TWIC update: Initiative prepares for pilot projects

May 4, 2009 -- The Transportation Worker Identification Credential (TWIC) program hit a milestone last month on April 15th as ports across the nation required workers to present a TWIC card before gaining unescorted access. The process wasn't perfectly smooth. Some port workers did not receive their cards in time, and still others had not yet applied for their cards. With an extension for many ports until May 13th for full worker compliance, the program, however, is off to at least some sort of a start in terms of enforcement.

But having cards out in the hands of port workers wasn't the full goal of the TWIC program. It also seeks to use functions like biometrics, digitally encrypted certificates, background checks, PIN readers and more to create a highly effective program to ensure security at U.S. ports by verifying and authenticating workers. caught up with one of our regular sources on topics of the TWIC program, Rob Zivney, to discuss the technological status of this program. Zivney is a member of the Security Industry Association and vice president of marketing at Hirsch Electronics, one of the companies seeking to provide technology solutions to TWIC. In his capacity with both SIA and Hirsch, Zivney has served as an industry liaison with government on the TWIC initiative via groups like the NMSAC (National Maritime Security Advisory Committee), the body which developed the industry recommendation for a reader specification.

The first thing that Zivney points out is that, initially, this high-tech card currently is going to be used as a visual "flash pass". In the flash pass usage, the TWIC card is being presented to a guard as a simple ID badge, and not generally being read electronically to take advantage of the technology features in the card. There are, of course, some implementations of handheld TWIC card readers in the field by the U.S. Coast Guard -- which allows the card to be used as more than a flash pass -- but the reading of the cards by a PACS (physical access control system) reader is not yet a standard practice.

"TWIC can claim some success from this deadline," said Zivney. "The U.S. Coast Guard is doing the primary enforcement -- rather than the ports themselves -- until this interim period is done. One of the real advantages of the TWIC program has already been realized and that is the vetting process."

"No one will receive a TWIC without successfully passing the background checks and vetting process. Further, the TSA hot list is updated daily to ensure that the subscribers are able to keep their local handheld readers and PACS databases current so only valid TWICs are able to be granted access."

One of the challenges in getting the cards issued and used to their full capacity, said Zivney, is that there are so many different stakeholders in the process.

"It's based on FIPS 201 standards to a great extent, but in TWIC we have the TSA issuing the cards and we have the Coast Guard doing the actual enforcement. We have port operators who will be using cards with the card readers, and then you have longshoremen and port workers and truckers who have to buy the cards. They couldn't really force everybody to do this, as was done with the federal FIPS 201 PIV cards."

The use of biometrics to individually verify and authenticate card holders has been one of the hallmarks of the TWIC initiative, said Zivney, but it's also been one of the biggest hurdles the program has encountered. In fact, the application of biometrics, is one of the main reasons for the pilot project phase of the TWIC initiative.

"They wanted to go with biometrics, but biometrics has not been historically very effective outdoors."

Innovative enclosures can help ports get around the problem of reading biometrics in a difficult outdoor environment, but the program also has had to face the issue of managing the biometric templates and ensuring privacy. The issue of biometrics also is tied up in the concerns about throughput -- i.e., not slowing down commercial operations at the ports. As Zivney explains it, the solution for using biometrics isn't particularly simple.

"The FIPS 201 PIV requirements recognize that biometrics are privacy items and protect the release of any biometric template to a reader for comparison by requiring entry of a PIN. The FIPS 201 approach further restricted the transmission of the template from the card to the reader to a contact reader to avoid risk or concerns about sniffing. However, the NMSAC committee that developed the reader spec heard the insistence of the port operators and other interested bodies that a PIN not be required and that a contactless reader was necessary in lieu of a contact reader."

"The pilot projects are heavily focused on the fact that they need to get trucks through the port access points quickly," continued Zivney. "If a trucker forgets his PIN [which is needed to access the individual's biometrics], they can't just back up because there is a line of trucks behind them.

"But because of the environmental conditions and concern of foreign objects, they also didn't want a slot for a contact reader on the TWIC reader stations. So the idea was that the second set of fingerprint templates would be encrypted and stored in a second 'container' on the card. These encrypted templates could be transmitted securely over a contactless interface without the requirement of an unblocking PIN. But then they had to consider how to decrypt these templates for comparison to an unencrypted template produced by a live fingerprint read. Since the original charter was for a standalone reader without a PACS, the spec provided for encoding the decryption key onto the TWIC's magnetic stripe to be read by a mag stripe reader attached to the TWIC reader. The swipe of the TWIC through the mag stripe reader would transfer the de-encryption key to decrypt the biometric template once it was transferred to the reader."

"Fortunately the final spec acknowledged the existence of a PACS and also placed the TPK (TWIC Privacy Key) in the smart chip to be available on the contact interface accessible by a PIN. The process of registering a TWIC with a PACS to verify the card and assign authorization privileges at a given port, can be done in an office and not when the truck is at the gate, explained Zivney. "The TPK is a good thing in that it allows the TWIC to be presented to a contactless reader -- after registering to a PACS -- and does not require use of a PIN except at registration. But it does require registration to a PACS at each port, so there is this extra step before all is smooth for use with electronic readers. Testing out this technology and the operational issues is what the pilot is all about. Changes will no doubt be made based on lessons learned."

