McAllister Yard, NYC. Courtesy, Capt. Paul Brown

Friday, June 2, 2017

New Information from MARAD About Maritime Security Communications with Industry

From the April meeting of the National Maritime Security Advisory Committee, new information from MARAD about maritime security communications with industry. Information about the new program can be found at

From this website: The U.S. Maritime Administration has established a new interagency approach to communicating with U.S. maritime industry stakeholders regarding identified maritime security threats. The new system, U.S. Maritime Advisory System, replaces Special Warnings to Mariners (previously generated by the U.S. Department of State’s Office of Transportation Policy), MARAD Advisories (previously generated by the Department of Transportation’s Maritime Administration), and global maritime security focused Marine Safety Information Bulletins (previously generated by the Department of Homeland Security’s U.S. Coast Guard), to more effectively and efficiently communicate with U.S. maritime industry stakeholders and U.S. mariners regarding identified threats in the maritime domain.

Two new instruments will be issued through the System, U.S. Maritime Alerts and U.S. Maritime Advisories. The U.S. Maritime Alert is a new tool that has been developed to expeditiously provide basic information (location, incident type, and date/time) on reported maritime security threats to U.S. maritime industry interests.  In some situations, a U.S. Maritime Alert may be issued to refute unsubstantiated claims. U.S. Maritime Alerts do not contain policy or recommendations for specific courses of action (this type of information is reserved for U.S. Maritime Advisories). A U.S. Maritime Advisory may follow the issuance of a U.S. Maritime Alert and is intended to provide more detailed information, when appropriate, through a “whole-of-government” response to an identified maritime threat.

 Both instruments will normally be transmitted by the National Geospatial-Intelligence Agency, will be emailed to U.S. maritime industry stakeholders, and will be posted to this web portal to inform mariners of identified maritime security threats. Vessel Masters, Company Security Officers, ship operators, U.S. mariners, maritime industry associations, U.S. maritime unions and professional associations, and U.S. mariner related non-governmental organizations are the intended recipients of these messages. Maritime industry stakeholders wishing to be added to the email distribution list for U.S. Maritime Alerts and U.S. Maritime Advisories should email their request to


Please note: This blog always quotes heavily from the sources identified in the opening paragraph. I acknowledge that I should probably be using quotation marks and block indentation. Readers should assume that text is from the source and not original with the blog author unless otherwise stated.

Tuesday, May 2, 2017

Draft NVIC on Cybersecurity Coming Soon

During the April 25-26 2017 meeting of the National Maritime Security Advisory Committee (NMSAC), the Committee was given a regulatory update by U.S. Coast Guard personnel. During this update, the Committee was advised that the draft Navigation and Vessel Inspection Circular (NVIC) on cybersecurity would soon be published. Below are some thoughts on this NVIC and what the Coast Guard has said about the need for a proactive approach to cybersecurity.

During the Maritime Cyber Security Standards Public Meeting on January 15, 2015, discussing the need for voluntary cyber standards, Rear Admiral Paul Thomas, Assistant Commandant for Prevention Policy, stated, “The Coast Guard just recently conducted a study about the cost burden to industry of all the regulations that we have published since 1973. We found that 88% of the entire cost burdens of all regulations, over all those years, were due to two regulations, OPA 90 and MTSA. Both of these regulations followed predictable disasters.  The lesson learned should be that we should not wait for an incident to occur that will make us move forward on reactive, more expensive, regulations; we need to be proactive in approaching this. We are here to have a discussion with industry so we can develop a standard together, one that works and is reasonable in terms of the cost benefit.  If we wait until an incident occurs, that opportunity goes away.” (as quoted in Cyber Risk Management, by LCDR Josh Rose & LT Josie Long,

In the Rose/Long AAPA presentation, there was a slide concerning the cybersecurity NVIC. Bullet points about this NVIC content include:
• How do we incorporate cyber into risk assessments?
• What tools are available for industry to use for risk assessments?
• MTS standard terms (definitions)
• What are examples of industrial control systems in the maritime environment (what is the scope of NVIC)?

I think one issue that may be addressed in the NVIC is the link between the NIST framework and the Facility Security Plan (FSP) – incorporation of cyber into facility security assessments; guidance for construction of a possible voluntary cyber annex or new FSP section that directly addresses the Framework elements of identify, protect, detect, respond, and recover; guidance for inspectors who encounter these new sections or annexes in annual compliance inspections or during incident post-review. (We'll see how well my crystal ball is functioning.)

