Final Report Summary - IMCOSEC (Integrated approach to improve the supply chain for container transport and integrated security simultaneously)
Executive summary:
There are two conflicting trends in global transportation that have to be reconciled as effectively as possible - assuring both free trade and transport security. On the one hand huge efforts have been made to eliminate trade barriers in order to ensure free trade and cargo flow within regions and globally (such as the European single market or free trade area agreements). On the other hand additional security requirements such as checking the integrity of containers, their contents or third parties as well as advance data reports have the negative effects on the efficiency of business operations in supply chains.
Main objective of IMCOSEC was to determine a basic concept and strategic roadmap for a large scale demonstration on security of supply chains. The basic concept should provide an approach which considers the needs of stakeholders to minimise the impact of cost and time being practicable for commercial operators and enterprises. The aim was to create a win-win solution between industry and supervision whereby the level of security is at an optimum level balancing effectiveness with practicality within the regulatory framework. Thus IMCOSEC was not aiming at introducing as much security as possible, rather than as much as needed, practicable and acceptable.
IMCOSEC was guided by the following approach:
- identification and categorisation of security regulations, standards and trends;
- identification of security gaps based on a generic process model for supply chains using a resilience matrix approach and threat trees;
- identification and assembly of security projects, technologies and industry needs;
- elaboration of target processes for minimising identified gaps;
- provision of a roadmap for demonstration activities where target processes and supporting technologies can establish efficiency, effectiveness and acceptance.
Acceptance by the industry and public authorities is one of the most important issues regarding the roadmap. Therefore, all the above steps were discussed and validated by the project's advisory board and in workshops involving additional stakeholders from private and public end-users.
The basic vision of the strategic roadmap developed and agreed in IMCOSEC is that by focusing on the threats for and security of business processes, supply chain security and civil security is increased simultaneously. Because of the importance of logistics in global economy, a reliable and sustainable transport of goods is vital for European business to develop resilience against political, strategic, economic and environmental threats. The security of business processes implies to provide flexible, unharmed, cost-effective and reliable transport of goods to support European industry and Member States in global competition. The aim is to highlight the correlation between securing business and civil security showing the benefits for global trade and European industry and community in a big demonstration initiative.
Project context and objectives:
Project background:
Events of 9 / 11 changed security perception
The events of 9 / 11, and the resulting reaction from concerned governments, placed a great emphasis on securing supply chains. The focus has been shifted from cargo theft to terrorist attacks. Furthermore, because of the integration of world trade, the high volumes of containers and the routinely performed cargo inspections provide opportunities for criminal activities, e.g. smuggling of unauthorised goods into a container at several stages of the supply chain.
Compliance with variety of new security rules imply major challenges for companies
Taking the above paragraph into account, a variety of different unilateral and multilateral security measures and regulations, as well as other security initiatives have been developed or are under consideration in countries worldwide. Given that world trade is largely dependent on maritime and containerised transport, the focus has been directed at enhancing maritime transport chains and at addressing the particular challenges posed by containerised supply chains. The different regulations and initiatives in various countries and from various international and multinational organisations and governments pose a challenge on companies to comply with these requirements and can add tremendously to the costs of the exchange of goods on a global scale. Prior to 9 / 11, governmental focus was mainly on trade facilitation and harmonisation of trade rules and practices. After 9 / 11, global trade has experienced an extreme change in paradigms from facilitation and harmonisation to security and anti-terrorist measures. At cargo security, prior to 9 / 11, customs authorities were responsible primarily for clearing imported goods, after goods arrived at the border. Today pre-arrival information in a defined quality is state-of-the-art, sometimes requested even before cargo is loaded onto means of transport enabling refusal of single containers to be unloaded at destination port.
Lack of practicable solutions considering security and efficiency simultaneously
Numerous research projects, funded on national and international level, have been initiated to foster research in and development of organisational and technological solutions, to increase the security of supply chains and to facilitate the application of security solutions. As most of them have been ruled by technology providers, forwarders or ports, they are lacking of practicable solutions for the main stakeholders of supply chains - the consignors. Moreover the projects have a focus either on security or efficiency, but not on security and efficiency at the same time. Due to the relative secure climate in the European Union (EU), there was no need for a combined focus on security and efficiency. This can be especially seen in the projects that deal with the integration of supply chain partners. A lot of research projects have been dedicated to the improvement of the integration of supply chain partners to enhance safety, efficiency, capability and reliability. But the simultaneous emphasis on both - security and efficiency - is missing in most projects.
Fragmentation and data sharing
The topics of supply chain and security are both very complex. The overall platform concepts disregard the existing fragmentation in supply chains and the lack of interoperability. This is not only related to technology issues but rather concerns different industries and countries as there is global competition and mistrust between e.g. national economies, industries and customs administrations. Most of these platform concepts are driven by technology providers and dependent on proprietary software and modules. Because of this, overall data platform concepts have not succeeded yet achieving acceptance and to overcome problems on data sharing amongst the multiple partners of international supply chains. The partners are often not about to share data as the sovereignty of data is not satisfyingly defined and considered yet.
New technologies not suitable for Small and medium-sized enterprise (SME)s
Furthermore, especially in Seventh Framework Programme (FP7), a lot of projects can be found that put the emphasis on the development of new technologies. Therefore, a lot has been done in the development of new technologies which increase security in supply chains when applied. But these technologies have in common that due to their concept and costs they can only be used for niches and are not suitable for trade, especially for SMEs so far. In order to use Radiofrequency identification (RFID) for instance it is necessary to invest in infrastructure. Therefore, technologies are only accepted by a small number of stakeholders so far. There is a need for solutions that could be implemented on a global scale and for main cargo types.
Lack of well-functioning information flows
One more issue which impacts in most cases all trade partners in international supply chains is a lack of smooth and seamless electronic, paper based and verbal information flows. Coming from traditional differences between countries and trade partners, problems like different time sones, language specific translations or meanings of words, and differences in cultural behaviours can influence as well as the missing common notion for security and safety standards international supply chains.
Imbalances in global workforce, technology usage and shift of employment
Human behavioural aspects are especially relevant considering the complex and dynamic environments in which international supply chains take place. Looking from the geo-political differentiation of active global trading countries, it is necessary to mention also the imbalance in global workforce and technology usage in different countries, as well as employment shift from 'less' paid to 'better' paid countries or areas. People at various organisational levels, with diversified background, culture and security comprehension, are in charge of designing, planning and managing supply chain activities and processes. These factors may affect the development of common understanding of 'secure behaviour' inside international supply chains which link different countries.
Lower security standards and efficiency in countries with less paid employees
Countries with less paid employees usually have lower standards and lower education is conceivable. This might result in low security standards and efficiency being imported into EU countries. This could be overcome by exporting common high standards elsewhere.
Loose of overall view due to ad hoc regulations
Consequently, approaches based on collaboration, trust sharing, strategic knowledge management between actors in inter-organisational networks can result in improving security and efficiency of the whole system. Upcoming and recent security issues resulted, as well, in ad hoc and over focused regulations losing the overall view. In order to assure that European business keeps competitive, ways of securing and strengthening supply chains have to be found so that the exchange of goods is not hindered, but the efficiency and security in supply chains is well increased.
Objectives:
IMCOSEC performed a risk based approach to identify and characterise the security gaps. Preventive measures have been discussed and a guiding concept for demonstrations in phase II has been specified to provide a concept for an impact free and secure supply chain cost effectively and without impinging on performance. The focus was on creating a win-win solution between industry and supervision whereby the level of security is at an optimum level balancing effectiveness with practicality within the regulatory framework. Thus IMCOSEC was not aiming at introducing as much security as possible, rather than as much as needed, suitable and acceptable.
IMCOSEC objectives
- Determine a basic concept and roadmap for a large scale demonstration. This should be feasible for users and stakeholders and needs to minimise the impact of cost and time for commercial operators and enterprises.
- Achieve common understanding on risks, gaps, target processes and suitable technologies of the supply chain
This allows stakeholders to develop a realistic and sustainable research and demonstration strategy focusing on useable technologies and processes based on an open platform concept reducing threats at weak points along the supply chain.
These major objectives are reflected by the definition of demands on the roadmap:
be practicable for users and stakeholders;
- minimise impact of cost and time for commercial operators and enterprises;
explain security needs and subsequent impact on the weak points of the supply chain;
enable realistic and sustainable research strategy;
transfer security methods to stakeholders;
focus on useable technologies and processes;
- easy to understand;
presentable to political and foreign authorities;
reduce threats towards weak points of the supply chain;
guarantees the security of the goods produced and transported;
consider major transport corridors (United States, Asia, trans European, continental transport.
Project results:
WP1: Processes and regulations
Definition of project boundaries
At the beginning of the project IMCOSEC, the following overall project boundaries were defined:
- The types of Intermodal loading unit (ILU)s considered are ISO containers, swap bodies and semi-trailers. Namely excluded ILUs are air cargo containers and goods transport via pipelines.
- Cargo types are differentiated into ordinary cargo including empty units and specially regulated goods (dangerous cargo and excised goods) and high-value goods.
- All surface based modes of transport are investigated, therefore rail, road and water (IWW, SSS, maritime shipping) are included. Air transport was not part of the investigation.
- The area to be looked at was settled as area inside the external boundaries of the European Commission (EC), candidates and associated countries, but regions and countries which influence or threaten European trade were also taken into account.
