Natural threats

• Hurricane
• Tornado
• Flooding
• Tsunami
• Earthquake

Man-made/accidental threats

• Hazardous material (HAZMAT) spill
• Fire
• Extended power outage
• Transportation network loss
• Operator error
• Loss of data center/networks/IT infrastructure

Intentional acts—delivery vectors

• Container
• Boat
• Cars/trucks
• Swimmer
• Military grade submarines
• Small, radar-dodging, self-propelled semi-submersibles (SPSSs)
• Disgruntled individual authorized to be on the property
• A criminal not authorized to be on property

Weapon threats

• Chemical, biological, radiological, and nuclear (CBRN)
• Enhanced explosives/improvised explosive devices
• Conventional weapons
• Cyber attack

Security response plans

The foundation of all three levels of port security starts with a plan for security and response (S&R plan). The minimum elements of the S&R plan should include the following:

• Identification procedures
• Access control procedures
• Internal security requirements
• Designated restricted areas
• Perimeter security plan
• Security light and maintenance plan
• Security alarms, video surveillance, and communications systems
• A name designated security officer (with contact information)
• Training program for the security force
• Training for employee security awareness
• Security communications, including prearranged agreements with the local police and fire
• Set procedures for upgrading security to Level II and Level III

Recommended procedures

• A set of detailed response procedures for the following scenarios:
  • Unauthorized personnel discovered at the facility
  • Unauthorized or illegally parked or abandoned vehicles in or near the facility
  • Unauthorized vessels moored along the waterfront property
  • Bomb threat
  • Suspicious persons or activity response
  • Mail handling
  • Unknown or suspicious package discovery and response

The USCG has developed guidance for scenario development for vessels based upon a threat matrix table as discussed in the previous chapters. This threat matrix is to be used to develop the vessel security plan. This threat matrix is documented in the USCG Navigation and Vessel Inspection Circular 10-2, entitled Security Measures for Vessels, dated October 21, 2002. The document is available on the Internet at http://www.uscg.mil/hq/cg5/nvic/pdf/2002/10-02.pdf (Appendix B). The minimum scenarios that the Coast Guard mandates for the vessel security plan include those types of attacks that could damage or destroy the vessel (either from contact or from a distance using standoff weapons), sabotage the vessel, control the vessel, create a pollution or toxic material incident under a variety of circumstances, or use the vessel for illegal transport of personnel or weapons.

The following is suggested by the USCG and IMO as being suitable at a minimum for a good security plan. The USCG also strongly suggests that the plan is addressed in the specified order.

Employees

All employees should be required to show an employee/union photo ID prior to entry. Facilities that do not use employee/union photo IDs should cross-reference employee’s identification with employer-supplied access lists. While on the facility, personnel should possess valid identification and present upon request by security/government representative. The facility should have a verification process to ensure employees entering have valid business.

Vendors/contractors/vessel pilots

All vendors/contractors/vessel pilots should be required to show a valid photo ID prior to entry. While on the facility, all vendors/contractors/vessel pilots should possess valid ID and present upon request by security/competent authority/government representative. Vendors, contractors, and pilots visits should be scheduled in advance. If the arrival of vendors, contractors, or pilots is not prearranged, entry should be prohibited until their need to enter is verified by proper authority (as identified in the facility security plan).

The facility should have a verification process to ensure vendors/contractors/vessel pilots entering have valid business. The use of access lists that preauthorize regular contractors, vendors, and pilots to enter the facility or board vessels moored at that facility is permitted in lieu of the daily schedule requirements.

Truck drivers/passengers

All truck drivers (for cargo) and passengers (when allowed by the facility) should be required to show a valid photo ID prior to entry. While on the facility, truck drivers/passengers should present this ID when requested by security/government representative. The facility should have a verification process to ensure drivers entering have valid business (e.g., checking booking numbers).

Visitors (all personnel not falling into other categories)

All visitors should be required to show a photo ID prior to entry. While on the facility, all visitors should be required to have photo ID and present it upon request by security government representative. Visitors should be scheduled in advance. If not, entry should be prohibited until proper authority authorizes visit (as identified in the facility security plan). The facility should have a verification process to ensure visitors entering have a valid purpose for their visit.

Government employees

Government agency representatives should be given access to complete official visits/inspections. Government agency representatives should present their valid government organization ID card to security personnel or competent authority prior to entry.

Granting government employees’ entrance to a facility does not alleviate them from following safety and security protocols. We know of one intrusive EPA inspector who decided that a particular installation was somehow fudging their emission data, and in her eagerness to inspect the incinerator site, she ignored safety and security protocols by refusing to sign in and demanding immediate and unaccompanied access to the site. As a result, she was banned from the site, and the enforcement of that ban was upheld because of her violation of security and safety protocols.

Access to the site is conditioned on observing and following appropriate security, safety, and other protocols.

Vessel personnel access through a facility

Vessel personnel (crewmembers, agents, contractors, vendors, and passengers on freight vessels) should not be permitted to depart or arrive by way of the facility unless their identification is provided in advance.

If not, entry through the facility should be prohibited until authorized by proper security personnel or competent authority in accordance with the facility security plan. All passengers and crew (on passenger ships) should be allowed to depart the vessel in accordance with INS rules. They should proceed directly to their place of work or out of the terminal.

