Where Every Domain Converges
Transportation hubs are the most sensor-dense, multi-jurisdictional, and operationally complex security environments outside of military installations. A major commercial port operates simultaneously in the maritime domain (vessel traffic, harbor craft, underwater threats), the air domain (manned aviation, rotary wing, UAS), the ground domain (perimeter, intermodal yard, rail, truck gates), the cyber domain (OT for cranes, fuel systems, and cargo handling; IT for logistics, credentialing, and communications), and the electromagnetic domain (GPS timing, radar, communications, and the RF environment around all of it). An airport adds controlled airspace management, TSA security directives, and the intersection of commercial aviation, general aviation, and law enforcement flight operations.
No other civilian environment requires simultaneous awareness across this many domains. And no other civilian environment distributes the security responsibility across as many organizations with as many incompatible systems. At a single port, the Facility Security Officer manages the MTSA compliance program. The port authority police handle law enforcement. The Coast Guard handles maritime security and MARSEC level enforcement. CBP handles cargo inspection and border control. TSA handles credentialing. The terminal operators manage their own physical security within their leased footprint. Each of these entities has a different communication system, a different incident reporting chain, and a different operational picture that shares nothing with anyone else's.
Empyrean provides a unified operational picture across all of these domains - with role-based views that give each organization the picture they need without exposing data that belongs to someone else. The port security director sees the full picture. The terminal operator sees their footprint. The Coast Guard liaison sees the maritime picture and the incident timeline. The airport operations manager sees airspace, perimeter, and OT status. Each view is live, correlated, and sourced from the same fusion engine - not from five separate dashboards running five separate applications.
The Cost of a Ground Stop
The regulatory landscape for airport UAS protection is changing. The FAA's proposed Part 74 rule (published May 2026) would establish a process for airports, ports, and other transportation facilities to request unmanned aircraft flight restrictions (UAFRs) over their properties - creating a legally enforceable drone no-fly zone backed by FAA authority. Separately, the SAFER SKIES Act (effective December 2025) grants certified airport and port authority law enforcement the authority to mitigate drone threats directly, backed by $500 million in FEMA C-UAS grant funding. Transportation facilities with detection data in hand will be best positioned for both UAFR applications and effective law enforcement response.
At a Part 139 certificated airport, an unauthorized UAS incursion triggers a chain of events that the airport security coordinator knows by heart because they have lived through it: tower calls a ground stop, arriving aircraft enter holding patterns or initiate go-arounds, departing aircraft hold on the taxiway, airlines begin calculating delay costs, TSA opens an inquiry, FAA and NTSB opens an investigation, and the airport's public affairs office starts fielding calls from media who saw the NOTAM. A single incursion that lasts ten minutes can cost airlines tens of thousands of dollars per minute in delay costs, trigger regulatory action, and generate negative coverage that affects the airport's relationship with carriers and the community.
The airport security coordinator's detection capability for this event is currently a tower controller who saw something out the window, or a pilot who reported an object on approach. There is no organic UAS detection system at most Part 139 airports. There is no cooperative ID lookup against Remote ID transmissions that would distinguish the authorized pipeline survey drone operating under a Low Altitude Authorization and Notification Capability (LAANC) authorization from the unauthorized hobbyist flying in the approach corridor. There is no automated correlation with the airport's existing surveillance systems to determine whether the object detected by radar or reported by a pilot corresponds to an RF emitter detectable by ground-based sensors.
Empyrean integrates radar, RF detection, Remote ID receivers, and camera analytics into a single airspace awareness layer that operates alongside the airport's existing surveillance and ADS-B infrastructure. The platform's Air Domain Intelligence & UAS Traffic Management (UTM) continuously assesses every aircraft track against the full aeronautical context - airspace classification, active TFRs, registered owner, transponder integrity, and behavioral anomalies. Cooperative UAS with valid Remote ID are identified and checked against LAANC authorizations automatically. Non-cooperative targets - no Remote ID, no transponder - generate alerts that route to the airport security coordinator and, via federation, to the TSA and FAA liaisons with track data, RF characterization, and the relevant camera sector. The ground stop decision - which today is made on the basis of a verbal report with no supporting data - is made with a complete picture of what is in the airspace, where it is, and whether it is authorized to be there.