- Threats which endanger supply chains are defined as theft of cargo from inside or the whole ILU, smuggling (insertion of illicit goods before sealing at stuffing place or after sealing already in voyage and extraction in voyage or after unsealing) and terrorism in general. Terrorism means in this case the manipulation of transport in order to accomplish terrorist activities. The 'Trojan Horse Scenario' was excluded since this cannot be avoided by b2b-releationships. Further business oriented threats are counterfeit goods to be inserted, either by exchanging original goods against counterfeit goods and theft, since consumers might change to another brand if wanted goods are not available.
Creation of a generic transport model
A generic transport model representing essential processes and activities along investigated ILU transport chains was created (see Figure 1 below). In order to form a comprehensive and understandable model of today´s transport, a business process model tool (Qualiware Lifecycle Manager) was used to illustrate the ILU supply chain processes.
The model starts at the (last) consignor who inserts cargo into the ILU and ends at the (first) consignee who extracts cargo out of the ILU. Between these two end-points one or multiple transport steps might occur with one or multiple transport modes. Each transport step starts and ends in a terminal. Only the undisturbed chain of action was considered.
The transport model was amended in the course of the project due to a shift towards data security and goods (counterfeit) security which led to additional organisational processes preceding stuffing of an ILU.
But the illustration of undisturbed flow of goods and information is half the truth. Interruptions of the transport process can be of various kinds (theft, smuggle, terrorist activities, human and technological failure and force majeure), which all lead to similar problems. Securing the organisational part and data flow against unauthorised data access and strengthening supply chains to have more resilient and reliable haulage which might react on short notice due to cordoning off roads / rail tracks / waterways / hubs / terminals or whole areas because of incidents of various types is getting more important.
Identification and categorisation of security regulations, standards and trends
The identification and summary of existing relevant security regulations, standards and trends provides an insight into the multiplicity and diversity of security initiatives and programmes, which are relevant to the IMCOSEC project. The rules were classified and described following a clear structure.
There were 42 security programmes considered as relevant. These security programmes have been classified into different categories, according to:
- Originating actor: International organisations, governments or private cooperations.
Geographical area: EU, North America and Asia.
- Enforceability: Compulsory or voluntary programmes or under way.
An overview of security regulations and programmes is given. Not all of the 42 investigated security regulations and programmes are shown as this would have led to a cluttered illustration. Instead of this, the overview categorises the regulations and programmes into mandatory legislation and voluntary initiatives and shows the multitude of programmes which were initiated and implemented by customs agencies.
At international level, United Nations and its specialised agencies adopted several International conventions and resolutions and gave recommendations to enhance security in international trade and supply chains. Some of the measures were prepared after 9 / 11, some are amendments to long-established conventions.
On (inter-)governmental level, 9/11 precipitated changes in security measures. Prior to these events, governmental focus was mainly on trade facilitation and harmonisation of trade rules and practices. After 9/11, global trade has experienced an extreme change in paradigms from facilitation and harmonisation to security and anti-terrorist measures. At cargo security, prior to 9 / 11, customs authorities were responsible primarily for clearing imported goods, after goods arrived at the border. Today pre-arrival information is state of the art, sometimes requested even before cargo is loaded onto means of transport. Temporary duty free import of ILUs is allowed and regulated by the Istanbul Convention. Some of the governmental programmes are mandatory some are voluntary, but even the voluntary governmental programmes create pressure for companies to participate.
There are also voluntary programmes that were initiated by companies and their industry partners or representatives. Those collaborative programmes predominantly seek to reduce smuggling and theft of goods. But also standardisation organisations develop standards addressing security in supply chains, such as standards on high security seals.
Most security regulations are concerned with ISO containers which do not represent all ILU types and there are no special security regulations for empty units’ transport.
The non-compliance of voluntary security programmes leads to enormous waiting times and delays. Thus, the so-called voluntary initiatives can be better categorised necessary programmes in order to maintain competitiveness within the international supply chains. Established programmes often create a demand by business partners and/or markets to be compliant.
The different stakeholders and their underlying interests add to the complexity of securing international logistics and supply chains. An issue on which many stakeholders concur is that governmental regulations and initiatives should be harmonised and that a mutual recognition of certification programmes should be achieved. It is a precondition that requirements of different initiatives correspond or - if not - all stakeholders agree on specific details of each programme. Here the issue of mutual recognition becomes difficult, as programmes' stakeholders prioritise at the expense of what others feel is important, and vice versa.
WCO appeals to national customs administrations to cooperate and develop mechanisms to achieve mutual recognition in order to reduce or eliminate efforts which would be otherwise needed. Until now, the progress of AEO and similar programmes to reach mutual recognition has been slow.
Generally, it can be said that a lot of security regulations exist already and therefore there is no need for new regulations, but rather for mutual recognition and standardisation among national governments especially concerning their implementation.
WP2: Security threats for the supply chain
Identification of security threats along the supply chain
The main objective of this topic was to identify security threats and weak points along the supply chain of ILUs via a resilience matrix. This was carried out via tasks which included the incorporation of process information, previous projects, initiatives and technologies, the discussion with stakeholders on threat scenarios, a workshop and the exchange of contributory information with other work packages at meetings.
Our approach was to examine what arrangements are in place within an organisation for dealing with specific threats and to also examine cross-cutting arrangements like those for training and staff management.
A key feature of the tool is its ability to take into account inter-dependencies and interactions between arrangements for distinct threats.
For example, there are obvious links between an organisation's response to terrorism and its response to crime more generally.
A second feature is the inter- dependency between arrangements for dealing with threats and cross cutting arrangements, for example between arrangements for training staff to deal with terrorism and arrangements for training more generally.
Furthermore, the matrix allows for the application of 'weightings' or 'importances' to threats.
The performance or 'utility' of the organisation is measured against a 3x3 matrix (known as an 'effects matrix'), where the columns of the matrix represent the utility of the organisation with respect to its people, its processes and its physical assets and the rows represent the utility with respect to where these are targeted in terms of prevention, preparation and protection.
Each entry in an 'effects matrix' is rated to represent the utility of the organisation's arrangements relevant to that entry. Normally this is based upon a rating in the range 0 to 5 - where 0 represents poor or no arrangements and 5 represents excellent arrangements. There are proprietary algorithms within the matrix tool that allow for the calculation of overall ratings for resilience taking into account the dependencies and weightings.
For the purposes of the IMCOSEC project it was clearly necessary to adjust the matrix approach to represent security rather than resilience and to allow for differences in dependencies, but in essence a similar approach was taken.
The IMCOSEC matrix approach comprises:
- taxonomy of threats which could be used within the matrix;
- the categorisation of preventive measures - which refer to as 'firewalls' - as 'informational' or 'physical';
- the provision of 'threat trees' showing 'needs' for the accomplishment of breaking into a firewall at any particular 'step' within the supply chain. These 'needs' were coloured (based on a scoring system) to produce 'security trees' to indicate the ease or otherwise that the 'need' could be achieved;
- stakeholder involvement to agree what 'controls' stop, prevent or mitigate the 'attacks' at present, and whether they are 'informational' or 'physical';
- a scored rating to indicate how effective the 'controls' are.
From the process described above it is possible to identify the gaps in the security of the supply chain and the seriousness of those gaps.
The key to the process is the need to include the views and ideas of stakeholders in the IMCOSEC resilience matrix. In the interests of simplicity, industry measures against threats can be divided between physical firewalls such as packing security, container integrity and access security (fences) and informational firewalls such as container identification, container location and informational security (data).
The process for identifying the level of importance of specific threats to the supply chain was guided via a focus group and workshop consultation where stakeholders identified the 'attractiveness to the criminal' of a particular threat and the 'ease of implementation'. It was concluded that amongst the many threats to which the industry is vulnerable, theft and smuggling are the highest priority.
The scoring of the 'needs' (derivation of the algorithms) to deal with the threats is not a simple matter of assigning weighting factors in the traditional manner of a resilience matrix. This is due to the dependencies between safeguards; the required 'needs' to break down the safeguards and the logical construction of how the 'needs' must be achieved.
The process required the building of 'threat trees' where the 'needs' to accomplish a threat are identified with Security AND (SAND) gates and Security OR (SOR) gates. The former show if all of the 'Needs' in the threat tree must be fulfilled. The latter indicate only one 'Need' is required to accomplish the threat.
Having built the 'threat trees' the scoring takes place using a combination of algorithms fed with information from stakeholders and experts which leads to the 'security tree'.
Analysis of container security has been undertaken for the two threats of theft from a container (by insider or third party with access to an insider) and smuggling (by insider or third party with access to an insider) for the China to Europe corridor on routes involving road, rail, sea and barge transport. The effectiveness (or not) of the informational and physical firewalls was rated. Physical security measures also need to be targeted at locations where container transport may be interrupted (e.g. rest areas) or where containers may be stored pending on-transport.
One of the key lessons learnt during the research process was the complexity of the supply chain industry with numerous stakeholders but complicated by their independence from each other. During the project the resilience matrix was successfully adapted to take this into account together with the dependencies between safeguards previously mentioned. Therefore the threats have been adequately identified.
WP3: Projects, initiatives and technologies
Identification and assembly of security projects, technologies and industry needs
Another task of the IMCOSEC project was to identify and assemble the state-of-the-art in supply chain research and existing initiatives which are relevant to the IMCOSEC-project in terms of security, efficiency, logistics and information management.