Search requirements

All persons, packages, and vehicles entering or leaving the facility should be subject to search by security personnel or competent authority. Signs should be posted advising personnel of this requirement prior to entry. Random inspections should be conducted on at least 5% of those entering the facility while the facility is at security level I. This excludes containerized cargo.

Acceptable identification

ID cards should be a tamper-resistant and laminated photo identification card. Identification cards should show the relevant details of the holder, for example, name, description, or other pertinent data, and are to be issued by an appropriate control authority such as the Pacific Maritime Association, port authority, facility operator/owner, labor organization, or government agency. Acceptable identification includes:

Access control

Vehicle control

Facility management should develop vehicle access controls. Where possible, establish designated parking areas away from restricted areas. Where practicable, establish exclusionary zones to protect buildings or other potential high-value targets. Fully describe the measures implemented and standards used in the facility security plan. The following guidelines apply:

Automobiles approved for entry onto marine facilities should be controlled regarding their destination and parking.

All vehicles entering or leaving the facilities should be subject to search by security personnel or competent authority. Signs should be posted advising personnel of this requirement prior to entry.

Parking within the facility should be tightly restricted and should be authorized by a strictly enforced gate pass and/or decal system.

Passes or decals should be color or otherwise coded to further restrict access to authorized times and locations.

Parking for employees, dockworkers, and visitors should be restricted to designated areas that are fenced and outside of the cargo handling and designated storage areas.

Parking for vehicles authorized on facility grounds should be restricted largely to port authority, carrier, maintenance, and commercial and government vehicles that are essential within the facility. Parking for these vehicles should be restricted or clearly marked designated parking areas within the perimeter of the facility.

Temporary permits or passes should be issued to vendors and visitors for parking in designated controlled areas.

Rail security

Rail gates that allow access to a terminal should remain locked at all times, unless open and manned for passage of rail cars.

Key/ID/access card control

Controls should be implemented for all keys, facility employee ID cards, cipher locks, and computer systems. Key/ID/access card controls should be implemented to delineate which personnel have access to specific areas. A master ledger should be maintained that records the legitimate holder of each key copy, issuance of which should be controlled by management or security personnel. Locks, locking devices, and key control systems should be inspected regularly and malfunctioning equipment repaired or replaced. Only case-hardened locks and chains should be used, with chains permanently attached to fence posts/gates.

Computer security

Formal guidelines for computer security should be in place for each facility. Computerized information access should be password controlled and should be restricted on a need-to-know basis, which would include dissemination of information no sooner than required. Facilities should take steps to prevent facility equipment from being accessed by nonauthorized personnel.

Security rounds

Security personnel should conduct roving safety and security patrols specific to a facility’s layout including the areas of waterside access.

Security personnel should conduct rounds at least once in a 4 hour period at varying times to prevent predictability. Adequate recordkeeping of the security rounds conducted should be available for inspection.

Barriers

Perimeter areas should be cleared of vegetation and debris that could be used to breach fences. Natural barriers such as water, ravines, etc., can sometimes be effectively utilized as part of the control boundary rather than fences. If used, natural barriers may require supporting safeguards (i.e., security patrols, surveillance, anti-intrusion devices, lighting) especially during high-threat period (security levels II and III).

Fencing

Compliance with IMO Circular 443 or US Customs Regulations is considered equivalent. Fence perimeters should meet the following minimum:

• Security fences and other barriers should be located and constructed so as to prevent the introduction of dangerous substances or devices. Fencing should be 8 ft high, 9 gauge galvanized steel, of 2 in. wide chain link construction topped with an additional 2 ft barbed wire outrigger consisting of three strands of 9 gauge galvanized barbed wire at a 45° outward angle above the fence.
• The effectiveness of a security fence against penetration depends to a large extent on the type of construction employed in its building.
• The bottom of the fence should be within 2 in. of the ground.
• Security fence lines should be kept clear of all obstructions.

Alarms

Intrusion detection systems and alarm devices may be appropriate as a complement to guards and patrols during periods of increased threat. All control and switching systems for alarms and communications systems should be in a restricted access area. Alarms may be local, that is, at the site of the intrusion, provided at a central location or station, or a combination of both. The standard response time by facility personnel to alarms should be no more than 5 minutes.

Video surveillance

Closed-circuit television cameras can be used as a part of the facility security system. When used, cameras should be placed at main entrances and exits and in areas with high-risk and/or high-value cargo. Cameras should be able to record at relatively low levels of light and should have a remote control zoom lens capability when used for surveillance.

Cameras should have video tape recording capabilities and be capable of being monitored at the same time. Cameras should be positioned, with a recording mechanism to video record vehicles and pedestrians entering and exiting the facility.

Communications systems

Security and communications system should be tested once per shift, and a record of results maintained. A means of transmitting emergency signals by radio, direct-line facilities, or other similarly reliable means should be provided at each access point for use by the control and monitoring personnel to contact the police, security control, or an emergency operations center in the event assistance is required.

The facility should ensure adequate backup/emergency power supply in place to operate security and communications systems when the primary power is interrupted. The facility should further have dedicated emergency/security communications system in place. Each person on the security force should be issued equipment and trained on the system operation.