Maritime: Beyond AIS
Port security directors and FSOs at MTSA-regulated facilities depend on AIS for vessel tracking in port approaches and harbor areas. AIS is cooperative, mandatory for vessels over 300 gross tons in international waters and most commercial vessels in U.S. waters, and widely available through commercial and government feeds. It is also trivially easy to spoof, selectively disabled, and entirely absent from the small craft, go-fast boats, and unmanned surface vessels that represent the fastest-growing threat vectors in maritime security.
AIS spoofing - transmitting false position, course, or identity data - is documented and recurring in contested waterways and around sanctioned-vessel operations. Dark vessel activity - operating with AIS transponders disabled to avoid tracking - is a standard technique for sanctions evasion, smuggling, and pre-operational surveillance. Small craft below the AIS carriage requirement do not appear on the cooperative picture at all. The FSO looking at an AIS display sees the vessels that want to be seen, in the positions they want to report, and nothing else.
Empyrean's Maritime Intelligence fuses AIS feeds with radar returns, EO/IR camera data, shore-based sensor networks, and 20+ environmental and regulatory data sources to build a maritime picture that includes both cooperative and non-cooperative tracks - wrapped in the full environmental and threat context. AIS positions are correlated with radar to detect spoofing - if the AIS says a vessel is at position A and the radar shows it at position B, the discrepancy surfaces as an alert, not an unnoticed data point. Transponder gaps - where a vessel's AIS drops and reappears - are flagged with the gap duration, the distance traveled during the gap, and the behavioral context.
Environmental intelligence runs continuously in the background: ocean currents and sea surface temperature, wave heights with Beaufort classification, real-time buoy observations, sea ice extent, harmful algal bloom detection, satellite-detected oil slick polygons with physics-based drift prediction, and surface wind fields. When sea state rises in a port approach, or an oil slick drifts toward a shipping lane, or ice advances into a transit corridor, operators know before the bridge crew does.
Vessels approaching port are automatically enriched with Port State Control detention history from five international MoU regimes, USCG PSIX regulatory profiles, flag-state risk classification, and sanctions screening. A vessel flagged to a Black-list state with detentions in multiple jurisdictions generates a compound risk signal that the FSO can act on during the approach, not after the vessel has berthed.
The Equipment Theft Pattern at Remote Sites
The transportation and logistics security problem extends beyond ports and airports to remote mining, construction, and extraction sites where high-value equipment is dispersed across large areas with minimal permanent staffing and limited connectivity. Organized theft rings have developed a consistent operational pattern: consumer drone reconnaissance of the site perimeter, equipment locations, and security posture, followed by a nighttime incursion with flatbed trucks or heavy haulers. The theft is discovered the next morning. The equipment is across a state line before anyone starts looking.
The site operations manager's security posture is typically a perimeter fence with an alarm system that generates enough false positives from wildlife, weather, and vegetation that the overnight guard treats every alert as probably-nothing. Cameras record to a local DVR that nobody reviews unless there is a known incident. There is no UAS detection. There is no correlation between the drone that surveyed the site three days ago and the fence alarm that triggered at 0200 this morning.
Empyrean provides integrated site awareness for remote operations that correlates perimeter sensors, camera analytics, UAS detection, and equipment tracking into a single picture - running on local hardware with no cloud dependency. When a drone surveys the site, it is detected, tracked, and logged with time, position, and RF signature. When a perimeter alarm triggers three days later in the same sector the drone surveyed, the correlation is automatic. The alert includes the drone track, the perimeter event, and the equipment positions in that sector. The site operations manager has a documented evidence package for law enforcement and insurance before the first phone call.
Geofenced equipment tracking adds a layer that addresses the theft directly. High-value assets - excavators, generators, haul trucks - are monitored for movement outside defined operational boundaries and outside operational hours. An excavator moving at 0300 triggers an alert that includes the asset identity, its location, its heading, and the associated perimeter and camera data. The response may still depend on law enforcement that is thirty minutes away - but the evidence package that meets them when they arrive is complete, timestamped, and actionable, not a phone call that says "we think something is missing."
