
Containing Cargo Risk

A U.S. company that imported high-tech goods from China recently conducted a security audit on its cargo operation. It found a significant vulnerability in an unlikely place. The problem was that although all of the company’s goods were searched and secured before they left China, they were then stacked on a single pallet to be flown to Los Angeles. Once in the United States, the cargo had to be broken down by airport workers and reshipped via numerous airlines to its final destinations. During this reshipping process, various people, unknown to the company, had the opportunity to steal or tamper with cargo. They could even potentially use the company’s containers to transport a terrorist weapon within the United States.

To minimize risk, company representatives visited the Chinese cargo terminal where the company’s goods originated and negotiated to have its freight treated differently. Under the new arrangement employees from the manufacturing company delivered the goods to the cargo terminal and then, with direction from terminal workers, they divided the cargo into batches—grouped by common final destination once in the United States—and encased each batch in secure netting. This way, the facility receiving the goods would not need to open and repackage pallets and the facility staff could easily tell whether the cargo had been compromised by checking whether the netting had been disturbed.

This is but one example of how companies are working to better secure cargo against possible theft and attack or misuse by terrorists. The challenge they face is considerable because of the number of players involved in the supply chain, the global logistics, and the sheer volume of cargo involved. American businesses imported 23.5 million loaded cargo containers in 2004—90 percent via seaport.

The risk of damage from a terrorist being able to smuggle a weapon of mass destruction (WMD) into a container extends far beyond the harm that could be wreaked on the ports of entry themselves. “Every major U.S. container port contains other critical infrastructure such as energy refineries, chemical facilities, and power plants. And all of them are close to large urban population centers,” Council on Foreign Relations analyst Stephen E. Flynn explained at a recent congressional hearing.

The government is addressing the threat through various strategies that cover all modes of transport and all players in the supply chain (see sidebar). It is in the private sector, however, that success or failure will really be determined.

Steps to Success

There are several key steps that companies must take to ensure strong cargo security. They include: assign responsibility, integrate the program, audit for compliance, background screen, build relationships, and use technology well.

Assign responsibility. A key first step toward ensuring cargo security is to make sure that the company designates a high-level person who will have ownership of the issue internally. Charles Forsaith, the director of corporate security for Purdue Pharma in Stamford, Connecticut, says that his company began its program by creating a dedicated cargo security position within corporate security and making it a director-level position.

Integrate. The next step is to ensure that the security program is fully integrated into the company’s business planning. For example, the business development group within Purdue Pharma, which manufactures and ships controlled narcotics such as OxyContin, consults with security before entering into business deals with customers or vendors.

This is a recent change at the company. “It wasn’t always this way,” says Forsaith. “What would happen is that corporate security would be told there is a problem after it occurred. Now, security is involved from the beginning so such problems can be eliminated before they occur.”

Audit. A prime factor in making security’s involvement in the process meaningful is good data—the security team must have a way of assessing whether customers and vendors can be relied on to maintain the security of the supply chain. The way to do that is through the security audit.

Forsaith conducts audits of all of Purdue Pharma’s customers and contractors. The company’s right to conduct an audit is part of the contract from the beginning. “We conduct regularly scheduled and unscheduled audits of the way that they do business with us to ensure that they maintain their contractual obligations,” he says.

Screen. Background screening of employees is another critical component of a cargo security program. In fact, it’s required of those participating in the government’s Customs-Trade Partnership Against Terrorism (C-TPAT) program and will soon be required of their vendors.

These checks have taken on even greater significance now because the increased volume of cargo being shipped has coincided with a decrease in wages for transportation workers, which drives away higher-quality candidates.

“I can’t emphasize how big a problem it is,” says John Tabor, director of corporate security for National Retail Systems, Inc., in Secaucus, New Jersey. “If a trucker is doing well, he is making 70 cents on the dollar. Once fuel prices are deducted, most truckers are making no money at all.”

The result is a labor shortage, says Tabor. Tabor’s company, which provides transportation services for retailers such as Best Buy and Kmart, is responsible for protecting the more than 8,000 trailers in which company goods are shipped from 30 cargo terminals around the country. Tabor says his company has addressed the risk by ramping up its preemployment screening.