This will be a draft NVIC, probably titled “For review and comment only. Not to be used as final guidance.” As a draft NVIC, it will probably be numbered 17-XX, rather than receiving two numbers as the terminal designation. In the Federal Register notice of its publication, there will probably be a section titled Public Participation and Request for Comments. In this section, there will probably be sub-sections explaining how to submit comments and how to view comments and documents. (Lots of probably’s!)

Monday, April 3, 2017

Coast Guard Maritime Commons Clarifies CDC and TWIC Reader Rule

There has been a lot of discussion about facilities who are not in Risk Group A but are concerned that they might be included because they “handle CDC” by truck or railcar away from the MTSA nexus. The TWIC reader final rule seems to indicate that these facilities will be included in the rule (p. 57681), although the rule also states that the facility may  “define its MTSA footprint in such a way as to exclude that area.” It is presumed that this would require a Facility Security Plan (FSP) amendment.

On March 31, 2017, on Coast Guard Maritime Commons, CG-FAC used the blog to push out important information to industry, clarifying the USCG stance on facilities that handle CDC. The blog states that facilities should look to an older Policy Advisory Council decision, 20-04, for guidance on who is and who is not subject to 33 CFR 105.295 and thus included in Risk Group A. I was using Chrome to access Maritime Commons and the link to Homeport was not successful. For other users who also have trouble linking to Homeport, the text of the PAC is included below in its entirety. Scenarios D and E refer directly to facilities who handle their CDC by modes other than maritime.

To get to this PAC on Homeport, go to  then MTSA>MTSA/ISPS Policy Advisory Council FAQs>20-04 Certain Dangerous Cargo Facilities.pdf

May 6, 2004
Certain Dangerous Cargo Facilities
Issue: What is a CDC facility?

Discussion: Certain Dangerous Cargoes (CDC’s) are defined in 33 CFR 160.204, and the preamble to the Final Rule states that facilities that handle such CDC’s are considered CDC Facilities. The Final Rule preamble also notes the Coast Guard disagrees “that 105.295 should only apply when CDC is actually present on a facility, because the measures required by the section must be taken in advance so that they can be implemented when CDC is present.” The Final Rule preamble does not define what the word handles means, and the purpose of this paper is to decide how to interpret this term.

Decision: In order for a facility to be classified as a CDC Facility, a vessel-to-facility interface must occur, or be capable of occurring, and involve the transfer of CDC’s in bulk. Facilities designated as CDC facilities would need to comply with the regulations contained in 33 CFR 105.295. A facility that is required to complete a Security Plan but that is not designated as a CDC Facility must develop security procedures for the safeguarding of the CDC while it is present on the facility. The following scenarios are examples of how this might be accomplished:

Scenario A: Facilities that receive vessels and engage in vessel-to-facility interfaces that involves the transfer of bulk Certain Dangerous Cargoes from the vessels that they receive.

Scenario A Decision: Facilities would be designated as Certain Dangerous Cargo (CDC) Facilities and would be required to comply with 33 CFR 105.295.

Scenario B: Facilities that receive vessels and engage in vessel-to-facility interfaces that involves the transfer of packaged Certain Dangerous Cargoes from the vessels that they receive.

Scenario B Decision: Facilities would not be required to comply with 33 CFR 105.295. The Facility Security Plan for these facilities must address the fact that they handle such cargoes and the provisions that the facilities have to secure such cargoes.

Scenario C: Facilities that receive vessels that carry CDC’s in bulk but the transfer of CDC’s does not occur between the vessels and the facility.

Scenario C Decision: Facilities would not be required to comply with 33 CFR 105.295. Under 33 CFR 105.245(b), prior to the arrival of a vessel to the facility, the Facility Security Officer and the Vessel Security Officer, or their designated representatives, would be required to coordinate security needs and agree upon the contents of a DoS. The vessel and facility representatives would then need to sign and implement this DoS. As part of the Security that the two agree upon, provisions should be implemented to safeguard the CDC onboard the vessel.

Scenario D: Facilities, already subject to 33 CFR Part 105, receiving Certain Dangerous Cargoes from entities other than vessels, such as rail cars and tanker trucks.

Scenario D Decision: Facilities would not be required to comply with 33 CFR 105.295. The Facility Security Plan for these facilities must address the fact that they handle such cargoes and the provisions that the facilities have to secure such cargoes. At a minimum, these facilities would need to designate the areas where CDC’s are present as restricted areas.

Scenario E: Facilities, already subject to 33 CFR Part 105, through which train cars travel carrying CDC’s. These CDC’s are not received at the facility, but the train cars might be present for extended periods of time.

