March/April 2006 issue

Shipping security —all at sea?

Matthew Stibbe

The data load that has accompanied the globalization of trade would make even Atlas stagger. And that’s without the added burden of counter-terrorism.

Over four-fifths of the world’s manufactured goods moves around the globe in cargo containers. The world shipping fleet is a global conveyor belt that carries goods worth $2 trillion a year. Each 20 or 40 foot container, 8 feet wide, 8.6 feet tall, can carry up to twenty tons of goods: enough for 500 computer monitors, 3,600 suits on rails or 20,000 toy dolls. In 2004, world trade demanded the equivalent of 98 million 20-foot containers. Today it is nearer 200 million.
The 20-ton packet

In many ways, the international traffic of cargo containers by ship, road and rail is similar to the way data packets move across the internet. In his 1999 Wired article “The 20-Ton Packet” Stewart Taggart described ocean shipping as “the biggest real-time datastreaming network in the world.”

Each container is effectively a self-contained warehouse and packing crate. Keeping track of them, and the goods inside them, is a monumental challenge in itself. However, there is a physical security challenge, especially in the wake of 9/11. Besides its physical identity, each container and its contents has a data identity. Each must be booked, scheduled, tracked, logged, inspected and paid for. On top of this, there are also huge commercial pressures. The latest container ships can carry as many as 8,000 containers, so any delays in the logistics pipeline can be very expensive. Put simply, while a ship is in port it’s not earning.

Fear of terrorism
Governments fear that containers could be used to smuggle weapons of mass destruction, or even terrorists themselves into vulnerable places like harbours and airports. The US now insists that ships have detailed security plans and provide notice of their arrival 96 hours before they dock at a US port. The US also wants ports around the world to step up security or be blacklisted.

When it comes to the containers, the US requires cargo manifests 24 hours before a ship is loaded at a foreign port. Commercial pressures and these additional security demands have precipitated an overhaul in business processes that is still ongoing.

Smart containers
Management consultancy Accenture is working on an answer to the WMD problem: the smart container. Currently, it takes five people three hours to thoroughly inspect a single loaded container. Often the one they want to look at is underneath dozens of others in a stack at a port or onboard ship. This is why only 3% to 6% of containers are actually inspected in any given year. Fitting every container with, say, Geiger counters would be prohibitively expensive; there are millions of containers and after seven years at sea they are only worth about, 1,000 each.
Accenture proposes wiring up just a handful of containers, but networking them to form a sensor grid in ports and on ships. This would allow them to triangulate a container of interest. Accenture’s model suggests that fitting sensors to one in 20 containers would give security authorities an 80% chance of detecting offending containers. This is a considerable improvement in odds compared to the current inspection regime. Accenture doesn’t claim to have cracked the problem of container security, but its work points the way to improvements and may find commercial applications such as detecting tampering, spoilage or leakage.

While modern ships are highly computerized with minimal crews and clever autopilots, according to Mythicsoft founder David Vest there are still many ships that remain virtually untouched by the digital era. His company has designed software, called RemoteCommand, that allows managers to access on-board computers via email. This means that it works even with antique machines, intermittent connectivity and a crew that doesn’t speak English. A manager can send a series of instructions and queries at 4pm in London for a ship that won’t dock (or connect) until 3am the following morning in Cairo. It’s hardly real-time tracking, but it reflects the realities of onboard IT.

Container tracking
Being able to track the precise location of a container as it passes through a port and onto a ship is important. Each one has a unique ID number, but as these have to be entered and tracked manually it is easy to make mistakes. As many as 20% of container IDs aren’t entered correctly, which can mean losing track of containers and a time-consuming manual search to find the missing item.

The need to address this drives the current spate of RFID trials around the world. Some port authorities are testing optical character recognition systems installed on cranes to keep track of ID numbers. They promise easy tracking and close integration with company databases.

However, David Warrilow, managing director of Audax, a software and consultancy company that specializes in global logistics, is sceptical. “The technology works, especially in the courier world, but it’s yet to be proved in the Heathrow scenario with 40 containers arriving each night, each with thousands of individual pieces inside.” It will be a challenge to overcome the technological constraints economically, he reckons.

My word is my bond
Peter Bauer is CEO of Mimecast, but before he set up the email management firm he was involved in a South African business that helped shipping companies move from legacy mainframe-based systems into the dotcom era.
He identifies the paper trail behind the movement of goods as a potential vulnerability. For example, someone might be looking to buy a few hundred tons of copper and they’re based in Spain. Their decision about where to source the copper hinges as much on the cost of the logistics as on the cost of the copper. As the emails fly back and forth a degree of accountability is required. If someone gets something wrong or an email fails to reach the intended recipient, the results can be expensive.

He cites a legal case at the end of 2005 between two shipping organizations where an offer to remedy a dispute had been caught up in a company’s spam filtering system. It then cost around £50,000 when they failed to turn up for an arbitration hearing. In the subsequent trial the judge found that proper notice had been served, and the fact that it hadn’t been received was the fault of the recipient, not the sender.
With freight forwarders and agents in distant ports using only very basic IT, the shipping business relies on email to an unusual extent. “They’re not sophisticated IT users,” says Bauer. This frustrates the efforts of companies to digitize the document flow.

Bolero is one of the companies that are trying to provide an electronic document exchange that will allow the industry to move from paper-based bills of lading to digital ones. By linking in banks, customs and port authorities, they hope to accelerate the movement of documents and hence of goods.

Bills of lading are critical documents. They give you title to the goods that are in the shipment and they are often held as collateral until, for example, a transport provider gets paid for delivering the goods to the docks. However, for a digital system to be effective it must be ubiquitous.

David Warrilow says that this is “what keeps shipping in the Dark Ages. You’ve got to get round those issues, then you’ve got to get the whole shipping world to change their views.” He suggests that keeping the paperwork on paper keeps a lot of people in jobs—a powerful motive for inertia.

The security of the Bolero system is said to be very robust. The messaging hub guarantees delivery and originality of all messages as well as trustworthy acknowledgment and notification of document delivery (unlike traditional email). The system is based on a public key infrastructure; all messages are signed digitally and can be encrypted.

Supply chain
According to Warrilow, when the US introduced the Automated Manifest System after 9/11, it found that there are often discrepancies between what was on the manifest and what was actually in the box. They wanted advanced notification of what was being sent, they wanted accurate descriptions and they wanted a precise piece count.

The problem is to track the physical freight and keep it connected with the documentation that supposedly describes it. The documents should be accurate and should be attached. In reality, freight and documents move separately.

Airports 3, ports 1
“There’s a lot of ink being spilled about airport security,” says Andrew Fan, a research director at Accenture, “but little about container security.” RFID and embedded sensors promise increased security and accountability, but they are not yet in place.

One source interviewed for this article said that they found one of their client’s extranets completely unsecured. Private documents, including invoices, were accessible to anyone with an internet connection. In part this is because of wide differences in IT sophistication in what is literally a global business, and in part it is because, in general, people are focused on physical security of the goods being moved rather than information about them.

IT security is very strong in some areas, notably in electronic document interchange systems like Bolero, but strikingly absent elsewhere. David Warrilow sums up: “Do people worry about IT security? Nowhere near enough.” •

About the author
Matthew Stibbe is a freelance business and technology journalist, and writes for Director and wired, among others. He is at matthew@stibbe.net, www.stibbe.net.

Back to features index