and secure and we don’t have to do anything else,’ because the threats keep changing.”   ​</p><p>--</p><h4>Sidebar: assess risk<br></h4><p> </p><div>​For the co​rporation that produces the F-35 fighter jet and other advanced technologies for the U.S. government, supply chain security is of utmost importance. “The threats that we face are universal in nature due to the size and the complexity of our supply chain,” says Vicki Nichols, supply chain security lead for Lockheed Martin’s Aeronautics business. </div><div><br> </div><div>Lockheed Martin Aeronautics assesses the supply chain in a number of categories, but Nichols works most closely with cargo security. “The threats there are cargo disruption, unmanifested cargo, and anti-Western terrorism,” she notes. </div><div><br> </div><div>The division conducts a risk assessment of its international suppliers. “We look at what type of products they provide us and how vulnerable that product is to manipulation or intellectual property theft, and we look at country risk,” she says.  </div><div><br> </div><div>The company sends a questionnaire to its suppliers, and comes up with an overall score for each of them based on 10 criteria, including country risk and transportation mode. In many cases, it also sends field personnel to evaluate the supplier’s facility. “If we know we have eyes and ears going in and out of the facility, and those people are trained to recognize red flags, then we know we have a lower threat because of our presence,” she says. </div><div><br> </div><div>After one such site check at a facility in Italy, Lockheed Martin Aeronautics determined that the use of technology was warranted to further enhance security. “The concern was that the area was known for introduction of unmanifested cargo—weapons, cargo disruption,” she notes. “We began to look at tamper-evident technologies, and track-and-trace devices that would allow us to know if someone had opened or tampered with the freight.”  </div><div><br> </div><div>Lockheed Martin has a corporate supply chain security council that meets at least once a month to provide updates and discuss any issues that arise. Representatives from the company include human resources, personnel security, physical security, and counterintelligence. Stakeholders from major partner organizations are also invited to participate.</div><div><br> </div><div>Lockheed Martin Aeronautics also works closely with law enforcement and federal intelligence sources who disseminate relevant information to the company. “We subscribe to some intelligence data that is cargo-specific, so we issue a spotlight report about three times a week just to keep people engaged and aware of the threats in the supply chain,” she notes. </div><div><br> </div><div>Supplier engagement is also critical, Nichols says, so the company stays in touch with about 120 suppliers internationally. </div><div><br> </div><div>Sometime in 2017, Lockheed Martin Aeronautics plans to purchase a software management tool that will release supplier questionnaires in the native language for countries it does business with. It will tap existing resources such as “Supplier Wire” to offer training to the supply base. “This will be another evolution on how we can engage, rather than just sending them to a website,” Nichols says. “I think it’s important for our supply base to see how seriously we take security, so they will take it seriously as well.”​</div><div><br> </div><h4>sidebar: consult standards<br></h4><p> </p><p>​Laura Hains, CPP, operations manager, supply chain security and consulting at Pinkerton, member of the ASIS International Supply Chain and​ Transportation Security Council, says that companies should research whether their partners and suppliers are following major supply chain security protocols, like those put out by ASIS, and others such as the Transported Asset Protection Association (TAPA) standards for trucking companies. “TAPA is one of the big authorities on trucking, so if a company says they are TAPA certified, that to me says that they follow protocol,” she says. </p><p>Other standards include the National Strategy for Global Supply Chain Security which U.S. President Barack Obama signed in 2012 and was designed to enhance public-private partnerships. Arthur Arway, CPP, author of Supply Chain Security: A Comprehensive Approach, says the framework seeks to combine input from government and industry on protecting the transport of goods to and from the United States. “I think the government is far more willing to seek out subject matter experts and all the different modes and companies that may transport goods into the United States for their help,” he says. Arway adds the document is relatively recent, and that it could take a while before it is widely adopted. </p><p>Though terrorism is an uncommon threat to the supply chain, it must always be a consideration. Hains gives the example of vehicular attacks. In Nice, France, on July 14, 2016, Tunisia native Mohamed Lahouaiej Bouhlel drove a 19-ton cargo truck into a crowd of Bastille Day festival-goers. That attack killed 86 people and injured more than 400. New York police also warned of possible vehicular terrorism against the 2016 Macy’s Thanksgiving Day Parade. “A small company truck—that could be a target,” notes Hains. “So everybody has to think about terrorism because it’s out there.”