But because entering a PIN is the primary method to get to the privacy information like a photo or biometrics for most applications, that also presents operational challenges for the officers doing TWIC card enforcement with a handheld reader. The photo in the card stored on the smart chip is much more reliable than the photo printed on the card due to the availability today of sophisticated machines and apparatuses to print counterfeit cards.

"When the Coast Guard is doing their spot checks at the ports, the only way they can get your digitized and encoded photo is to have you enter your PIN. But if you can't remember your PIN, how do they get to your biometric photo to verify you are who you say you are? You can see the security challenge there."

With so many different technologies in place and used in an outdoor environment -- from tropical to arctic, from dry to rainy, from clean to salty or even polluted conditions -- these are going to be "the biggest and most hardened readers in the world."

But Zivney says that even with the latest technology and best equipment in use, the pilot projects (which will be occurring at select ports, including the Port of Long Beach, Calif.) have to determine the effects on throughput.

"With the extra encryption, there is a concern about how long it takes. They want the pass-through to be no more than 8 seconds - from the time truck pulls up and starts the process until the gate starts to open."

In the process, the TWIC pilot projects are expected to uncover all manners of operational challenges before a final rule is issued to all ports.

One of the problems is that TWIC is designed for a single worker. That presents a problem when you have interactions with long-haul truck drivers picking up loads from U.S. ports. It's not uncommon for many of these drivers to use trucks with sleeping cabins and to have spouses and children with them. The rule for use of the TWIC card is to allow unescorted access for the card holder, and that means port operators may have to develop waiting areas for family members not allowed in due to port security restrictions.

There have also been issues of parking - like where to park trucks towing 50-foot trailers while the drivers enter a port office to sign up for TWIC. Some ports have had to consider off-site parking areas for such vehicles, adding another challenge to simplifying the process.

"They are so space constrained at many of our large ports that they don't have a place for truckers to park while they go in to register their TWIC with a PACS," said Zivney. "There are over 20 operators at that Port of Long Beach and seven operators at the Port of Los Angeles. They need to look at a shared enrollment site. Right now the operators are all prepared do that separately on their individual PACS. There wasn't money in the grant programs for the TWIC reader pilot for shared PACS registration facilities."

Getting ready for the pilot projects has also been a challenge, and that comes down to money again. One aspect of the pilot project is the testing of different reader solutions from different reader manufacturers.

"We're one of the companies that have bid on it, and we're already installed at some of the operators, and we'd like to be involved with the pilots. They haven't released the grant funds yet, and it doesn't look like vendors of readers would get a contract before August."

"One of the things the port operators have said is that they have to test it during the peak shipping period of August to October. It's unlikely that there will be sufficient pilots installed for larger ports in that timeframe, and if you don't hit that window, it could be until the end of 2010 before the pilot is done since you have to test this during the peak period."

As much as the timeline may present a challenge for the pilot projects, simply creating readers has been tough, too. The readers are typically called Initial Capability Evaluation (ICE) readers, a stamp that indicates the reader has been approved for evaluation during the pilot process. Becoming ICE approved, however, is no guarantee of final approval or even extensive evaluation or testing.

"Not a lot of companies have submitted readers. The readers have been a moving target. It's hard for many manufacturers to spend the time and money to build a custom reader for the pilot when it's highly possible that the final spec will be different."

The complexity of designing these TWIC readers has also extended into the issue of compatibility with physical access control systems (PACS). The initial thought was that the TWIC readers would stand separate from the PACS, but requirements like whitelists and blacklists of certain persons requires connections to PACS for a practical implementation.

Now the Coast Guard and TSA are also looking at issues of MARSEC (maritime security) threat levels. The government is studying how different MARSEC levels might affect different TWIC implementations, whereas a heightened MARSEC level might require extra validation, authentication factors, and enforcement.

In addition to the TWIC reader pilot, DHS and the Coast Guard recently published an Advance Notice of Proposed Rule Making (ANPRM) on March 27, 2009, which provides guidance on how to approach different modes of TWIC authentication factor implementations.

"The ANPRM is shopping around some information," explained Zivney. "They are establishing a risk management criteria. They are realizing that every situation is not a worst-case scenario. The idea is to match the right reader technology and authentication factors to the risk assessment of the facility. That is just good business."

No one ever said this was going to be easy, but it's too early to be negative about the program.

"Unfortunately, it's not going any faster," said Zivney, "but what they're doing with TWIC is very important work. It's going to be watched by the world and also by U.S. airports. We are now moving into the reader test phase. This is all about making new technology work for both security and commerce, so the pilot is absolutely necessary to get it right."

Links with Related Information on May 2009 standing for TWIC program initiative: