TWIC Affects Ports

Security act regulates who has access to maritime industries

The Maritime Transportation Security Act of 2002 required the Department of Homeland Security to secure America’s ports by implementing regulations that prevents most individuals from having unescorted access to secure facilities and vessels. The law mandates that all individuals who qualify for unescorted access receive a biometric credential to show proof of identification. Born from this directive was the Transportation Workers Identity Credential (TWIC), issued to individuals who meet the eligibility requirements.

TWIC holders present their cards to a port’s security staff member, who performs a visual inspection to ensure the person is the same one pictured on the card. If a person passes this step, he is allowed unescorted access into a port’s secure areas. TWIC is administered by the Transportation Security Administration (TSA) and the U.S. Coast Guard.

TWIC Pilot Program
The SAFE Port Act of 2006 created a TWIC pilot program to test the business processes, technology implemented and operational impact entailed in the deployment of TWIC readers. The ports and operators selected to participate in the program, which began in August 2008, received security grants to fund reader planning, installation, infrastructure and administration.

The program was implemented in a three-phase approach. First, initial technical testing determined whether selected biometric readers met TWIC specifications. Second, an early operational assessment evaluated readers at test sites. Pilot participants chose, installed and implemented readers as part of normal business practices. Finally, tests and evaluations were performed to determine the operational and technical effect of deploying TWIC readers.

Some of the program’s early challenges included the difficulty of integrating TWIC readers with physical access control systems (PACS), shorter contactless card read ranges than expected, inconsistent LCD messages among different readers, integrating facility operator requirements with PACS, slow-running PACS and failed cards. The Coast Guard has said that the final ruling on the success of the TWIC Pilot Program will come in late 2012.

One of the pilot participants chose AMAG Technology’s Symmetry Security Management System. L-1 Identity Solutions’ 4G PIV-TWIC extreme biometric readers housed in an enclosure are installed at the port’s main entrance. Truck drivers present their cards to the reader, which verifies and allows access if all other business purposes are met.

If a driver’s card does not meet all the requirements, he is denied access. The port found that Symmetry met its operational needs flexibly in the pilot and would be a good partner to provide a future solution when the final rule is established.

How TWIC Has Affected Ports
TWIC has significantly affected all ports regardless of whether they were selected to participate in the pilot program. Whether it’s following government mandates to meet anticipated TWIC requirements, working closely with labor, choosing security products to best meet those needs or finding the funding to comply, ports and their operators have had their hands full in the past several years trying to get the most bang for their buck while providing the tightest security.

Port security departments are figuring out how to move forward to implement TWIC in the most efficient, secure and cost-effective way. Some ports think they can accomplish this by waiting for the final rule on the program before investing time and money in a security infrastructure.

Others are taking action now, applying for grant money to start purchasing security products now so that when the final rule is made, they will already have preparations underway. Ports operators following this line of thinking reason that taking action now will put them ahead of the game, rather than waiting until the last minute to scramble for grant money when the final rule comes out, if any is available.

They can start researching products and considering which security solutions best meet their needs.

“Ports can use grant money for many things, including upgrading camera systems, purchasing biometric handheld readers and PIVCheck Plus software so they can authenticate and register TWIC cards into their access control system,” said Geri Castaldo, CEO of Codebench. “In some cases, they are purchasing brandnew access control systems.”

To meet TWIC requirements, ports must choose security products from the TSA Initial Capability Evaluation (ICE) list to install. Manufacturers have developed products specifically to meet this demand, so ports have several choices.

TWIC Challenges
Ports have always needed tight security to prevent unauthorized access and security. When ports add the TWIC component to their security programs, they are restricted to choosing fixed or handheld readers from the TSA ICE list. While these products are all approved to work with the TWIC, the products sometimes do not integrate with existing security systems. As a result, some ports have to remove perfectly functional security management systems and purchase new systems that integrate with selected readers.

While some costs may be offset by grant money, replacing existing security infrastructure is still expensive and time-consuming. Ports must research which access control, video surveillance and intrusion detection systems integrate with which readers. Installation and training on the final system also takes time. In the absence of a final rule from TSA and the Coast Guard, ports are left to determine for themselves how they should budget for security upgrades. Grant funding is beginning to dry up and was significantly slashed in the latest federal budget. From understanding what the government will enforce to selecting the right products, ports have come to rely on their systems integration partners more than ever to help them navigate through this process.

In the early days, when ports began to install systems to comply with MTSA requirements, they were looking to purchase specialized systems that relied on a single vendor and integrator. Unfortunately, those businesses may not be around these many years later to service the system. In 2004 and 2005, ports began to adopt a more integrated approach once they realized systems were more complex and required more integration, long-term operations and specialized upkeep to maintain.

They also recognized that technology changes rapidly and that they would need a partner to help them keep abreast of technology that will affect their facility.

“Our maritime customers are more aware of the technology available and how critical a strong partnership with their systems integrator is,” said G4S Technology’s vice president of business development, Misty Stine. “They are relying on their systems integrators to help them find a TWIC-compliant security solution.” Systems integrators, in turn, need to find security management systems that work cooperatively to meet a port’s security objectives. These security management manufacturers must deliver flexible products that can meet the different operational requirements on sites. They look for companies that have forward and backward compatibility, professional services departments and relationships with TSA ICE list partners.

Beneficial Products
With all the products and integration options available on the market, port security managers must choose the best solutions to meet their complex needs.