</p><p>Another standard at the national level seeking to combat terrorism within the supply chain is the U.S. Customs Trade Partnership Against Terrorism (C-TPAT). The program is voluntary for private industry, but Arway says the national standards as a whole are seeing global adoption.​</p><p>“Standards have come a long way in how they’ve been able to incorporate security into the movement of goods,” he notes. “Many countries have accepted these programs into their own supply chain security programs.”​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Retail-Theft-Inc.aspxRetail Theft, Inc.<p>On any given day in any given location in the world, there is a retail boss taking stock of his or her organization and planning mission strategy. Priority number one for this boss is hitting the number goals for the rest of the fiscal year. Although sales are strong, and orders are coming in daily, filling these orders has become a midyear crisis. Issues with sourcing are putting profits at risk. Staffing problems are further complicating matters. On top of all of this, there is external pressure on the organization by an oversight group wanting answers to key questions.</p><p>The above scenario, while common, does not come from the boardroom of a conventional retail company. It's a picture of the issues facing an organized retail crime (ORC) syndicate that targets conventional brick-and-mortar retail locations and steals billions of dollars in merchandise each year. </p><p>The impact of organized crime on retail is devastating. The National Retail Federation estimates that ORC results in $30 billion in losses for retailers every year. Retail expert Richard Hollinger found in a recent study that retail shrinkage—the portion of inventory that is lost or stolen—cost the industry $37.14 billion last year, or 1.5 percent of total retail industry sales. The National Shrink Database, developed by CAP Index and LP Innovations, indicates that the problem with shrink is endemic. The developers surveyed 52 retailers and discovered an average retail shrink in excess of 2 percent of sales.  </p><p>"ORC is definitely a problem that keeps me up at night," says Mike Silveira, vice president of loss prevention for CVS Health, based in Woonsocket, Rhode Island.</p><p>Nonetheless, the industry is not taking the losses lying down, and retailers have come together to wage a war against ORC. In this battle, companies are joining forces with government and law enforcement officials to launch operations designed to identify and prosecute those committing ORC. There are also new technological tools, and even a think tank for the development of loss prevention strategies.</p><h4>Structure</h4><p>An ORC syndicate is an organized group of criminals who attack retail. But unlike most organized crime groups, ORC teams are usually streamlined with minimal layers of leadership. This is by design; the fewer moving parts, the more likely they can avoid collapse when an operative is captured and provides evidence to prosecutors. A typical ORC cell consists of only three layers: boss, boosters, and fence.</p><p><strong>The boss.</strong> The boss keeps the organization afloat. He or she cultivates orders, determines which merchandise to steal, and selects boosters and fences to source and sell products. The boss keeps out of day-to-day theft activity, so as not to jeopardize the cell's existence. </p><p><strong>Boosters.</strong> Boosters are shoplifters. The term derives from shoplifting techniques used in the past in which "booster boxes" were designed to act as vessels to conceal and transport merchandise out of a store. Boosters are the plague of retailers; often working in teams, they adjust well to preventive measures and understand how traditional surveillance works. A good booster can clean out a retailer of prime high-dollar merchandise in a matter of minutes, then return to do it again once shelves are restocked. Boosters also burglarize and steal from retail warehouse facilities, distribution hubs, transit shipments, and storage facilities.</p><p>Boosters can be broken down into three categories. A level one booster is often a drug addict who receives, on average, 20 cents for every dollar's worth of stolen items. A level one booster steals merchandise valued at between $650 and $1,000 per day and, usually, earns only enough to support a drug habit.</p><p>Level two boosters work in groups of two or three and travel in wider areas to steal. They may cross state lines to look for jurisdictions with lax shoplifting laws, then bring back the goods to their home base to fence. These boosters usually make 25 cents on the dollar.