Scenario E Decision: Facilities would not be required to comply with 33 CFR 105.295. The facility should be aware of the movement of such cargoes and have included this in their Facility Security Plans. At a minimum, the facility should incorporate the checking of railcars during security rounds on the facility.

Friday, March 31, 2017

Sen John Thune (R-S.D.) introduces S.763, the Surface Transportation and Maritime Security Act.

On March 30, 2017, Sen John Thune (R-S.D.) introduced S.763, the Surface Transportation and Maritime Security Act.  Sen. Thune is Chairman of the Senate Committee on Commerce, Science, and Transportation. He’s been in the Senate since 2005 and has served in powerful positions within that body. From Sen. Thune’s website, at
U.S. Sen. John Thune (R-S.D.), chairman of the Senate Committee on Science, Commerce, and Transportation, joined Sens. Bill Nelson (D-Fla.), Deb Fischer (R-Neb.), and Cory Booker (D-N.J.) in reintroducing S. 763, the Surface Transportation and Maritime Security Act. The legislation, which is substantially similar to the bill introduced late last Congress, would address deficiencies in the Transportation Security Administration’s (TSA) efforts to protect rail, transit, highway, and maritime passenger and freight transportation.

“To keep Americans safe, Congress must continually focus attention on areas of neglect and potential weakness to keep them from becoming targets for terrorism,” said Thune. “The Commerce Committee will soon vote on these important reforms for the TSA.”
The legislation would address concerns, raised by independent government watchdog agencies, that TSA is not adequately positioned to identify security risks across different modes of transportation or effectively support federal, state, local and private providers of transportation security. TSA has previously said in testimony to Congress that it uses only three percent of its budget on surface transportation security.

Highlights of the Surface Transportation and Maritime Security Act:

Enhances Risk-Based Security Planning
  • Requires the TSA administrator to conduct a risk analysis and implement a risk-based security model for surface transportation facilities.
  • Mandates risk-based budgeting for surface transportation security focusing resources on current threats with annual reviews of program effectiveness.

Canine Explosive Detection Teams for Surface Transportation
  • Authorizes as many as 70 additional canine teams to work in surface transportation security as soon as possible.
  • Requires a review of the number, location, and utilization of canine teams in surface transportation security to ensure effective use.
  • Following this review and the implementation of recommendations, TSA may then raise the total number of canine teams to 200 or higher as identified in TSA’s risk-based analysis.

Increases Transparency
  • Mirroring the advisory committee for aviation established by the Aviation Security Stakeholder Participation Act of 2014, establishes a Surface Transportation Advisory Committee to provide stakeholders and the public with the opportunity to coordinate with the agency and comment on policy and pending regulations. 
  • Requires that TSA budget submissions clearly indicate which resources will be used for surface transportation security and which will be dedicated to aviation.
  • Directs TSA to regularly update Congress on the status of long overdue surface transportation rulemakings.

Enhances Passenger Rail Security
  • Authorizes the use of computerized vetting systems for passenger rail at the request of Amtrak police and the Amtrak Board of Directors.
  • Allows grant funding to be used to enhance passenger manifest data so that rail passengers can be identified in case of emergency.

From a quick read of the text of the bill, link from the Senator's website:
The vulnerability assessment of surface transportation modes required by the bill must evaluate the vetting and security training of employees in maritime transportation and other individuals with access to sensitive or secure areas of transportation networks.
The Commandant of the Coast Guard shall coordinate with the Administrator (of the TSA) to provide input and other information regarding the vulnerabilities of and risks to maritime facilities.

(1) IN GENERAL - Not later than 180 days after the date the security assessment from subsection (a) is complete, the Administrator shall use the results of the assessment-
(A) to develop and implement a cross-cutting, risk-based security strategy that includes
(i) all surface transportation modes;
(ii) to the extent the Transportation Security Administration provides support in maritime transportation security efforts, maritime transportation;
(B) coordinate with the Commandant of the Coast Guard-
(i) to evaluate existing maritime transportation security programs, policies, and initiatives for consistency with the risk-based security strategy and, to the extent practicable, avoid any unnecessary duplication of effort;
(ii) to ensure there are no security gaps between jurisdictional authorities that a threat can exploit to cause harm;
(iii) to determine the extent to which stakeholder security programs, policies, and initiatives address the vulnerabilities and risks to maritime transportation systems, identified in subsection (a); and
(iv) subject to clauses (ii) and (iii), to mitigate each vulnerability and risk to maritime transportation systems identified in subsection (a).