Databases served as main source of information for the as-is inventory of projects and developments for the improvement of supply chain security and / or efficiency. The identified security projects have a focus at least on one of the three aspects of security, efficiency or safety. The analysed projects can also be assigned to four different themed clusters:
- Cluster 1: Development of guidelines for future security research. The projects assigned to this cluster deal with the development of guidelines for future research projects in the field of security or the organisation of security research conferences to share knowledge in this field.
- Cluster 2: Development of new technology. These projects emphasise the development of new technologies to increase security.
- Cluster 3: Integration of supply chain partners. For improving the integration of supply chain partners, the identified projects suggest different types of platforms, equipment, and technology.
- Cluster 4: Integration of communication, data or information flow. The projects of this cluster concentrate on methods to improve the integration of communication, data and information flows of supply chain members.
The results show that there are a substantial number of projects that deal with the issues of security or efficiency in supply chains. However, the projects have a focus either on security OR efficiency, but not on SAND efficiency at the same time. This can especially be seen in the projects that deal with the integration of supply chain partners. A lot of projects have been dedicated to the improvement of the integration of supply chain partners to enhance safety, efficiency, capability and reliability. Another group of projects deal with the establishment of security rules, policies, procedures, standards and the organisation of networking activities (e.g. security conferences that give the possibility to share security knowledge and best-practice). However, some of the projects address very specific tasks, while others have rather a short or mid-term, but no long-term view.
Furthermore a lot of projects can be found that put the emphasis on the development of new technologies. Therefore, a lot has been done in the development of new technologies that should increase security in supply chains. The next step would be the demonstration of these technologies in real supply chains.
Besides the identification of research projects, the relevant technologies were identified and categorised as follows:
- container security devices: Identification, positioning, communication (data transfer techniques and data format), sensing methods;
- inspection methods.
Regarding the identification methods, the three technologies Optical character recognition (OCR), Radio-frequency Identification (RFID) and International mobile equipment identity (IMEI) were analysed. The result was that even if OCR/RFID/IMEI would eliminate human reading (identification) errors, due to the absence of an international convention using (passive or active) RFID tags or IMEI (GSM modems) on containers, today OCR is the only usable identification technology, but also OCR shows considerable shortcomings in data reading accuracy.
Even though today very accurate multi-standard Global navigation satellite system (GNSS) and Satellite-based augmentation system (SBAS) chipsets are available, the Line of sight (LOS) (e.g. in stacks on terminals and vessels) cannot be guaranteed and the lack of sovereignty remains to be considered. However, where available, the omnidirectional but less accurate mobile phone Location-based services (LBS) are 100 % sovereign, even on seagoing vessels as more and more have an on-board mobile phone system. As mobile phone licenses are granted by a sovereign government, by law, the operators need to provide governmental access to the data / voice transported over their network.
Methods that were identified for sensing methods are with light, temperature range, acoustic, acceleration, shock, motion, humidity, location, digital, analogue and by communication port.
For a fast, cheap and governmental acceptable implementation of a container security device, today the only logical technological combination seems to be mobile phone based for identification, positioning and communication. However, if there would be an operational need for rural and/or maritime coverage GNSS & SatCom may be added, but this increases the problem of battery capacity and sovereignty.
In regard to the inspection methods, the three common methods of inspection are building up on each other. However, they are not the same. While 100 % cargo screening is possible, 100 % scanning and physical inspections would not only lead to tremendous backlogs at points of inspection, but also to an increased financial burden for all stakeholders involved. In addition, most locations that are sensible places for x-ray inspection, do not offer sufficient spare place for the installation and operation of X-ray devices.
In the course of the project, the industry needs were also outlined. ILU based transport chains within the European customs area historically show the greatest degree of security. The picture becomes somewhat different when intercontinental cargo flows – connecting developed countries with developing regions – are included in the examination as containers taking part in inter-continental traffic are more frequently used for illicit purposes. Security concerns of industry players today mostly focus on the loss of cargo (theft), while Trojan horse type breaches of security are substantially less frequent and terrorist misuse of ILUs has never occurred, respectively detected in Europe and currently recorded breaches of security do not reach significant proportions.
Technologies and other organisational solutions applied today, or considered for implementation by the industry players in the foreseeable future relate to either one of the following three considerations:
- adherence to best-practice benchmarks;
- improving cargo security (counter-theft measures); and
- satisfaction of (new) legislative requirements.
In summary, the very competitive transport-industry operates on razor thin margins. Resources of industry players are focused on improving efficiency, and thus competitiveness, to satisfy the expectations of clients for productivity improvements, while protecting the minimal margins. If one specific mode or method of transport will be subject to considerable security regulations while competing modes do not underlie such controls, this would create a not acceptable distortion of competition.
WP4: Gap analysis to improve the supply chain
Analysis of security gaps of the supply chain
This issue was based on the results worked out during the previous work steps in IMCOSEC. On this basis the aim was to:
- identify and describe security gaps of the supply chain;
- identify and prioritise a set of suitable measures to improve problem areas.
In regard of the different transport steps and various threats the weakest points of the supply chain were identified. These weakest points (theft / smuggling at stuffing, stripping and on road with insider involvement), considered as primary starting points when heading to improve the supply chain, were further investigated to answer the question: How was it possible that an incident did happen?
Heading to the aim 'identify and describe gaps in the supply chain transport', it was first necessary to investigate what is considered as being a gap in real logistics chains. The public discussion with stakeholders of different backgrounds (logistics, security and public authorities) showed that currently there is no common definition of what a gap is in the supply chain and neither which gaps need to be closed, but all agree that there are endangerments of supply chains by various threats.
As in logistics the cost-pressure is extremely high and the discussion about costs dominates in general the debates on security topics, the company 's willingness to be more proactive is strongly related to the cost efficiency of additional security measures. It was reported by the stakeholders that if the implementation and operational costs are too high in the company's perception rather losses and damages are accepted. The participants of the workshop defined primary problem areas and parameters to take into account when describing gaps. Those parameters were defined as the following gap categories: physical, technologies, processes, data security and reliability.
These gap categories were used to create a description scheme enabling a consistent presentation of the gap category failures that might occur at the addressed steps. These failures were considered as being very simple (e.g. the absence of appropriate physical security measures) or also more complex (insider access to not sufficiently secured data systems). The assessment was made by separating prevention and detection issues. Most of the security measures can only support one or the other. Therefore the integration in suitable processes and maybe the combination with other measures is necessary, a singular implementation is not contributing to a higher security level of the chain.
The discussion and further research showed that there are a lot of opportunities for criminals to tamper the container, the container contents or the container data. The ease of the achievement of criminal actions is highly increasing when insiders are involved. With regard to the gap analysis this is a crucial point, due to the fact that an insider involvement is thinkable for each step of the chain. This overall nature of this issue was taken as reason to range the identified gap areas in different levels. The insider involvement, more generally considered as 'human factor', was classified as an overall gap. A second overall gap identified is the 'Fragmentation of supply chain security and unbalance between responsibility and impact'. This is an issue inherent to the supply chain and related to logistic reasons in means of the high sophisticated division of labour to enhance competitive and reliable transport of goods. But resulting from this separation occurs the issue, that the one being responsible for securing the container contents on a specific transport step is not necessarily the one being the most affected in case of an incident, the same for the fact, that the one bearing the costs for securing the container will maybe not be the one having the benefits from it. These two issues touch the basics of the supply chain organisation and structure and must be taken always into account when discussing the general supply chain security level.
When addressing the single transport steps, partly strong differences between the different steps emerge, but in general the identified problems tend to some similar gap descriptions. When an incident is not detected or the detection is retarded so that an efficient response initiation is missed, failures of technologies, the inappropriate achievement of relevant processes or the low reliability of staff members can be the cause for it.
In this context the process category is highly important and a key factor, because a reported detection of an incident is useless when there is no suitable communication process linked or no checking process required.
For prevention issues the data security and physical barriers, as well as the well-motivated and trained staff are most important. Due to the nature of some steps, e.g. the road infrastructure relevant for the trucking, a physical protection is hardly feasible, but when other categories fail at the same time (relevant data gathered by the criminals), the gap area is increasing and also does the ease of a container tampering.
Figure 5 demonstrates an example for an assessed gap area, the incident being the theft of container contents during the road transport against the background of insider involvement. Failures of the gap categories are referring to the prevention of this incident. The strength of failures of the different categories were assessed in a pure qualitative manner as being not existent (0), low (1), medium (2) or high (3). The fact of insider involvement causes the height of potential failures in the given categories. The figure shows that it is a combination of failures that enables the tampering of the container and that aspects of the whole gap area must be considered when heading to mitigate the gaps. Isolated approaches will only mitigate a part of the gap area.
A multitude of measures that are dedicated to prohibit or at least mitigate such incidents were collected and classified. The list is based on the collection of regulations and initiatives, the summary on existing and applied technologies as well as on the statements of the workshop participants and the supplement by the project partners. The aim was a prioritisation of the collected measures to get an overview on how they practically work in real logistics. To display the impact of those measures on the transport flow an assessment based on a Delphi study in which the project partners were asked to evaluate the contribution to competitiveness and security of the measures in a predefined scheme. In a second round accompanied by a discussion on the evaluated measures in order to identify outliers by mistakes, the opportunity to changes was given. The background was to see if measures are useful to improve the security level of the chain and practice relevant efficiency factors simultaneously, which would lead to a higher acceptance by stakeholders of the supply chain.
After analysing the results, these two categories were identified:
- measures mainly related to the human factor (training, leadership, security manager, human guards); and
- ensures related to technology (CSD for identification, prevention of breaking and entering, and monitoring conditions and movements, RFID).
Moreover, it can be noted that no measures have been evaluated as having a full contribution to competitiveness and/or to security; this confirms that, in order to effectively improve supply chains in terms of both factors, the implementation of bundles of measures addressing different weaker points is needed.
Resulting from that, a qualitative prioritisation of the measures, following the score of the contributions to competitiveness and security, has been evaluated.
The identified gaps and problem areas in combination with the weaker points present the primary targets for solution based approaches and shall show where urgent needs for improvements are identified. Improvement measures have to provide at the same time gains of security and economic factors as well to assure a minimum acceptance by stakeholders from logistics. Despite this, it was stated by the stakeholders and recognised during the investigation process, that single measures are mostly not efficient enough to prohibit incidents of theft and smuggling. Hence, one of the major results of the work is that for a successful improvement of supply chain security a reasonable combination of measures is necessary. Furthermore the focus must be set on the link to appropriate responses that should be initiated after an incident was detected. The absence of an appropriate and fast response decreases enormously the value of a good detection.
The assessment of existing security measures with regard to their contribution to efficiency and security showed that there are very few single measures that can improve both simultaneously. But a combination of measures might be able to contribute efficiently to both, security and efficiency and hence increase the competitiveness of the company and the supply chain.
WP5: Target processes and supporting technologies
Definition of target processes for reducing security gaps in supply chains
Firstly, a definition for 'target process' has been provided, to ensure a common understanding of the object of the analysis. In particular, target process has been defined as a bundle of solutions / measures / actions that can be added to the current process to reduce the identified gaps in supply chains.
Secondly, for each identified gap, some basic concepts to minimise the gaps have been outlined along with lists of possible activities to be included in the target processes. This was reached by preliminary work before the third IMCOSEC workshop in Berlin, the workshop accomplishment and the analysis of workshop results. Before the workshop, an in-depth literature review, personal experiences and ideas from IMCOSEC partners as well as results from previous work packages and workshops were used to define possible activities to reduce the identified gaps. A bottom-up approach was used: first, for each gap, a list of activities to be included into the target processes were defined, then concepts that are common to different activities were outlined. These partial results have been presented to relevant stakeholders, aiming at validating these ideas and collecting further insights on target processes and on suitable measures and technologies to implement them. The target processes and technologies were, at this stage, necessarily quite generic and therefore without evaluating specific organisations within the ILU supply chain. A number of assumptions were made about organisational capability and behavioural competences of those supply chain organisations.
Target processes address gaps, therefore the development of target processes was established in the gap analysis. The gap analysis resulted in the identification of two levels of gaps, i.e. overall gaps and dedicated gaps.
The two identified overall gaps relate to 'human factor' and 'Fragmentation of supply chain security and unbalance between responsibility and impact' while dedicated gaps refer to smuggling and thefts at facilities and on the road. As a consequence, since the definition of target processes establishes the foundations on the results of gap analysis, two kinds of target processes have been identified:
- target processes addressing overall gaps, i.e. bundles of solutions/measures/actions that can be put in place to fill the overall gaps;
- target processes i.e. bundles of solutions/measures/actions addressing dedicated gaps.
Two main basic concepts, corresponding to two target processes, have been outlined for reducing the gap 'human factor' :
- development of a security culture;
- human behaviour and security related performance measurement.
Two main concepts, corresponding to two target processes, have been outlined for reducing the gap 'Fragmentation of supply chain security and unbalance between risk and responsibilities':
- collaboration with authorities and trading partners;
- alignment of costs and benefits to responsibilities.
However, it should be noted that due to its complexity, additional target processes are required to close or reduce this gap.
One main concept to minimise the two dedicated gaps has been outlined as 'Secure the logistics processes and the business'. Although the main concept is the same, it should be adapted for the gap in question.
Finally, it has been noted that actions and solutions relating to human factors (e.g. train and educate employees, recruitment and selection criteria, identification and control of process responsibilities) were among the most preferred proposals suggested by participants for all the identified gaps. It was concluded that addressing the overall gap 'human factor', which was identified as the biggest issue of supply chain security, is of primary importance in order to successfully reduce the other gaps. This is probably due to the fact that most problems are due to lack of awareness about security and to people that consciously break security requirements or personally perform criminal.
Therefore, it can be suggested that, when addressing whichever of the other gaps, it is necessary to put in place the target process addressing the gap 'human factor' accompanied by other target processes that are specific for the gap in question. Furthermore, as there is a hierarchy between overall and dedicated gaps, it can be stated there is also a hierarchy between target processes aimed at mitigating overall and dedicated gaps. In particular, as mentioned above, the target process addressing the gap 'human factor' is a condition for successfully mitigating both the other overall gap 'Fragmentation of supply chain security and unbalance between responsibilities and impact' and the dedicated gaps 'Smuggling and theft at facility' and 'Smuggling and theft on road'. Furthermore, implementing the target process addressing the overall gap 'Fragmentation of supply chain security and unbalance between responsibilities and impact' supports the successful mitigation of the dedicated gaps.
Starting from defined target processes, a characterisation of such target processes was performed, with the aim of evaluating their impact in terms of performance improvement, In particular, among the performances of the ILU supply chain that are of interest, security is one of specific relevance. Then, since target processes aim at reaching not as much security as possible, but as much as needed, suitable and acceptable by stakeholders, they were analysed in terms of their impact on other relevant supply chain performances, i.e. efficiency, capacity and transparency. Finally, special attention was paid to the human and organisational factors, as well as to social and ethical issues, analysing in depth the impact of the implementation of target processes on organisational and personal behaviours, practices and culture.
WP6: Strategic roadmap
Achievement of a common understanding on the roadmap
A workshop was organised to present the results and discuss possibilities to fine tune the roadmap. The results of the workshop were the reflection on strategic research needs and the identification and summary of possible demonstrations. In this way, new ideas from parties that are not directly involved in the development of the roadmap could be integrated to enhance the roadmap.
Goal of the final workshop was to achieve a common understanding on the roadmap. Therefore, more than 40 external participants representing different international stakeholders of the supply chain ranging from consignors and consignees, logistics service providers, terminal operators and technology providers to customs, police and governmental representatives met for the final workshop in Brussels. The goal of the workshop was to guarantee that the roadmap meets the needs of the different stakeholders in the supply chain.
In the course of the workshop, the IMCOSEC results of the previous work packages and workshops were shown. This was followed by the presentation of a consignor showing the perspective on security from an industry point of view.
Then, the workshop participants had the possibility to state their ideas for the demonstration phase and research needs in smaller group discussions. In this way, valuable insights, feedbacks and inputs resulting from the experience and the knowledge of the different participants were gathered and further considered for and incorporated into the roadmap. After the discussions in smaller groups, the group moderators summarised the main points to all participants to give them the possibility to comment on the ideas for possible demonstrations.
Some of the ideas are stated below and are in line with the results of the IMCOSEC project consortium:
- consider all stakeholders of the supply chain, so also the consignors and consignees;
- consider the human factor and cultural aspects;
- consider container security as the exchange of goods in containers is vital on a global scale, but it should be kept an eye on the costs of security for the involved business;
- consider technologies which use a standard;
- consider data security.
After the group discussion, the basic vision and main ideas of the roadmap were presented to the workshop participants. The participants were asked for their view and comments and at the end of the workshop, a common understanding regarding the roadmap was achieved, which includes the focus on the threats for business processes. In this way, supply chain security can become more secure while civil security is increased as well. The aim of the strategic roadmap is to highlight the correlation between securing business and civil security showing the benefits for global trade and European industry and community. In conclusion, the presented basic idea on the roadmap meets stakeholder's needs and contains most important issues. Therefore the goal of the final workshop was achieved and the developed roadmap was evaluated and approved by all participants who represented different stakeholders of the supply chain.
Potential impact:
Potential impact and dissemination activities
From the beginning the project’s intended impact was to involve additional stakeholders into the project progress, to share views and expertise and to achieve acceptance of the results. Basically the challenge of motivating and incorporating stakeholders of the supply chain and of the security sector into the project progress was achieved by some major instruments and measures which encouraged these objectives.
- more than 20 partner meetings;
- five thematic workshops – three of them were public;
- two Advisory Board meetings in order to achieve acceptance of results within the stakeholder community;
- dissemination activities: website (online since May 2010), IMCOSEC brochure (1 000 copies), newsletters (1 500 copies), project description and advertisement (public service review no. 26 / 27);
- presentations (e.g. SRC '10);
- communication to EC and additional partners.
Within the project the IMCOSEC consortium and the additional stakeholders involved in the advisory boards pool their outstanding expertise, complemented by international workshops in order to ensure acceptance and European wide awareness of the defined roadmap for the demonstrations. That is why IMCOSEC's technological approach is broadminded aiming for practical solutions with economical security gains in order to achieve acceptance. Furthermore the vast organisational and network partners of the consortium partners were used to exchange knowledge and support the European wide awareness.
To ensure relevant impact not only for the roadmap of phase I but also for the big demonstrations planned for phase II several topics have been considered to be covered by the IMCOSEC roadmap. These topics covered by the defined roadmap are:
- problem statement and overall objective;
- why a roadmap;
- basic vision and common understanding;
- bundles of activities forming target processes;
- key elements of demonstrations;
- organisational framework of demonstrations;
- outlook.
