Marine Transportation System (MTS) cyber spotlight

Posted By: CWO Kurt Fredrickson on May 9, 2021

Editor's note: This is the first in a series of articles addressing cyber risk management and cybersecurity within the Marine Transportation System (MTS). The maritime community is facing daily threats to their information and operational technology systems, whether through malicious actors, antiquated systems, or lack of emphasis on securing the cyber landscape. Cyber threats are constantly evolving, and it is crucial that our stakeholders have the guidance, resources, and awareness to mitigate these risks.

From the desk of Captain Bradley Clare
Office Chief for the Office of Port and Facility Compliance (CG-FAC)

CG-FAC is proud to present the first of these articles, providing a summary of Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber at MTSA Regulated Facilities and a reminder of upcoming due dates. CG-FAC will be collaborating with cyber-focused personnel in the field, along with Headquarters program offices, to provide more information in the months ahead.

Approaching deadlines for incorporating cyber into Facility Security Assessments (FSA) and Facility Security Plans (FSP)

As evidenced by news of cyber incidents affecting critical infrastructure and the maritime environment, we are reminded that cyber threats to, and vulnerabilities of, the MTS are constantly evolving. With a clear need to mitigate these risks, the Coast Guard is reminding MTS stakeholders, but specifically those facilities regulated under the Maritime Transportation Security Act of 2002 (MTSA), that the timeframe for incorporating cyber into FSAs and FSPs is rapidly approaching.

Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber at MTSA Regulated Facilities was issued in March of 2020. This NVIC provides guidance to facility owners and operators on complying with requirements to assess, document, and address computer system and network vulnerabilities. In accordance with 33 CFR parts 105 and 106, which implement MTSA, regulated facilities (including Outer Continental Shelf facilities) are required to assess and document vulnerabilities associated with their computer systems and networks in a FSA and FSP.

In announcing this guidance, the Coast Guard understood that facilities would require time to properly assess their cyber risks and vulnerabilities and establish a plan for documenting those as part of their FSAs and FSPs. The Coast Guard advised that facilities shall provide that cyber documentation, whether as an annex, addendum, enclosure, or other form as appropriate, to their local Captain of the Port (COTP) at the time of their annual audit date, beginning October 1st, 2021. COTPs will still have the flexibility, based on resource demands or upon discussion with facility personnel, to adjust when submissions are received, as long as all facility FSA and FSP (Headquarters for ASPs) submissions are received by the end of a one-year period, no later than October 1st, 2022.

We continue to stress the importance of engaging early and often with respective COTPs to ensure alignment of expectations for achieving compliance. The Coast Guard is continually reviewing and updating guidance to both industry and CG field personnel, including Frequently Asked Questions and Cyber Security Job Aids, for added awareness.

Position: Security Director & Facility Security Officer

Tradepoint Atlantic, LLC., the largest and most strategically important multi-modal industrial tract on the eastern seaboard, is seeking a Security Director & Facility Security Officer to join its Corporate Team headquartered in Sparrows Point, MD. The position will report to the SVP, Facilities Management. The Security Director & Facility Security Officer's key task is to maintain security controls for the 3300-acre site, its occupants, employees, vendors, tenants and visitors.

Duties and Responsibilities: 

  • Oversees security organization of the facility, including maritime, general vessel and facility operations and conditions.

  • Emergency preparedness, response, and contingency planning.

  • Ensures compliance with all federal, state, and local requirements, including knowledge of applicable laws (Maritime Transportation Security Act (MTSA), Security and Accountability For Every (SAFE) Port Act), regulations (33 CFR 101, 105), and agency guidance (Coast Guard NVICs, policies, MARSEC directives)

  • Proper protection and handling for Sensitive Security Information and security-related communications.

  • Ensure notification to law enforcement and facility personnel and other emergency responders for security or safety matters within the facility property.

  • Security equipment and systems knowledge and operation.

  • Positive control of all accountable items in compliance with contractual security obligations.

  • Provide oversight and guidance to assigned third-party security workforce.

  • Interact with senior management, contract field managers, stevedoring operations, tenant managers and public emergency officials/personnel as applicable.

  • Participate in facility security audits, assessments, and planning.

  • Maintain security knowledge through ongoing training and education.

  • Implement and maintain the Facility Security Plan and standard operating procedures.

  • Control access to protected areas and facilitate visitor requests for incoming personnel.

  • Support the Tradepoint Atlantic acquisition process as needed.

  • Ensure compliance with cyber and information systems security requirements.

  • Assist and adhere to security measures required to safeguard personnel and prevent unauthorized access to equipment, facilities, and materials.