180 days after the date that the security assessment is completed, TSA shall submit to the appropriate Congressional committees a report that includes, among other items, any recommended changes to the National Infrastructure Protection Plan, the modal annexes to the NIPP, or relevant surface or maritime transportation security programs, policies, or initiatives.

BUDGET TRANSPARENCY - In submitting the annual budget of the United States Government under Section 1105 of title 81, United States Code, the President shall clearly distinguish the resources requested for surface and maritime transportation security from the resources requested for aviation security.

SURFACE TRANSPORTATION SECURITY ADVISORY COMMITTEE - The TSA Administrator shall establish within the TSA the Surface Transportation Security Advisory Committee. Voting members to serve in a volunteer, non-paid basis and consist of representatives from associations representing the modes of surface transportation; labor organizations representing the modes; groups representing the users of the modes, including asset manufacturers, as appropriate; relevant law enforcement, first responders, and security experts; and other groups as the Administrator considers appropriate.

Friday, February 3, 2017

gCaptain Article Concerning the Impact of the President’s Order on Immigration and Travel on U.S. Shipping

 On Feb. 1, 2017, gCaptain printed a sobering article concerning the impact of the president’s order on immigration and travel on U.S. shipping, at  The entire content of the article is reprinted below, with permission.
FSOs who foresee an upcoming ban-related problem with mariners should immediately contact the local COTP for guidance.
“President Trump’s Executive Order on immigration and travel to the United States has immediate implications for ships calling at U.S. ports, particularly those ships with crew members hailing from any one of the seven countries whose citizens are banned under the order, P&I clubs are warning.
As the Executive Order bans entry into the US for citizens from Syria, Yemen, Sudan, Somalia, Iraq, Iran and Libya for the next 90 days, crewmembers aboard ships entering US waters who are citizens of these countries will be denied entry to the US during this time, says The Standard Club, a specialist marine and energy insurer. The club is telling its members to anticipate that shore leave will be denied for those crewmembers and that enhanced security of the ship, including the use of armed guards, may be ordered by local immigration officials while the ship is in a U.S. port.
At this time however, it is not believed that ships carrying crew from these countries will be denied entry into U.S. ports, The Standard Club said.
The UK P&I Club offered similar guidance to its members.
“For the next 90 days crewmembers from Syria, Yemen, Sudan, Somalia, Iraq, Iran and Libya, whether or not they hold visas, will be denied entry to the U.S.,” the UK P&I Club wrote in an alert to members. The club is warning members to avoid crew changes in the United States for those citizens of the seven countries targeted by the order.
Regarding medical emergencies, both the UK P&I Club and The Standard Club say if a crewmember from Syria, Yemen, Sudan, Somalia, Iraq, Iran and Libya requires emergency medical treatment while in the United States, there is an exception under the order that MAY allow the crewmember to be removed from the ship for medical treatment.
The Executive Order says that the Departments of State and Homeland Security (CBP) may determine on a case by case basis to issue visas or other immigration benefits to nationals of countries for which visas and benefits are otherwise blocked. Therefore, government authorities may be able to use the exception to allow the crewmember to be treated in the U.S. if there is a true medical emergency.
At this time it is unclear how many ships and crew members may be impacted by the Executive Order.
Both the UK P&I Club and The Standard Club say they will continue to monitor the situation and update its members with any developments.

In addition to banning citizens from the seven countries for 90 days, the Executive Order also bars the entry of refugees from Syria indefinitely and stops admission of all refugees to the United States for the next four months, among other things.”

Friday, January 27, 2017

Final rule - Civil monetary penalties assessed by the USCG adjusted for inflation in today’s FR effective immediately for violations occurring after 11/02/2015

In the January 27, 2017 Federal Register, at, the Department of Homeland Security established the schedule of civil monetary penalties as adjusted for inflation. As explained in the Final Rule, in 2015 government agencies were required to “(1) Adjust the level of civil monetary penalties with an initial ‘‘catch-up’’ adjustment through issuance of an Interim Final Rule (IFR) and (2) make subsequent annual adjustments for inflation”. This final rule reflects this adjustment, is effective immediately, and applies to violations that occurred after November 2, 2015.

The Coast Guard has a lengthy list of civil violation costs; port security appears near the end of this list on p. 8577. Amending 46 U.S.C. 70119 (cited in 33 CFR 101.415, Penalties) the new penalty for a port security violation is $33,333. The penalty for a continuing violation is $59,893.

Wednesday, January 18, 2017

On 01/17/2017, the U.S. Coast Guard Maritime Commons site advised that the Coast Guard had recently published CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security, which outlines the criteria and process for suspicious activity (SA) and breach of security (BoS) reporting.