Project website: http://www.imcosec.eu
There are two conflicting trends in global transportation that have to be reconciled as effectively as possible - assuring both free trade and transport security. On the one hand huge efforts have been made to eliminate trade barriers in order to ensure free trade and cargo flow within regions and globally (such as the European single market or free trade area agreements). On the other hand additional security requirements such as checking the integrity of containers, their contents or third parties as well as advance data reports have the negative effects on the efficiency of business operations in supply chains.
Main objective of IMCOSEC was to determine a basic concept and strategic roadmap for a large scale demonstration on security of supply chains. The basic concept should provide an approach which considers the needs of stakeholders to minimise the impact of cost and time being practicable for commercial operators and enterprises. The aim was to create a win-win solution between industry and supervision whereby the level of security is at an optimum level balancing effectiveness with practicality within the regulatory framework. Thus IMCOSEC was not aiming at introducing as much security as possible, rather than as much as needed, practicable and acceptable.
IMCOSEC was guided by the following approach:
- identification and categorisation of security regulations, standards and trends;
- identification of security gaps based on a generic process model for supply chains using a resilience matrix approach and threat trees;
- identification and assembly of security projects, technologies and industry needs;
- elaboration of target processes for minimising identified gaps;
- provision of a roadmap for demonstration activities where target processes and supporting technologies can establish efficiency, effectiveness and acceptance.
Acceptance by the industry and public authorities is one of the most important issues regarding the roadmap. Therefore, all the above steps were discussed and validated by the project's advisory board and in workshops involving additional stakeholders from private and public end-users.
The basic vision of the strategic roadmap developed and agreed in IMCOSEC is that by focusing on the threats for and security of business processes, supply chain security and civil security is increased simultaneously. Because of the importance of logistics in global economy, a reliable and sustainable transport of goods is vital for European business to develop resilience against political, strategic, economic and environmental threats. The security of business processes implies to provide flexible, unharmed, cost-effective and reliable transport of goods to support European industry and Member States in global competition. The aim is to highlight the correlation between securing business and civil security showing the benefits for global trade and European industry and community in a big demonstration initiative.
Project context and objectives:
Project background:
Events of 9 / 11 changed security perception
The events of 9 / 11, and the resulting reaction from concerned governments, placed a great emphasis on securing supply chains. The focus has been shifted from cargo theft to terrorist attacks. Furthermore, because of the integration of world trade, the high volumes of containers and the routinely performed cargo inspections provide opportunities for criminal activities, e.g. smuggling of unauthorised goods into a container at several stages of the supply chain.
Compliance with variety of new security rules imply major challenges for companies
Taking the above paragraph into account, a variety of different unilateral and multilateral security measures and regulations, as well as other security initiatives have been developed or are under consideration in countries worldwide. Given that world trade is largely dependent on maritime and containerised transport, the focus has been directed at enhancing maritime transport chains and at addressing the particular challenges posed by containerised supply chains. The different regulations and initiatives in various countries and from various international and multinational organisations and governments pose a challenge on companies to comply with these requirements and can add tremendously to the costs of the exchange of goods on a global scale. Prior to 9 / 11, governmental focus was mainly on trade facilitation and harmonisation of trade rules and practices. After 9 / 11, global trade has experienced an extreme change in paradigms from facilitation and harmonisation to security and anti-terrorist measures. At cargo security, prior to 9 / 11, customs authorities were responsible primarily for clearing imported goods, after goods arrived at the border. Today pre-arrival information in a defined quality is state-of-the-art, sometimes requested even before cargo is loaded onto means of transport enabling refusal of single containers to be unloaded at destination port.
Lack of practicable solutions considering security and efficiency simultaneously
Numerous research projects, funded on national and international level, have been initiated to foster research in and development of organisational and technological solutions, to increase the security of supply chains and to facilitate the application of security solutions. As most of them have been ruled by technology providers, forwarders or ports, they are lacking of practicable solutions for the main stakeholders of supply chains - the consignors. Moreover the projects have a focus either on security or efficiency, but not on security and efficiency at the same time. Due to the relative secure climate in the European Union (EU), there was no need for a combined focus on security and efficiency. This can be especially seen in the projects that deal with the integration of supply chain partners. A lot of research projects have been dedicated to the improvement of the integration of supply chain partners to enhance safety, efficiency, capability and reliability. But the simultaneous emphasis on both - security and efficiency - is missing in most projects.
Fragmentation and data sharing
The topics of supply chain and security are both very complex. The overall platform concepts disregard the existing fragmentation in supply chains and the lack of interoperability. This is not only related to technology issues but rather concerns different industries and countries as there is global competition and mistrust between e.g. national economies, industries and customs administrations. Most of these platform concepts are driven by technology providers and dependent on proprietary software and modules. Because of this, overall data platform concepts have not succeeded yet achieving acceptance and to overcome problems on data sharing amongst the multiple partners of international supply chains. The partners are often not about to share data as the sovereignty of data is not satisfyingly defined and considered yet.
New technologies not suitable for Small and medium-sized enterprise (SME)s
Furthermore, especially in Seventh Framework Programme (FP7), a lot of projects can be found that put the emphasis on the development of new technologies. Therefore, a lot has been done in the development of new technologies which increase security in supply chains when applied. But these technologies have in common that due to their concept and costs they can only be used for niches and are not suitable for trade, especially for SMEs so far. In order to use Radiofrequency identification (RFID) for instance it is necessary to invest in infrastructure. Therefore, technologies are only accepted by a small number of stakeholders so far. There is a need for solutions that could be implemented on a global scale and for main cargo types.
Lack of well-functioning information flows
One more issue which impacts in most cases all trade partners in international supply chains is a lack of smooth and seamless electronic, paper based and verbal information flows. Coming from traditional differences between countries and trade partners, problems like different time sones, language specific translations or meanings of words, and differences in cultural behaviours can influence as well as the missing common notion for security and safety standards international supply chains.
Imbalances in global workforce, technology usage and shift of employment
Human behavioural aspects are especially relevant considering the complex and dynamic environments in which international supply chains take place. Looking from the geo-political differentiation of active global trading countries, it is necessary to mention also the imbalance in global workforce and technology usage in different countries, as well as employment shift from 'less' paid to 'better' paid countries or areas. People at various organisational levels, with diversified background, culture and security comprehension, are in charge of designing, planning and managing supply chain activities and processes. These factors may affect the development of common understanding of 'secure behaviour' inside international supply chains which link different countries.
Lower security standards and efficiency in countries with less paid employees
Countries with less paid employees usually have lower standards and lower education is conceivable. This might result in low security standards and efficiency being imported into EU countries. This could be overcome by exporting common high standards elsewhere.
Loose of overall view due to ad hoc regulations
Consequently, approaches based on collaboration, trust sharing, strategic knowledge management between actors in inter-organisational networks can result in improving security and efficiency of the whole system. Upcoming and recent security issues resulted, as well, in ad hoc and over focused regulations losing the overall view. In order to assure that European business keeps competitive, ways of securing and strengthening supply chains have to be found so that the exchange of goods is not hindered, but the efficiency and security in supply chains is well increased.
Objectives:
IMCOSEC performed a risk based approach to identify and characterise the security gaps. Preventive measures have been discussed and a guiding concept for demonstrations in phase II has been specified to provide a concept for an impact free and secure supply chain cost effectively and without impinging on performance. The focus was on creating a win-win solution between industry and supervision whereby the level of security is at an optimum level balancing effectiveness with practicality within the regulatory framework. Thus IMCOSEC was not aiming at introducing as much security as possible, rather than as much as needed, suitable and acceptable.
IMCOSEC objectives
- Determine a basic concept and roadmap for a large scale demonstration. This should be feasible for users and stakeholders and needs to minimise the impact of cost and time for commercial operators and enterprises.
- Achieve common understanding on risks, gaps, target processes and suitable technologies of the supply chain
This allows stakeholders to develop a realistic and sustainable research and demonstration strategy focusing on useable technologies and processes based on an open platform concept reducing threats at weak points along the supply chain.
These major objectives are reflected by the definition of demands on the roadmap:
be practicable for users and stakeholders;
- minimise impact of cost and time for commercial operators and enterprises;
explain security needs and subsequent impact on the weak points of the supply chain;
enable realistic and sustainable research strategy;
transfer security methods to stakeholders;
focus on useable technologies and processes;
- easy to understand;
presentable to political and foreign authorities;
reduce threats towards weak points of the supply chain;
guarantees the security of the goods produced and transported;
consider major transport corridors (United States, Asia, trans European, continental transport.
Project results:
WP1: Processes and regulations
Definition of project boundaries
At the beginning of the project IMCOSEC, the following overall project boundaries were defined:
- The types of Intermodal loading unit (ILU)s considered are ISO containers, swap bodies and semi-trailers. Namely excluded ILUs are air cargo containers and goods transport via pipelines.
- Cargo types are differentiated into ordinary cargo including empty units and specially regulated goods (dangerous cargo and excised goods) and high-value goods.
- All surface based modes of transport are investigated, therefore rail, road and water (IWW, SSS, maritime shipping) are included. Air transport was not part of the investigation.
- The area to be looked at was settled as area inside the external boundaries of the European Commission (EC), candidates and associated countries, but regions and countries which influence or threaten European trade were also taken into account.
