Tuesday, March 15, 2016

Troubling DHS Analysis of an Unexpected Closure of the Poe Lock and Its Impact

The Department of Homeland Security, National Protection and Programs Directorate, Office of Cyber and Infrastructure Analysis (OCIA-NISAC),  has released “The Perils of Efficiency: An Analysis of an Unexpected Closure of the Poe Lock and Its Impact.”  We wish to thank the Principal Investigator Craig S. Gordon, PhD and Supporting Investigator Marilee Orr for this disturbing but truly important document, and for the editors of Seaway Review and the Lake Carriers Association for making the report easily accessible. Below is a summary, derived from the report, which can be found at http://www.lcaships.com/wp-content/uploads/2016/03/OCIA-The-Perils-of-Efficiency-An-Analysis-of-an-Unexpected-Closure-of-the-Poe-Lock-and-Its-Impact1.pdf. 

"The Soo Locks, which are owned and operated by the United States Army Corps of Engineers (USACE), consists of four lock.The two primary locks in operation are the Poe Lock, rebuilt in 1968, and the MacArthur Lock, constructed in 1943.The Lakers carrying iron ore use the Poe Lock almost exclusively because the MacArthur Lock is too small to accommodate the larger Lakers; almost 70 percent of the U.S. Laker capacity on the Great Lakes is Poe-restricted, meaning that the Lakers can use only the Poe Lock. Lakers small enough to lock through the MacArthur Lock are referred, herein, as MacArthur-sized. The dependency on the Poe Locks to move the preponderance of the commodities, particularly iron ore, led USACE to call the Poe Lock “the Achilles’ heel of the Great Lakes Navigation System. There is currently no redundancy for the Poe Lock.”34 This lock is the weak link in Great Lakes commerce.

The scenario closure used in the analysis lasts from March 25– September 25. Overall, about 78 percent of the domestic iron ore capacity is expected to shutter for the duration of the scenario. Limestone deliveries could continue if only the Poe Lock closed. Far less limestone is required to move upstream, as the iron ore-to-limestone ratio is about 9:1.  Further, limestone is far less dense than iron ore and there are more options to deliver limestone to the pelletizing plant.

An extended closure of the Poe Lock, which OCIA-NISAC assumes to be 6-months, would be extremely detrimental to the North American automotive industry including Canada and Mexico. Almost all North American automobile production would cease, and, in addition to the automotive industry, other industries that depend on steel including farm, mining, and construction equipment manufacturing, railroad locomotive and railcar production, and appliances.

According to industry experts, short-term disruptions of a single steel mill can cause disruptions throughout the North American supply chain. Firms must scramble to find alternative suppliers and to begin managing the process, part-by-part, to extend production times for at least some of their lines. Eventually, keeping the system going becomes impossible and lines shut down due to the lack of a single component. It could take more than 2 months to resupply the supply chain with enough steel-based product to restart production from the loss of a single steel mill. Lead times for many automotive parts are typically 8 – 14 weeks. However, regarding the current scenario, one industry expert said, "it's all done if all of the steel mills shut down."

A 6-month closure, from about March 25 to September 25 does not mean that steel production could begin shortly thereafter. First, blast furnaces, which presumably have been hot idled or kept warm during the closure, would have to be re-inspected. Extended hot idling can damage or destroy a blast furnace, incurring lengthy repairs times and costs well in excess of $100 million each, though processes have improved that could mitigate this risk. A significant problem with hot-idling a blast furnace is the cooling water. Hot idling a blast furnace during the winter may lead to the freezing of the cooling water and damage to the blast furnace. Blast furnaces generally operate continuously for about 15 years between significant maintenance periods. If a blast furnace is not going to be operated, it must be kept warm by keeping coking coal heated, but not adding in iron ore, limestone and enriched oxygen that make steel. Hot idling, the term to denote this process of keeping the furnace warm is usually not done for periods longer than a few weeks (see Platts, “Platts Steel Glossary,” at
www.steelbb.com/steelglossary/#term_206, accessed January 17, 2015). Anything longer than a few weeks is considered, herein, to be an extended period.

