Planning Your Drills & Exercises

The success of your drill or exercise depends largely on how well you plan it.  The first step is to decide what you will test.  Remember that Drills test individual elements of your FSP, while Exercises are a full test of the security program and must include substantial and active participation of FSOs. 

This leaves us to choose the single FSP element to focus on for our Drill.  There are many options, but where can we find them?  Your menu of FSP elements is located in 33 CFR 105’s table of contents.  For example, there are 18 elements listed in Subpart B (plus four additional elements for specially designated facilities).  Each one of these elements can serve as the basis for your Drill.

The second step is to develop a scenario.  Here’s where you can get creative.  Think of a simple situation that will test the individual FSP element.  Be careful not to overcomplicate things!  For examples of Drill scenarios, look to the monthly Drill reminders that Seebald & Associates provide to our Platinum members. 

The scenario for an Exercise is often more complicated than a Drill, as we’re testing the entire FSP.  Remember, the exercise must have a security focus and the FSO must substantially and actively participate.  Each exercise must test communication and notification procedures, and elements of coordination, resource availability, and response.  In many cases, the Exercise is a series of scenarios or events.  If you are plugged into your local AMSC, there may be opportunities to participate in area or regional exercises for credit.

The third step is to decide who will be tested.  This can include your Alternate FSO(s), Personnel with Security Duties, and All Other personnel.  As we do with the S&A monthly Drill reminders for Platinum members, develop a series of questions to ask beforehand to help guide the Drill or Exercise.  Here’s a hint:  Refer to the specific section of your FSP for the element tested to develop pointed questions.

If you have a vessel moored at your facility, you can ask the Master or VSO if they’d like to participate in your Drill or Exercise.  Similar to maritime facilities, vessels also have Drill & Exercise requirements. 

Next week we’ll explore how to conduct your Drills & Exercises…

In our previous blogs, we discussed protecting our networks from cyber-attacks, the reasons why we protect our networks, and some common cyber-attacks.  The U.S. Coast Guard is acutely aware of the impacts of cyber security on the maritime transportation system.  Cyber security will become an integral component of your FSP.  This final blog addresses how the U.S. Coast Guard is addressing these topics as they review and approve your FSP.

In October, Cyber Security Awareness month, the U.S. Coast Guard provided five key cyber security questions and challenges in the maritime industry.  Here is the link to that information:  http://mariners.coastguard.dodlive.mil/2017/10/30/10302017-natl-cybersecurity-awareness-month-five-key-cyber-questions-and-challenges-facing-the-maritime-industry/

The U.S. Coast Guard has prepared a draft NVIC to help guide inclusion of cyber security in your FSP.  The draft is “based on the National Institute of Standards and Technology (NIST) Cyber security Framework (CSF) and NIST Special Publication 800-82.”  As we teach in our FSO courses, the U.S. Coast Guard is utilizing cyber industry standards and requirements to aid in providing this guidance.  Specifically, the draft states “how those existing requirements relate to cyber security measures, and what would be recommended to be included in the FSP.”

Seebald & Associates provided feedback to the U.S. Coast Guard office that prepared this draft NVIC, and we will closely monitor the development of the cyber security requirement(s) for your FSP.  At Seebald & Associates, we are committed to keeping abreast of this topic and will share any updates as they become available after ensuring their validity.  The Seebald & Associates team is standing by to assist your facility when including cyber security in your FSP becomes a requirement.

Remember, being vigilant in the maritime security environment is more than the physical aspect; it also includes cyber security for your networks.

In our last blog, we discussed several common cyber-attacks; this week we will discuss some common ways to protect against them. We will also identify some detection methods for recognizing these “attacks”.

Before discussing the protection and detection methods, it would be a good time to explore the idea of identifying a specific cyber security expert within your organization. Depending on the size of your organization, this may be a full-time position within your IT department. Because cyber security affects almost all facets of an organization, the cyber security expert would need to educate every level of the organization about cyber security methods and the procedures your organization uses. Finally, an on-staff cyber security expert can advise an organization on the latest trends, install appropriate security measures (firewalls, air gaps, etc.) and monitor the organization’s network.

The following is a short list of common cyber hygiene practices. This is in no way an all-inclusive list but is a good starting point to protect against a cyber-attack:

  • Use of a strong password – Although this may seem like an overly simplistic method, the utilization of a strong password is one of the most basic steps in cyber security.
  • Practice and enforce cyber hygiene – Establish an organizational protocol (including strong passwords) that clearly defines cyber hygiene. Some examples include: locking computer screens when not in use, preventing the download of unauthorized software, educating employees about cyber threats, and limiting the number of personnel with administrative privileges.
  • Updated Software – Old or outdated software may provide an avenue for accessing a network. New/updated software generally identifies and remedies security shortcomings in previous editions.
  • Upgraded aging infrastructure – In addition to updating software, upgrading an organization’s aging hardware and components can assist in protecting against an attack.
  • Back up data – Maintain a system (cloud based or local separate storage) where your system and data can be backed up in the event of a cyber-attack or other catastrophic loss. A data backup can reestablish your facility’s operation if an attack causes data loss.