 

Education & Experience:

  • Fulfillment of all Facility Security Officer (FSO) requirements in 33 CFR 105.205

  • Completed USCG approved FSO training and certification within the last two years, or must complete USCG approved FSO training/certification within three months of employment.

  • BS/BA degree in a related field (e.g., Criminal Justice/Criminal Law, Homeland Security, Business Administration) preferred; equivalent work experience in a related career or Military Occupational Specialty may be considered in lieu of a degree.

  • Minimum two years of FSO experience at an MTSA regulated facility preferred; equivalent work experience in a related career or Military Occupational Specialty may be considered in lieu of FSO experience.

  • Port/Terminal/Marine operating systems experience preferred.

  • Must possess a valid driver’s license and ability to obtain and maintain a Transportation Worker Identification Credential.

  • Problem solving and decision-making skills.

  • Computer skills using Microsoft Office products.

  • Strong verbal, written and interpersonal skills.

 

Working Conditions

Must be able to work outside, exposed to all weather conditions, including heat, cold, wind, and rain. Standing and walking will be required throughout the course of a normal day. The wearing of personal protective equipment including, but not limited to, shoes, a safety vest and a hard hat will be required. Required to observe all safety and health requirements for maritime operations.

Hours

Normal working hours are Monday – Friday 8:00 a.m. – 5:00 p.m. with exceptions made for activities related directly to vessel operations. Exceptions may include extended shifts, days, evenings and nights.

How to Apply

Send resume and cover letter to [email address not shown].

Tradepoint Atlantic LLC is an Equal Opportunity Employer. All qualified candidates will receive consideration for all positions without regard to race, religion, color, sex, gender identity, sexual orientation, pregnancy, age, national origin, ancestry, physical or mental disability, military or veteran status, genetic information, marital status, ethnicity, alienage, marital status, or any other characteristic protected by applicable law.

www.tradepointatlantic.com

 

Job Posting by MAGNAR

www.magnar.com

 

Position Title: Technical Product Manager

Location: Audubon, NJ

Duration: Full-Time

To Apply: Please submit your cover letter and resume to [email address not shown].

Who we are:

At Magnar, we are passionate about helping improve the safety and security of the United States. Our mission is to develop and deliver innovative technologies that improve the security, safety, and operational efficiencies of facilities within our nation’s critical infrastructure. We accomplish this through a collaborative, agile, and fast-paced team environment that reflects our values of excellence, innovation, integrity, and active/respectful listening.

What we’re looking for:

Our next Technical Product Manager is a data-driven, strategic team leader, who understands customer requirements and can effectively translate them into innovative solutions that fully satisfy those requirements. You must be capable of product discovery, feasibility, development, and deployment planning; communicating with diverse stakeholder groups; optimization of internal and external resources; project management; systems engineering; and strategic coordination with a cross-functional leadership team. As a member of Magnar’s leadership team, you will help define corporate strategy and planning. Your responsibilities will include execution of corporate and departmental plans, new product development, roadmapping, and product lifecycle management, along with management of related vendors and systems. 

Responsibilities:

  • Work with the leadership team to align corporate and departmental strategy, planning, and execution 

  • Collaborate with cross-functional teams on new product ideation, discovery, feasibility, development, and deployment planning across web and mobile applications

  • Manage development projects to ensure that they are completed on time and within budget

  • Be the end-to-end owner of the product life cycle; identify the customer experience, manage the business case, identify value propositions, build out the product requirements, etc.

  • Turn high-level project objectives and customer, regulatory, and best-practice requirements into a comprehensive set of system requirements

  • Work closely with cross-functional teams and external stakeholders to prioritize product features on the product roadmap

  • Systems integration and management

  • Successfully manage stakeholder feedback and expectations

  • Communicate development updates with the leadership team

  • Oversee Quality Assurance

  • Develop & document requirements, specifications and use cases for new product features

Requirements:

  • Bachelor's degree in Computer Science, Software Engineering, or Computer Engineering, with a minimum of 5 years' experience in a related field

  • Project management experience (PMP certification is a plus)

  • Familiarity/experience with agile methodologies

  • Familiarity/experience with Android software development

  • Familiarity/experience with Android-based hardware

  • Familiarity/experience with web application development

  • Familiarity/experience with Mobile Device Management (MDM) systems

  • Understanding of cyber security optimization/analysis is a plus

  • An ability to work with both technical and non-technical stakeholders, along with the ability to translate between the two

  • Ability to be a customer-facing technical resource

  • Experience with data-driven decision making

  • Ability to effectively prioritize and deliver results under pressure

  • Ability to creatively problem-solve

  • Great people skills, and a proven track record of building relationships at all levels of the organization

Total Compensation:

  • Highly Competitive Salary

  • Performance-based bonuses

  • Health and Dental Insurance

  • 3% 401k company Match

  • Vacation, Personal, Sick and Holiday Pay

The Coast Guard continues to monitor the maritime impact from the ongoing Advanced Persistent Threat (APT) cyber incident in the United States, as previously reported in Marine Safety Information Bulletin (MSIB): 25-20. For more details, please see the Joint Statement by the recently established Cyber Unified Coordination Group (UCG) composed of the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Office of the Director of National Intelligence, and National Security Agency.

