Guardian 3 TWIC User Manual - DTN (source: rfsupport.dtn.com/images/E0258401/TWIC_UM_ver_1.pdf)

Guardian 3 TWIC User Manual

Schneider Electric Confidential Page 1 of 19 Updated 9/1/2016

Guardian 3 TM

TWIC

User Manual

Company Confidential

Last Saved on: 3/25/2013


CONTENTS

1 Introduction ... 3
2 TWIC Overview as Supported by Guardian 3 ... 4
2.1 Enrollment System ... 4
2.2 Access Control System ... 4
3 Operation ... 5
3.1 General Setup and Control ... 5
3.1.1 PC3 Setup ... 5
3.1.2 G3 Setup ... 6
3.1.3 Canceled Card List (CCL) Processing ... 8
3.1.4 G3 Operation ... 9
3.2 Driver/Employee Enrollment ... 9
3.3 General Operation ... 10
3.4 Driver/Employee Access ... 11
3.5 Event Logging ... 14
Appendix A Error Codes ... 16
Appendix B TBR Statistics Screens ... 18


1 Introduction

Schneider Electric’s Guardian 3 (G3) system has for years supported access control into bulk fuel terminals using card and/or PIN controlled access. Since the 9/11 attacks, the Department of Homeland Security’s Transportation Security Administration (TSA) has mandated a common credential for all workers in facilities deemed to be ports. Many of Schneider Electric’s Terminal Automation System (TAS) customers operate terminals with waterway access that are classified as ports by the US Coast Guard. These terminals are thus required to support the Transportation Worker Identification Credential, or TWIC, for facility access. The TWIC system consists of the following main components:

1. TWIC Card – Issued by the TSA to individuals that require access to facilities requiring TWIC.

2. Enrollment System – Used to add individuals to a facility’s access system/database. TWIC card is required for enrollment.

3. Access Control System – Used to control access into, out of and possibly within a facility. Requires an enrolled individual and a biometric-based card reader that reads the TWIC card with each access.


2 TWIC Overview as Supported by Guardian 3

For years Guardian 3 has supported TWIC card usage but only as an access device. With version R13.07 or later, G3 fully supports the TWIC system as required by the TSA. This includes full biometric access control and card verification processing. As the diagram below shows, the enrollment and access control systems both make use of the G3 database and server system.

[Diagram: Enrollment System and Access Control System, both using Server/Guardian Control and the G3 Database. Enrollment side labels: TWIC Applicant, TWIC Card, Biographical Information, G3 Client, Enrollment Reader, TWIC Certificate Authority. Access control side labels: TWIC Card Holder Requesting Access, Server/Guardian Control, G3 Database.]

2.1 Enrollment System

The enrollment system is used to enroll an applicant (driver, employee, etc.) into the G3 system. This requires that the applicant have a valid TWIC card issued to them. The enrollment process then uses G3 Client to add the applicant (name, address, phone, etc.) into the G3 Driver or Employee database. The applicant’s TWIC card is then read via a smart card enrollment reader by G3 Client. Using the enrollment reader, card information only available via the smart card interface is read and stored in the G3 database for use later by the access control system. Also as part of the TWIC card enrollment, the TWIC card’s signing certificates are validated against the TWIC Certificate Authority’s signing certificates. The TWIC Certificate Authority is an outside organization that requires access via Internet connection. The G3 system does cache certificates locally to minimize Internet access requirements and availability issues due to outside network issues.

2.2 Access Control System

The access control system (ACS) governs access of drivers and employees into, out of and possibly within a facility. Drivers and employees must have been enrolled in the system in order for the ACS to grant access through controlled-access gates and doors. The primary device that supports the ACS is the Schneider Electric PC3 configured with a TWIC Biometric Reader (TBR). The TBR based PC3 then works in conjunction with Guardian Control and the G3 database to control access.

Based on the MARSEC level currently set at the facility, different levels of checking are performed by the ACS. For example, at the lowest level only the TWIC card is read and the signing information for the FASC-N (card number) is verified, whereas at the highest level the card information is read and verified, the card itself is verified, and biometrics are authenticated. Current TWIC requirements do not require a PIN at any MARSEC level.

3 Operation

3.1 General Setup and Control

3.1.1 PC3 Setup

The PC3 used as part of the ACS is an updated version of the standard PC3 that includes a new enclosure design to meet NEMA/IP requirements for standalone TWIC readers and also includes a Schneider Electric TWIC Biometric Reader model TBR31. While the dimensions of the new enclosure are different from the standard PC3, the mounting holes and conduit opening are located in the same positions to aid in upgrading to the new style of PC3. As long as the wiring and power supply configurations meet the requirements for the PC3, no changes are required in this area.

PC3s shipped from Schneider Electric with the TBR31 installed should be configured for the TBR31, but initial setup of the PC3 will require that the card reader configured for the PC3 be set to the Schneider Electric TBR31 type card reader.

This setting is selected by cycling through the list of card readers available in the PC3’s setup via the Configuration/Unit Configuration/Card Reader/Type menu item. Press the soft-key to the left of Type to cycle to the TBR31 card reader selection.


3.1.2 G3 Setup

3.1.2.1 TWIC Required

The TWIC Required setting should be checked on the Sentry/Details page as shown in the following screen shot. When TWIC Required is set, the Card Canceled List Used option is automatically selected and the control is disabled. This is due to the TWIC specification requirement that Hotlist checking must be done. When Required is not selected, TWIC cards can still be used at facilities that do not require TWIC cards and want to avoid issuing cards specific to the facility. In this configuration Hotlist checking can be done as desired based on the Hotlist Used setting.

3.1.2.2 TWIC Mode Assignments

Per the TWIC specification, the security requirements are not specified for the different MARSEC levels; instead TWIC Modes are defined, and those modes must be assignable to the MARSEC levels based upon Coast Guard and site requirements. To support this requirement, modifications to the TWIC control area of the Sentry/Details page have been made.


The TWIC Mode Assignments configuration control defines the three MARSEC levels, and the TWIC Mode can be assigned to each MARSEC level as required. Clicking on a TWIC Mode cell allows the lookup list to be selected. This list defines the four currently available TWIC Modes.


3.1.2.3 Biometric Read Attempts

The maximum number of biometric verification attempts by a person attempting to access the facility can be controlled in G3. The setting is controlled with the Biometric Retries field in the TWIC configuration settings area on the Sentry’s Details page.

3.1.2.4 Station Max Allowable Activated Time

It is recommended that the Max Allowable Activate Time on the Station be set to a value of about 20 to 30 seconds. Guardian Control does reset its internal timer as the TWIC verification steps progress, but if the value is set too low and additional prompts such as PIN entry are required for gate access, there may be inadequate time for that additional data entry.

3.1.3 Canceled Card List (CCL) Processing

Every time a driver or employee presents their TWIC card to the TBR, the card is checked to see if it has been added to the CCL. To enable TWIC CCL processing one must add an Activity Schedule processing event. The screen shot below shows the Activity Schedule, which is located under the Administration main menu item. One selects the Activity type TWIC Canceled Card List and sets up a processing time, such as the one below that is set to process every day at 8:00.


3.1.4 G3 Operation

Once G3 is completely set up for operation, the only control setting that an operator should need to change is the MARSEC level. This level changes based on threat levels assigned by the TSA/Coast Guard. To change the MARSEC level, select the level from the pick list on the Sentry/Details page and then Post the change to the database.

3.2 Driver/Employee Enrollment

In order for drivers or employees to access a facility that is under TWIC enforcement, they must first have their cards enrolled in the G3 system. At the time of enrollment the following operations are performed using the contact interface of the TWIC card:

1. The FASC-N, which is used to identify the driver when the TWIC card is presented to the system, is read.

2. The expiration date is read and used to verify the card has not expired.

3. The TWIC Privacy Key is read for later use by the PC3 in the fingerprint verification process.

4. Fingerprint information is read to allow selection of the preferred finger prompted for at the PC3.

5. The TWIC card is also checked at this time for inclusion on the Card Cancel List.

6. The signing certificates from the TWIC card are verified against the TWIC Certificate Authority.


The Preferred Finger for Fingerprint Scanning selection presents the operator with all fingers that were found to have templates on the TWIC card. This setting is only used when prompting the individual to place their finger on the reader. In actual operation all TWIC fingerprint templates are read from the TWIC card, and any finger for which there is a template on the card can be presented to the reader for verification.

The actual process of enrolling a driver or employee’s TWIC card into the system requires that the TWIC card be inserted into the HID 5321 contact reader supported by G3. One then clicks the read button to the right of the TWIC Card ID field and selects the OMNIKEY 5x21 reader as shown below.

Once the card has been read and has been successfully validated, the driver or employee record changes must be posted to the database by clicking the Post button.

3.3 General Operation

The most frequent mode of operation of the TWIC system will be Mode 1. This mode of operation mimics the card based access that G3 has always supported. In this case an individual presents their TWIC card and the validated FASC-N is read and sent to Guardian Control. Guardian Control then looks up the FASC-N and validates basic items such as whether the TWIC card is canceled or expired. It is at this point that the actual TWIC mode of operation for the site is checked and one of two operations takes place:


1. If the TWIC mode is Mode 1, then Guardian Control simply moves on to other prompts or grants access as it does for other non-TWIC card access.

2. If the TWIC mode is Mode 2 or higher, then Guardian Control instructs the PC3 that a higher level of access control is in effect for the site. The PC3 passes this new mode information back to the TBR, and the TBR begins the processing for increased TWIC mode processing.

It should be noted that the TBR acts as its own operating device; as such it uses the PC3 to display the information for its display windows that it has requested the PC3 to display. In this role the PC3 is just acting as a support device that moves communications between the TBR and Guardian Control and displays information to the individual requesting access to the site or area.

3.4 Driver/Employee Access

The following is a narrative using PC3 screen shots to show TWIC Mode 4 processing.

When the station is idle there are just prompts saying the access point is ready (operating) and that a TWIC card is required:

Information displayed for Guardian Control.

Display Window that displays information for the TBR.


Once a TWIC card is applied to the PC3’s TBR, the FASC-N is read from the verified signed CHUID and sent to Guardian Control. After processing the FASC-N, Guardian Control returns the higher TWIC mode information if the TWIC mode is higher than Mode 1. At this point the TBR requests that the PC3 display a prompt window that instructs the individual to again place their TWIC card to the reader due to enhanced security measures being in effect.

A new progress window will then be displayed to show all of the steps that are required for the current TWIC mode being enforced:

As processing proceeds for the TWIC mode being enforced, the items will show passed:


With TWIC modes that require biometric verification, a prompt window is displayed that requests that the individual place their finger on the biometric scanner. Only fingers for which templates were found on the card are prompted for.

Once all processing has successfully passed, the progress window is displayed for a brief period showing that all steps have completed and processing is finished. Guardian Control has also been notified that processing completed successfully, as can be seen below by the prompt for a PIN (not the TWIC PIN).
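Added illustration (not Schneider Electric or G3 code) that models the checks described in sections 3.2 through 3.4 as a defender would reason about them: enrollment, then the Mode 1 path and the extra TBR steps for the TWIC mode assigned to the current MARSEC level, reporting Appendix A codes on failure. The MARSEC-to-mode table, the sample card and the contents of Modes 2 and 3 are assumptions, and template equality stands in for real fingerprint matching.

```python
from dataclasses import dataclass, field, replace
from datetime import date

ERRORS = {9: "Signed CHUID Signature Failed", 10: "Signed CHUID Expired",  # Appendix A
          20: "Card Authenticate Certificate Signature Failed",
          26: "Card Authenticate Certificate's FASCN Doesn't Match CHUID",
          31: "Biometric Template Has Zero Fingerprints",
          34: "Biometric Template No Fingerprint Match Found"}
# Constructed site configuration: MARSEC level -> TWIC Mode (section 3.1.2.2) and the
# checks the TBR adds per mode. Modes 1 and 4 follow the manual; 2 and 3 are assumed.
MARSEC_TO_MODE = {1: 1, 2: 2, 3: 4}
MODE_STEPS = {1: [], 2: ["card_auth"], 3: ["biometric"], 4: ["card_auth", "biometric"]}

class TwicFailure(Exception):
    """Raised by a failed step; args[0] is an Appendix A code or a string reason."""

@dataclass
class Card:                  # constructed stand-in for what the readers extract
    fasc_n: str
    expires: date
    chuid_sig_ok: bool       # signed CHUID validates against the TWIC CA chain
    card_auth_sig_ok: bool   # card authentication certificate signature validates
    cert_fasc_n: str         # twicFASC-N from the certificate's subjectAltName
    templates: dict          # finger name -> template bytes (constructed)

@dataclass
class Decision:
    granted: bool
    mode: int
    steps_passed: list = field(default_factory=list)
    error: object = None     # Appendix A code or string reason when denied

def check_signed_chuid(card, record, ccl, today):
    """The Mode 1 path (section 3.3): validated FASC-N, then canceled/expired lookup."""
    if not card.chuid_sig_ok:
        raise TwicFailure(9)
    if card.expires < today:
        raise TwicFailure(10)
    if record is None or record["fasc_n"] != card.fasc_n:
        raise TwicFailure("NOT_ENROLLED")
    if card.fasc_n in ccl:
        raise TwicFailure("CANCELED")  # on the Canceled Card List; no Appendix A code

def enroll(card, ccl, today):
    """Section 3.2 enrollment checks. Returns (record, None) or (None, code)."""
    try:
        check_signed_chuid(card, {"fasc_n": card.fasc_n}, ccl, today)
        if not card.templates:
            raise TwicFailure(31)
    except TwicFailure as e:
        return None, e.args[0]
    fingers = sorted(card.templates)
    return {"fasc_n": card.fasc_n, "fingers": fingers, "preferred_finger": fingers[0]}, None

def request_access(card, record, ccl, marsec, today, live_samples, biometric_retries=3):
    """Sections 3.3/3.4: Mode 1 check first; higher modes add TBR steps in order."""
    d = Decision(granted=False, mode=MARSEC_TO_MODE[marsec])
    try:
        check_signed_chuid(card, record, ccl, today)
        d.steps_passed.append("Signed CHUID")
        for step in MODE_STEPS[d.mode]:
            if step == "card_auth":
                if not card.card_auth_sig_ok:
                    raise TwicFailure(20)
                if card.cert_fasc_n != card.fasc_n:
                    raise TwicFailure(26)
                d.steps_passed.append("Card Authentication")
            else:  # any finger with a template on the card; attempts capped by Biometric Retries
                tries = live_samples[:biometric_retries]
                if not any(card.templates.get(f) == s for f, s in tries):
                    raise TwicFailure(34)
                d.steps_passed.append("Biometric")
        d.granted = True
    except TwicFailure as e:
        d.error = e.args[0]
    return d

TODAY = date(2016, 9, 1)     # constructed sample inputs for the tests
SAMPLE_CARD = Card("7099-0001", date(2018, 1, 1), True, True, "7099-0001",
                   {"left_index": b"t-li", "right_index": b"t-ri"})
```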


3.5 Event Logging

Logging of all TWIC related access operations is fully supported in G3. In normal operation with TWIC Mode 1, a driver is simply identified and granted access to the facility controlled by G3. When higher TWIC modes are in effect, all steps related to the mode’s additional processing are logged. All TWIC information is reported in the G3 event log under the Security channel, including the full FASC-N. By storing all TWIC information in the Security channel, the retention period for that channel can be set differently from that of normal loading related information. This is important in light of the USCG’s proposed rule for maintaining access logs for up to two years.

Shown below is a shot from the TWIC Mode 4 operation in which a person requesting access was successfully validated. Note that the shot below has All channels selected.


If errors are detected in the validation process, an error code and the validation operation that failed are also logged to the G3 event log, as shown below. Error codes are defined in Appendix A (Error Codes) of this document.

TWIC Mode 1 – Signed CHUID failure:

TWIC Mode 4 – Card Authentication failure:



Appendix A Error Codes

TWIC Error | Error Code | Comments
Memory Error | 1 | Memory error
TWIC Card Removed | 2 | Card removed before processing
Unable to Select TWIC App | 3 | TWIC app selection failed
Unable to Select PIV App | 4 | PIV app selection failed
Signed CHUID Read Error | 5 | Error reading signed CHUID
Signed CHUID Parse Error | 6 | Error parsing signed CHUID
Signed CHUID Content Signing OID Missing | 7 | id-TWIC-content-signing OID is missing in signed CHUID
Signed CHUID Invalid | 8 | Signed CHUID missing some elements
Signed CHUID Signature Failed | 9 | Signature validation of signed CHUID failed
Signed CHUID Expired | 10 | Signed CHUID is expired
TPK Unavailable | 11 | TWIC privacy key is unavailable
Unsigned CHUID Read Error | 12 | Unable to read unsigned CHUID
Unsigned CHUID Invalid | 13 | Unsigned CHUID missing some elements
Multiple TWIC Cards Presented | 14 | More than one TWIC card at reader
Card Authentication Certificate Read Error | 15 | Unable to read card authenticate certificate
Card Authentication Certificate Parse Error | 16 | Unable to parse card authenticate certificate
Card Authentication Certificate Invalid | 17 | Card authenticate certificate is invalid
Certificate Authority (CA) Unavailable to Validate | 18 | CA certificate not available or not found by GC
Card Authenticate Certificate CA Certificate Subject Issuer Mismatch | 19 | Card authenticate certificate issuer and CA certificate subject don't match
Card Authenticate Certificate Signature Failed | 20 | Signature of card authenticate certificate failed
Card Authenticate Certificate Date Invalid | 21 | Date of card authenticate certificate is invalid
Card Authenticate Certificate Key Usage Extension Invalid | 22 | Card authenticate certificate's keyUsage extension doesn't have digitalSignature flag
Card Authenticate Certificate Extended Key Usage Extension Invalid | 23 | Card authenticate certificate's extendedKeyUsage extension doesn't have id-TWIC-cardAuth keyPurposeID
Card Authenticate Certificate Contains Unknown Critical Extension | 24 | Card authenticate certificate contains unknown extension with Critical flag set to TRUE
Card Authenticate Certificate Subject Alternate Name Extension Invalid | 25 | Card authenticate certificate's subjectAltName extension invalid
Card Authenticate Certificate's FASCN Doesn't Match CHUID | 26 | Card authenticate certificate's FASCN (from subjectAltName's twicFASC-N) doesn't match CHUID
Card Authentication General Authenticate Failed | 27 | General authenticate of card authenticate failed
Biometric Template Read Error | 28 | Error reading biometric template
Biometric Template Parse Error | 29 | Error parsing biometric template
Biometric Template Invalid | 30 | Biometric template is invalid
Biometric Template Has Zero Fingerprints | 31 | No fingerprints found in biometric template
Biometric Template FASCN Doesn't Match CHUID | 32 | FASC-N in biometric template doesn't match CHUID
Biometric Template Signature Failed | 33 | Signature of biometric template failed
Biometric Template No Fingerprint Match Found | 34 | No fingerprint match between biometric template and live sample scanned
Signer Certificate CA Certificate Subject Issuer Mismatch | 35 | Signer certificate issuer and CA certificate subject don't match
Signer Certificate Signature Failed | 36 | Signature of signer certificate failed
TWIC Card In Locked State | 37 | TWIC card may be in locked state, not operational


Appendix B TBR Statistics Screens

If a TBR is installed and configured in a PC3, a set of statistics screens is enabled within the PC3’s statistics area. It should be noted that the TBR design is based on the PC3’s core design, so some of the TBR screens look much like the PC3’s statistics screens.

To access the TBR statistics select the TWIC Biometric Reader Statistics option within the PC3 statistics selection menu.

There are seven statistics screens available, covering general stats, card processing stats and fingerprint reader stats. Stats are also included for communications and file information on the TBR. The commonly referenced screens are detailed below.

General TBR Statistics is shown below. The stats include information on software and hardware versions and memory use.


TWIC Card Processing Statistics screens are shown below. They include information related to:

• The last FASC-N read from the presented TWIC card
• Verification Error and Success counts
• Physical reader communication errors.

Fingerprint reader information is shown in the Fingerprint Reader Statistics screen. It includes:

• Information about the actual reader hardware
• The match information from fingers presented to the reader