OT/SCADA at the Hub
Port cranes, fuel transfer systems, baggage handling, rail signaling, and runway lighting are all operational technology systems that were designed for reliability, not security. These systems increasingly have network connections to IT infrastructure for remote monitoring, predictive maintenance, data logging, and vendor support - connections that create attack paths from the corporate network or the internet directly into systems that move physical equipment, transfer hazardous materials, or control the lighting that aircraft rely on during approach.
The ransomware attacks against port OT systems globally - including incidents that halted crane operations and forced manual cargo handling for days - demonstrated that this is not a theoretical risk. The attack path in most cases crossed from IT (email, web browsing, remote access) into OT (control systems, PLCs, HMIs) through connections that the IT security team did not know existed and the OT team did not consider a security responsibility.
Empyrean's cyber-physical convergence maps and monitors the actual IT/OT boundary - not the boundary on the network diagram, but the connections that exist in practice. SIEM alerts, network flow data, and endpoint telemetry from the IT side are correlated with PLC status, HMI activity, and control system behavior from the OT side - without requiring new network connections or bridging the segmentation that exists. When a ransomware event starts propagating from an email server toward the OT network, both the IT SOC and the operations team see the same alert at the same time. The crane operator does not discover the attack when the controls stop responding.
Multi-Agency Coordination at the Hub
A security incident at a major port or airport triggers a multi-agency response that involves organizations with overlapping jurisdictions and incompatible communication systems. TSA, CBP, Coast Guard, FAA, port authority police, airport police, city police, county sheriff, and private security contractors may all be involved in a single incident - and the coordination mechanism is a conference call where people who may not have met are trying to build a shared understanding of a situation that is still developing.
Empyrean's federation architecture provides each agency with a scoped view of the operational picture via TAK integration or native federation. The port authority police see the perimeter picture, the incident location, and the responding units. The Coast Guard sees the maritime picture, the vessel tracks, and the port status. TSA sees the security status of regulated areas and the credential system status. CBP sees the cargo and vessel information relevant to their mission. Each view is live, correlated, and scoped to what that agency needs - without requiring any agency to adopt a new radio system, install new software, or attend an integration workshop.
The federation is configured at the template level. When the FSO updates the facility security plan, the federation scoping updates with it. When a new agency is added to the coordination framework, their view is defined by role and activated - not engineered from scratch.
Compliance That Ships with the Platform
MTSA facility security plans require documented procedures for every MARSEC level, regular exercises, and detailed records of all security events and responses. TSA security directives impose additional requirements that change on short notice. FAA incident reporting for UAS events has specific data requirements. ICAO and IMO standards apply to international facilities. Each of these frameworks requires audit trails that most transportation security architectures cannot produce without weeks of manual reconstruction from camera pulls, access control exports, guard logs, and radio transcripts.
Empyrean records every detection, every correlation, every alert, and every operator action with timestamp, operator identity, source system, and disposition - across all domains, continuously. When the Coast Guard COTP calls an inspection, the FSO's evidence is a query, not a project. When TSA issues a compliance review, the documentation is already assembled. When the FAA requests the data from a UAS incident, the track history, the detection timeline, and the response actions are exportable in the format the investigation requires.
The compliance work is not eliminated - the regulatory frameworks are real and the requirements are specific. But the data assembly that consumes the compliance team's time is eliminated. The evidence exists because the platform was operating. The reports are views of operational data, not reconstructions of what operational data would have looked like if anyone had thought to record it.
At the Edge of Connectivity
Remote logistics sites, offshore terminals, and austere transportation infrastructure operate where cellular connectivity is intermittent, internet access is unreliable, and cloud-dependent tools are a liability rather than a capability. The mining site at the end of a gravel road, the ferry terminal on an island with satellite-only communications, the rail siding in a desert canyon with no cell coverage - these are real operational environments where transportation security tools need to work, and where most commercial security platforms do not.
Empyrean operates at the edge by design. The platform runs on local hardware - server, laptop, or ruggedized compute - with no external dependency for detection, correlation, alerting, or logging. When satellite or cellular connectivity is available, federation and data synchronization happen automatically. When connectivity is lost, the site continues operating independently and synchronizes when the link recovers. The security picture does not degrade with the network. It persists, because it was never dependent on the network in the first place.