In addition to implementing TWICs and smart card readers, installing integrated video is important to a port’s security management system. Not only do ports obtain information from the readers themselves via the FIPS 201-compliant access control system, but they also have a video management system with cameras that support the reader visually. Local cameras record transactions and tie them to the access control database. The TWIC is designed to keep the wrong people out of the port terminals, and video records every transaction. “I found that when ports first started looking at security systems, they were only looking at systems that support TWIC,” said LVS Consulting President TJ Hicks. “Once we started discussing other components, they became much more motivated to implement alarm management, video, intrusion, analytics, etc.”

Ports also need to capture forensic information. For example, if a truck driver presents his card to the reader and there is a failure, an integrated system identifies the person, and the video visually captures what went wrong. Maybe there was a biometric failure or another reason why access was denied. Video will help security staff manage discrepancies.

Introducing one security management system that can satisfy all requirements became very attractive to port facility operations staff. They said they would rather manage one system from one company than manage three or four separate security systems -- separate access control, video and intrusion-detection systems -- and the three or four contractors that accompany that type of setup.

“These facility security officers don’t have a technical security group working for them,” Hicks said. “Putting all security systems on one platform makes managing security much easier.”

In addition to truck drivers transporting containers in and out of terminals and a large perimeter to secure, ports also have administration buildings to protect. Seaports would benefit from installing an integrated access control and intrusion detection product. Again, they would monitor one system rather than two, and the administration building would be part of the same security management system as the perimeter and other areas of the port, simplifying security management. If port employees don’t require TWICs, local access cards can be encoded and issued to employees. If the system is designed properly, these local cards can work for access control and employee identification, but they can never substitute for TWICs in the eyes of TSA and the Coast Guard.

Since the implementation of TWIC, the use of handheld readers has increased. Rugged handheld readers offer flexibility and a secure, mobile option for access control. They offer the same functions as a standard smart card reader. They can validate that the cardholder is really the card owner, and they can check the TWIC card number against the TWIC Canceled Card List (formerly known as the TWIC Hot List) to ensure the card has not been revoked. Some handheld readers can download information from the PACS database so that the operator can see other information about the cardholder, such as a photo and access rights, when a TWIC is read. This capability offers many advantages to ports:

Perimeter protection. Security guards can use handheld readers on the perimeter where there is no fence. They can check TWICs as people enter to verify a person’s identity and the card’s authenticity. This is useful for cruise ship terminals where the interest of commerce typically prohibits the installation of tall fences; such facilities are reconfigured when people are embarking or disembarking from a ship as well as when there are no ships in the berth.

“Depending on what ship is docked, workers may come in at a certain time through one door. Yet at another time of day that same door is used as an exit for passengers,” said AMAG Technology Product Manager Adam Shane. “Ports need to be very nimble in how they configure and reconfigure their facility. Sometimes the best solution is handheld readers.”

Ports are often a few miles long. “Large terminals often don’t have a security infrastructure that reaches the back gate located a mile away,” said Hicks. “Maybe 50 trucks go through the back gate, versus the 3,500 that use the front gate. Handheld readers are perfect for that environment because they save money on infrastructure and wiring.”

Registration. Ports have found they can purchase more-advanced software, such as Codebench’s OMNICheck Plus mobile software, to increase security. The software will verify the person and synchronize the handheld reader’s database with the port’s access control database. By pulling the information from the access control system and loading it onto the handheld reader, the security guard will know much more about that person.

“Security guards will be able to view a photo of the person on the handheld reader and know whether or not that person is registered in the access control system, and if they are in the access control system, are they allowed access right now?” Castaldo said. “It’s not just a spot-check; it’s more than that.”

Spot-Checking. The Coast Guard is authorized to spot-check individuals, and using handheld readers is a great way to make sure someone is who he says he is. A person must be within 10 minutes of his TWIC at all times. If a guardsman requests to see a card, it must be produced within 10 minutes before the person questioned can move on. The card has to be validated visually to gain unescorted access to a secure area.

Expertise Required
The TWIC pilot program will demonstrate how the throughput of trucks and people change and affect commerce as workers must meet higher levels of authentication to gain access. Ports will need the expertise of systems integrators and security consultants to navigate through integration capabilities, the myriad products on TSA’s ICE list and government requirements so they can invest in robust, FIPS 201-approved security management systems to protect their operations, staff and assets.

“I encourage any manufacturer and systems integrator that wants to participate in the TWIC market to sit down with a port facility security officer and talk to them about their operations,” Hicks said. “Their operations are different than what is seen in any other vertical market, and manufacturers and systems integrators have to do their homework.”

This article originally appeared in the September 2011 issue of Security Today.


  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • Global IT Outage Cause by Faulty Update from Cybersecurity Provider CrowdStrike

    Systems are starting to come back online after a global IT outage on Friday disrupted everything from airline operations to banks and 911 call centers. Read Now

  • Securing the Flow of Operations

    The transportation industry is a complex and dynamic environment where efficient management of physical keys, vehicles and shared devices is critical to ensuring smooth operations, reducing costs and maintaining security. Every day, more transportation facilities are using modern electronic key and asset management systems to better secure, audit and manage the important assets that keep operations running smoothly. Read Now

  • The Recipe for Stadium Security

    The threat landscape of stadium security is fluid. Today’s venues and stadiums have operational security 24/7, hosting sporting events, community events, concerts, conventions and more – each with a unique visitor base and each with unique security risks. Read Now

Featured Cybersecurity


New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3