More problematic than re-starting the blast furnace is restarting the coke batteries. Coke batteries concentrate the carbon from coal to make coke, which is an essential ingredient in steelmaking. Industry executives reported that the coke battery must be operated continuously or hot-idled properly to prevent damage. The coke battery is far more likely than the blast furnace to become damaged in this unanticipated outage scenario. OCIA-NISAC analysts believe that the steel mills will not re-commence mill operations until about mid-December, in order to secure sufficient inventory of iron ore to last through the normal winter closure of the Soo Locks. Automotive parts manufacturers could then begin operations in mid-January, but the first cars are not likely to come off production lines until early April. 

The scenario closure would have catastrophic impacts on the regional and National economy. Economic modeling based on the assumptions described in the preceding section shows that approximately $1.1 trillion in economic output, as measured by the Gross Domestic Product (GDP), and over 10.9 million jobs would be lost in the first year following the disruption. The impacts described here are more severe than those predicted in prior studies because this analysis took a comprehensive view of the supply chain and its relationship to the National economy.

A 6-month closure of the Poe Lock, at the start of the navigation season, would be expected to halt all automobile production and the sales of cars manufactured in North America completely for almost 10 months, from about June 1 to April 1. That is, no automobiles would be produced in North America. By comparison, during the 2009 recession, two of the three major automotive companies required bailouts from the United States Government when annualized sales of new automobiles had dropped from the typical 16–18 million units to about 9 million units.

At the National level, the model predicts that the Poe Lock closure scenario would add 5.8 percentage points to the unemployment rate, currently at 5.5 percent. This would bring the National unemployment rate under the closure scenario to 11.3 percent. This would exceed the highest level of National unemployment recorded during the 2008-2009 recession, which peaked at 10.0 percent in October 2009. Under the Poe Lock closure scenario, exceptionally high rates of unemployment occur along the Great Lakes and south. Unemployment rates in Indiana and Michigan would reach or exceed 22 percent and all of the Great Lakes States, except for Minnesota and New York, have unemployment rates that would exceed 10 percent.

A recession brought about by an unexpected closure of the Poe Lock would be categorically different from historical recessions. Recessions are usually caused by falling aggregate demand, credit contractions, or oil supply shocks, for which government fiscal or monetary policy can mitigate the length or severity of the recession. A supply shock as contemplated herein may be unprecedented. The closest example may be recession following the 1973-1974 Arab Oil Embargo. In that case, however, oil was available in the United States, but not in sufficient supply to meet demand. The dust bowl in the 1930s resulted in a lack of arable land in the Midwest, which led to the largest population migration in the United States.138 In the Poe Lock closure scenario, there is no plan, policy, or remedy that could restart automobile production. Government policy would be generally limited to transfer payments to those individuals directly impacted by the event.

Moving iron ore from the mines to the mills is not a viable mitigation; as one industry executive put it, “it's not even in the realm of the possible; it's just not going to happen.” Even if the steel mills could accept iron ore from rail transportation, congested rail lines and the lack of equipment would make the use of rail impractical. For 160 years, the steel mills along the Great Lakes have received their iron ore via Lake Carrier; the mills are designed to receive iron ore by water and there is logistically no way to receive iron ore by rail. The Great Lakes steel mills are built with the iron ore inventory facing the water and the rail lines on the other side of the mills inland for truck or rail shipment of steel out.

There are not enough trucks, or drivers, in the Nation to move the iron ore from the mines to the mills. Each One Thousand Footer Lake Carrier carries approximately 70,000 tons of iron ore, which is equivalent to about 3,000 trucks. The mills use the 70,000 tons about every five days, which means that 600 trucks per day--1 truck every 2.4 minutes--would have to enter a steel mill, drop its load and leave. To bring trucks to 7 mills would mean that, for every point on the Interstate Highway System between Minnesota and Indiana, there would be a truck loaded with iron ore passing every 20 seconds on one side of the road and one truck returning empty on the other side of the road. The Interstate Highway System would have to be shut down to all traffic except for the iron ore trucks and no road maintenance could occur. Finally, OCIA-NISAC estimates that the cost of moving iron ore by truck is approximately four times the value of the iron ore itself and would likely be cost-prohibitive in addition to impractical.