This incident will require a sustained and dedicated effort to remediate. The UCG believes that the APT actor’s compromise of the SolarWinds Orion supply chain affected approximately 18,000 public and private sector customers and that the actor targeted a much smaller subset of that group with follow-on activity. CISA continues efforts to identify and confirm initial access vectors and identify any changes to the APT’s tactics, techniques, and procedures (TTPs). Please continue to refer to CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. A comprehensive repository of CISA resources related to this incident is available at https://www.cisa.gov/supply-chain-compromise. CISA will update these resources as new information is discovered.

Even if you do not own SolarWinds Orion, you may be impacted as your third-party networks, services, and vendors may use SolarWinds Orion. It is critical that the Coast Guard understands the potential risks of this APT actor on marine transportation system networks and supply chain connections.

Reporting malicious cyber activity enhances maritime domain awareness and allows us all to be better postured to prevent and respond to cyber incidents that could disrupt commerce or jeopardize national security. Any owner or operator of a Maritime Transportation Security Act (MTSA)-regulated facility or vessel that relies on SolarWinds software for a system that serves or supports a critical security function per its security plan shall, in accordance with 33 CFR 101.305(b) and CG-5P Policy Letter No. 08-16, Section 3.A.i, report a breach of security if:

  • They have downloaded the trojanized SolarWinds Orion plug-in (see FBI Private Industry Notification 20201222-001 https://www.ic3.gov/Media/News/2020/201229.pdf); or
  • They note any system with a critical security function displaying any signs of compromise, including those that may have not originated from the SolarWinds Orion compromise but utilize similar TTPs (see CISA Alert AA20-352A).

This release has been issued for public information and notification purposes only.

CISA recommends utilizing three open-source tools—including a CISA-developed tool, Sparrow—to help in detecting and remediating malicious activity connected to this incident. Specifically, Sparrow was created to detect possible compromised accounts and applications in the Azure/Microsoft 365 environment. For guidance on all three tools, see CISA AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.

Any potential threat to the physical security or cybersecurity of your vessel or facility should be taken seriously. Any Breach of Security or Suspicious Activity resulting from Cyber Security Incidents for MTSA-regulated vessels or facilities shall be reported to the National Response Center at 1-800-424-8802. If you have any version of SolarWinds Orion but are unsure if you are at risk, or for any other questions regarding cyber threats or potential compromises, consider also contacting the Coast Guard Cyber Command 24x7 watch at 202-372-2904 or [email address not shown].

Richard V. Timme, RDML, U. S. Coast Guard, Assistant Commandant for Prevention Policy sends

CG-5PC - Marine Safety Information Bulletin 13-20, Change 2

COVID 19 – Transportation Worker Identification Credential (TWIC®) Operations

The uninterrupted flow of commerce on our Marine Transportation System (MTS) is critical to both National security and National economic well-being. During this National emergency for COVID-19 it is paramount that the Coast Guard safeguards the continued operation of the MTS to ensure our domestic supply chain continues uninterrupted. The regulations outlined throughout 33 and 46 Code of Federal Regulations remain in force, and maritime operators are expected to continue to comply with these requirements. However, when compliance with these regulations cannot reasonably be met as a result of COVID-19, the Coast Guard will exercise flexibility to prevent undue delays. The following clarification is provided regarding the Transportation Worker Identification Credential (TWIC®), which is jointly managed by the Coast Guard and the Transportation Security Administration (TSA). TSA may grant a temporary exemption from certain requirements in 49 CFR part 1572 for the expiration of the TWIC for current cardholders. If this occurs the Coast Guard will take these exemptions into consideration.

Maritime Facilities and Vessels:

 

TWIC Readers - the Coast Guard is not changing or delaying the TWIC Reader Rule implementation date of June 7, 2020 for facilities that receive vessels certificated to carry more than 1,000 passengers and vessels certificated to carry more than 1,000 passengers. However, the Coast Guard will delay enforcement until April 30, 2021.

Applicable facilities and vessels are not required to update facility security plans (FSP)/vessel security plans (VSP) or install readers until the revised enforcement date.