- Threats which endanger supply chains are defined as theft of cargo from inside or the whole ILU, smuggling (insertion of illicit goods before sealing at stuffing place or after sealing already in voyage and extraction in voyage or after unsealing) and terrorism in general. Terrorism means in this case the manipulation of transport in order to accomplish terrorist activities. The 'Trojan Horse Scenario' was excluded since this cannot be avoided by b2b-releationships. Further business oriented threats are counterfeit goods to be inserted, either by exchanging original goods against counterfeit goods and theft, since consumers might change to another brand if wanted goods are not available.
Creation of a generic transport model
A generic transport model representing essential processes and activities along investigated ILU transport chains was created (see Figure 1 below). In order to form a comprehensive and understandable model of today´s transport, a business process model tool (Qualiware Lifecycle Manager) was used to illustrate the ILU supply chain processes.
The model starts at the (last) consignor who inserts cargo into the ILU and ends at the (first) consignee who extracts cargo out of the ILU. Between these two end-points one or multiple transport steps might occur with one or multiple transport modes. Each transport step starts and ends in a terminal. Only the undisturbed chain of action was considered.
The transport model was amended in the course of the project due to a shift towards data security and goods (counterfeit) security which led to additional organisational processes preceding stuffing of an ILU.
But the illustration of undisturbed flow of goods and information is half the truth. Interruptions of the transport process can be of various kinds (theft, smuggle, terrorist activities, human and technological failure and force majeure), which all lead to similar problems. Securing the organisational part and data flow against unauthorised data access and strengthening supply chains to have more resilient and reliable haulage which might react on short notice due to cordoning off roads / rail tracks / waterways / hubs / terminals or whole areas because of incidents of various types is getting more important.
Identification and categorisation of security regulations, standards and trends
The identification and summary of existing relevant security regulations, standards and trends provides an insight into the multiplicity and diversity of security initiatives and programmes, which are relevant to the IMCOSEC project. The rules were classified and described following a clear structure.
There were 42 security programmes considered as relevant. These security programmes have been classified into different categories, according to:
- Originating actor: International organisations, governments or private cooperations.
Geographical area: EU, North America and Asia.
- Enforceability: Compulsory or voluntary programmes or under way.
An overview of security regulations and programmes is given. Not all of the 42 investigated security regulations and programmes are shown as this would have led to a cluttered illustration. Instead of this, the overview categorises the regulations and programmes into mandatory legislation and voluntary initiatives and shows the multitude of programmes which were initiated and implemented by customs agencies.
At international level, United Nations and its specialised agencies adopted several International conventions and resolutions and gave recommendations to enhance security in international trade and supply chains. Some of the measures were prepared after 9 / 11, some are amendments to long-established conventions.
On (inter-)governmental level, 9/11 precipitated changes in security measures. Prior to these events, governmental focus was mainly on trade facilitation and harmonisation of trade rules and practices. After 9/11, global trade has experienced an extreme change in paradigms from facilitation and harmonisation to security and anti-terrorist measures. At cargo security, prior to 9 / 11, customs authorities were responsible primarily for clearing imported goods, after goods arrived at the border. Today pre-arrival information is state of the art, sometimes requested even before cargo is loaded onto means of transport. Temporary duty free import of ILUs is allowed and regulated by the Istanbul Convention. Some of the governmental programmes are mandatory some are voluntary, but even the voluntary governmental programmes create pressure for companies to participate.
There are also voluntary programmes that were initiated by companies and their industry partners or representatives. Those collaborative programmes predominantly seek to reduce smuggling and theft of goods. But also standardisation organisations develop standards addressing security in supply chains, such as standards on high security seals.
Most security regulations are concerned with ISO containers which do not represent all ILU types and there are no special security regulations for empty units’ transport.
The non-compliance of voluntary security programmes leads to enormous waiting times and delays. Thus, the so-called voluntary initiatives can be better categorised necessary programmes in order to maintain competitiveness within the international supply chains. Established programmes often create a demand by business partners and/or markets to be compliant.
The different stakeholders and their underlying interests add to the complexity of securing international logistics and supply chains. An issue on which many stakeholders concur is that governmental regulations and initiatives should be harmonised and that a mutual recognition of certification programmes should be achieved. It is a precondition that requirements of different initiatives correspond or - if not - all stakeholders agree on specific details of each programme. Here the issue of mutual recognition becomes difficult, as programmes' stakeholders prioritise at the expense of what others feel is important, and vice versa.
WCO appeals to national customs administrations to cooperate and develop mechanisms to achieve mutual recognition in order to reduce or eliminate efforts which would be otherwise needed. Until now, the progress of AEO and similar programmes to reach mutual recognition has been slow.
Generally, it can be said that a lot of security regulations exist already and therefore there is no need for new regulations, but rather for mutual recognition and standardisation among national governments especially concerning their implementation.
WP2: Security threats for the supply chain
Identification of security threats along the supply chain
The main objective of this topic was to identify security threats and weak points along the supply chain of ILUs via a resilience matrix. This was carried out via tasks which included the incorporation of process information, previous projects, initiatives and technologies, the discussion with stakeholders on threat scenarios, a workshop and the exchange of contributory information with other work packages at meetings.
Our approach was to examine what arrangements are in place within an organisation for dealing with specific threats and to also examine cross-cutting arrangements like those for training and staff management.
A key feature of the tool is its ability to take into account inter-dependencies and interactions between arrangements for distinct threats.
For example, there are obvious links between an organisation's response to terrorism and its response to crime more generally.
A second feature is the inter- dependency between arrangements for dealing with threats and cross cutting arrangements, for example between arrangements for training staff to deal with terrorism and arrangements for training more generally.
Furthermore, the matrix allows for the application of 'weightings' or 'importances' to threats.
The performance or 'utility' of the organisation is measured against a 3x3 matrix (known as an 'effects matrix'), where the columns of the matrix represent the utility of the organisation with respect to its people, its processes and its physical assets and the rows represent the utility with respect to where these are targeted in terms of prevention, preparation and protection.
Each entry in an 'effects matrix' is rated to represent the utility of the organisation's arrangements relevant to that entry. Normally this is based upon a rating in the range 0 to 5 - where 0 represents poor or no arrangements and 5 represents excellent arrangements. There are proprietary algorithms within the matrix tool that allow for the calculation of overall ratings for resilience taking into account the dependencies and weightings.
For the purposes of the IMCOSEC project it was clearly necessary to adjust the matrix approach to represent security rather than resilience and to allow for differences in dependencies, but in essence a similar approach was taken.
The IMCOSEC matrix approach comprises:
- taxonomy of threats which could be used within the matrix;
- the categorisation of preventive measures - which refer to as 'firewalls' - as 'informational' or 'physical';
- the provision of 'threat trees' showing 'needs' for the accomplishment of breaking into a firewall at any particular 'step' within the supply chain. These 'needs' were coloured (based on a scoring system) to produce 'security trees' to indicate the ease or otherwise that the 'need' could be achieved;
- stakeholder involvement to agree what 'controls' stop, prevent or mitigate the 'attacks' at present, and whether they are 'informational' or 'physical';
- a scored rating to indicate how effective the 'controls' are.
From the process described above it is possible to identify the gaps in the security of the supply chain and the seriousness of those gaps.
The key to the process is the need to include the views and ideas of stakeholders in the IMCOSEC resilience matrix. In the interests of simplicity, industry measures against threats can be divided between physical firewalls such as packing security, container integrity and access security (fences) and informational firewalls such as container identification, container location and informational security (data).
The process for identifying the level of importance of specific threats to the supply chain was guided via a focus group and workshop consultation where stakeholders identified the 'attractiveness to the criminal' of a particular threat and the 'ease of implementation'. It was concluded that amongst the many threats to which the industry is vulnerable, theft and smuggling are the highest priority.
The scoring of the 'needs' (derivation of the algorithms) to deal with the threats is not a simple matter of assigning weighting factors in the traditional manner of a resilience matrix. This is due to the dependencies between safeguards; the required 'needs' to break down the safeguards and the logical construction of how the 'needs' must be achieved.
The process required the building of 'threat trees' where the 'needs' to accomplish a threat are identified with Security AND (SAND) gates and Security OR (SOR) gates. The former show if all of the 'Needs' in the threat tree must be fulfilled. The latter indicate only one 'Need' is required to accomplish the threat.
Having built the 'threat trees' the scoring takes place using a combination of algorithms fed with information from stakeholders and experts which leads to the 'security tree'.
Analysis of container security has been undertaken for the two threats of theft from a container (by insider or third party with access to an insider) and smuggling (by insider or third party with access to an insider) for the China to Europe corridor on routes involving road, rail, sea and barge transport. The effectiveness (or not) of the informational and physical firewalls was rated. Physical security measures also need to be targeted at locations where container transport may be interrupted (e.g. rest areas) or where containers may be stored pending on-transport.
One of the key lessons learnt during the research process was the complexity of the supply chain industry with numerous stakeholders but complicated by their independence from each other. During the project the resilience matrix was successfully adapted to take this into account together with the dependencies between safeguards previously mentioned. Therefore the threats have been adequately identified.
WP3: Projects, initiatives and technologies
Identification and assembly of security projects, technologies and industry needs
Another task of the IMCOSEC project was to identify and assemble the state-of-the-art in supply chain research and existing initiatives which are relevant to the IMCOSEC-project in terms of security, efficiency, logistics and information management.