In terms of an impact to the North American economy, it is hard to conceive of a single asset more consequential than the Poe Lock. As outlined in the report, 10.9 million jobs in the United States, and possibly upwards of 13 million jobs in North America, are likely dependent on the functioning of the Poe Lock. An unprecedented supply shock could affect North America if the closure scenario were to occur. The United States has historical knowledge of how to respond to shocks caused by financial crises, oil prices or availability, or falling aggregate demand. There is no similar guide for responding to a supply shock that incapacitates a large set of industries.

As documented in this report, the iron mining - integrated steel production - manufacturing, particularly automobile manufacturing, supply chain, is not only consequential, but potentially one of the least resilient supply chain in North America. The relationship between the steel mills and the auto assembly plants is complex. There is a different steel coil for just about every part of an automobile made with steel, and collectively, there are reportedly some 1500 different recipes of steel for the automotive industry. Without the steady stream of iron ore coming from Lake Superior through the Poe Lock, many or all of these 1500 different steel recipes cannot be made. The inability to make just one recipe could stop production of a particular automobile; the inability to make a couple of recipes could stop production for a particular automotive company; and the inability to make a few recipes could stop production of all North American automotive production."

Tuesday, March 1, 2016

Summary of Coast Guard Office of Port and Facility Compliance (CG-FAC) 2015 Annual Report

On March 1, 2016, the Coast Guard Office of Port and Facility Compliance (CG-FAC) issued the 2015 Annual Report.  It can be found at http://www.uscg.mil/hq/cg5/cg544/docs/CG-FAC%20Year%20In%20Review%202015_Final.pdf. The MTSA community, especially Facility Security Officers, should read the entire report. Important points are summarized below, using portions of the report.

FSOs should pay particular attention to 2015 MTSA Facility Enforcement Actions and What’s Coming in 2016.

Strategy for the Waterside Security of Especially Hazardous Cargo
On 1 September 2015, the Commandant of the Coast Guard signed the "Strategy for the Waterside Security of Especially Hazardous Cargo."  It seeks to manage the risk of an attack on the Maritime Transportation System (MTS) involving EHC by mitigating the Threat, Vulnerability, and Consequence elements of risk through the Awareness, Prevention, Protection, Response, and Recovery components of the security spectrum. Security governance to facilitate and improve communication between industry and government on incident response/recovery, as well as maritime transportation infrastructure security, will be incorporated through an Implementation Plan.  CG-FAC is working an initial action plan with a 5 year execution.

Technology
USCG is deploying IPads to inspection corps who requested to be part of the program. This dramatically reduces large quantities of references and materials that inspectors need to carry around. Other devices which FAC recommends purchasing, at the unit’s expense, are a Bluetooth keyboard, portable Bluetooth printer, and Apps. The USCG would appreciate any feedback and recommendation for use of the iPads provided to the CG- Portal site. https://cg.portal.uscg.mil/units/cgfac2/iPads/SitePages/Home.aspx.

Port Security Specialist Program
The USCG has conducted a performance planning front end analysis (FEA) to determine Port Security Specialist and Security Specialist (Port / Recovery) performance requirements. Ten recommendations were identified during the FEA. Recommendations from this analysis will help optimize limited training resources and improve Port Security Specialist and Security Specialist (Port / Recovery) performance. A 2015 ALCOAST was issued providing an update to the PSS Program, defining roles and responsibilities of the PSS, and highlighting accomplishments.

Cybersecurity Assessment and Risk Management Approach (CARMA) Assessment in Philadelphia
During the week of June 8th, DHS Office of Sector Engagement Critical Infrastructure Resilience, in conjunction with the Coast Guard, led a cyber risk assessment in the Port of Philadelphia. Agencies involved were DHS, National Institute of Standards and Technology (NIST), Federal Energy Regulatory Commission (FERC), Customs and Border Protection (CBP), Transportation Security Administration (TSA), USCG Sector Del Bay, LANTAREA, CG-FAC, CG-CVC.

