TWIC Affects Ports
Security act regulates who has access to maritime industries
- By Kim Rahfaldt
- Sep 01, 2011
The Maritime Transportation Security Act of 2002 required the Department
of Homeland Security to secure America’s ports by implementing
regulations that prevent most individuals from having unescorted
access to secure facilities and vessels. The law mandates that
all individuals who qualify for unescorted access receive a biometric
credential to show proof of identification. Born from this directive was the Transportation
Workers Identity Credential (TWIC), issued to individuals who meet the
TWIC holders present their cards to a port’s security staff member, who performs
a visual inspection to ensure the person is the same one pictured on the card.
If a person passes this step, he is allowed unescorted access into a port’s secure areas.
TWIC is administered by the Transportation Security Administration (TSA)
and the U.S. Coast Guard.
TWIC Pilot Program
The SAFE Port Act of 2006 created a TWIC pilot program to test the business
processes, technology implemented and operational impact entailed in the deployment
of TWIC readers. The ports and operators selected to participate in the program,
which began in August 2008, received security grants to fund reader planning,
installation, infrastructure and administration.
The program was implemented in a three-phase approach. First, initial technical
testing determined whether selected biometric readers met TWIC specifications.
Second, an early operational assessment evaluated readers at test sites. Pilot
participants chose, installed and implemented readers as part of normal business
practices. Finally, tests and evaluations were performed to determine the operational
and technical effect of deploying TWIC readers.
Some of the program’s early challenges included the difficulty of integrating
TWIC readers with physical access control systems (PACS), shorter contactless
card read ranges than expected, inconsistent LCD messages among different readers,
integrating facility operator requirements with PACS, slow-running PACS and
failed cards. The Coast Guard has said that the final ruling on the success of the
TWIC Pilot Program will come in late 2012.
One of the pilot participants chose AMAG Technology’s Symmetry Security
Management System. L-1 Identity Solutions’ 4G PIV-TWIC extreme biometric
readers housed in an enclosure are installed at the port’s main entrance. Truck
drivers present their cards to the reader, which verifies and allows access if all other
business purposes are met.
If a driver’s card does not meet all the requirements, he is denied access. The port found that Symmetry met its operational needs flexibly in the pilot and would be a
good partner to provide a future solution when the final rule is established.
How TWIC Has Affected Ports
TWIC has significantly affected all ports regardless of whether they were selected
to participate in the pilot program. Whether it’s following government mandates
to meet anticipated TWIC requirements, working closely with labor, choosing security
products to best meet those needs or finding the funding to comply, ports
and their operators have had their hands full in the past several years trying to get
the most bang for their buck while providing the tightest security.
Port security departments are figuring out how to move forward to implement
TWIC in the most efficient, secure and cost-effective way. Some ports think they
can accomplish this by waiting for the final rule on the program before investing
time and money in a security infrastructure.
Others are taking action now, applying for grant money to start purchasing
security products so that when the final rule is made, they will already have
preparations underway. Port operators following this line of thinking reason
that taking action now will put them ahead of the game, rather than waiting
until the last minute to scramble for grant money when the final rule comes out,
if any is available.
They can start researching products and considering which security solutions
best meet their needs.
“Ports can use grant money for many things, including upgrading camera systems,
purchasing biometric handheld readers and PIVCheck Plus software so they
can authenticate and register TWIC cards into their access control system,” said
Geri Castaldo, CEO of Codebench. “In some cases, they are purchasing brand-new
access control systems.”
To meet TWIC requirements, ports must choose security products from the
TSA Initial Capability Evaluation (ICE) list to install. Manufacturers have developed
products specifically to meet this demand, so ports have several choices.
Ports have always needed tight security to prevent unauthorized access and security.
When ports add the TWIC component to their security programs, they are restricted
to choosing fixed or handheld readers from the TSA ICE list. While these
products are all approved to work with the TWIC, the products sometimes do not
integrate with existing security systems. As a result, some ports have to remove
perfectly functional security management systems and purchase new systems that
integrate with selected readers.
While some costs may be offset by grant money, replacing existing security
infrastructure is still expensive and time-consuming. Ports must research which
access control, video surveillance and intrusion detection systems integrate with
which readers. Installation and training on the final system also take time.
In the absence of a final rule from TSA and the Coast Guard, ports are left to
determine for themselves how they should budget for security upgrades. Grant
funding is beginning to dry up and was significantly slashed in the latest federal
budget. From understanding what the government will enforce to selecting the
right products, ports have come to rely on their systems integration partners more
than ever to help them navigate through this process.
In the early days, when ports began to install systems to comply with MTSA
requirements, they were looking to purchase specialized systems that relied on a
single vendor and integrator. Unfortunately, those businesses may not be around
these many years later to service the system. In 2004 and 2005, ports began to adopt
a more integrated approach once they realized systems were more complex and required
more integration, long-term operations and specialized upkeep to maintain.
They also recognized that technology changes rapidly and that they would need
a partner to help them keep abreast of technology that will affect their facility.
“Our maritime customers are more aware of the technology available and how
critical a strong partnership with their systems integrator is,” said G4S Technology’s
vice president of business development, Misty Stine. “They are relying on
their systems integrators to help them find a TWIC-compliant security solution.”
Systems integrators, in turn, need to find security management systems that
work cooperatively to meet a port’s security objectives. These security management
manufacturers must deliver flexible products that can meet the different operational
requirements on sites. They look for companies that have forward and
backward compatibility, professional services departments and relationships with
TSA ICE list partners.
With all the products and integration options available on the market, port security
managers must choose the best solutions to meet their complex needs.
In addition to implementing TWICs and smart card readers, installing integrated
video is important to a port’s security management system. Not only do ports
obtain information from the readers themselves via the FIPS 201-compliant access
control system, but they also have a video management system with cameras that
support the reader visually. Local cameras record transactions and tie them to the
access control database. The TWIC is designed to keep the wrong people out of
the port terminals, and video records every transaction. “I found that when ports
first started looking at security systems, they were only looking at systems that
support TWIC,” said LVS Consulting President TJ Hicks. “Once we started discussing
other components, they became much more motivated to implement alarm
management, video, intrusion, analytics, etc.”
Ports also need to capture forensic information. For example, if a truck driver
presents his card to the reader and there is a failure, an integrated system identifies
the person, and the video visually captures what went wrong. Maybe there was a
biometric failure or another reason why access was denied. Video will help security
staff manage discrepancies.
Introducing one security management system that can satisfy all requirements
became very attractive to port facility operations staff. They said they would rather
manage one system from one company than manage three or four separate security
systems -- separate access control, video and intrusion-detection systems -- and
the three or four contractors that accompany that type of setup.
“These facility security officers don’t have a technical security group working
for them,” Hicks said. “Putting all security systems on one platform makes managing
security much easier.”
In addition to truck drivers transporting containers in and out of terminals and
a large perimeter to secure, ports also have administration buildings to protect.
Seaports would benefit from installing an integrated access control and intrusion
detection product. Again, they would monitor one system rather than two, and the
administration building would be part of the same security management system
as the perimeter and other areas of the port, simplifying security management.
If port employees don’t require TWICs, local access cards can be encoded and
issued to employees. If the system is designed properly, these local cards can work
for access control and employee identification, but they can never substitute for
TWICs in the eyes of TSA and the Coast Guard.
Since the implementation of TWIC, the use of handheld readers has increased.
Rugged handheld readers offer flexibility and a secure, mobile option for access
control. They offer the same functions as a standard smart card reader. They can
validate that the cardholder is really the card owner, and they can check the TWIC
card number against the TWIC Canceled Card List (formerly known as the TWIC
Hot List) to ensure the card has not been revoked. Some handheld readers can
download information from the PACS database so that the operator can see other
information about the cardholder, such as a photo and access rights, when a
TWIC is read. This capability offers many advantages to ports:
Perimeter protection. Security guards can use handheld readers on the perimeter
where there is no fence. They can check TWICs as people enter to verify a
person’s identity and the card’s authenticity. This is useful for cruise ship terminals
where the interest of commerce typically prohibits the installation of tall fences;
such facilities are reconfigured when people are embarking or disembarking from
a ship as well as when there are no ships in the berth.
“Depending on what ship is docked, workers may come in at a certain time
through one door. Yet at another time of day that same door is used as an exit for
passengers,” said AMAG Technology Product Manager Adam Shane. “Ports need
to be very nimble in how they configure and reconfigure their facility. Sometimes
the best solution is handheld readers.”
Ports are often a few miles long. “Large terminals often don’t have a security infrastructure
that reaches the back gate located a mile away,” said Hicks. “Maybe 50
trucks go through the back gate, versus the 3,500 that use the front gate. Handheld
readers are perfect for that environment because they save money on infrastructure
Registration. Ports have found they can purchase more-advanced software,
such as Codebench’s OMNICheck Plus mobile software, to increase security. The
software will verify the person and synchronize the handheld reader’s database
with the port’s access control database. By pulling the information from the access
control system and loading it onto the handheld reader, the security guard will
know much more about that person.
“Security guards will be able to view a photo of the person on the handheld
reader and know whether or not that person is registered in the access control
system, and if they are in the access control system, are they allowed access right
now?” Castaldo said. “It’s not just a spot-check; it’s more than that.”
Spot-Checking. The Coast Guard is authorized to spot-check individuals, and
using handheld readers is a great way to make sure someone is who he says he is.
A person must be within 10 minutes of his TWIC at all times. If a guardsman
requests to see a card, it must be produced within 10 minutes before the person
questioned can move on. The card has to be validated visually to gain unescorted
access to a secure area.
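The checks a handheld reader performs, as described above (Canceled Card List lookup, cardholder verification, PACS registration and whether access is allowed right now), can be sketched as follows. This is an added illustration, not code from any reader vendor or from the article; the card identifiers, record fields and reason codes are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

# Constructed sample data: a Canceled Card List snapshot and PACS records
# as they might look once synchronized onto a handheld reader.
CANCELED_CARDS = {"TWIC-0003"}

@dataclass(frozen=True)
class PacsRecord:
    name: str
    photo_ref: str   # lets the guard compare a stored photo to the person
    start: time      # daily access window opens
    end: time        # daily access window closes (may be past midnight)

PACS = {
    "TWIC-0001": PacsRecord("Day driver", "photos/0001.jpg", time(6), time(18)),
    "TWIC-0002": PacsRecord("Night crew", "photos/0002.jpg", time(22), time(6)),
    "TWIC-0003": PacsRecord("Revoked holder", "photos/0003.jpg", time(0), time(23, 59)),
}

def in_window(start: time, end: time, t: time) -> bool:
    """True if t falls inside the window; handles shifts that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def check_card(card_id: str, biometric_match: bool,
               now: datetime) -> Tuple[bool, str, Optional[PacsRecord]]:
    """Return (granted, reason, record). The reason code is what an
    integrated system would store next to the video of the transaction."""
    record = PACS.get(card_id)
    # Revocation is checked first: a canceled card is denied even if it
    # is still registered locally and the biometric matches.
    if card_id in CANCELED_CARDS:
        return False, "CANCELED_CARD", record
    if not biometric_match:
        return False, "BIOMETRIC_MISMATCH", record
    if record is None:
        return False, "NOT_REGISTERED", None
    if not in_window(record.start, record.end, now.time()):
        return False, "OUTSIDE_ACCESS_WINDOW", record
    return True, "GRANTED", record

if __name__ == "__main__":
    for cid in ("TWIC-0001", "TWIC-0003", "TWIC-0009"):
        print(cid, check_card(cid, True, datetime(2011, 9, 1, 9, 0))[:2])
```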
The TWIC pilot program will demonstrate how the throughput of trucks and people
changes and affects commerce as workers must meet higher levels of authentication to
gain access. Ports will need the expertise of systems integrators and security consultants
to navigate through integration capabilities, the myriad products on TSA’s ICE
list and government requirements so they can invest in robust, FIPS 201-approved
security management systems to protect their operations, staff and assets.
“I encourage any manufacturer and systems integrator that wants to participate
in the TWIC market to sit down with a port facility security officer
and talk to them about their operations,” Hicks said. “Their
operations are different than what is seen in any other vertical
market, and manufacturers and systems integrators have to do
This article originally appeared in the September 2011 issue of Security Today.