Databases served as main source of information for the as-is inventory of projects and developments for the improvement of supply chain security and / or efficiency. The identified security projects have a focus at least on one of the three aspects of security, efficiency or safety. The analysed projects can also be assigned to four different themed clusters:
- Cluster 1: Development of guidelines for future security research. The projects assigned to this cluster deal with the development of guidelines for future research projects in the field of security or the organisation of security research conferences to share knowledge in this field.
- Cluster 2: Development of new technology. These projects emphasise the development of new technologies to increase security.
- Cluster 3: Integration of supply chain partners. For improving the integration of supply chain partners, the identified projects suggest different types of platforms, equipment, and technology.
- Cluster 4: Integration of communication, data or information flow. The projects of this cluster concentrate on methods to improve the integration of communication, data and information flows of supply chain members.
The results show that there are a substantial number of projects that deal with the issues of security or efficiency in supply chains. However, the projects have a focus either on security OR efficiency, but not on SAND efficiency at the same time. This can especially be seen in the projects that deal with the integration of supply chain partners. A lot of projects have been dedicated to the improvement of the integration of supply chain partners to enhance safety, efficiency, capability and reliability. Another group of projects deal with the establishment of security rules, policies, procedures, standards and the organisation of networking activities (e.g. security conferences that give the possibility to share security knowledge and best-practice). However, some of the projects address very specific tasks, while others have rather a short or mid-term, but no long-term view.
Furthermore a lot of projects can be found that put the emphasis on the development of new technologies. Therefore, a lot has been done in the development of new technologies that should increase security in supply chains. The next step would be the demonstration of these technologies in real supply chains.
Besides the identification of research projects, the relevant technologies were identified and categorised as follows:
- container security devices: Identification, positioning, communication (data transfer techniques and data format), sensing methods;
- inspection methods.
Regarding the identification methods, the three technologies Optical character recognition (OCR), Radio-frequency Identification (RFID) and International mobile equipment identity (IMEI) were analysed. The result was that even if OCR/RFID/IMEI would eliminate human reading (identification) errors, due to the absence of an international convention using (passive or active) RFID tags or IMEI (GSM modems) on containers, today OCR is the only usable identification technology, but also OCR shows considerable shortcomings in data reading accuracy.
Even though today very accurate multi-standard Global navigation satellite system (GNSS) and Satellite-based augmentation system (SBAS) chipsets are available, the Line of sight (LOS) (e.g. in stacks on terminals and vessels) cannot be guaranteed and the lack of sovereignty remains to be considered. However, where available, the omnidirectional but less accurate mobile phone Location-based services (LBS) are 100 % sovereign, even on seagoing vessels as more and more have an on-board mobile phone system. As mobile phone licenses are granted by a sovereign government, by law, the operators need to provide governmental access to the data / voice transported over their network.
Methods that were identified for sensing methods are with light, temperature range, acoustic, acceleration, shock, motion, humidity, location, digital, analogue and by communication port.
For a fast, cheap and governmental acceptable implementation of a container security device, today the only logical technological combination seems to be mobile phone based for identification, positioning and communication. However, if there would be an operational need for rural and/or maritime coverage GNSS & SatCom may be added, but this increases the problem of battery capacity and sovereignty.
In regard to the inspection methods, the three common methods of inspection are building up on each other. However, they are not the same. While 100 % cargo screening is possible, 100 % scanning and physical inspections would not only lead to tremendous backlogs at points of inspection, but also to an increased financial burden for all stakeholders involved. In addition, most locations that are sensible places for x-ray inspection, do not offer sufficient spare place for the installation and operation of X-ray devices.
In the course of the project, the industry needs were also outlined. ILU based transport chains within the European customs area historically show the greatest degree of security. The picture becomes somewhat different when intercontinental cargo flows – connecting developed countries with developing regions – are included in the examination as containers taking part in inter-continental traffic are more frequently used for illicit purposes. Security concerns of industry players today mostly focus on the loss of cargo (theft), while Trojan horse type breaches of security are substantially less frequent and terrorist misuse of ILUs has never occurred, respectively detected in Europe and currently recorded breaches of security do not reach significant proportions.
Technologies and other organisational solutions applied today, or considered for implementation by the industry players in the foreseeable future relate to either one of the following three considerations:
- adherence to best-practice benchmarks;
- improving cargo security (counter-theft measures); and
- satisfaction of (new) legislative requirements.
In summary, the very competitive transport-industry operates on razor thin margins. Resources of industry players are focused on improving efficiency, and thus competitiveness, to satisfy the expectations of clients for productivity improvements, while protecting the minimal margins. If one specific mode or method of transport will be subject to considerable security regulations while competing modes do not underlie such controls, this would create a not acceptable distortion of competition.
WP4: Gap analysis to improve the supply chain
Analysis of security gaps of the supply chain
This issue was based on the results worked out during the previous work steps in IMCOSEC. On this basis the aim was to:
- identify and describe security gaps of the supply chain;
- identify and prioritise a set of suitable measures to improve problem areas.
In regard of the different transport steps and various threats the weakest points of the supply chain were identified. These weakest points (theft / smuggling at stuffing, stripping and on road with insider involvement), considered as primary starting points when heading to improve the supply chain, were further investigated to answer the question: How was it possible that an incident did happen?
Heading to the aim 'identify and describe gaps in the supply chain transport', it was first necessary to investigate what is considered as being a gap in real logistics chains. The public discussion with stakeholders of different backgrounds (logistics, security and public authorities) showed that currently there is no common definition of what a gap is in the supply chain and neither which gaps need to be closed, but all agree that there are endangerments of supply chains by various threats.
As in logistics the cost-pressure is extremely high and the discussion about costs dominates in general the debates on security topics, the company 's willingness to be more proactive is strongly related to the cost efficiency of additional security measures. It was reported by the stakeholders that if the implementation and operational costs are too high in the company's perception rather losses and damages are accepted. The participants of the workshop defined primary problem areas and parameters to take into account when describing gaps. Those parameters were defined as the following gap categories: physical, technologies, processes, data security and reliability.
These gap categories were used to create a description scheme enabling a consistent presentation of the gap category failures that might occur at the addressed steps. These failures were considered as being very simple (e.g. the absence of appropriate physical security measures) or also more complex (insider access to not sufficiently secured data systems). The assessment was made by separating prevention and detection issues. Most of the security measures can only support one or the other. Therefore the integration in suitable processes and maybe the combination with other measures is necessary, a singular implementation is not contributing to a higher security level of the chain.
The discussion and further research showed that there are a lot of opportunities for criminals to tamper the container, the container contents or the container data. The ease of the achievement of criminal actions is highly increasing when insiders are involved. With regard to the gap analysis this is a crucial point, due to the fact that an insider involvement is thinkable for each step of the chain. This overall nature of this issue was taken as reason to range the identified gap areas in different levels. The insider involvement, more generally considered as 'human factor', was classified as an overall gap. A second overall gap identified is the 'Fragmentation of supply chain security and unbalance between responsibility and impact'. This is an issue inherent to the supply chain and related to logistic reasons in means of the high sophisticated division of labour to enhance competitive and reliable transport of goods. But resulting from this separation occurs the issue, that the one being responsible for securing the container contents on a specific transport step is not necessarily the one being the most affected in case of an incident, the same for the fact, that the one bearing the costs for securing the container will maybe not be the one having the benefits from it. These two issues touch the basics of the supply chain organisation and structure and must be taken always into account when discussing the general supply chain security level.
When addressing the single transport steps, partly strong differences between the different steps emerge, but in general the identified problems tend to some similar gap descriptions. When an incident is not detected or the detection is retarded so that an efficient response initiation is missed, failures of technologies, the inappropriate achievement of relevant processes or the low reliability of staff members can be the cause for it.
In this context the process category is highly important and a key factor, because a reported detection of an incident is useless when there is no suitable communication process linked or no checking process required.
For prevention issues the data security and physical barriers, as well as the well-motivated and trained staff are most important. Due to the nature of some steps, e.g. the road infrastructure relevant for the trucking, a physical protection is hardly feasible, but when other categories fail at the same time (relevant data gathered by the criminals), the gap area is increasing and also does the ease of a container tampering.
Figure 5 demonstrates an example for an assessed gap area, the incident being the theft of container contents during the road transport against the background of insider involvement. Failures of the gap categories are referring to the prevention of this incident. The strength of failures of the different categories were assessed in a pure qualitative manner as being not existent (0), low (1), medium (2) or high (3). The fact of insider involvement causes the height of potential failures in the given categories. The figure shows that it is a combination of failures that enables the tampering of the container and that aspects of the whole gap area must be considered when heading to mitigate the gaps. Isolated approaches will only mitigate a part of the gap area.
A multitude of measures that are dedicated to prohibit or at least mitigate such incidents were collected and classified. The list is based on the collection of regulations and initiatives, the summary on existing and applied technologies as well as on the statements of the workshop participants and the supplement by the project partners. The aim was a prioritisation of the collected measures to get an overview on how they practically work in real logistics. To display the impact of those measures on the transport flow an assessment based on a Delphi study in which the project partners were asked to evaluate the contribution to competitiveness and security of the measures in a predefined scheme. In a second round accompanied by a discussion on the evaluated measures in order to identify outliers by mistakes, the opportunity to changes was given. The background was to see if measures are useful to improve the security level of the chain and practice relevant efficiency factors simultaneously, which would lead to a higher acceptance by stakeholders of the supply chain.
After analysing the results, these two categories were identified:
- measures mainly related to the human factor (training, leadership, security manager, human guards); and
- ensures related to technology (CSD for identification, prevention of breaking and entering, and monitoring conditions and movements, RFID).