The document can be found at Homeport > Maritime Security > Policy. The purpose of the policy document, dated 12/14/2016, is to promulgate policy for use by MTSA-regulated vessels and facilities outlining the criteria and process for suspicious activity and breach of security reporting. Because plausible terrorist attack scenarios include combined cyber and physical incidents, vessel and facility operators should consider this possibility when evaluating a cyber incident, including the possibility that a cyber incident is a precursor to a physical attack. As a security measure, the Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible, eliminate cyber connections between the business/administrative systems and the operational, industrial control and security systems. The USCG handles all reports of security incidents as SSI.

What is really new in this policy document is:
1. Inclusion of cyber incidents into BoS and SA;
2. An expanded definition of SA;
3. Permission to report cyber incidents to the National Cybersecurity and Communications Integration Center under certain conditions.

The document then proceeds to describe U.S. Coast Guard requirements for reporting BoS and SA for both physical and network or computer-related events. The inclusion of cyber here is new and helpful. Industry has been reporting physical BoS and SA since 2004 but cyber is much newer and many FSOs are less certain when to report.

Breaches of security include:
a) “Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS;
b) Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions; and/or
c) Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions.
Note that routine spam, phishing attempts, and other nuisance events that do not breach a system’s defenses are NOT BoS.  Furthermore, breaches of telecommunications equipment, computer, and networked systems that clearly target business or administrative systems unrelated to safe and secure maritime operations are outside the U.S. Coast Guard’s jurisdiction and need not be reported to the U.S. Coast Guard.

Suspicious Activity includes:

A. Suspicious Activity
i. Reference (c) defines SA as “observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.”
ii. Computer-related suspicious activity presents additional vulnerabilities, and companies should be able to distinguish untargeted cyber incidents from targeted incidents on vessel or waterfront facility computer related systems. Untargeted cyber incidents are part of the normal information technology landscape and commonly include “phishing” or persistent scanning of networks, and these are not considered SA or BoS.
iii. In contrast, targeted incidents may be large, sustained attacks on important cyber systems in an apparent attempt to exploit them for nefarious purposes. Spear phishing campaigns, a marked increase in network scanning, or other attacks may be considered SA if the volume, persistence, or sophistication of the attacks is out of the ordinary.
iv. Unsuccessful but apparently targeted incidents may be SA if they threaten systems that could contribute to a TSI, have a link to the MTS portion of the facility or are otherwise related to systems, personnel, and procedures addressed by security plans or MTSA requirements.
v. SA may include, but is not limited to, any of the following:
a) Unfamiliar persons in areas that are restricted to regular employees;
b) Unusual behavioral patterns, such as:
(1) Not responding to verbal interaction;
(2) Walking slowly in a deliberate fashion towards a potential target;
(3) Inappropriately dressed (e.g., wearing excessive clothing as to conceal something, or looking out of place);
(4) Excessive nervousness or “doomsday” talk;
(5) Excessive questions;
(6) Lack of photo identification;
(7) Agitation or rage;
(8) Picture taking, especially if the suspect has been asked earlier not to take photos;
(9) Note taking or drawing;
(10) Taking measurements; and/or
(11) Attempting to access unauthorized areas.
c) Potentially dangerous devices found by screeners prior to loading persons or cargo or items found on or near the facility that seem out of place.
d) Vehicles parked or standing for excessive amounts of time near the facility perimeter;
e) Unmanned Aircraft System (UAS) activity, including but not limited to:
(1) Reconnaissance and surveillance activities, indicated by repeated activities at a particular place and time (e.g., fly-overs, hovering at low altitudes, and prolonged time on station); and/or
(2) Testing of facility security protocols using UAS, indicated by flying by a target, moving into sensitive areas, and observing the reaction of security personnel (e.g., the time it takes to respond to an incident or the routes taken to a specific location).
f) Unauthorized personnel accessing IT spaces linked to security plan functions.
g) Unsuccessful attempts to access telecommunication, computer, and network systems linked to security plan functions.
vi. The Coast Guard recognizes that the cyber domain includes countless malicious but low-level events that are normally addressed via standard anti-virus programs and similar protocols. Operators should only report events that are out of the ordinary in terms of sophistication, volume, or other factors which, from the operator’s perspective, raise suspicions.

