Cybersecurity Alert - Patching Android Devices
- Posted by Richard Sundland
Key takeaways:
- Android OS versions up to and including version 10 are in end-of-life status, meaning they are no longer receiving security patches/updates.
- Unpatched vulnerabilities can lead to unauthorized access to sensitive security information, denial of service (DoS) attacks and ransomware.
- Security patches also improve the stability and performance of devices, which is crucial to physical access control systems (PACS) that require fast and reliable authentication to ensure security of secured areas.
In today's world, technology is an indispensable tool that makes our personal and professional lives easier and more convenient. We rely on our smartphones, tablets, and other mobile devices to stay connected, access information, and perform a wide range of tasks. However, as technology evolves rapidly, so do the risks associated with it. While visibility of this issue has improved significantly for workstation computers in recent years, security on mobile devices remains a frequently overlooked topic. In this post, we will explain the security risks associated with unmaintained Android software when used by Maritime Transportation Security Act and Chemical Facility Anti-Terrorism Standards regulated facilities for physical access control and how to mitigate them.
Physical access control systems are used to regulate and monitor access to secured areas, assets, and buildings. PACS use technologies such as smart cards, biometric readers, and mobile devices to authenticate and grant access to authorized individuals. With the increasing use of mobile devices in PACS, it is essential to have up-to-date applications and operating systems, especially for Android devices.
Android is one of the most widely used mobile operating systems in the world, with more than 2.5 billion active users. With such a large user base, the platform provides an appealing target for those looking to infiltrate vulnerable systems through cyber-attacks. Vulnerabilities in the Android operating system can be exploited by attackers to gain unauthorized access to a PACS, which can lead to severe security breaches. To mitigate these risks, it is essential to ensure that devices are running actively maintained operating systems, and that they are receiving patch updates on a regular basis.
The Importance of Android Security Patches
Security patches are released periodically by device vendors to address vulnerabilities and bugs that are found in the operating system. These patches are critical in ensuring the security of the Android operating system, and failure to install them can leave the device vulnerable to attack. For example, Android OS 7.1.2 and 8.0 have been in end-of-life status since 2019 and 2021 respectively. From the standpoint of cybersecurity, that is a very long time, and each version has accumulated a large number of security bulletins whose vulnerabilities remain unpatched, providing a significant attack surface.
Unpatched vulnerabilities can create several problems for a device. First, attackers can exploit these vulnerabilities to gain unauthorized access and steal sensitive data from the device. Second, running outdated Android versions can make the device vulnerable to denial-of-service (DoS) attacks and ransomware. A DoS attack involves flooding the device with traffic to overwhelm the system and prevent legitimate users from accessing the system. Ransomware, on the other hand, selectively blocks access to critical functionality or information until the device owner has paid a ransom to the attacker. Either attack can be particularly problematic for PACS, which require fast and reliable authentication processes.
Finally, patches can also improve the overall performance of the Android operating system. These updates often include bug fixes and stability improvements that can enhance the effectiveness of the device. This can be crucial for PACS, which require fast and reliable authentication processes to ensure the security of the secured area.
Mechanically, attacks leveraging such vulnerabilities can take several forms. In the simplest cases, an attacker may be able to exfiltrate data from the PACS, compromising operational security and providing the attacker with valuable information on a facility. In the most complex cases, an attacker may attempt to fully take control of a device, actively making the device complicit in a broader cyber or physical attack on the organization. In the case of the Android 7.1.2 and 8.0 versions mentioned earlier, there are 8 and 38 (respectively) documented[1] exploits that can be used for remote code execution - which is typically a precursor to the most sophisticated attacks.
Best Practices for Android Operating System Updates
To ensure the security of a PACS, it is essential to follow best practices for Android operating system updates. Here are some tips to help ensure that the device is up-to-date and secure:
- Ensure the Android devices used in your PACS are running supported versions of the operating system. As of today, the supported versions are Android 11 and higher. If your device cannot be updated to a supported Android operating system, it is recommended that you upgrade your equipment as soon as possible.
- Enable automatic updates: One of the easiest ways to ensure that the device is up to date is to enable automatic updates. This will allow the device to automatically download and install the latest security patches and updates as they become available. If this is done through your service provider, you should ask them what their policy is on updating your deployed equipment.
- Check for updates regularly: If automatic updates are not enabled, it is essential to check for updates regularly. This will ensure that the device is up to date with the latest security patches and updates.
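One way to check the two facts these practices depend on, the OS version and the security patch level, is to parse the output of `adb shell getprop` captured from each device. This is an added example, not part of the original post; the 90-day staleness threshold, the audit date and the sample device output are assumptions constructed for illustration.

```python
import re
from datetime import date

# Per the post: Android 10 and below are end-of-life; 11 and higher are supported.
MIN_SUPPORTED_MAJOR = 11
# Assumption (not from the post): flag patch levels older than this many days.
MAX_PATCH_AGE_DAYS = 90
# Constructed audit date so the example gives the same result on every run.
AUDIT_DATE = date(2023, 6, 1)

# getprop prints one property per line in the form: [key]: [value]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample output for two hypothetical PACS handhelds.
SAMPLE_READER_A = """[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2019-10-05]
[ro.product.model]: [ExampleReader-1]"""
SAMPLE_READER_B = """[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-05-05]
[ro.product.model]: [ExampleReader-2]"""

def parse_getprop(text):
    """Return a dict of the properties found in getprop output."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def assess(text, today):
    """Return a list of findings for one device; an empty list means none."""
    props = parse_getprop(text)
    findings = []
    major = re.match(r"\d+", props.get("ro.build.version.release", ""))
    if not major:
        findings.append("unknown-os-version")
    elif int(major.group()) < MIN_SUPPORTED_MAJOR:
        findings.append("end-of-life-os")
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
        if (today - patch).days > MAX_PATCH_AGE_DAYS:
            findings.append("stale-patch-level")
    except ValueError:
        # Missing or malformed patch date: treat as a finding, not a pass.
        findings.append("unknown-patch-level")
    return findings

if __name__ == "__main__":
    for name, out in (("reader-a", SAMPLE_READER_A), ("reader-b", SAMPLE_READER_B)):
        print(name, assess(out, AUDIT_DATE) or "ok")
```

A device that reports no patch level at all is flagged rather than passed, so gaps in the inventory surface in the same report as end-of-life devices.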
The bottom line is: if you are using a PACS at your facility, it is imperative for security that you know what operating system is running on your equipment, and what the patching/updating policy is for those devices. Collaborate with your IT staff, reach out to your contracted service providers and do not overlook the importance of keeping your security software and hardware up to date.
[1] Based on MITRE CVE Database; https://cve.mitre.org/
Seebald Services - Much More Than MTSA
- Posted by Drew Tucci
Remember the old TV ads where a fast talking salesman demonstrated the amazing features of various household gadgets? While the quality of those products was always a bit doubtful, you could count on getting various bonus products if you “act now and call the number on your screen!”
Here at Seebald & Associates, we take pride in providing world class expertise in helping facilities and vessels meet their Coast Guard security requirements under the Maritime Transportation Security Act. And while those at Seebald & Associates have been known to talk at length, this is no late-night TV scam. You can trust all of us here at Seebald & Associates to provide top service in a wide range of areas of interest to marine transportation and critical infrastructure.
Did you know that Seebald & Associates can help your organization with other Coast Guard requirements? Need to update your Operations Manual or your Facility Response Plan? We’ve got you covered. Concerned about an upcoming safety inspection for your liquified or hazardous gas facility – we have experts to help you prepare.
And yes, our expertise extends to other DHS security programs. Many U.S. Coast Guard regulated facilities also participate in Customs and Border Protection’s Customs Trade Partnership Against Terrorism (CTPAT), which is focused on supply chain security. This is a voluntary program, but meeting its standards has many benefits, and it aligns well with MTSA requirements. Let us know how we can help!
And for non-transportation related facilities that handle, use, or store certain “chemicals of interest”, we can help ensure compliance with CISA’s Chemical Facility Anti-Terrorism Standards (CFATS), which helps keep our nation safe from malicious actors who might find ways to release, sabotage, or steal dangerous chemicals.
Like the old TV commercials, all we can say is “but wait, there’s more!”. Call now, operators are standing by. Or to bring this into the 21st century, go to the “Services” tab on our website and click on the link for the full list or download the Products & Services Document.
Facility Security Symposium Wraps Up
- Posted by Drew Tucci
On the final day of our 2023 Security Symposium, Captain Andy Meyers, CG-FAC, served as our morning keynote speaker. Captain Meyers is the program manager at Coast Guard Headquarters for the Coast Guard’s facility inspection program, including safety, security, and environmental standards.
Captain Meyers addressed several important security topics, including cyber, TWIC, and the growing use of drones in and around waterfront facilities. Captain Meyers also discussed recovery and resilience, and the growing use of novel fuels in the maritime industry, such as hydrogen and ammonia. Facilities that may be adding these fuels to their inventory should certainly consider the safety, security, and emergency response risks they may bring.
Sergeant Jay Santalucia, of the Broward County Sheriff department, was our second speaker. With 35 years of law enforcement experience, he gave us a frank and engaging presentation on active shooter incidents. A few takeaways: develop a warrior mindset, consider “stop the bleed” training, https://www.stopthebleed.org/training/, and work with your local law enforcement agencies before an incident to build relationships and understand how to report and respond to an active shooter incident, including how to behave once law enforcement arrives.
After lunch Eric Linden, Integritas Security Service Inc., showed us how they train and use canines for explosives and narcotics. It was clear that the dogs are enthusiastic and very good at their jobs and could be an effective security tool in many scenarios.
Lastly, Ian Wristbridge, MAGNAR LLC, gave us an education on the value of access control technologies, including the social and economic factors that can make them effective. We know that access control is the most common violation issued by the Coast Guard, so clearly, we have some work to do in this critical area.
After the Symposium concluded, Mark Dubina, Vice President and Security Chief for Port Tampa Bay hosted a cruise through the Port. It was a delightful end to a great week. Thank you Mark and thanks to all our FSOs, participants, and partners who made the Symposium a tremendous success!
Facility Security Symposium Kicks Off
- Posted by Drew Tucci
On Wednesday morning the FSO course finished when the students made their presentations and took the final exam. The good news is that everyone passed, and the better news is that our nation and marine transportation system is now stronger by 34 fully qualified Facility Security Officers!
In the afternoon the symposium kicked off with opening remarks from Captain Michael P. Kahle, Commander of Sector St. Petersburg and Captain of the Port here in Tampa. He emphasized the importance of supply chains and the need for the Coast Guard, other agencies, and the many private sector companies to cooperate in preparing for contingencies and building resilience.
After Captain Kahle’s remarks, our own John Felker chaired a cybersecurity panel discussion with three experts from the Coast Guard: LCDR Matt Whitney from Coast Guard Headquarters, Mr. Nick Parham from Coast Guard Atlantic Area, and Mr. Carl Hatfield from Coast Guard District Eight. These three individuals have tremendous technical expertise, but they helped us all understand cyber risks in simple terms.
They also discussed some emerging policies and described the Coast Guard’s “Cyber Protection Teams”, which are available, free of charge, to help MTSA facilities with cybersecurity challenges. These teams are NOT part of the Coast Guard’s regulatory program, so you can take advantage of their services without the risk of a fine or requirement. Contact any S&A member for more information or contact them directly at
Jorge Torres, Port Tampa Bay FSO, receives S&A Maritime Excellence award
Spencer Byrum, CEO of HRS Consulting, introduced us to the concept of High Reliability Organizations, situational awareness, and not driving your ship straight into the lighthouse. Many of us have operational environments that are “volatile, uncertain, complex, and ambiguous”, but we can learn to recognize red flags and take action to address these complex risks.
Dr. Will Wilkins, Executive Director, Global Security & Construction Management for Valero made a captivating presentation on preparing and responding to protest activities. Have a clear-eyed discussion with both your security personnel, and your senior management, about how to respond to these types of events BEFORE they happen to you.
After the presentations we all attended an informal reception where we were delighted to present Jorge Torres, of the Port of Tampa Bay, with our Maritime Excellence Award.
FSO Course & Refresher Course Wraps Up
- Posted by Drew Tucci
The start of day three for the Facility Security Officer (FSO) Course and the day prior, the one-day FSO Refresher Course wrapped up with 21 "old hands" sharing years of experience and a wealth of knowledge. These were all seasoned FSOs, many of them senior managers at their organizations, taking the time to refresh their knowledge about Coast Guard requirements and emerging threats.
While all Seebald & Associates courses benefit from student discussions, the refresher course typically has at least as many “sea stories” and examples from the students as formal lecture from Captain Brian Kelley, the lead instructor. Discussions about everything from the use of shotguns to remove rust and slag from ships (no kidding, you had to be there), to how to best support security guards, quickly dominated the course. Had we not had to break for lunch, Master Instructor Captain Brian Kelley might never have had the chance to return to his course plan.
TWIC was the first topic in the afternoon, which included some interesting stories about forgeries. Many of us have seen guards fooled by fairly simple fakes, like those made on a copy machine and hotel rewards cards. Good training can catch these fakes, but professional forgeries are all too easy to find these days. Fortunately, electronic TWIC readers, which a majority of our students are using, can catch these threats.
Another key topic was Facility Security Assessment (FSA) procedures. The FSA is the foundation of your Facility Security Plan, and if done correctly, will help you identify the security procedures at all MARSEC levels that will reduce your operational risk, meet the regulations, and align with your business practices. At Seebald and Associates we take pride in our FSA process, which always includes a risk-based analysis of threats, vulnerabilities, and consequences.
Speaking of FSAs, we also discussed the latest Coast Guard policy guidance on incorporating cybersecurity into the FSA, which was released just weeks earlier. Seebald & Associates is already incorporating this policy into our procedures.
Wednesday closes out the FSO course, with 34 graduates joining the 21 Refresher FSO students as we transition to the Symposium, with special guest speakers and panel discussions on cybersecurity, high reliability and situational awareness. The day ends with Dr. Watkins, Valero Executive Director for Global Securities, who will discuss the response and lessons learned from the recent protests on Valero facilities in the United Kingdom and Valero's planning against this threat against their facilities in the U.S.