Finding The Danger In The Data

• By Sharon J. Watson
• Apr 07, 2008

Serving as the Coast Guard’s Senior Operations Captain in the Port of New York and New Jersey immediately following the attacks of Sept. 11, 2001, profoundly influenced how Ed Merkle approaches his current job as director of port security and emergency operations for the Virginia Port Authority (VPA) in Norfolk.

“The events of that day were fresh in the hearts and minds of everyone on my staff,” he said. Merkle’s staff and crew, most of whom had witnessed the 9/11 attacks, were emotionally invested in their work. They were united in a key conclusion: to prevent further attacks, they had to make sense of more security data more quickly.

“It’s not enough to know after the fact,” Merkle said.“You have to put together so many pieces.”

To detect dangers lurking in its security data, Merkle and the VPA are implementing Situator, situation management software from Orsus. Situator pulls together data from the VPA’s disparate security systems, including access control and video, to provide Merkle and port police an integrated view of what’s happening in the facility. It also prompts them to follow their own defined procedures for handling various situations and ensuring consistent responses and detailed records.

“I wanted a company that understood the world of terrorism but also knew that you need to keep operating,” Merkle said. Orsus, with dual headquarters in New York and Or Yehuda, Israel, he said, got it. “They understood the world of terrorism. They understood the world of response.”

Balancing Commerce And Security

The key challenge isn’t the amount of information; it’s the question of what to do with it. Merkle must provide the best security without disrupting the flow of commerce.That is a critical balancing act for the VPA, a state agency that owns and operates three general cargo marine terminals: Norfolk International Terminals, Newport News Marine Terminal and Portsmouth Marine Terminal. A fourth, the Virginia Inland Port, is 200 miles inland, in Front Royal. Combined, these four terminals constitute the Port of Virginia.

The Port and the maritime industry built on it are responsible for 340,000 jobs throughout the state and more than $41 billion in total revenue. Last year, the Port handled 2,289 ship calls and 366,739 tons of break bulk cargo.

Each terminal is a welter of round-the-clock activity: they are hubs for international shipping lines, shipping and logistics firms and agents, stevedores, motor freight and delivery services, rail freight, and port crew and employees.

By the time Merkle arrived in 2004, the agency had spent about $22 million on a video surveillance network and an access control system to comply with the Transportation Safety Act of 2002 and to secure the port. It also had built a new security facility, leaving within it space for a new command center.

Merkle’s goal was for the command center to support proactive security measures as compared to general policing and forensic analysis of events.

“I wanted to stop anything from happening,” Merkle said, “and there’s a different set of things you have to do to make that transition.”

He said even a simple deterrent, such as a fence, takes on a new role when prevention is the goal. Under a policing strategy, a physical patrol could find a section of cut or torn fence. But with 10 miles of fence at the Port, such patrols would take too long to find the opening, then figure out who came through it and why.

“You need to know immediately,” Merkle said,“and that pushes you into technology.”

Rules-Based Knowledge

Specifically, it pushed Merkle and the VPA toward situation management software to help them make sense of their data streams and to get more from the resources they had.

For instance, Merkle notes that the VPA’s access control system monitors well but doesn’t differentiate the severity of alarms it generates. He points out that a front door breach is more critical than an open closet door on the sixth floor -- unless the closet is suddenly opened in the middle of the night.

“You need a rules-based system to do those differentiations,” Merkle said. “Otherwise, every one of your sensors winds up being on the same level.”

Bringing more sense to the Port’s huge security data streams would be a formidable task. For example, the Port’s access control system, from Lenel Systems International Inc. of Rochester, N.Y., processes more than 5,000 transactions daily. In addition, the Port will implement the federally mandated Transportation Worker Identification Credential program this summer.

The Port also operates a network of 250 IP-based video cameras. But the existing video control room was geared toward forensic use, and the plan for an emergency involved being able to add manpower to view incoming feeds.

“But that only works if you know the threat is coming,” Merkle said. In finding software that would help identify threats hidden in his data streams, Merkle wanted “state of the market, not state of the art,” he said. Merkle also wanted a company large enough to have the expertise required to build a robust, flexible system, yet small enough that he personally would know the people working on his implementation. “Situation management is a long-term relationship,” he said.

The VPA selected Situator for its functionality and open architecture. Orsus has a growing library of interfaces to security systems and software, as well as computing and mobile devices. Merkle said the cost of Situator is covered by his $2.1 million budget to outfit his control room, which in turn is largely covered by a $3 million Department of Homeland Security grant.

Easy Technology, Hard Rules

Implementing the Situator software, including integrating the Lenel access control system and the video network, took about two days, said Lung Cheng, technology services division supervisor for Virginia International Terminals Inc., the port operating company owned by VPA.