In the past, only one check was done per finalist; now the company does two. The preliminary check is done by an outside service provider. It covers the applicant’s job history for the previous seven years and includes a federal criminal background check. Then to make sure that nothing was missed, Tabor and his staff conduct a second screening. This second check focuses on the applicant’s previous places of residence. A criminal background check for each county and state the applicant lived in is part of this second screening.

While this double-checking raises the cost of background screening from $30 to $60 per prospective employee, it has paid off more than once, says Tabor. For example, it uncovered arrest records on applicants from other localities.

Tabor does not restrict this second check to a specific number of years or places. By conducting the second check in-house, Tabor can follow the records until he is satisfied.

Build relationships. Another element of a cargo security program is relationship-building with government and industry groups to leverage resources and share intelligence. One goal of Tabor’s cargo security program was enhanced communication with law enforcement agencies around the country. Tabor first developed a master list of federal, state, and local officials who could provide information and expertise.

Armed with this list, Tabor began attending conferences and scheduling one-on-one meetings. According to Tabor, the plan has paid off in both current threat information and trend analysis for specific terminals.

Professional associations are, of course, also a source of useful networking and information sharing. For example, companies participating in the government’s C-TPAT program must obtain assurances that overseas factories have at least the required minimum security procedures in place. Many of these companies are working with the same overseas factories. It makes no sense for those factories to be required to complete assessments for each U.S. importer.

To help address this problem, the International Cargo Security Council (ICSC) developed an audit program that the factory can conduct that includes information required for most government programs. “The factory can conduct the assessment, and then use the same one for all of their clients,” says Barry Wilkins, managing director of Pinkerton Consulting and Investigations in Raleigh, North Carolina. This expedites the process for everyone.

Technology

Companies are using new technology both alone and combined with existing resources to enhance the security of the supply chain. (For some of the problems of overreliance on technology, however, see “The Dr. Who Conundrum,” page 112). Communications technology, seals, GPS, RFID, and smart boxes are just some of the security tools being used.

Communications. Enhancing communications equipment has been a primary concern for some organizations. For example, Purdue Pharma just built its own state-of-the-art center for tracking cargo via the global tracking system adapted from the Global Positioning System (GPS). The center, which is set up like a law-enforcement control center, is responsible for security at the facility where it is located as well as for tracking cargo within the United States.

“A lot of companies contract with an outside firm to track cargo,” says Forsaith. “We would much rather do it ourselves.”

RFID. Hailed by some as the ultimate solution to cargo security issues, RFID is not without problems. For example, tags from one manufacturer that have been placed inside cargo containers may not work with readers along the supply chain if they are from another manufacturer.

Another problem arises because the containers are stacked during transit. It is not possible for the radio frequency signal from the reader to penetrate numerous containers to read the tags and verify that a company’s specific container is there. Even if the RFID system could read each cargo container perfectly, experts note, the technology would only verify that the container was there, not whether the cargo had been tampered with.

Proponents of the technology believe that RFID technology, in conjunction with some alarm devices that could be placed within cargo containers, would help ensure the integrity of that container through the supply chain. The government is currently testing this technology combination, says Wilkins.

Devices using RFID consist of an electromagnetic chip that can be placed on cargo containers or on particular items, and a reader that can communicate with that chip using specific radio frequencies. The reader stores an itinerary of where that chip is located, and thus, where the cargo has been.

The readers can only scan chips from a relatively short distance—usually less than 90 feet—so they cannot be used for continuous tracking in the way that GPS can. (More on GPS technology later.) By putting RFID chips on containers and then providing readers (either fixed or hand-held) to port officials, a company can verify each stop the cargo makes and determine whether it is on track.

While RFID is not particularly useful for protecting cargo containers in its current form, the dual-use aspect of RFID—for security and inventory control—makes it potentially the most cost-effective approach to security and, therefore, an attractive security option if the kinks can be worked out.

Already some applications are successfully deployed. For example, Purdue Pharma uses the RFID chips on select, high-profile products and in conjunction with Wal-Mart and H.D. Smith—a wholesale distributor of narcotics. Purdue Pharma is able to use the information to ensure that the product is delivered to its final destination.

The company uses RFID to help reduce losses and counterfeiting. Losses are less likely because the company knows where the product is at each point along the way and counterfeiting is less likely because if the box gets to the other end and has the RFID chip intact, the retailer can be more confident of the product’s true origination point and integrity.

The buyers also benefit from the technology. That’s because the dual role of RFID as an inventory tool allows materials management at Wal-Mart and H.D. Smith to manage their incoming stock better. They can use the RFID to know what products are where, including what items have been sent out to stores or what items are coming in.

Purdue Pharma has also purchased 100 hand-held RFID readers to be donated to law enforcement and cargo security task forces around the country. The readers will allow these groups to immediately identify a Purdue Pharma product that was allegedly stolen or counterfeited. With the readers, law enforcement can get the information from the chip to determine where the product came from and to verify whether it is authentic.

GPS. Global Positioning System (GPS) technology is being adapted for cargo security. Global positioning technology uses 27 satellites to pinpoint a GPS reader anywhere on the globe. The technology, which has been around since the 1970s and became available commercially in the mid-1990s, has become more affordable and more accurate—it can locate an item within the space of one centimeter.

According to a March 2004 market study by Research and Markets, a Dublin, Ireland, consulting firm, sales of GPS technology have grown steadily since 2000 and have seen almost a $1 billion increase from $3.9 billion in 2002 to $4.7 billion in 2003. Analysts predict that the market will hit $10 billion before 2010.

Tabor has recently installed GPS equipment on the company’s tractors and trailers. “Now, when an incident occurs, be it another terrorist attack or even a cargo loss, we have a much better chance of being able to communicate with that trailer and find it,” says Tabor.

The company is also currently testing a new way of deploying GPS units with cargo. Right now, the standard practice is to put the antenna on the trailer or truck—that is what sends the signal back to the monitoring center. But cargo thieves know about GPS technology so they steal a tractor and trailer, pull over to a rest stop, and crack the antenna off the GPS unit so it cannot connect with the satellite tracking the truck.

Tabor is now in the process of testing in-load GPS systems with three different vendors. The company plans to keep the visible GPS units on the trucks and place several units inside the cargo. “The units will be hidden in different locations inside the cargo, so thieves will not know where to go to disable the GPS,” he says.

Some companies also use contracts to mandate GPS use. For example, Purdue Pharma includes a contract clause that requires each of its carriers—all of whom have been thoroughly vetted—to use GPS tracking as well. “This helps keep security consistent across the supply chain,” says Forsaith. “So there are two layers of GPS security in the transportation of these products.”

Smart boxes. The next innovation in cargo security technology is the smart container, or smart box. Companies can create these smart boxes by combining RFID technology with other security products, such as cargo seals. The boxes use RFID in connection with e-seals, which in turn use multiple technologies. An e-seal can use RFID, infrared, or cellular tags, for example.

E-seals take a variety of forms; however, they all have two components: an electronic tag and a reader.

They are armed—turned on—when placed on a cargo container. When the electronic tag is scanned by the reader, the tag will respond by producing either an “all clear” or “error” message to let the user know whether that seal has been tampered with.

In a smart container, an e-seal would be combined with an intrusion detection device inside the container; the intrusion detection would use a light sensor, an infrared sensor, and an acoustic sensor. If any of these devices sense activity, an alarm will be set off and transmitted to a reader at a port authority, for example, or to a central monitoring station.

Under C-TPAT and the DHS’s Advanced Container Security Device program, companies that ship cargo in smart boxes will be eligible for “green lane” status, receiving even fewer checks than other C-TPAT members who do not have smart boxes.

No one has been granted green lane status yet, however, because the government has not defined the standard a container must meet to qualify as a smart box. U.S. Customs officials are currently working with international bodies to develop an open architecture and best practices for the container initiative.

Case study. In addressing cargo security concerns, few companies have been as involved as Target. A charter member of C-TPAT, the company has a constantly evolving program that can serve as an illustration of ongoing cargo security.