</p><p>Level three boosters may be recruited by the ORC cells for full-time shoplifting. They typically travel the country for weeks or months at a time, stealing to fill specific orders. These boosters are usually not addicts and see their work as a career position. Level three boosters receive the greatest compensation for theft, more than 25 cents on the dollar, the exact amount depending on factors such as length of relationship, geography, items stolen, and supply and demand.</p><p><strong>Fence.</strong> The fence is the retail arm of the ORC operation. After merchandise is stripped of evidence that it originated from a brick-and-mortar retailer and  sometimes repackaged, it is offered to outlets for sale. Today, legitimate sites, such as Amazon, eBay, Craigslist, and Back Page, have unintentionally become vehicles for fences, with stolen goods sold to unsuspecting customers. However, these online outlets are now working to identify and close off fencing operations. For example, eBay has a substantial ORC task force in place. The company has hired investigators and implemented processes that track illicit transactions. The company also works closely with retailers to connect the criminal dots along the retail pipeline.</p><p>Fences have also found great success in setting up their own brick-and-mortar retail stores selling stolen goods. Other favorite venues for fences are flea markets, pawn shops, and smaller mom-and-pop retailers.</p><p>Generally, fences follow a simple strategy. The boss gets orders and determines items that are popular for resale. Based on this information, the boss conducts research to pinpoint where the items are sold, sending boosters into whatever retail store is necessary to fulfill the orders. The boss then has the stolen merchandise delivered to the fence. The fence either prepares the items for sale to specific buyers or sells them on the open market. </p><h4>Challenges</h4><p>Jerry Biggs, director of the Organized Retail Crime Division at Walgreens, says that ORC groups that are stealing, cleaning, and reselling merchandise back into the retail pipeline are a huge financial challenge for his company.</p><p>The scale of the problem makes it difficult to combat. Some boosters are able to hit a retail outlet and in minutes leave with hundreds of dollars in merchandise. They are back at it the next day. Biggs cites one particular case involving Walgreens, in which the fence sold and shipped out $65,000 in merchandise weekly. When apprehended, he had racked up approximately $900,000 in stolen goods for the year. Moreover, this was not the work of a large ORC operation, but rather a mid-tier one. He corroborated that drug use is a factor—90 percent of the level one and two boosters arrested in his company's cases are stealing to support addiction.</p><p>Silveira agrees about the challenge posed by ORC. "Sometimes our stolen merchandise ends up back in the retail pipeline. When a $25 item is stolen and the fence has minimal dollars invested in the product, the margins are substantial," he says. </p><p> ORC operations also threaten retailers who are not national in scope. But for these smaller retailers, including regional chains, it can be difficult to marshal the resources to fight and overcome ORC activity, as they typically do not have the budget, manpower, or tools that larger retailers possess.</p><p>Mark Gaudette, CPP, director of loss prevention for Big Y Foods, headquartered in Springfield, Massachusetts, says the problem of ORC runs deep for his regional chain. In Gaudette's view, one of the challenges is in communicating the scope of ORC as a grassroots operation to law enforcement officials. Gaudette struggles to educate law enforcement that "we are not dealing with the average shoplifter," he says. </p><p>Since Big Y is a 64-store chain, it deals with more than 60 different law enforcement agencies in multiple states, 15 district attorneys' offices, and 30 regional state attorneys' offices. Boosters often sell through fences in multijurisdictional areas, which complicates prosecutions. "The challenge is getting these agencies to move on taking down fencing operations, as it requires an enormous amount of investigative surveillance and financial resources that they just don't have," Gaudette says. </p><p>The solution? "Formulate a grassroots response," he advises. "We have dedicated one of our store detectives as our court representative to file, present evidence, and testify on all of our ORC cases. We have developed retail asset protection groups regionally to share ORC evidence and activity information, such as photographs, video, and [bulletins], that help smaller retailers get convictions and become more aware of trending data in real time. It is useful to know what the other retailers in the area are experiencing in order to best protect our products and businesses." </p><p>In addition, Gaudette says that federal lawmakers in Washington have refused to give law enforcement agencies more tools needed to fight retail theft. Thus, advocacy for such tools must continue. "It is a situation we must all stay vigilant on, and force the issue that ORC is not just a petty crime," he says. </p><h4>Initiatives</h4><p>According to retired Walmart loss prevention executive Richard A. Wells, his company undertook the first retail initiative to attack ORC in the early 1990s. Wells was charged with developing a team to tackle the early onset of organized crime hitting his company's stores, and he established an investigative task force in June 1992. It consisted of two investigators.