Although protection from a cyber-attack is paramount, the detection of a cyber-attack is also extremely important. In some cases, the detection of a cyber-attack may enable protective measures to be employed thereby preventing significant damage or system outages. 

  • System slow down – Any significant reduction in Internet speed should be reported immediately to the IT department or help desk.
  • Email attachments – At no time should an email attachment from an unknown sender be opened. These attachments may contain Malware and could cause serious problems.
  • Identify emails from unknown sources – An “official” looking email may be initiating a cyber-attack. Responding to a suspicious email can be just as risky.

Almost all cyber-attacks involve some type of human interaction. One of the best ways to detect AND protect against a cyber-attack is educating your team. A properly trained end user will be able to detect a suspicious email, a system slow down or other unusual network activity and report it to prevent a cyber-attack.

Our previous blog discussed the absolute need to protect against cyber-attacks. In this blog we will explore and define some of the most common cyber-attacks.

  • Identity theft – Any “attack” which causes a person’s personal identifiable characteristics to be stolen and used fraudulently. Some common forms include: stealing credit card information and using another person’s social security number to apply for a financial transaction.
  • Ransomware – A type of malicious “attack” which can block access to a facility’s own network and/or data or can threaten to publish data unless a “ransom” is paid.
  • Malware – This is a broad term to describe a software “attack” which gives access to a computer or network often without the user’s knowledge. Malware is short for malicious software and common examples include: adware, bots, bugs, rootkits, spyware, Trojan horses, viruses, and worms.
  • Denial of Service (DoS) – This is an “attack” in which a facility’s website is overwhelmed with traffic. The DoS may be triggered by a specific event or can be a malicious barrage of traffic intent on creating an organizational disruption.
  • Man in the Middle – This is an “attack” where an Internet “conversation” between two endpoints of an online information exchange is interrupted or altered. This is simply a sophisticated form of electronic eavesdropping where a person(s) is able to gain information from this “conversation”.
  • Phishing (pronounced “fishing”) – An “attack” which baits you to give out personal information by utilizing some form of electronic communication, most commonly emails, often disguised as coming from a legitimate source. Phishing now has several versions of the same theme:
      • Spear Phishing – A form of targeted phishing that may appear to come from a known business associate asking for personal or business information.
      • Smishing and Vishing scam – A version of phishing that uses SMS (text) and voice communications to solicit information.  These types have variations in which a facility may receive a phone call or text from a legitimate sounding business requesting information or an email requesting a facility call or text this information.
      • Whaling – This is another form of targeted phishing where the intended target is the CEO, CFO or other high-level executive (whale) at a facility.

This is certainly not an all-inclusive list of cyber-attacks. As long as there are people with nefarious intent and access to a computer, the threat will be present. Also, as technology evolves, so will the threat. In our next blog, we explore how to detect and protect against these cyber-attacks.

In an ever-growing technological and networked world, the need to protect a facility’s information and information systems can no longer be ignored.  Bad actors include computer hackers bent on embarrassing a facility (exposing a weakness), cyber criminals attempting to pilfer financial records, nation states seeking a foothold to disrupt the flow of goods or gain competitive advantage, or a cyber terrorist taking control of a facility’s critical infrastructure to cause loss of life and property.  With threat actors stepping up their game daily, it is essential to protect your cyber network.

The need to protect a facility’s cyber infrastructure is incredibly important for several reasons, but two primary reasons are:

  • Financial – Protection against phishing, online scams, malware, ransomware, identity theft and simple fraud all affect a facility’s bottom line. According to estimates by the Center for Strategic and International Studies, cyber crime costs the global economy over $400 billion per year. This is just one estimate, and there are other studies that put the cost into the trillion-dollar range. Even a fairly unsophisticated financial cyber-attack can have an impact on a facility’s financial resources.
  • Infrastructure – A facility’s infrastructure could be a target for a cyber terrorist attempting to take control of any one of a number of automated processes.  A cyber terrorist could potentially gain access to an unprotected fuel transfer system and cause a catastrophic leak, or a disgruntled former employee might access an unprotected network to disseminate an organization’s trade secrets.  Any unprotected or weakly protected system that can be accessed can be compromised.

For these reasons, a commitment to cyber security must be an essential component of a facility’s security plan.  Step One is to designate who at the facility is responsible for the cyber elements of a facility’s security.  Cyber and physical security are becoming increasingly difficult to separate, as many cyber-attacks result in physical effects.  We encourage each facility to discuss who should be responsible and designate a responsible party.

In the next Blog we will discuss the common types of cyber attacks.