A Practitioner's Guide to Effective Maritime and Port Security

MICHAEL EDGERTON is a security and risk manager based in the Middle East with more than twenty-five years of experience in maritime security, security risk management, critical infrastructure protection, and crisis management. He has advised national governments, agencies, and corporations on security matters and has performed strategic-level, risk-based assessments of critical infrastructure, including system resiliency, business continuity, and recoverability. Prior to entering the private sector, Mr. Edgerton served in the United States Coast Guard and United States Navy as a commissioned officer specializing in security and intelligence.

Introduction xiii

Foreword xvii

Part OneThe International Maritime Operating Environment

Chapter 1 Unique Characteristics of Ports and International Shipping 3

Introduction 3

The Multinational Nature of Shipping and Business Driversin Port Operations 6

Flag States 7

Vessel Registries 7

Types of Vessel Registries 8

Implications for Security 10

Third Country Owners 11

Implications for Security 11

Multinational Crews 13

Implications for Security 14

Port States 14

Regulatory Requirements 16

International Treaties and Codes 16

Oversight Mechanisms 18

Ship-Port Relationships 19

The Supply Chain 20

Just-in-Time Delivery 20

The Components of a Maritime Supply Chain 21

Regulatory Issues 22

Intermodal Links 24

Chapter 2 The Criticality of Ports: Why and How They Matter 27

Introduction 27

Geopolitical Considerations 27

Trade Routes 27

Trade Chokepoints 28

Sea Lines of Communication 30

Ports 33

Ports as Targets 34

Ports as Conduits 36

Cargo Theft 38

Smuggling 40

Ports as Borders 41

Intermodal Connections 42

Part TwoThreats to Ports and the Maritime Domain

Chapter 3 Threats 47

Introduction 47

Threats by States 49

State Actors 49

Conventional Military Attacks Against Ports 49

Conventional Attacks Against Supply Chains 51

Asymmetric Attacks 52

State Proxies 56

Proxy Tactics 57

Nonstate Actors 58

Terrorism 61

Criminal Activity 62

Piracy 67

Terrorism, State Actors, and Criminal Nexus 68

Part ThreeCurrent Approaches to Maritime and Port Security

Chapter 4 Approaches to Security Policy Development 73

Introduction 73

Political Considerations 73

Commercial Interests 74

Costs of Implementation 74

Increased Government Oversight 74

Potential Delays 75

Domestic Political Constituencies 76

Container Screening 77

Port Security Grants 79

Measuring the Effectiveness of Security Measures 81

Deterrence 81

Punishment 81

Denial 82

Consequence Management 84

Measurement of Activity vs. Effectiveness 87

Measurement of Activity 87

Resources Expended 87

Measurement of Criminal Activity 88

How to Measure Effectiveness 91

Why Don’t We Do This Already? 92

The Maritime Context of Assessing Deterrence 93

Lack of a Risk Approach 94

What is Risk? 95

Dynamic Risk 96

Pure Risk 96

Fundamental Risk 97

Particular Risk 97

Components of Security Risk 97

Threat 97

Vulnerability 98

Consequence 98

Risk Management 99

The Weaknesses of Current Risk Management Approaches 99

Lack of Understanding of Security Risk Components 100

Lack of a Process to Determine Risk Tolerances 100

Tendency Towards Risk Aversion or Avoidance 101

Focus on Risk Mitigation (Reduction) instead of

Risk Treatment 101

viii Contents

Lack of Recognition of Critical Nodes in the

Maritime Domain 101

Overquantifying Security Risk 102

Tendency to Use the Rubric of All-hazard Risk 104

A Propensity to Minimize the Element of Threat in Performing

Security Risk Assessments 104

Chapter 5 A Critique of Current Maritime Security Measuresand Approaches 107

Introduction 107

Regulations and Their Limits 108

The ISPS Code 109

Supply Chain Security 112

International Organization for Standardization 116

Lack of Recovery Planning for Key Maritime

Supply Chain Components 117

A Disjointed International Regulatory Environment 117

Overreliance on Technology 118

Maritime Domain Awareness (MDA) 118

The Fallacy of 100 Percent Container Screening 120

The 'Magic' of Closed Circuit TV (CCT V) 121

Failure to 'Fire for Effect' 122

The Staten Island Barge Explosion 122

Minimizing the Importance of Understanding Threat 123

Hurricane Katrina--the Wrong Lesson Learned 124

Assessing Threat is Hard 126

Why Understanding Threat Matters 126