</p><p>In 1994, the task force cracked its first major ORC case. Crime teams in Texas, Oklahoma, and Kentucky were charged, and $26,000 in stolen merchandise from multiple retailers was recovered. The case was successfully prosecuted. In 1995, Walmart realized its first million-dollar bust. In 1996, the company developed its own advanced criminal investigative school, which was designed to teach loss prevention management, including better execution of surveillance and evidence-gathering to increase the success of ORC prosecutions.</p><p>In 2001, the search for solutions in the fight against ORC led to the creation of a think tank of sorts—the Loss Prevention Research Council (LPRC). Founded by a group of retailers, including Target, Walmart, CVS, and Home Depot, the LPRC has conducted more than 40  projects, including beta testing for loss prevention technologies, researching shoplifting dynamics, and providing testimony for proposed legislation. </p><p>Under Director Read Hayes, research scientist at the University of Florida in Gainesville, the LPRC recently created an ORC working group. Led by Publix's John Hawthorne, the group will examine and take stock of the ORC landscape and coordinate with other ORC working groups around the industry to help bring data and new solutions to the forefront. </p><p>"The retail industry needs to know the real numbers relating to internal and external shrink, and how ORC affects the external loss category.  We then need to find solutions that work at eradicating ORC activity," Hayes says.</p><h4>Cooperation</h4><p>Large retailers such as Safeway, Walmart, Target, CVS, and Walgreens all have specialized ORC teams, dedicated to the identification, investigation, and prosecution of ORC cells. The teams also work at educating law enforcement and government officials on the ORC operations and how best to eradicate the problem.</p><p>"We have identified hotspots where ORC activity is ongoing, and we have aggressively addressed this challenge by developing a strong ORC team comprising former law enforcement officers and retail investigators who are working across the retail dynamic making cases and shutting down these illegal operations," says Silveira. </p><p>In addition to these specialized teams, multistore joint task forces and other joint initiatives have also been set up to combat ORC. These joint-effort operations have resulted in some of the most successful outcomes in cases against ORC, according to Kathleen Smith, vice president of loss prevention for Safeway, who also sits on the ASIS Retail Loss Prevention Council. In Smith's view, ORC eradication starts with a strong internal team that also partners with other retailers. </p><p>One such task force—composed of retailers like Albertsons, CVS, Rite Aid, Target, Von's, Walgreens, and Walmart—successfully fought ORC operations in Long Beach, California, in a mission titled "Operation Spring Cleaning," which culminated in March 2013. More than 100 loss prevention agents were involved in this sting, as well as numerous law enforcement personnel. The effort led to 71 arrests and netted merchandise stolen from 43 retail companies, including cosmetics, groceries, clothing, and alcohol.</p><p>Another recent case, "Operation Thin Man," executed in Colorado Springs, Colorado, was a joint initiative involving the security divisions of Safeway, Target, Home Depot, and eBay. The operation was an example of the complex web of agencies sometimes needed to bring ORC criminals to justice. Federal agencies, including the U.S. Postal Inspection Service and the Bureau of Alcohol, Tobacco, Firearms and Explosives, were part of the operation. Other participants included the Colorado Springs Metro Drug Task Force, Colorado Springs Police Department, El Paso County (Colorado) Sheriff's Department, Fountain (Colorado) Police Department, and the attorney's office for the Fourth Judicial District.</p><p>"We are getting better at identifying the ORC cases, and law enforcement is getting better at understanding how ORC works," says Smith. </p><h4>Tools</h4><p>Besides joint initiatives, retailers are also focused on technological tools in their fight against organized crime. While these tools help deter theft in general, the technologies are being developed primarily to ebb the tide of ORC damage.   </p><p>More traditional tools, such as electronic article surveillance and employee greeters, are being supplemented by new innovations, such as enhanced CCTV with identity validation, shopping cart lockdown devices, and units that keep track of items on the shelf. Other tools limit the number of items a shopper can take at once. These can be as simple as a ratcheted device that dispenses one item at a time, or a device that requires a store associate to dispense additional units. These were designed to deter shelf sweeping—taking a whole shelf full of merchandise in one fell swoop. </p><p>At T-Mobile, for example, the loss prevention division has engaged with multiple vendors to develop an identity validation video tool, aimed at shortening the time it takes to close cases on organized retail criminals. The tool essentially combines video analytics with facial recognition; T-Mobile uses the 3VR video analytics platform with facial recognition video technology. The video expedites the prosecutorial process by identifying criminals stealing from T-Mobile locations across the entire country. According to T-Mobile, the tool has helped reduce theft and has saved the company money. </p><p>Silveira says he looks for tools that will help his stores keep high-loss goods without compromising sales. "It is critically important to balance sales and loss protection," he says. "We are tasked to mitigate loss without impacting sales. This is something my team focuses on when looking at new solutions."</p><h4>Future Efforts</h4><p>Although these tools, efforts, and initiatives have been effective in individual situations, overall ORC continues to cost retailers billions. Will it ever be possible to significantly limit the damage?</p><p>The answer is complicated. First, retailers need to understand that this problem is not limited to just their bottom line, but instead affects all retailers. A booster stymied at one chain will simply move on to another. Thus, joining forces with other companies is essential to mitigating ORC on a national level. This collective effort also requires greater focus on quantifying the ORC problem and breaking down its true financial impact on retail.</p><p>Efforts to educate and assist law enforcement, as well as state and federal lawmakers, on why ORC is not merely your grandfather's shoplifters must continue. "Most states have strong laws on shoplifting and felony theft as it applies to organized crime," Biggs says. "Strengthening existing shoplifting laws in all states, and seeing that they are properly enforced, is key." </p><p>Deterrence must also improve. Eliminating the opportunity for boosters to steal is critical. If theft is mitigated, the flow of goods for resale dries up.</p><p>Consumers should take heed when buying products from a nontraditional retailer. If the item is packaged as new, is unopened, and sells for less than one would pay at a traditional retailer, there's a good chance that the consumer is funding ORC activity. Moreover, cosmetics and unexpired goods sold at flea markets have most certainly been bought from an ORC network. No producer of retail products offloads such goods at a discount to small operators.</p><p>"Too many people turn a blind eye for a good deal, fully knowing that the items they are buying at discount have to have a backstory. We need to put an end to the pipelining of ORC goods by refusing to support their illegal activity," Biggs says. </p><p>Of course, as retailers strengthen their defenses, ORC groups will modify their techniques to keep their illegal activity afloat. However, in the war against ORC, retailers gain the upper hand by continuing to join forces and staying focused on prosecutions. There is much more work to do, but ORC cells are being put on notice by the retailers focused on eradicating them.</p><p>"We know who you are, and we are onto you," Biggs says. "It may not be today, but soon we will be knocking on your door."  </p><p>Keith Aubele, CPP, is a former director of loss prevention for Walmart and former global vice president of loss prevention for Home Depot. He is the founder & CEO of Retail Loss Prevention Group, Inc., based in Bentonville, Arkansas, and is a member of ASIS.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Port-Protection.aspxPort Protection<p>​<span style="line-height:1.5em;">It was Christmas Eve in Tampa, Florida, and Laura Hains, CPP, a Customs and Border Protection (CBP) supervisor, was awoken by a phone call: “Laura, we have an anomaly. You need to come in.” She drove to Port Tampa Bay, the largest port in Florida, where she worked as a cargo and port security specialist. When she arrived, the crew filled her in on the details: a shipping container of crackers from Italy had arrived at the port, and a standard scan had revealed a large, dark mass in the center of the container. The mass was recorded on the scanners as possible radiological material.</span></p><p><em>Oh gosh, this is it,</em> Hains thought.