Monday, May 11, 2009

Video Escorts

There is an interesting article over on SecurityDirectorNews.com about how an MTSA covered facility has received Coast Guard approval to use their video surveillance system to fulfill the MTSA escort requirements for personnel without a current TWIC. According to the article the Port of Wilmington, DE “will use the its video system with analytic capability to track visitors and other non-TWIC individuals”. Video Surveillance and TWIC Apparently the Siemens Building Technologies SiteIQ system allows the video surveillance system to tag a person and track that person moving through the facility even as that person moves from the coverage area of one camera to another. Again, the article notes that this “ability to leverage video as a substitute for physical escorts will reduce manpower costs involved with TWIC compliance”. From what I have read, this sounds like it is pushing the capability of current video surveillance technologies. While movements can probably be tracked along common paths in good weather and visibility, I would be surprised to hear that it would be able to track someone that was attempting to evade surveillance. But, I am not a video surveillance expert, so I would like to hear from people that do have experience with systems like the Siemens SiteIQ. It would also be useful to know what the port operator had to do to convince the Captain of the Port that this system was the functional equivalent of personal escort of non-TWIC personnel. Was the Siemens’ description of the system capability adequate, or did the Coast Guard require a demonstration? Was a ‘red team’ exercise used to provide a performance evaluation of the equipment? If this system actually performs as the functional equivalent of personal escort of non-cleared personnel, it could be valuable in a number of high-risk chemical facilities. This would be especially true for small facilities with a relatively high number of transient personnel (truck drivers, contract maintenance or construction personnel). The burden of using personnel to escort these ‘visitors’ could provide a serious disruption of normal business activities on site. Video Surveillance and CFATS It will be interesting to see how DHS actually treats such a system in their Site Security Plan evaluation. I would expect that it would probably be accepted as part of the SSP submission in CSAT. Then it would be up to the facility to demonstrate to the DHS inspector that the system did actually perform as the functional equivalent of a live person escorting someone. To perform that function it would have to be demonstrated that it could track a person moving about the facility. There would have to be some capability to identify when a person approached an unauthorized area. It would have to alert security or site personnel in time to either stop the unauthorized person from entering a critical security area or stop them from taking some pre-determined action in that area. The DHS inspector will not have enough time on site to do a comprehensive evaluation of this effectiveness of this type system. That is not really the function of the inspector. I would expect that the inspector would want to see tapes (oops, I’m dating myself, I guess ‘videos’ would be more appropriate) of the system tracking personnel in a variety of lighting and weather conditions. Video Surveillance Records While we are looking at this type system it might also be a good time to think about the types of records facilities might be expected to maintain for this type of video surveillance equipment. The requirements for record keeping on this type system are covered under the Risk-Based Performance Standards {§27.230(10) – Monitoring} and under the separate recording keeping section of the CFATS regulations {§27.255(3) – Incidents and breaches of security and §27.255(4) – Maintenance, calibration, and testing of security equipment}. Sub-paragraph ii of the Monitoring RBPS section addresses measures “designed to regularly test security systems” and requires the facility to “record results so that they are available for inspection by the Department”. While not specifically spelled out, it seems reasonable to assume that the testing here is different than the maintenance testing required in §27.255(4). This would more likely be performance testing of the system to ensure that it remains capable of tracking personnel under a variety of conditions. Video records of the test as well as written reports on the conditions, deficiencies and corrective actions would be the type records a DHS inspector would expect to see. A comprehensive evaluation plan would periodically evaluate the system under a variety of weather and lighting conditions. A typical evaluation could be as simple as reviewing the actual video log for a specific site visitor to ensure that the person was not out-of-sight at any time that they were not being escorted. The records keeping requirements in §27.255 are not part of the RBPS, so these are specific requirements that must be met by all covered facilities. The maintenance records requirements under sub-paragraph 4 would include provisions for following the manufacturers recommended maintenance plan for the system and associated equipment. The records would include the “date and time, name and qualifications of the technician(s) doing the work, and the specific security equipment involved for each occurrence of maintenance, calibration, and testing”. Maintenance work done by contractors is included in this requirement. The incidents and security breach records required under §27.255(3) would include incidents and breaches involving the video surveillance system. Any time that the system lost track of a visitor or a visitor was detected near (without a clear pre-approved reason) or attempting to enter a restricted area defined in the Site Security Plan would be considered to be an incident. Actually entering a restricted area, or determining that an incident was the result of a deliberate attempt to enter a restricted area would be considered to be a security breach. The records for both incidents and breaches would include the date and time of “occurrence, location within the facility, a description of the incident or breach, the identity of the individual to whom it was reported, and a description of the response”. All of these records would be considered to be Chemical-terrorism Vulnerability Information (CVI) and would have to be appropriately marked and protected.

1 comment:

John Honovich said...

Hi Patrick,

It's great that you are calling attention to this. Let me share some concerns and questions I have about this approach.

1. It's very hard to set up video surveillance cameras to cover all areas of a facility. Lots of logistical barriers exist - some permanent, like trees, walls and storage areas and some temporary like trucks, containers, etc. The risk is high that significant gaps will exist in coverage. Designers may try to use PTZ (controllable cameras) but then someone needs to control them and they may still have issues with barriers preventing them from seeing areas.

2. If video analytics are used (such as Siemen's SiteIQ), there will certainly be issues where the system losses sight of an unescorted person. This could be because of inclement weather or more frequently, bright sunlight or darkness obscuring a person.

3. One of the key benefits of a human escort is that the human escort can instantly respond and intercept an unregistered visitor from causing damage or violating regulations. With video surveillance, an operator will have to dispatch a responder which costs critical amounts of time.

I assume organizations are looking at video as a way to cut costs in conforming to this regulation. However, saturating facilities with video surveillance and optimizing video analytics may be very expensive and still provide far less performance than human escorts.

While I need more details to speak definitively, I think the risk of such an approach is high and should be approached with caution.

Best,

John

 
/* Use this with templates/template-twocol.html */