Target began by color-coding the world—red, yellow, and green—according to risk, explains Mike Laden, the former corporate security director of Target who helped design the program. Then, corporate security devoted its assets to improving security in the red zones, explains Laden, who now heads his own consulting firm, Trade Innovations.

That type of focused approach helps companies use their limited security resources wisely, he says. “Though we are taught to be suspicious of everyone, there are some countries in the world that have a very low risk of terrorism,” says Laden. “Assets are better used in finding solutions for high-risk situations.”

Another important aspect of the program was its dual-use approach. From the beginning, the company combined security enhancement with other factors key to overall business profitability, says Laden. This dual-use approach improved the company’s bottom line while increasing security. It ensured that security initiatives would get support from senior management.

For example, Laden and his team established a training program and conducted intensive sessions with Target’s manufacturing partners and other vendors around the world. While one purpose of the training program was to increase cargo security, the training also addressed Customs compliance.

“If you don’t do things right from a Customs perspective, chances are good that your product isn’t going to be where it needs to be when that consumer comes looking for it,” says Laden.

Even minor errors in documentation are enough to stop a shipment, which can hurt a company’s reputation with customers and cost it money. Thus, the training had important bottom-line implications as well as a security focus.

Target’s security team would also routinely hold “blue-sky” meetings. These meetings were designed to foster creative thinking. At one of these meetings, an employee asked: “What kind of assets do we already have at our disposal that can be used for security?”

It became immediately apparent that the company had a whole team of quality-assurance investigators overseas who were constantly looking at all of Target’s 15,000 suppliers, checking minute details of quality. These investigators had never considered security issues before, but management recognized that if they were trained in what to look for, they had the potential to greatly improve security’s reach and effectiveness wherever Target’s goods were being handled.

Security developed a basic questionnaire that these employees could use and then made it a requirement that any Target employee visiting an overseas vendor must complete this security evaluation, filling in information on whether security guards were present, what sort of access controls were used, and whether the employee felt safe in the facility.

While not all businesses have Target’s level of resources, that doesn’t mean they can’t take a similar approach. “Target is a huge company and can afford to do this, but it is all relative,” Laden says. “If you are a small company and have 100 shipments a year, you still have agents and freight forwarders who can engage factory owners on a smaller scale.”

Security at Target also conducted a vulnerability assessment of its supply chain to assess where a possible terrorist attack or misuse of cargo shipments might occur. Laden expected the vulnerability to be in the overseas factories where security might be spotty. However, the factories turned out to be of little concern.

Most of the factories Target works with have been in business for decades. They are also shipping not only to Target, but to other major retailers. There was little concern that terrorist activity was brewing when Target employees were witnessing factory workers making products.

Laden found that the real concern was in the trip from the factory to the overseas terminal. Target security found that it had no idea who was transporting that cargo from the factory to the port—the leg of the journey called drayage or local cartage.

“We found that if the products left the factory for a journey of 50 miles and were missing for three days, no flags were raised. No one was tracking this,” explains Laden. “That’s where we focused our efforts.”

As it began looking for a solution, the company worried that it faced an expensive security fix. As it turned out, Target found a way to protect the cargo during the drayage and save money.

Target had been purchasing the manufactured goods only after they arrived at the port, leaving the factory to hire draymen. Target changed the process (through contractual agreements) so that it would purchase the goods at the factory, making it possible for Target to then control the drayage.

Next, using its consolidators in the country, Target hired a vetted company to manage that drayage process and leveraged its buying power to get a good price. “If we found a good, reputable drayman, we made a deal for exclusive rights to Target’s drayage needs,” says Laden. “This brought down the price.”

In return for the exclusive deal, Target required that the drayage company install GPS equipment and track all loads. The result was that the company simultaneously increased security, saved money, and found a way to measure efficiency as well.

When asked how Laden convinced senior managers at Target to go along with some of the more creative solutions, he said that bringing executives around to his way of thinking was the easy part. “All I had to do was point out to them that we were sitting inside a building with a giant, red bulls-eye on it,” he said. “It was easy for them to realize that, when it comes to cargo security, we did not want to be the target.”

Teresa Anderson is a senior editor at Security Management.