</p><p>By the time Hains had called all the people who needed to know, it was Christmas Day. Officials were hopping on expensive last-minute flights to Tampa, and local law enforcement was called to the scene. Hains and her team opened the back of the container and began unloading it. As the supervisor, Hains offered to climb in first. It took almost two hours of rearranging and removing boxes to reach the center of the container, and each step Hains took destroyed the cargo beneath her feet. She dug down, looking for the anomaly…and discovered a crate of wine the shippers had sent as a Christmas present. </p><p>Hains has seen a lot in her 20-plus years in the port security industry, and fortunately most of her experiences have been as benign as the Christmas incident. However, she says it’s only a matter of time until some group takes advantage of the maritime supply chain to debilitate a U.S. port, or worse.</p><p>“The fear is that out of the 4 million containers that arrive in U.S. ports each year from around the world, all it takes is one to bring a dirty bomb,” Hains said during a maritime security session at the ASIS International 60th Annual Seminar and Exhibits.</p><p>And Hains is not the only one with concerns about port security. The Government Accountability Office (GAO) recently published reports and testified before Congress about the challenges faced by port security programs, as well as the need for the U.S. Department of Homeland Security (DHS) to address port cybersecurity. </p><p>Stephen Caldwell—who last month retired as director of homeland security and justice at GAO—spearheaded the two reports, Progress and Challenges with Selected Port Security Programs and DHS Needs to Better Address Port Cybersecurity. He says that one issue plaguing U.S. ports is the failure to assess various security programs.</p><p> “There are a lot of challenges in developing meaningful performance measures,” Caldwell says. “In terms of the security measures you have in place and your ability to measure the things you have in place, there are real difficulties in measuring things like deterrents and security.”</p><p>That’s not surprising, considering the activity that takes place at U.S. maritime ports. More than $1.3 trillion in cargo enters the country by sea annually, and approximately 90 percent of the goods consumed in the United States come by vessel, Hains said. Two ports, the Port of New York and New Jersey and the Port of Los Angeles and Long Beach, receive half of all those containers.</p><p>“As security experts, that should be a little alarming to you, because that means that if those two ports got hit, 50 percent of our container traffic would go down,” Hains noted.</p><p>DHS is the lead federal department when it comes to port security. The Transportation Security Administration (TSA) controls who can enter the ports. The U.S. Coast Guard conducts facility and vessel inspections at ports, and the CBP is involved in screening throughout the global supply chain process.</p><p>Port security, and maritime supply chain security in particular, is dictated by a number of laws and regulations intended to enhance security. Some of these regulations were analyzed in the GAO reports. The Security and Accountability for Every Port Act (SAFE), along with the 9/11 Commission Act, requires DHS to implement 100 percent screening of all cargo that enters U.S. ports, as well as 100 percent physical scanning of high-risk cargo. And the Container Security Initiative (CSI) places CBP officials at selected foreign ports to assess the risks of shipping out of that country. </p><p>Here’s how a shipping container moves from overseas to a U.S. port under the various shipping regulations: Before the cargo container is loaded onto a vessel, its manifest—the list of cargo in the container—is screened by CBP and a risk score is assigned to the container by an automated targeting system. Where it’s coming from, whether it’s from a trusted shipping company, and the type of cargo being shipped are all factors considered. If the score passes a certain threshold, it’s flagged for extra radiation and x-ray scanning, in accordance with the SAFE Port Act. If it passes, the vessel is then sent on its way and eventually arrives in a U.S. port, where, depending on the targeting system score, it may undergo another x-ray or radiation scan. </p><p>This current method concerns Hains. The risk score is based on the manifest, not the cargo itself, and it doesn’t necessarily account for a stop in another country before arriving in the United States. For example, a container could be shipped from Pakistan to Spain, then from Spain to England, put on a new boat in England, and sent to the United States. The CBP officials at the receiving port will only know that the container came from England and may not screen it as thoroughly, Hains explained. </p><p>“These containers and ships move by trust, based on what’s on the manifest, passenger list, and port assessments,” Hains said. “Every day in the United States, vessels arrive and containers arrive, and we believe what it says on the manifest.”