Orsus provided a custom interface to the Lenel gateway. Integrating that system and the video went quickly because both systems are IP-based, Cheng said. Further, Situator required no additional bandwidth, running on the Port of Virginia’s wide area network, based on a synchronous optical network-based (Sonet) double ring fiber solution from Verizon and Cisco switches and routers.

“The whole implementation was painless,” Cheng said. “The most time-consuming part was entering the security policies and procedures.”

That task is handled by the end users, though, not IT.

“It’s a very easy-to-use interface,” Cheng said.

With Situator, users must clearly define what type of incoming data constitutes an incident requiring a response. Then users have to determine how they would respond in that situation.They then write these procedures into Situator, so if or when such an incident occurs, the system can prompt the user through the procedures they’ve already defined, such as sending a page,

Merkle’s goal was a command center that would support proactive security measures as compared to general policing and forensic analysis, making a phone call or dispatching officers.

“Situator requires a precise definition of what a trigger event is,” said Rafi Bhonker, vice president of sales and marketing at Orsus. “You can create these triggers and combine them with logic to create more sophisticated triggers.”

Playign By The Rules

To define rules for Situator, Merkle assembled an implementation team that included a dispatcher, whom he called the first information filter; the senior operations captain; the facilities security captain; an IT professional and two consultants, one a Coast Guard command center veteran and the other a police officer to work with the port police.

Merkle said some rules decisions are very clear while others require thought and debate about what an appropriate security response would be. Does a door propped open always indicate criminal activity and merit an intense response? Or did an employee leave the door open because he needs two hands to bring in a heavy box?

“We’ve found nuances,” Merkle said. For example, one shredder room had an access control device on the door and was creating alerts because employees could enter, shred their papers and exit in under a minute.Yet disabling the alarm would be a problem.

“You have to think through every possible scenario because you don’t want to miss one,” he said. “But you don’t want to create a burden of alarms so you miss what’s important. You also don’t want to build a system so complicated that you do keystrokes for what people can do in their heads. When you need to follow a certain set of steps, that’s when you use the system.”

Situator also enables VPA to meet its regulatory requirements with greater ease. Merkle said VPA is bound by local, state and federal regulations, so it must make sure its responses are consistent. He said if maritime security (MARSEC) levels increase, say, from MARSEC 1 to MARSEC 2,VPA has to meet certain action and reporting obligations. Further, if an incident does occur, reports must be filed.

“It’s very hard to go back and reconstruct what you did and when you did it because so much is happening in the first 60 minutes,” Merkle said. Situator provides the necessary audit trail.

Merkle said the software’s user interface is intuitive, a big benefit to dispatchers who are used to working with a simple radio and phone dispatch system.

“You’re trying to minimize the amount of training time on software designed to improve productivity,” he said. The software provides a graphic view of the security components, down to individual elements, such as a door. Functions, such as opening the door remotely, are generally accomplished with a mouse-click. Operators usually need to see a procedure just once to learn it.

“That’s a powerful asset,” he added.

Future Views

Situator now overlays the Port of Virginia’s access control and video networks, and fire safety system integration is under way. Merkle would like to bring in the HVAC systems functions as well.

His immediate goal is to bring smarter video analytics into Situator.VPA’s existing analytics had been causing too many false alarms. Merkle said accurate alarms will be a challenge for any analytics package, given that the ports are open 24/7, with a great deal of movement.

“Change is a constant here,” he said. In addition, Merkle foresees a day when Situator could send alerts to other port personnel, such as notifying maintenance workers that pressure is rising in a piece of equipment. Situator also could tie into other security systems in use at the Port, such as RFID-based container and logistics security systems. But such data would have to be vetted for meaningfulness. Merkle likens the various security systems in use by various entities to skyboxes in a large sports arena.

“A door open in our skybox might not be important to the rest of the arena,” he said. “Still, there are endless possibilities of what you can build under a common framework.”

But fully exploiting Situator’s abilities requires a mindshift.

“We security directors have been hesitant to give up control,” said Merkle, who said his team worked as partners with IT staff on Situator. Giving control to IT personnel or sharing cameras and data with local law enforcement agencies and possibly even VPA customers enables connections among all types of systems.

Those connections will help his department’s role evolve, Merkle said.

“We’re becoming much more operationally intertwined,” he said, explaining that security personnel are the first greeters at the Port as well as the last faces seen.“We have a role in port operations, in promotion, in marketing.”

Yet despite the power of the technology to make those connections and help the VPA prevent security problems, Merkle emphasizes that effective security still comes down to the brains behind it.

“Situator’s a great piece of software,” he said, “but we still have to write all the rules that go into it.”