Cyber incidents may be reported to the National Cybersecurity and Communications Integration Center. It is imperative that the reporting party inform the NCCIC that they are a Coast Guard regulated entity in order to satisfy the reporting requirements of 33 CFR part 101.305. The NCCIC will forward the report electronically to the NRC, who will notify the appropriate COTP. Reporting cyber incidents in this manner, including notifying the NCCIC that the reporting source is regulated by the Coast Guard, meets Coast Guard regulatory requirements. Note that this is applicable for only a cyber incident; if there are other factors involved, such as pollution or a physical breach of security, operators must report the incident directly to the NRC.

The policy document then discusses other Critical Infrastructure and Cyber Incident resources, including ICS-CERT, InfraGard, National Suspicious Activity Reporting (SAR) Initiative, and the local AMSC.

Wednesday, April 13, 2016

HR 3586 Sec. 12, TWIC Provisions

Our colleague Patrick Coyle at Chemical Facility Security News ( spotted and posted about HR 3586, To amend the Homeland Security Act of 2002 to improve border and maritime security coordination in the Department of Homeland Security, and for other purposes. The bill is at
Mr. Coyle expects that the bill will pass with substantial bipartisan support today, and will probably be taken up by the Senate under their unanimous consent process, without debate and no vote. A discussion of the TWIC provisions is below, followed by the full text of Sec. 12, the section dealing with TWIC.

The bill requires DHS to publish a list of documents that will identify non-United States citizen TWIC applicants and verify the immigration statuses of such applicants by requiring each such applicant to produce a document or documents that demonstrate (i) identity; and (ii) proof of lawful presence in the United States. The bill also requires DHS to enhance training requirements to ensure that trusted agents at transportation security card enrollment centers receive training to identify fraudulent documents.

There are two parts to Sec. 12:  #1, strengthening procedures so that the card cannot be used by illegal aliens and #2, requiring a report from DHS on the appeals process. (The section title states “waiver and appeals” but only the appeal process is addressed in the bill and the two processes are entirely apples and oranges. I don’t have any figures and this is just an informed guess but I am betting that there are many more waivers filed than appeals.)

It is unclear what else DHS needs to do about non-United States citizen TWIC applicants. There is already a procedure in place for foreign nationals who need a TWIC. They need to obtain a TWIC-annotated B-1 visa. From the TSA TWIC website:

“What is the TWIC annotated B-1 visa and who can apply for one?
Foreign nationals who perform maritime services in the United States and require access to secure areas of facilities and vessels can apply for this type of B-1 visa, specifically designed for the TWIC program. These individuals are required to meet the eligibility requirements set forth by the Department of State for a B-1 visa (‘Temporary Visitor for Business’) and are required to provide an official letter from their employer stating that a TWIC is required to perform the individual’s job in the maritime industry.
This letter must be provided to the relevant U.S. Embassy or Consulate as part of the individual’s visa application. The employer letter must contain details such as the type of work performed by the individual, the location and duration of the work, as well as employer contact information is required if additional information or follow up is necessary.”

NLT 90 days after the bill is passed, DHS must provide to the Committee on Homeland Security of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate information on  (1) The average time for the completion of an appeal under the appeals process; (2) The most common reasons for any delays at each step in such process;  (3) Recommendations on how to resolve any such delays as expeditiously as possible.

Text of this section:

(a) IN GENERAL.—Section 70105 of title 46, United States Code, is amended by adding at the end the following new section:


‘‘(1) IN GENERAL.—The Secretary, acting through the Administrator of the Transportation Security Administration, shall seek to strengthen the integrity of transportation security cards issued under this section against improper access by an individual who is not lawfully present in the United States.

‘‘(2) COMPONENTS.—In carrying out subsection (a), the Administrator of the Transportation Security Administration shall—

‘‘(A) publish a list of documents that will identify non-United States citizen transportation security card applicants and verify the immigration statuses of such applicants by requiring each such applicant to produce a document or documents that demonstrate—
‘‘(i) identity; and
‘‘(ii) proof of lawful presence in the United States; and

‘‘(B) enhance training requirements to ensure that trusted agents at transportation security card enrollment centers receive training to identify fraudulent documents.

‘‘(3) EXPIRATION.—A transportation security card issued under this section expires on the date of its expiration or on the date on which the individual to whom such card is issued is no longer lawfully entitled to be present in the United States, whichever is earlier.’’.

(b) REPORT.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security shall provide to the Committee on Homeland Security of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate information on the following:

 (1) The average time for the completion of an appeal under the appeals process established pursuant to paragraph (4) of subsection (c) of section 70105 of title 46, United States Code.

(2) The most common reasons for any delays at each step in such process.

(3) Recommendations on how to resolve any such delays as expeditiously as possible.