</p><p>The GAO also found flaws in the current system. The agency notes that the automated targeting system used to rate containers is based on outdated intelligence information, and Caldwell says the organization is auditing the ranking program to learn more about how effective the practice is. </p><p>Another concern the GAO raised in its reports is the effectiveness of screening mandated by the SAFE Port Act. The law was initially supposed to be implemented in July 2012, but in May 2014 the secretary of homeland security extended the deadline until May 2016. However, only an estimated 4.1 percent of containers are currently x-rayed before they come to the United States. </p><p>“DHS’s position is that this is not doable and not something that really makes sense, but it’s still a statutory requirement and will remain so until the law is revised,” Caldwell explains.</p><p>GAO found that some international privacy laws prevent the sharing of screening information, which makes the SAFE Port Act challenging to implement, Caldwell says. After a container is scanned overseas, communicating the findings becomes difficult due to issues such as who owns the data, whether it can be shared with the United States, and even whether CBP, a private company, or the host government should do the scanning. DHS believes that scanning all cargo, including trusted or low-risk containers, is not the best use of its resources, he explains. </p><p>“Even if you went to that 100 percent scanning, until you look at the details of the implementation, it’s hard to know if it would even improve security,” Caldwell asserts. “If there’s no training standard, then you get the Pakistanis or Indonesians, as well as others, like the Brits and New Zealand, and do they have the same training? Do they have the same level of skill in interpreting those x-ray images?”</p><p>The CSI, which places border patrol officials in foreign ports to conduct risk assessments, is “the biggest boondoggle that the CBP has,” Hains said. According to the GAO report, CBP has not assessed the risks posed by foreign ports that ship cargo to the United States since 2005, which means that many of the 58 foreign ports that participate in the initiative haven’t been assessed for threats in a decade. Both Caldwell and Hains question how well the foreign ports are managed by CBP officials.</p><p>Another concern Caldwell has is the sustainability of the current port security systems. Budget cuts have caused both CBP and Coast Guard personnel to be pulled from port security. </p><p>In June of last year, the GAO released an entire report on port cybersecurity. Like most critical infrastructure, maritime stakeholders rely on numerous types of information and communications technologies to manage cargo, the report states. Port owners and operators are responsible for the cybersecurity of their operations, but the report found that ports are receiving little to no guidance from the federal government. </p><p>The report cites a 2011 cyberattack on the Port of Antwerp as an illustration. In that incident, hackers accessed the computer systems of two container terminals, which allowed them to track and control the movements of certain containers. Criminals in another country would place illegal goods in a container, and once it arrived in Antwerp the hackers could divert it so it would not be screened before it left the port. This went on for two full years until officials arrested nine members of the criminal group in 2013 and seized almost a ton of heroin, as well as firearms and other contraband. </p><p>Caldwell says he was surprised at how weak maritime cybersecurity initiatives are. “There have been national-level strategies and presidential directives that have clearly said, ‘Hey, federal government, you need to start looking at the cyber as well as the physical aspects of security.’ And yet the Coast Guard was not moving smartly.” Since the cybersecurity report came out, Caldwell says the Coast Guard has agreed to take steps to address the cybersecurity threat. </p><p>One way to make the supply chain more secure and consistent is proper training, Hains said. Due to budget cuts and CBP reorganization, it’s increasingly common for immigration officials with little to no customs and shipping training to be put in charge of interpreting the cargo risk assessments. </p><p>A well-trained official should be able to consider not only the manifest and the automated risk assessment score, but the origin of the products, the weight of the crate, and more. Hains said that an experienced official may notice that the container weighs more than it should as indicated by the manifest, or that it’s from a first-time shipping company, even though it’s from a trusted country. These would make the container high-risk, and officials could further scan the cargo before it gets to U.S. shores.</p><p>Another solution Hains advocates for is the implementation of container security devices. She notes that the technology is still new and expensive, but the sensors can be retrofitted onto any container and would alert officials to the presence of numerous chemical tracers, as well as carbon dioxide to detect humans, light sensors to detect whether the container has been compromised, and geofencing to make sure the container or its contents aren’t stolen. </p><p>“It’s the only way we’re going to make ourselves safe,” Hains said.</p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465