Bomb in a Box? 127

Deconstructing the Threat 127

Biological and Chemical Agents 128

Radiological Material 128

The Nuclear Grail 128

The Risk Conundrum 129

The Consequences of not Understanding the Threat 130

Hitting the Bystander 130

Al Qaeda’s View of Saddam’s Iraq and Vice Versa 130

The Threat That Wasn’t 131

The Fallout 131

The Lack of a True Risk-Based Approach 131

Insufficient Focus on System Integrity 135

Transparency 135

Corruption 135

Implications for the Maritime Domain 135

The Impact of Corruption 136

Lack of Incentives for the Private Sector 137

Part FourPrinciples for Effective Maritime and Port Security

Chapter 6 Security as an Enabler 141

Introduction 141

Why is it Important for Security to be an Enabler? 142

Security as a Value-Add 142

A Culture of Security 142

Changing Security’s Image 143

Security a Key Organizational Component 143

Resilience 144

Why Resilience? 145

Risks of Ignoring Resiliency 145

Additional Risks 147

The Benefits of a Resilience Approach 147

Resilience and Maritime Security 149

Resilience Guidance 149

Integrating Security into Resilience 150

The Elements of Resilience 151

The Medical Comparison 155

Enabling Resilience 156

Chapter 7 Standards and Regulations 159

Introduction 159

Review of the ISPS Code 159

The ISPS Code 160

ISPS Code 2.0 161

Use ISO 28000 as the Foundation for a new ISPS Code 162

Considerations 164

Acceptance Issues 164

Implementation Issues 167

Other Implementation Considerations 171

Notional Contents and Structure of a New Code 173

The New Code 174

Chapter 8 Assessing and Managing Risk 177

Introduction 177

ISO 31000 178

Risk Terminology 180

Risk 180

Risk Management 180

Risk Assessment 180

Risk Analysis 180

Risk Appetite or Tolerance 180

Other Definitions 181

Threat 181

Hazards 181

Vulnerability 181

Likelihood 181

Consequence 181

Core Components of Risk 182

Establishing the Risk Management Context 182

Identify Risks 183

Analyze Risks 185

Evaluate Risks 186

Treat Risks 188

Making the Business Case for Risk Treatment 190

What is a Business Case? 192

Composition of the Business Case 192

The Business Case and Risk Treatment 193

Monitor and Review 194

Communicate and Consult 195

Maritime Considerations 197

Chapter 9 Measuring Effectiveness 199

Introduction 199

Measure Effectiveness, Not Security Activity 200

Measurement of Activity 201

Resources Expended 201

Measurement of Criminal Activity 201

Uniform Crime Reporting System 202

CompStat 202

The Black Swan Effect 202

Measuring Effectiveness 203

A Hybrid Solution 203

Ask the Enemy 204

Crunch the Numbers 207

Deterrence as the Primary Measure 207

Deterrence 208

Ensuring Integrity and Countering Corruption 209

Foster Continuous Improvement 210

Chapter 10 Conclusion 211

Appendices

Appendix A Conducting Security Risk Assessments 215

Introduction 215

Risk Assessment Steps 216

Establish the Risk Management Context 217

Identify Risks 217

Analyze Risks 218

Evaluate Risks 218

Conducting Risk Assessments 219

Assessment Team Composition 219

All Assessors 219

Lead Assessor 219

Assessment Team Members 220

Facility Risk Assessment Process 220

Facility Risk Assessment Preparation 221

Written Notification to Facility Operators 221

Planning Assessment Activity 222

Facility Risk Assessment Administration and Logistics 223

Facility Risk Assessment Activity 223

Document Reviews 224

Formal and Informal Interviews 224

Observations 224

Assessment Opening and Closing Meetings 224

Opening Meeting 224

Closing Meeting 225

Facility Assessment Reporting 225

Assessing Vulnerability 225

Assessing Consequence 227

Developing a Risk Rating 227

Appendix B Conducting Threat Assessments 231

Introduction 231

Consistency with ISO 31000 232

Threat Identification 233

Identify the Range of Potential Threat Actors 234

Identify an Extensive List of Threat Actor Characteristics 234

Identify Sources of Threat-Related Information 234

Analyze and Organize Threat-Related Information 238

Threat Evaluation 238

Threat Actors and Scenarios 241

Develop The Design Basis Threat 241

Appendix C Tips for Assessing Risk Appetite 259

Introduction 259

Defining Risk Appetite 259

Risk Appetite and ISO 31000 260

Assessing Risk Appetite 260

Helping a Client Determine Risk Appetite 261

Pairwise Exercise 262

Risk Appetite and Risk Treatment 263

Index 269