Moreover, it can be noted that no measures have been evaluated as having a full contribution to competitiveness and/or to security; this confirms that, in order to effectively improve supply chains in terms of both factors, the implementation of bundles of measures addressing different weaker points is needed.
Resulting from that, a qualitative prioritisation of the measures, following the score of the contributions to competitiveness and security, has been evaluated.
The identified gaps and problem areas in combination with the weaker points present the primary targets for solution based approaches and shall show where urgent needs for improvements are identified. Improvement measures have to provide at the same time gains of security and economic factors as well to assure a minimum acceptance by stakeholders from logistics. Despite this, it was stated by the stakeholders and recognised during the investigation process, that single measures are mostly not efficient enough to prohibit incidents of theft and smuggling. Hence, one of the major results of the work is that for a successful improvement of supply chain security a reasonable combination of measures is necessary. Furthermore the focus must be set on the link to appropriate responses that should be initiated after an incident was detected. The absence of an appropriate and fast response decreases enormously the value of a good detection.
The assessment of existing security measures with regard to their contribution to efficiency and security showed that there are very few single measures that can improve both simultaneously. But a combination of measures might be able to contribute efficiently to both, security and efficiency and hence increase the competitiveness of the company and the supply chain.
WP5: Target processes and supporting technologies
Definition of target processes for reducing security gaps in supply chains
Firstly, a definition for 'target process' has been provided, to ensure a common understanding of the object of the analysis. In particular, target process has been defined as a bundle of solutions / measures / actions that can be added to the current process to reduce the identified gaps in supply chains.
Secondly, for each identified gap, some basic concepts to minimise the gaps have been outlined along with lists of possible activities to be included in the target processes. This was reached by preliminary work before the third IMCOSEC workshop in Berlin, the workshop accomplishment and the analysis of workshop results. Before the workshop, an in-depth literature review, personal experiences and ideas from IMCOSEC partners as well as results from previous work packages and workshops were used to define possible activities to reduce the identified gaps. A bottom-up approach was used: first, for each gap, a list of activities to be included into the target processes were defined, then concepts that are common to different activities were outlined. These partial results have been presented to relevant stakeholders, aiming at validating these ideas and collecting further insights on target processes and on suitable measures and technologies to implement them. The target processes and technologies were, at this stage, necessarily quite generic and therefore without evaluating specific organisations within the ILU supply chain. A number of assumptions were made about organisational capability and behavioural competences of those supply chain organisations.
Target processes address gaps, therefore the development of target processes was established in the gap analysis. The gap analysis resulted in the identification of two levels of gaps, i.e. overall gaps and dedicated gaps.
The two identified overall gaps relate to 'human factor' and 'Fragmentation of supply chain security and unbalance between responsibility and impact' while dedicated gaps refer to smuggling and thefts at facilities and on the road. As a consequence, since the definition of target processes establishes the foundations on the results of gap analysis, two kinds of target processes have been identified:
- target processes addressing overall gaps, i.e. bundles of solutions/measures/actions that can be put in place to fill the overall gaps;
- target processes i.e. bundles of solutions/measures/actions addressing dedicated gaps.
Two main basic concepts, corresponding to two target processes, have been outlined for reducing the gap 'human factor' :
- development of a security culture;
- human behaviour and security related performance measurement.
Two main concepts, corresponding to two target processes, have been outlined for reducing the gap 'Fragmentation of supply chain security and unbalance between risk and responsibilities':
- collaboration with authorities and trading partners;
- alignment of costs and benefits to responsibilities.
However, it should be noted that due to its complexity, additional target processes are required to close or reduce this gap.
One main concept to minimise the two dedicated gaps has been outlined as 'Secure the logistics processes and the business'. Although the main concept is the same, it should be adapted for the gap in question.
Finally, it has been noted that actions and solutions relating to human factors (e.g. train and educate employees, recruitment and selection criteria, identification and control of process responsibilities) were among the most preferred proposals suggested by participants for all the identified gaps. It was concluded that addressing the overall gap 'human factor', which was identified as the biggest issue of supply chain security, is of primary importance in order to successfully reduce the other gaps. This is probably due to the fact that most problems are due to lack of awareness about security and to people that consciously break security requirements or personally perform criminal.
Therefore, it can be suggested that, when addressing whichever of the other gaps, it is necessary to put in place the target process addressing the gap 'human factor' accompanied by other target processes that are specific for the gap in question. Furthermore, as there is a hierarchy between overall and dedicated gaps, it can be stated there is also a hierarchy between target processes aimed at mitigating overall and dedicated gaps. In particular, as mentioned above, the target process addressing the gap 'human factor' is a condition for successfully mitigating both the other overall gap 'Fragmentation of supply chain security and unbalance between responsibilities and impact' and the dedicated gaps 'Smuggling and theft at facility' and 'Smuggling and theft on road'. Furthermore, implementing the target process addressing the overall gap 'Fragmentation of supply chain security and unbalance between responsibilities and impact' supports the successful mitigation of the dedicated gaps.
Starting from defined target processes, a characterisation of such target processes was performed, with the aim of evaluating their impact in terms of performance improvement, In particular, among the performances of the ILU supply chain that are of interest, security is one of specific relevance. Then, since target processes aim at reaching not as much security as possible, but as much as needed, suitable and acceptable by stakeholders, they were analysed in terms of their impact on other relevant supply chain performances, i.e. efficiency, capacity and transparency. Finally, special attention was paid to the human and organisational factors, as well as to social and ethical issues, analysing in depth the impact of the implementation of target processes on organisational and personal behaviours, practices and culture.
WP6: Strategic roadmap
Achievement of a common understanding on the roadmap
A workshop was organised to present the results and discuss possibilities to fine tune the roadmap. The results of the workshop were the reflection on strategic research needs and the identification and summary of possible demonstrations. In this way, new ideas from parties that are not directly involved in the development of the roadmap could be integrated to enhance the roadmap.
Goal of the final workshop was to achieve a common understanding on the roadmap. Therefore, more than 40 external participants representing different international stakeholders of the supply chain ranging from consignors and consignees, logistics service providers, terminal operators and technology providers to customs, police and governmental representatives met for the final workshop in Brussels. The goal of the workshop was to guarantee that the roadmap meets the needs of the different stakeholders in the supply chain.
In the course of the workshop, the IMCOSEC results of the previous work packages and workshops were shown. This was followed by the presentation of a consignor showing the perspective on security from an industry point of view.
Then, the workshop participants had the possibility to state their ideas for the demonstration phase and research needs in smaller group discussions. In this way, valuable insights, feedbacks and inputs resulting from the experience and the knowledge of the different participants were gathered and further considered for and incorporated into the roadmap. After the discussions in smaller groups, the group moderators summarised the main points to all participants to give them the possibility to comment on the ideas for possible demonstrations.
Some of the ideas are stated below and are in line with the results of the IMCOSEC project consortium:
- consider all stakeholders of the supply chain, so also the consignors and consignees;
- consider the human factor and cultural aspects;
- consider container security as the exchange of goods in containers is vital on a global scale, but it should be kept an eye on the costs of security for the involved business;
- consider technologies which use a standard;
- consider data security.
After the group discussion, the basic vision and main ideas of the roadmap were presented to the workshop participants. The participants were asked for their view and comments and at the end of the workshop, a common understanding regarding the roadmap was achieved, which includes the focus on the threats for business processes. In this way, supply chain security can become more secure while civil security is increased as well. The aim of the strategic roadmap is to highlight the correlation between securing business and civil security showing the benefits for global trade and European industry and community. In conclusion, the presented basic idea on the roadmap meets stakeholder's needs and contains most important issues. Therefore the goal of the final workshop was achieved and the developed roadmap was evaluated and approved by all participants who represented different stakeholders of the supply chain.
Potential impact:
Potential impact and dissemination activities
From the beginning the project’s intended impact was to involve additional stakeholders into the project progress, to share views and expertise and to achieve acceptance of the results. Basically the challenge of motivating and incorporating stakeholders of the supply chain and of the security sector into the project progress was achieved by some major instruments and measures which encouraged these objectives.
- more than 20 partner meetings;
- five thematic workshops – three of them were public;
- two Advisory Board meetings in order to achieve acceptance of results within the stakeholder community;
- dissemination activities: website (online since May 2010), IMCOSEC brochure (1 000 copies), newsletters (1 500 copies), project description and advertisement (public service review no. 26 / 27);
- presentations (e.g. SRC '10);
- communication to EC and additional partners.
Within the project the IMCOSEC consortium and the additional stakeholders involved in the advisory boards pool their outstanding expertise, complemented by international workshops in order to ensure acceptance and European wide awareness of the defined roadmap for the demonstrations. That is why IMCOSEC's technological approach is broadminded aiming for practical solutions with economical security gains in order to achieve acceptance. Furthermore the vast organisational and network partners of the consortium partners were used to exchange knowledge and support the European wide awareness.
To ensure relevant impact not only for the roadmap of phase I but also for the big demonstrations planned for phase II several topics have been considered to be covered by the IMCOSEC roadmap. These topics covered by the defined roadmap are:
- problem statement and overall objective;
- why a roadmap;
- basic vision and common understanding;
- bundles of activities forming target processes;
- key elements of demonstrations;
- organisational framework of demonstrations;
- outlook.
Project website: http://www.imcosec.eu