At IFSEC today in Birmingham, England, I caught up with two of Hirsch's leaders, Rob Zivney, worldwide director of marketing, and Lars Suneborn, who directs the company's government programs. Despite the fact that we were in a country where chips are fries and bangers are sausages, we turned our conversation to the issue of the United States TWIC (Transportation Worker Identification Credential) program that's currently being rolled out at many U.S. seaports. In summary, this is a credential (actually a smart card) for all port workers, from the shipping firms, to the dock workers and longshoremen, and even the trucking/delivery drivers. It is an initiative being pushed by the U.S. Department of Homeland Security/Transportation Security Administration, and ties in biometrics in addition to the personnel identifying information commonly found on ID cards.
Suneborn and Zivney were able to provide me an honest update on TWIC from the perspective of an access control system and reader firm. We discussed some of the challenges that this ambitious identity and access control project is facing, and it looks like TWIC has some big hurdles ahead.
For starters, they noted that there can be issues of usability, starting with the fact that it's very hard to pin down exactly how many people need this credential. Additional challenges can include shifting route assignments for port truck deliveries, temporary placement of on-site workers, numerous operating companies working in a single port environment, and the challenge of running background checks on a worker population that has never been subjected to such requirements before. Technology usability has also been a challenge. The rough, industrial-type environment is tough on fingerprint biometrics and even tough on the hardened readers themselves.
Additionally, because ports have strong Coast Guard presences, the technology, mainly the readers and access systems, would need to support the Common Access Card (CAC), of which there are different versions. Because TWIC standards also allow for card technology options (like signed and unsigned biometrics, for one) and encryption (some six different encryption algorithm options), card readers would need to support a variety of TWIC card implementations as well. With the new initiative for the FRAC (First Responder Access Card) to be used by fire responders, card readers at port entrances may need to support that standard too.
Zivney says the challenge with TWIC standards is that they are formulated such that "the readers have to do the heavy lifting," as opposed to the Physical Access Control (PAC) system. And with requirements like AES encryption, vendors such as Hirsch will have to not only design very specific readers to unique specifications, but also get their card readers NIST certified, a process as challenging and expensive as earning UL approval.
Now, says Zivney, the government technology directors are asking "Where are the readers?", asking why such reader technology is not yet available to support the TWIC project. But as an unfunded mandate, says Zivney, "We're also asking, 'Where are the funds?' TWIC has the most advanced standards for readers compared to anything that's been required before."
Until the readers are in place, the many TWIC cards which have been issued will serve solely as "flash passes". Reader pilot projects have already started, but final reader requirements have not yet been published, though companies like Hirsch are optimistic that they can have TWIC-compliant readers in the works this year.
Zivney said that most of the focus has been on the card, driven by the implementation of PKI (which is a requirement of the card-reader communications), but he notes that other security standards common to PAC systems can't be lost in the mix. "We see a PKI as a welcome addition to, not as a replacement for, current security standards."