Coast Guard LNG Workgroup
Both Harvey-Gulf and TOTE have delivered vessels with LNG fueled engines, and the LNG workgroup worked closely with field units to interpret regulations and develop implementation strategies for these new facilities. CG-FAC chairs the LNG Workgroup, and during 2015 the work group facilitated the development and release of OES Policy letters 01-15 and 02-15 to, among other things, address gaps in 33 CFR 127 for LNG facilities that will bunker LNG. The report gives a link for USCG units to access the LNG Workgroup site in CG Portal (USCG restricted).

Alternative Security Program (ASP)
There are close to 200 facilities operating under ASPs and thousands of vessels, more than are using vessel-specific security plans. Since cyber-security is a topic of growing interest to the entire maritime industry the Coast Guard is exploring options for how to best incorporate cyber risks into security plans required by the Maritime Transportation Security Act. During the past year, two ASP Sponsoring Organization’s Workshops were held in Washington, DC. These workshops are a great forum for information sharing and discussions of best practices for both facilities and vessels. The workshop, held on November 18, 2015, provided an opportunity for in-depth discussions on cyber risks. Many industry groups are developing cyber security best practices and the Alternative Security Program potentially provides an ideal way of addressing cyber risks.

Cyber Risk Management
On 15 January 2015, CG-FAC held a public meeting to solicit input on a policy development project to address cyber security risks in the marine transportation system. In June 2015, the Commandant announced the promulgation of the Coast Guard’s first Cyber Strategy. This Strategy presents a ten-year vision for Coast Guard operations in cyberspace, and lays out our Service’s highest strategic objectives in this rap- idly evolving operational domain.

With the signing of the Cyber Strategy, CG-FAC became the lead office for implementing the Protect Infrastructure portion of the Strategy. The newly formed Protect Infrastructure Cyber Strategy Implementation Team (CSIT) had representatives from nearly every office within CG-5P and also representatives from other offices including CG-2, CG-6, and CG- 5R. Other offices outside of HQ have also pitched in, including National Maritime Center (NMC), Areas and Districts. The CSIT recently submitted an implementation plan and continues to work to complete identified initiatives. CG-FAC members were active in supporting Coast Guard wide research and development related to cyber risks in the marine transportation system.

Cyber Lexicon
CG-FAC, working within the Transportation System Sec- tor Cyber Security Working Group, assisted in developing a Common Cyber Language for the Transportation Sector. The language can be used to assist sub-sectors such as airlines or rail within the Transportation Sector have a common language when discussing cyber issues. The trail to this file in Homeport is Missions>Cybersecurity>Cyber Information> Transportation Sector Common Cyber Language.

Cybersecurity Assessment and Risk Management Approach (CARMA)
CARMA is a DHS developed tool that attempts to identify cyber risks within the port. It is a stakeholder-vetted list of the Port’s cyber infrastructure, as defined by its critical functions, supporting value chains, and specific types of cyber systems. What is important is that it utilizes local stakeholders to derive a port-level understanding of shared vulnerabilities and with it a prioritized list of strategies for managing the identified risks. This allows individual owners and operators to prioritize budget and resource allocations according to common risks. It also uses the identified cybersecurity risks to help build valid scenarios that could be leveraged for sector or national-level cyber exercises. Information on CARMA is accessed via email at ncsd_cipcs@hq.dhs.gov.

Cyber Risk Awareness and Policy Development
In 2015, the Coast Guard worked with the National Maritime Security Advisory Council, the National Offshore Safety Advisory Council, and many individual industry associations to share cyber information.

In June, the U.S. Coast Guard submitted a paper and introduced cyber risk management as a topic at the International Maritime Organization. Transport Canada has been a particularly strong partner in cyber. CG-FAC sent out 12 cyber related notices in 2015. A new resource section was also added to Homeport that shares over 100 different links to cyber related sites from advisories to alerts, assessment tools, recovery resources, supporting documents, tools, and training and education.

2015 Facility Inspections Program Statistics
Total regulated facilities:
8,211
MTSA-regulated facilities:
3,476
Total facility inspections completed:
11,856
MTSA facility inspections completed:
5,937
Total container inspections completed:
18,053
Total transfer monitors conducted:
456
Total operational controls (COTP Orders)
34
Security COTP Orders
16
Safety/Environmental Protection COTP Orders
19



2015 MTSA Security Compliance by District
District
FSPs*
MTSA Inspections
Deficiencies
1st
298
949
164
5th
166
451
129
7th
310
928
241
8th
905
1902
570
9th
304
691
120
11th
135
326
120
13th
139
257
106
14th
77
214
142
17th
98
219
27
Total
2432
5937
1619

Container Update
CG-FAC continuously seeks to improve the National Container Inspection Program (NCIP) guidance and streamline the process for both industry and the field. CG-FAC recently met with Hapag-Lloyd and the National Cargo Bureau to discuss industry and Coast Guard concerns and issues with the shipment of containers in an effort to identify ways to mitigate risks. Hapag-Lloyd has developed a system called “Watchdog”, that analyzes shipping documents searching for key words to assist in selecting containers for inspection. Watchdog has enabled Hapag-Lloyd to inspect 20% of all containers shipped by the company.

Mis-declared cargo and leakage are the most prominent issues ailing the shipment of containers and account for 86% of deficiencies according to the Cargo Incident Notification System website. According to the same website, over 70% of those deficiencies involve general cargo shipments, which point to the success of inspection programs focused on declared Hazardous Materials (HAZMAT).

Higher national compliance rates in declared HAZMAT shipments led to a shift for inspections rates of declared HAZMAT and general cargo container shipments. Previous guidance prioritized HAZMAT over general cargo shipments at a 90% to 10% inspection goal respectively. On average, of the total containers inspected nationally the Coast Guard has achieved roughly 60% to 40% HAZMAT to general cargo annually.

Transportation Worker Identification Credential (TWIC) Verifications
As part of the MTSA security program, Facility Inspectors conducted a combined 48,289 visual and electronic inspections of TWIC cards in 2015, and identified 970 instances of non-compliance with TWIC requirements.  CG-FAC is currently conducting market research for replacement readers; current hand-helds are reaching the end of their service life. There are currently a few USCG units conducting field testing for iPad based reader applications. 

USCG TWIC Implementation branch members worked directly with counterparts at TSA to discuss and address TWIC program improvements and issues. TSA has recently begun implementation of a civil enforcement program for individual TWIC holders violating regulatory requirements. Many Transportation Security Inspectors – Surface (TSI-S) personnel have reached out to Districts and Sectors to coordinate implementation of this inspection program.

2015 MTSA Facility Enforcement Actions
In 2015, the Coast Guard completed 4,717 security-related MTSA annual and spot check ex- aminations and recorded 131 enforcement activities against MTSA-regulated facility owners or operators for noncompliance with MTSA regulations.  The 131 enforcement activities executed in 2015 took place at 115 MTSA-regulated facilities and included official letters of warning or administrative civil penalties.


Citation


Citation Title
Enforcement Activities Executed
33 CFR 101.305
Reporting, Breach of Security
3
33 CFR 105.125
Noncompliance
3
33 CFR 105.140
Alternative Security Program
1
33 CFR 105.200
Owner or operator requirements
27
33 CFR 105.205
Facility Security Officer requirements
7
33 CFR 105.210
Facility personnel with security duties
13
33 CFR 105.220
Drill and exercise requirements
15
33 CFR 105.225
Facility recordkeeping requirements
4
33 CFR 105.255
Security measures for access control
29
33 CFR 105.260
Security measures for restricted areas
8
33 CFR 105.275
Security measures for monitoring
3
33 CFR 105.290
Additional cruise ship terminal requirements
2
33 CFR 105.305
Requirements for facility security assessments
1
33 CFR 105.400
Facility Security Plans
5
33 CFR 105.410
Facility Security Plans – Submission and approval
7
33 CFR 105.415
Facility Security Plans – Amendment and audit
3
Total
131

As noted on the previous page, as in 2014, almost 50% of Coast Guard enforcement actions at regulated facilities were for 33CFR105.200 and 105.255 violations.

Rulemakings
Seafarer’s Access to Maritime Facilities - On July 27, 2015, the public comment period for the Seafarer’s Access to Maritime Facilities Notice of Proposed Rulemaking (NPRM) officially closed. The 162 comments have been adjudicated and the Final Rule is being developed. This proposed rule would implement section 811 of the Coast Guard Authorization Act of 2010, and requires each owner or operator of a facility regulated by the Coast Guard to implement a system that provides seafarers and other individuals with access between vessels moored at the facility and the facility gate, in a timely manner and at no cost to the seafarer or other individual.

Consolidated Cruise Ship Security - On June 1, 2015, the public comment period for the Consolidated Cruise Ship Security Notice of Proposed Rulemaking (NPRM) officially closed. The 115 comments have been adjudicated and the Final Rule is being developed. The Coast Guard proposes to amend its regulations on cruise ship terminal security and the proposed regulations would provide detailed, flexible requirements for the screening of all baggage, personal items, and persons—including passengers, crew, and visitors—intended for carriage on a cruise ship. The proposed regulations would standardize security of cruise ship terminals and eliminate redundancies in the regulations that govern the security of cruise ship terminals.

Training
This year, CG-FAC traveled to each District to meet with a number of Facility Inspectors and Port Security Specialists during the FAC road show. Program staff covered certain topics specific to the Unit, District, or Area’s request.  Hot topics were LNG as Fuel, TWIC, MTSAII, and Cyber.

Area Maritime Security Committees
In April 2015, the Delaware Bay Area Maritime Security Committee was recognized as the 2014 Area Maritime Security Committee of the Year. This AMSC has developed a Regional Business Continuity Planning Template which was developed by taking an all hazards approach to include commercial risks. The template document serves as a readily implementable tool for use by Port Stakeholders in developing their own Business Continuity Plans. Widespread use of this template will lead to facilities better suited  to maintain critical business functions throughout our port and the nation, leading to a more  secure, resilient port and the ability to continue to contribute to the regional economy through unforeseen circumstances.

Trending Issues in Port Safety, Security, and Resilience
MTSRU - In order to build system continuity and maintain effective levels of program readiness, CG-FAC Senior Leadership developed and incorporated a strategy with the office business plan to host a National MTSRU Workshop every two years, to review and update program policies, guidance and analyze lessons learned from real events to improve response effectiveness and enhance program visibility.

Cooperation with Transport Canada - increased cooperation in 2016.

What to Expect in 2016
Facility Security - A policy letter encouraging facilities to submit their FSP/VSP/ASP renewals to the Coast Guard 60 days prior to the expiration date will be signed and disseminated to the field in CY16. Also, the Breach of Security Instruction has been updated to include suspicious activity response. The instruction will be published mid- 2016 and will address network security in addition to physical security incidents. Finally, be on the lookout for NVIC 03-03, Change 3 as well as an Alternative Security Plan NVIC in CY16.

EHC Strategy - CG-FAC will be working with other offices to create an Implementation Working Group for the EHC Strategy. This working group will look to implement the four goals of the EHC Strategy including awareness, prevention, response, and recovery.

Cyber - CG-FAC is working on several policy updates concerning cyber risk management. In cooperation with NIST, CG-FAC is drafting a Cyber Framework Implementation Guide for bulk liquid facilities. This will help facility operators identify the components of the NIST Cybersecurity Framework most applicable to their operations. CG-FAC is also developing a NVIC that will provide cyber risk management guidance to facility and vessel operators. CG-FAC will continue to support the Areas on conducting Cyber Awareness Training for CG Units.

Exercise requirements: CG-FAC is working on policy to clarify the definition for annual, and other time periods, as it is used in the 33 CFR 154 for exercise requirements.

Pipeline testing: CG-FAC is updating current policy and incorporating that into a pipeline testing policy NVIC that will guidance on alternate testing methods.

HOMEPORT— CG FAC is working with other Coast Guard Headquarters Offices to complete a long overdue technical refresh of Homeport.  This update will improve reliability and cyber security for the system and provide a better user interface.

Regulatory Projects:
Consolidated Cruise Ship Security - The public comment period for this NPRM ended on June 1, 2015. The anticipated final rule publication date is in 2016.

Seafarer’s Access to Maritime Facilities - The public comment period for this NPRM ended July 27, 2015. The anticipated final rule publication date is in 2016.

Transportation Worker Identification Credential (TWIC) Reader Requirements - The Final Rule is in final agency clearance.