Tuesday, March 15, 2016

Troubling DHS Analysis of an Unexpected Closure of the Poe Lock and Its Impact

The Department of Homeland Security, National Protection and Programs Directorate, Office of Cyber and Infrastructure Analysis (OCIA-NISAC), has released “The Perils of Efficiency: An Analysis of an Unexpected Closure of the Poe Lock and Its Impact.” We wish to thank the Principal Investigator Craig S. Gordon, PhD and Supporting Investigator Marilee Orr for this disturbing but truly important document, and the editors of Seaway Review and the Lake Carriers Association for making the report easily accessible. Below is a summary, derived from the report, which can be found at 

"The Soo Locks, which are owned and operated by the United States Army Corps of Engineers (USACE), consist of four locks. The two primary locks in operation are the Poe Lock, rebuilt in 1968, and the MacArthur Lock, constructed in 1943. The Lakers carrying iron ore use the Poe Lock almost exclusively because the MacArthur Lock is too small to accommodate the larger Lakers; almost 70 percent of the U.S. Laker capacity on the Great Lakes is Poe-restricted, meaning that the Lakers can use only the Poe Lock. Lakers small enough to lock through the MacArthur Lock are referred to, herein, as MacArthur-sized. The dependency on the Poe Lock to move the preponderance of the commodities, particularly iron ore, led USACE to call the Poe Lock “the Achilles’ heel of the Great Lakes Navigation System. There is currently no redundancy for the Poe Lock.” This lock is the weak link in Great Lakes commerce.

The scenario closure used in the analysis lasts from March 25– September 25. Overall, about 78 percent of the domestic iron ore capacity is expected to shutter for the duration of the scenario. Limestone deliveries could continue if only the Poe Lock closed. Far less limestone is required to move upstream, as the iron ore-to-limestone ratio is about 9:1.  Further, limestone is far less dense than iron ore and there are more options to deliver limestone to the pelletizing plant.

An extended closure of the Poe Lock, which OCIA-NISAC assumes to be 6-months, would be extremely detrimental to the North American automotive industry including Canada and Mexico. Almost all North American automobile production would cease, and, in addition to the automotive industry, other industries that depend on steel including farm, mining, and construction equipment manufacturing, railroad locomotive and railcar production, and appliances.

According to industry experts, short-term disruptions of a single steel mill can cause disruptions throughout the North American supply chain. Firms must scramble to find alternative suppliers and to begin managing the process, part-by-part, to extend production times for at least some of their lines. Eventually, keeping the system going becomes impossible and lines shut down due to the lack of a single component. It could take more than 2 months to resupply the supply chain with enough steel-based product to restart production from the loss of a single steel mill. Lead times for many automotive parts are typically 8 – 14 weeks. However, regarding the current scenario, one industry expert said, "it's all done if all of the steel mills shut down."

A 6-month closure, from about March 25 to September 25, does not mean that steel production could begin shortly thereafter. First, blast furnaces, which presumably have been hot idled or kept warm during the closure, would have to be re-inspected. Extended hot idling can damage or destroy a blast furnace, incurring lengthy repair times and costs well in excess of $100 million each, though processes have improved that could mitigate this risk. A significant problem with hot-idling a blast furnace is the cooling water. Hot idling a blast furnace during the winter may lead to the freezing of the cooling water and damage to the blast furnace. Blast furnaces generally operate continuously for about 15 years between significant maintenance periods. If a blast furnace is not going to be operated, it must be kept warm by keeping coking coal heated, but not adding in iron ore, limestone and enriched oxygen that make steel. Hot idling, the term to denote this process of keeping the furnace warm, is usually not done for periods longer than a few weeks (see Platts, “Platts Steel Glossary,” at, accessed January 17, 2015). Anything longer than a few weeks is considered, herein, to be an extended period.

More problematic than re-starting the blast furnace is restarting the coke batteries. Coke batteries concentrate the carbon from coal to make coke, which is an essential ingredient in steelmaking. Industry executives reported that the coke battery must be operated continuously or hot-idled properly to prevent damage. The coke battery is far more likely than the blast furnace to become damaged in this unanticipated outage scenario. OCIA-NISAC analysts believe that the steel mills will not re-commence mill operations until about mid-December, in order to secure sufficient inventory of iron ore to last through the normal winter closure of the Soo Locks. Automotive parts manufacturers could then begin operations in mid-January, but the first cars are not likely to come off production lines until early April. 

The scenario closure would have catastrophic impacts on the regional and National economy. Economic modeling based on the assumptions described in the preceding section shows that approximately $1.1 trillion in economic output, as measured by the Gross Domestic Product (GDP), and over 10.9 million jobs would be lost in the first year following the disruption. The impacts described here are more severe than those predicted in prior studies because this analysis took a comprehensive view of the supply chain and its relationship to the National economy.

A 6-month closure of the Poe Lock, at the start of the navigation season, would be expected to halt all automobile production and the sales of cars manufactured in North America completely for almost 10 months, from about June 1 to April 1. That is, no automobiles would be produced in North America. By comparison, during the 2009 recession, two of the three major automotive companies required bailouts from the United States Government when annualized sales of new automobiles had dropped from the typical 16–18 million units to about 9 million units.

At the National level, the model predicts that the Poe Lock closure scenario would add 5.8 percentage points to the unemployment rate, currently at 5.5 percent. This would bring the National unemployment rate under the closure scenario to 11.3 percent. This would exceed the highest level of National unemployment recorded during the 2008-2009 recession, which peaked at 10.0 percent in October 2009. Under the Poe Lock closure scenario, exceptionally high rates of unemployment occur along the Great Lakes and south. Unemployment rates in Indiana and Michigan would reach or exceed 22 percent and all of the Great Lakes States, except for Minnesota and New York, have unemployment rates that would exceed 10 percent.

A recession brought about by an unexpected closure of the Poe Lock would be categorically different from historical recessions. Recessions are usually caused by falling aggregate demand, credit contractions, or oil supply shocks, for which government fiscal or monetary policy can mitigate the length or severity of the recession. A supply shock as contemplated herein may be unprecedented. The closest example may be recession following the 1973-1974 Arab Oil Embargo. In that case, however, oil was available in the United States, but not in sufficient supply to meet demand. The dust bowl in the 1930s resulted in a lack of arable land in the Midwest, which led to the largest population migration in the United States. In the Poe Lock closure scenario, there is no plan, policy, or remedy that could restart automobile production. Government policy would be generally limited to transfer payments to those individuals directly impacted by the event.

Moving iron ore from the mines to the mills is not a viable mitigation; as one industry executive put it, “it's not even in the realm of the possible; it's just not going to happen.” Even if the steel mills could accept iron ore from rail transportation, congested rail lines and the lack of equipment would make the use of rail impractical. For 160 years, the steel mills along the Great Lakes have received their iron ore via Lake Carrier; the mills are designed to receive iron ore by water and there is logistically no way to receive iron ore by rail. The Great Lakes steel mills are built with the iron ore inventory facing the water and the rail lines on the other side of the mills inland for truck or rail shipment of steel out.

There are not enough trucks, or drivers, in the Nation to move the iron ore from the mines to the mills. Each One Thousand Footer Lake Carrier carries approximately 70,000 tons of iron ore, which is equivalent to about 3,000 trucks. The mills use the 70,000 tons about every five days, which means that 600 trucks per day--1 truck every 2.4 minutes--would have to enter a steel mill, drop its load and leave. To bring trucks to 7 mills would mean that, for every point on the Interstate Highway System between Minnesota and Indiana, there would be a truck loaded with iron ore passing every 20 seconds on one side of the road and one truck returning empty on the other side of the road. The Interstate Highway System would have to be shut down to all traffic except for the iron ore trucks and no road maintenance could occur. Finally, OCIA-NISAC estimates that the cost of moving iron ore by truck is approximately four times the value of the iron ore itself and would likely be cost-prohibitive in addition to impractical.

In terms of an impact to the North American economy, it is hard to conceive of a single asset more consequential than the Poe Lock. As outlined in the report, 10.9 million jobs in the United States, and possibly upwards of 13 million jobs in North America, are likely dependent on the functioning of the Poe Lock. An unprecedented supply shock could affect North America if the closure scenario were to occur. The United States has historical knowledge of how to respond to shocks caused by financial crises, oil prices or availability, or falling aggregate demand. There is no similar guide for responding to a supply shock that incapacitates a large set of industries.

As documented in this report, the iron mining - integrated steel production - manufacturing, particularly automobile manufacturing, supply chain, is not only consequential, but potentially one of the least resilient supply chains in North America. The relationship between the steel mills and the auto assembly plants is complex. There is a different steel coil for just about every part of an automobile made with steel, and collectively, there are reportedly some 1500 different recipes of steel for the automotive industry. Without the steady stream of iron ore coming from Lake Superior through the Poe Lock, many or all of these 1500 different steel recipes cannot be made. The inability to make just one recipe could stop production of a particular automobile; the inability to make a couple of recipes could stop production for a particular automotive company; and the inability to make a few recipes could stop production of all North American automotive production."