Escort Ratios – Escort ratios for secure and restricted areas of a facility are provided in Navigation and Inspection Circular (NVIC) 03-07. To provide flexibility due to COVID-19 related health impacts, the escort ratio may be adjusted to meet employee shortages or other demands. This would constitute a change to the FSP or require Captain of the Port approval via noncompliance (discussed below and in MSIB 07-20).

New Hires – After enrollment has been completed and a new hire has presented an acceptable form of identification per 33 CFR 101.515(a) to the vessel security officer or facility security officer, that new hire may be allowed access to secure or restricted areas where another person(s) is present who holds a TWIC and can provide reasonable monitoring. The side-by-side escorting required in 33 CFR 101.105 for restricted areas will not be enforced during the COVID-19 pandemic. Additional compliance options for new hires can be found in 33 CFR 104.267 and 105.257 or via noncompliance (discussed below).

Alternative Security Program (ASP) – Local users who are unable to comply with the requirements in an approved ASP may pursue temporary relief via noncompliance (discussed below) or an amendment can be submitted to cover the entire ASP via submission to CG-FAC.

Noncompliance – 33 CFR 104.125 and 105.125 discuss noncompliance with facility and vessel security requirements. If a situation arises where a facility or vessel will not be able to comply with the requirements of 33 CFR parts 104 or 105, they must contact the Captain of the Port (COTP) to request and receive permission to temporarily deviate from the requirements. While not discussed in 33 CFR 104.125 or 105.125, the vessel or facility operator should evaluate and consider any safety risks that may be created from the noncompliance. This request to continue operations should include new measures or safeguards the facility or vessel plans to employ to mitigate any risk from the non-compliance with 33 CFR part 104 or 105.

Merchant Mariner Credentials

The Coast Guard is providing flexibility with regard to requirements to have a TWIC when applying for a credential or when serving under the authority of a credential. To date, the processing of submitted TWIC enrollments has not been impacted by the COVID-19 crisis, and there is no delay in vetting, card production, and issuance. However, TSA and the Coast Guard recognize that this is an evolving public health situation and enrollment center closures or processing delays will impact applicants for a merchant mariner credential (see below for more on TSA enrollment centers).

Under 46 CFR 10.203(b), failure to hold a valid TWIC may serve as grounds for suspension or revocation of a merchant mariner credential (MMC). The Coast Guard will not pursue any suspension and revocation actions based on expired TWICs during the COVID-19 pandemic. The Coast Guard will update industry prior to reinstating enforcement of this requirement. This enforcement discretion for expired TWICs does not apply to cases where a mariner’s TWIC has been suspended or revoked due to a determination that they are a security threat. In those cases, the Coast Guard may pursue suspension or revocation of the MMC.

With respect to expired TWICs in the MMC application process, mariners applying for an original credential will be treated differently than mariners seeking a renewal, raise of grade or new endorsement. This is because the TSA provides the Coast Guard with biometric and biographic information (including the photograph) necessary to evaluate and produce a MMC.

Mariners applying for an original credential need to demonstrate that they have enrolled for a TWIC. Mariners may pre-enroll for a TWIC online, can schedule an appointment, but must complete the in-person enrollment process at the nearest TSA enrollment center. While this proof of application is sufficient to begin the merchant mariner credentialing process, an applicant for an original credential will be unable to obtain a MMC until their biographic and biometric information is provided to the Coast Guard by TSA.

For mariners already holding a MMC, if their TWIC expires, and their credential remains valid, then no action needs to be taken and the credential remains valid.

If a mariner applies for a renewal, raise of grade, new endorsement or duplicate merchant mariner credential while their TWIC is expired, they may apply without a valid TWIC if they demonstrate that they have enrolled for a TWIC renewal.

TSA Enrollment Centers – TSA’s Enrollment Centers remain open, at this time, and TSA is processing new TWIC enrollments. According to TSA, some enrollment centers have closed and may continue to close for a period of time to ensure the safety, health and wellness of staff and the public. If applicants are planning to visit an enrollment center, TSA encourages individuals to use the “Find an Enrollment Center” feature at the bottom of the Universal Enrollment Services home page (https://universalenroll.dhs.gov/locator) to determine if the center is open and its hours of operation. TWIC enrollments must be completed in-person at an enrollment center. You will be required to provide the necessary identity/immigration documentation and submit fingerprints during your in-person enrollment. It is recommended that you schedule an appointment. You may pre-enroll and schedule an appointment online (https://universalenroll.dhs.gov).

Richard V. Timme, RDML, U. S. Coast Guard, Assistant Commandant for Prevention Policy sends