A proven method for identifying security gaps in international postal and transportation critical infrastructure

The safety, security, and resilience of international postal, shipping, and transportation critical infrastructure are vital to the global supply chain that enables worldwide commerce and communications. But security on an international scale continues to fail in the face of new threats, such as the discovery by Panamanian authorities of suspected components of a surface-to-air missile system aboard a North Korean-flagged ship in July 2013 [1]. This reality calls for new and innovative approaches to critical infrastructure security. Owners and operators of critical postal, shipping, and transportation operations need new methods to identify, assess, and mitigate security risks and gaps in the most effective manner possible.



Introduction
In October 2010, two packages from Yemen containing explosives were discovered on U.S.-bound cargo planes of two of the largest worldwide shipping companies, UPS and FedEx [CNN 2010, Perez 2010]. The visibility of this incident brought regulatory attention to a long-standing problem. The Wall Street Journal reported, "International cargo shipments have for years been seen as a weak link in anti-terror efforts. Lawmakers have stressed the importance of bolstering cargo screening for explosives, but much emphasis has focused on material loaded into passenger rather than cargo planes" [Perez 2010]. In early 2012, the Universal Postal Union (UPU) and several stakeholder organizations developed two security standards to improve security in the transport of international mail and to improve the security of critical postal facilities.
Developers of the standards recognized a need for some means to enable implementation of the new standards and measure compliance with them. The U.S. Postal Inspection Service (USPIS), the UPU, and the CERT® Division at Carnegie Mellon University's Software Engineering Institute (SEI) collaborated to develop a physical security assessment method and an associated field instrument based on the UPU standards.¹ The method can be used to identify gaps in the security of international mail processing centers and similar shipping and transportation processing facilities.
In this report, we present the development approach, field experiences, benefits, and potential applications of the method for other types of critical transportation services.
¹ CERT® is a registered mark of Carnegie Mellon University.

Background
The UPU, headquartered in Berne, Switzerland, is a unit of the United Nations that regulates the postal services of 192 member countries. These postal services form the largest physical distribution network in the world. The Foreword to the Postal Security Standards states, "More than 5 million postal employees working in over 660,000 post offices all over the world handle an annual total of 434 billion letter-post items in the domestic service and 5.5 billion in the international service. More than 6 billion parcels are sent by post annually" [UPU 2013a].
The Postal Security Group (PSG) of the UPU develops global and regional security strategies to assist postal operators in their common security missions. As the UPU describes its role, "Through training initiatives, consulting missions, and prevention programs, the PSG strives to protect the employees and assets of the postal operators along with safeguarding the mails from fraud, theft and misuse" [UPU 2013a]. PSG members are security experts from a number of UPU member countries.

USPIS Involvement
For the past 17 years, the chief postal inspector of the USPIS has chaired the PSG, and USPIS inspectors participated in the development of S58 and S59. The USPIS is the law enforcement arm of the U.S. Postal Service (USPS). It is the longest standing federal law enforcement agency in the United States, dating back to 1772. The United States is the only country to have a separate and distinct postal inspection service. The USPIS website describes its mission and responsibilities:
The mission of the U.S. Postal Inspection Service is to support and protect the U.S. Postal Service and its employees, infrastructure, and customers; enforce the laws that defend the nation's mail system from illegal or dangerous use; and ensure public trust in the mail. Through its security and enforcement functions, the Postal Inspection Service provides assurance to American businesses for the safe exchange of funds and securities through the U.S. Mail; to postal customers of the "sanctity of the seal" in transmitting correspondence and messages; and to postal employees of a safe work environment. [USPIS 2013]
As a member of the PSG, USPIS Inspector in Charge Gregory Crabb saw the need for a simple, lightweight assessment method for determining the capabilities of postal organizations against the new standards. In a presentation to the UPU in February 2012, Crabb proposed several objectives that could be achieved through this effort [Gregory Crabb, unpublished data]:
• improve security practices (as participating organizations made whatever adjustments the assessments revealed as necessary to meet the standards)
• demonstrate assessed organizations' capabilities to regulators (the European Commission, the International Air Transport Association, the International Civil Aviation Organization, the World Customs Organization, and internal and external governance bodies)
• assess security suppliers
• have the PSG serve as the independent validator for the European Commission

Collaboration with the CERT Division
Since 2011, the USPIS has collaborated with the SEI's CERT Division to improve the resilience of selected USPS products and services. This collaboration has included projects dealing with incident response, export screening, authentication services, physical security and aviation screening for international mail, Express Mail revenue assurance, and development of mail-specific resilience management practices for mail induction, transportation, delivery, and revenue assurance.
The CERT Division is the largest technical program at the SEI, a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. CERT staff conduct research and development in internet security, secure systems, operational resilience, and coordinated response to security incidents.
Much of the USPIS work with the CERT Division related to the CERT Resilience Management Model (CERT-RMM), a capability-focused maturity model for improving an organization's management of operational resilience activities across the domains of security management, business continuity management, and aspects of information technology operations management. Crabb asked the CERT Division to develop an assessment method for the UPU standards based on the CERT-RMM assessment method and process, along with a companion field instrument with automated features.
These were the design criteria for the method and the instrument:
• repeatable: The method can be used consistently by different independent teams in the same situation to acquire the same results.
• cost effective and scalable: The method is economical and functional for all locations, regardless of size or capability.
• accurate: The method is evidence-based and derived from international standards so that results can be relied on by the international community (e.g., UPU, International Civil Aviation Organization, International Air Transport Association, Transportation Security Administration, and World Customs Organization).
• meaningful: The method generates results that can easily be acted on by owners and operators of the assessed processing facilities.
• transparent: The method is publicly available and can be used for self-assessment.
The method was designed to allow assessed postal organizations to gain insight into their capabilities by identifying the strengths and weaknesses of their current security practices. Assessment results could also identify risks and inform the prioritization of security improvements.
USPIS and CERT staff held several work sessions in January and February 2012 to develop the first version of the method and instrument for piloting in February. The S58 and S59 postal security standards served as the requirements for the method and were annotated to facilitate the formulation of assessment questions. The team continued to develop and improve the method based on pilot assessments in three locations worldwide. The method and field instrument were released for public use in September 2012, and a number of additional locations have applied them since then. Updates to the method require UPU approval.
As depicted in Figure 1, the method defines three phases for conducting the assessment:
• Preparation: Analyze requirements, develop an assessment plan, select and prepare the assessment team, send and receive the pre-assessment questionnaire, obtain and inventory objective evidence, and prepare for the conduct of the assessment (initial site visit and logistics).
• On-site: Prepare participants, conduct interviews, examine objective evidence, document objective evidence, verify objective evidence, perform characterizations and ratings, formulate and validate preliminary findings, generate the final results of the assessment, and identify improvements to the method and the standards.
• Reporting: Deliver assessment results to sponsors and key stakeholders, and preserve and archive assessment results.
The assessment method contains a series of questions based on the requirements in the S58 and S59 standards (refer to Table 1 for examples) [UPU 2013c]. The method also defines the evidence requirements for each section of the standards. The team conducting the assessment must see documented artifacts or receive oral and written statements and affirmations confirming or supporting implementation (or lack of implementation) of a practice. If there are specific weaknesses in implementation, team members record them on their assessment worksheets. For example, a weakness in implementation of S58 Section 5.1.1, Risk Assessment and Facility Security Plans, might be that the facility's security plan covers general lighting requirements but not interior emergency lighting.
Table 1 (example assessment question): After security controls have been applied, how is mail accounted for and protected from unauthorized interference prior to loading on an aircraft or secure exchange with the carrier, ground handling agent, or other contractor?
The assessment team considers the results of interviews and the other evidence collected to reach a consensus on subsection characterizations and section ratings.
Subsections are characterized using the FILIPINI scale and rules (see Figure 2):
• Fully Implemented (FI): One or more direct artifacts are present and judged to be acceptable; at least one indirect artifact or affirmation exists to confirm the implementation; and no weaknesses are noted.
• Largely Implemented (LI): One or more direct artifacts are present and judged to be adequate; at least one indirect artifact or affirmation exists to confirm the implementation; and one or more weaknesses are noted.
• Partially Implemented (PI): Direct artifacts are absent or judged to be inadequate; one or more indirect artifacts or affirmations suggest that some aspects of the practice are implemented; and one or more weaknesses are noted. Alternatively, one or more direct artifacts are present and judged to be adequate; no other evidence (indirect artifacts, affirmations) supports the direct artifact(s); and one or more weaknesses are noted.
• Not Implemented (NI): Direct artifacts are absent or judged to be inadequate; no other evidence (indirect artifacts, affirmations) supports the practice implementation; and one or more weaknesses are noted.
• Not Applicable (NA): The standard section does not apply (e.g., in the S58 standard, Section 6.2, "Contractor Security Requirements," applies only to organizations that use contractors for mail handling/transport operations or other sensitive functions).
Sections are rated more simply, since the goal of the assessment is essentially to arrive at a "Yes" or "No" judgment for each set of practices that constitute a section:
• Satisfied: All associated practices are characterized as FI, LI, or Not Applicable, with at least one practice characterized as FI or LI; and the aggregation of weaknesses does not have a significant negative impact on goal achievement.
• Not Applicable: All practices are characterized as Not Applicable.
• Not Satisfied: All other cases (i.e., the rules for Satisfied [S] and Not Applicable [NA] are not met).
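The characterization and rating rules above form a small decision procedure. As an added example (not the UPU field instrument and not code from this report), the following Python applies them to a constructed worksheet; the `Evidence` fields, the function names, and the error raised for evidence combinations the rules leave undefined are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Evidence:
    """Worksheet entry for one subsection (field names are hypothetical)."""
    applicable: bool = True
    direct_adequate: bool = False   # direct artifact present and judged adequate/acceptable
    supporting: int = 0             # count of indirect artifacts plus affirmations
    weaknesses: list = field(default_factory=list)

def characterize(ev):
    """Apply the FI/LI/PI/NI/NA rules to one subsection."""
    if not ev.applicable:
        return "NA"
    weak = bool(ev.weaknesses)
    if ev.direct_adequate and ev.supporting:
        return "LI" if weak else "FI"
    if weak and (ev.direct_adequate or ev.supporting):
        return "PI"   # either PI alternative: only one kind of evidence exists
    if weak:
        return "NI"   # no adequate direct artifact and nothing supporting
    # Assumption: every remaining rule requires a weakness, so this case is
    # sent back to the team instead of being guessed.
    raise ValueError("incomplete evidence with no weakness recorded")

def rate_section(chars, weaknesses_significant=False):
    """Roll subsection characterizations up to a section rating.
    weaknesses_significant is the team's judgment on aggregated weaknesses."""
    if chars and all(c == "NA" for c in chars):
        return "Not Applicable"
    implemented = [c for c in chars if c in ("FI", "LI")]
    only_fi_li_na = all(c in ("FI", "LI", "NA") for c in chars)
    if implemented and only_fi_li_na and not weaknesses_significant:
        return "Satisfied"
    return "Not Satisfied"

# Constructed worksheet: the 5.1.1 weakness is the page's example; the rest is invented.
SAMPLE = {
    "5.1.1": Evidence(direct_adequate=True, supporting=2,
                      weaknesses=["plan omits interior emergency lighting"]),
    "placeholder-a": Evidence(direct_adequate=True, supporting=1),
    "placeholder-b": Evidence(applicable=False),
}

def rate_sample():
    chars = {k: characterize(v) for k, v in SAMPLE.items()}
    return chars, rate_section(list(chars.values()))

if __name__ == "__main__":
    print(rate_sample())
```

A single PI or NI subsection, or a team judgment that the aggregated weaknesses are significant, turns the section rating to Not Satisfied even when every other subsection is FI.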

Figure 2: Steps in Compliance Determination
The assessment team repeats the on-site process for all subsections of the standard, as shown in Figure 3, beginning with "Conduct Interviews." The assessment team then creates a heat map of the results, as shown in Figure 4. To satisfy the standard, all section-level ratings for the facility must be Satisfied or Not Applicable.
In February 2012, USPIS staff conducted the first pilot assessments using the new method with draft versions of S58 and S59. The USPIS continued to conduct assessments and work with CERT staff to improve the method throughout 2012. CERT staff also recommended some improvements to the content of the standards to the UPU.
As a result of one assessment, the country postmaster general closed down the facility where international mail was being dispatched and moved operations to a new facility with improved security controls and conformance with UPU standards. Other reviews have shown that postal administrations largely conform to UPU standards and that having the specific feedback of assessment results encourages them to make the minor improvements needed to ensure full compliance.
One consistent finding highlighted the effectiveness of the method for producing accurate assessments. The S58 standard requires a single, written security plan for critical facilities. Each pilot location had a security plan, but it did not contain all the elements that the standard requires. But in following the method's evidence-discovery procedures, the assessment team found the missing elements in other documents, such as maintenance plans.
The S58 standard requires that access control systems be used for employees, visitors, service providers, and vendors of critical facilities but does not specify any particular system. At all locations examined in the pilots, the assessment team found some failing in this requirement. But many postal organizations operate at a deficit, so the team tailored its compliance recommendations to each organization's fiscal realities.
None of the pilot locations had plans for crisis planning and business continuity. However, employees generally knew what to do in crisis situations, so the postal administrations had only to document that knowledge to reach compliance.
All of the pilot locations have asked to be reassessed after making the improvements recommended in their initial assessments.

Benefits
Based on field reports and assessment results, participating postal organizations have realized the following benefits:
• gained insight into their capability by identifying the strengths and weaknesses of current security practices
• achieved recognition as having a strong security posture by the International Civil Aviation Organization, World Customs Organization, and supply chain partners that rely on postal services for moving goods
• obtained guidance to prioritize security-related improvement plans
• received feedback on the maturity level of the organization's security program
• were able to better identify and prioritize security risks
Pilot organizations have shown that using a structured, scripted assessment instrument is an effective way to assess compliance with the UPU postal security standards. The USPIS and other postal sector organizations continue to use the assessment method today to achieve initial results and assess progress made after implementing improvements. In 2014, the method will be provided to civil aviation authorities, who will use it primarily to assess the performance of postal administrations in meeting the screening and other international airmail security standards of S59.