Cybersecurity Executive Order
- Posted by Drew Tucci
The recently released Executive Order (EO) on maritime cybersecurity, to quote SC Media, “was long on lofty policy goals and short on specifics. For example, today’s release did not outline what the new cyber standards are and any specifics on the reporting time period.”
A key point for ALL maritime stakeholders is that the Coast Guard has announced proposed rulemaking, which includes a public comment period as part of the standard rulemaking process. Stakeholders, especially FSOs, should absolutely get involved in this process together with their IT/OT professionals.
This EO potentially revises Captain of the Port (COTP) authority so that the COTP can control vessel or facility operations on the basis of a clear cyber problem, with no need to wait for the bad thing to happen. An analogy from the physical world: if the inspector sees that your steering linkage consists of twine, the COTP can say "do not operate" without waiting for the accident. Presumably a known cyber problem, such as known malware on the system or a glaring unpatched vulnerability, would be treated the same way.
Our advice is that large and medium-sized facilities are, or should be, doing most of these things already (example: requiring multi-factor authentication for remote access), so for them it is more about documenting those practices in a plan than reinventing them. Smaller facilities, where the "network" consists of a home Wi-Fi router, four laptops, and a printer, and the consequence of the network going down is essentially zero? These facilities are going to need another option. If the cyber portion of the Facility Security Assessment (FSA) finds no meaningful consequence from a compromise, then perhaps the cyber plan for them could be minimal.
The Bottom Line – FSOs need to get their IT/OT staff involved and include them in the feedback they give the Coast Guard through the regulatory process!
CISA, NSA, & FBI Joint Cybersecurity Advisory
- Posted by Drew Tucci
Seebald & Associates friends and colleagues,
Here at Seebald & Associates, we monitor advisories from the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations so that we are aware of emerging threats.
On February 7th, CISA released an advisory on the People's Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon. The advisory was issued in cooperation with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and other U.S. government agencies and foreign allies. The link to that advisory is:
I’ve included a few key quotes below that show the seriousness of this advisory:
- “The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors”
- “Cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
- “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”
- “The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
I strongly encourage you to share this advisory with your cybersecurity teams and with the senior risk management personnel at your organization. The advisory recommends that organizations take immediate action to hunt for and respond to this threat, and it provides tools and information for doing so.
Thank you for doing all you can to protect your organization, and our great nation, from all threats.
Cybersecurity Alert - Patching Android Devices
- Posted by Richard Sundland
- Android OS versions up to and including version 10 have reached end-of-life status, meaning they no longer receive security patches or updates.
- Unpatched vulnerabilities can lead to unauthorized access to sensitive security information, denial-of-service (DoS) attacks, and ransomware.
- Security patches also improve the stability and performance of devices, which is crucial to physical access control systems (PACS) that require fast and reliable authentication to ensure security of secured areas.
In today's world, technology is an indispensable tool that makes our personal and professional lives easier and more convenient. We rely on our smartphones, tablets, and other mobile devices to stay connected, access information, and perform a wide range of tasks. However, as technology evolves rapidly, so do the risks associated with it. While awareness of this issue has improved significantly for workstation computers in recent years, security on mobile devices remains a frequently overlooked topic. In this post, we explain the security risks of running unmaintained Android software for physical access control at facilities regulated under the Maritime Transportation Security Act (MTSA) and the Chemical Facility Anti-Terrorism Standards (CFATS), and how to mitigate them.
Physical access control systems are used to regulate and monitor access to secured areas, assets, and buildings. PACS use technologies such as smart cards, biometric readers, and mobile devices to authenticate and grant access to authorized individuals. With the increasing use of mobile devices in PACS, it is essential to have up-to-date applications and operating systems, especially for Android devices.
Android is one of the most widely used mobile operating systems in the world, with more than 2.5 billion active users. With such a large user base, the platform is an appealing target for attackers looking for vulnerable systems to infiltrate. Vulnerabilities in unmaintained Android versions can be exploited to gain unauthorized access to a PACS, which can lead to severe security breaches. To mitigate this risk, it is essential to ensure that devices are running an actively maintained operating system and are receiving patch updates on a regular basis.
The Importance of Android Security Patches
Security patches are published by Google in its monthly Android Security Bulletins and delivered to devices by the device vendors, and they address vulnerabilities and bugs found in the operating system. These patches are critical to the security of an Android device, and failing to install them leaves the device open to attack. For example, Android OS 7.1.2 and 8.0 have been in end-of-life status since 2019 and 2021 respectively. From a cybersecurity standpoint that is a very long time, and each version has accumulated a large number of security bulletins whose fixes it will never receive, which adds up to a significant attack surface.
Unpatched vulnerabilities create several problems for a device. First, attackers can exploit them to gain unauthorized access and steal sensitive data from the device. Second, running an outdated Android version leaves the device exposed to denial-of-service (DoS) attacks and ransomware. A DoS attack renders the device unusable, for example by crashing a vulnerable service with malformed input or by flooding it with traffic so that legitimate users cannot get through. Ransomware blocks access to critical functionality or information until the device owner pays the attacker. Either attack is particularly damaging to a PACS, which depends on fast and reliable authentication.
Finally, patches also improve the overall stability and performance of the Android operating system. Updates often include bug fixes and stability improvements that make the device more effective, which matters for a PACS that must authenticate quickly and reliably to keep a secured area secure.
Mechanically, attacks leveraging such vulnerabilities can take several forms. In the simplest cases, an attacker may be able to exfiltrate data from the PACS, compromising operational security and providing the attacker with valuable information about a facility. In the most complex cases, an attacker may take full control of a device and make it an active participant in a broader cyber or physical attack on the organization. For the Android 7.1.2 and 8.0 versions mentioned earlier, there are 8 and 38 (respectively) documented exploits usable for remote code execution, which is typically the precursor to the most sophisticated attacks.
Best Practices for Android Operating System Updates
To ensure the security of a PACS, it is essential to follow best practices for Android operating system updates. Here are some tips to help keep the device up to date and secure:
- Run a supported version: ensure the Android devices used in your PACS are running a supported version of the operating system. As of this writing, the supported versions are Android 11 and higher. If a device cannot be updated to a supported Android version, replace the equipment as soon as possible.
- Enable automatic updates: one of the easiest ways to keep a device current is to enable automatic updates, so the device downloads and installs the latest security patches and updates as they become available. If updates are handled by your service provider, ask them what their policy is for updating your deployed equipment.
- Check for updates regularly: if automatic updates are not enabled, check for updates on a regular schedule so that the device stays current with the latest security patches and updates.
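The tips above come down to two facts you need for every Android device in the PACS: which OS version it runs, and when it last received a security patch. Both are exposed as system properties (`ro.build.version.release` and `ro.build.version.security_patch`) that `adb shell getprop` prints, and an MDM export typically carries the same values. The script below is an added example, not code from the original post or from any PACS vendor; it parses that property dump for each device and flags devices that are end-of-life or whose patch level is stale. The inventory text, serial numbers and model names are constructed for the example, and the two thresholds (Android 11 as the oldest supported version, per the post, and 90 days as the acceptable patch age) are assumptions to adjust for your own policy.

```python
"""
Audit Android devices used in a PACS for end-of-life OS versions and stale
security patch levels, working from `adb shell getprop` output per device.
"""
from dataclasses import dataclass
from datetime import date
import re

# Assumption (per the post at time of writing): Android 11 is the oldest
# version still receiving security patches. Adjust as versions are retired.
MIN_SUPPORTED_MAJOR = 11
# Assumption: flag a device whose last security patch is older than this,
# even when its OS version is still supported.
MAX_PATCH_AGE_DAYS = 90
# Fixed "today" so the audit is reproducible; use date.today() in practice.
AUDIT_DATE = date(2023, 6, 1)

# getprop prints one property per line as "[key]: [value]".
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> dict[str, str]:
    """Parse `adb shell getprop` output into a key/value dict."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


@dataclass
class Finding:
    serial: str
    release: str
    patch_level: str
    status: str   # "ok", "eol", "stale-patch" or "unknown"
    detail: str


def assess(serial: str, props: dict[str, str], today: date) -> Finding:
    """Classify one device from its parsed properties."""
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    m = re.match(r"(\d+)", release)          # "7.1.2" -> 7, "13" -> 13
    if not m:
        return Finding(serial, release, patch, "unknown",
                       "could not read ro.build.version.release")
    major = int(m.group(1))
    if major < MIN_SUPPORTED_MAJOR:
        return Finding(serial, release, patch, "eol",
                       f"Android {major} no longer receives security patches; replace device")
    try:
        patch_date = date.fromisoformat(patch)   # format is YYYY-MM-DD
    except ValueError:
        return Finding(serial, release, patch, "unknown",
                       "no parseable ro.build.version.security_patch")
    age = (today - patch_date).days
    if age > MAX_PATCH_AGE_DAYS:
        return Finding(serial, release, patch, "stale-patch",
                       f"last patch is {age} days old; confirm update policy with vendor/provider")
    return Finding(serial, release, patch, "ok", f"patch level is {age} days old")


def audit_inventory(inventory: dict[str, str], today: date = AUDIT_DATE) -> list[Finding]:
    """Run assess() over a {serial: getprop_output} inventory."""
    return [assess(serial, parse_getprop(text), today)
            for serial, text in inventory.items()]


# Constructed sample inventory (serials, models and dates are made up).
SAMPLE_INVENTORY = {
    "RDR-001": "[ro.product.model]: [GateReaderA]\n"
               "[ro.build.version.release]: [8.0.0]\n"
               "[ro.build.version.sdk]: [26]\n"
               "[ro.build.version.security_patch]: [2020-10-05]\n",
    "RDR-002": "[ro.product.model]: [GateReaderB]\n"
               "[ro.build.version.release]: [11]\n"
               "[ro.build.version.security_patch]: [2022-03-05]\n",
    "RDR-003": "[ro.product.model]: [GateReaderC]\n"
               "[ro.build.version.release]: [13]\n"
               "[ro.build.version.security_patch]: [2023-05-05]\n",
    "RDR-004": "[ro.product.model]: [GateReaderD]\n"
               "[ro.build.version.release]: [12]\n"
               "[ro.build.version.security_patch]: []\n",
}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.serial}: Android {f.release or '?'} patch {f.patch_level or '?'} -> {f.status} ({f.detail})")
```

In practice, collect the property dump with `adb shell getprop` for each device (or ask your service provider for the equivalent export) and run the audit on a schedule; any device marked `eol` goes on the replacement list, and `stale-patch` or `unknown` results are the ones to raise with the vendor or provider.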
The bottom line is: if you are using a PACS at your facility, it is imperative for security that you know what operating system is running on your equipment and what the patching and update policy is for those devices. Collaborate with your IT staff, reach out to your contracted service providers, and do not overlook the importance of keeping your security software and hardware up to date.
Seebald Services - Much More Than MTSA
- Posted by Drew Tucci
Remember the old TV ads where a fast talking salesman demonstrated the amazing features of various household gadgets? While the quality of those products was always a bit doubtful, you could count on getting various bonus products if you “act now and call the number on your screen!”
Here at Seebald & Associates, we take pride in providing world-class expertise in helping facilities and vessels meet their Coast Guard security requirements under the Maritime Transportation Security Act (MTSA). And while those at Seebald & Associates have been known to talk at length, this is no late-night TV scam. You can trust all of us here at Seebald & Associates to provide top service in a wide range of areas of interest to marine transportation and critical infrastructure.
Did you know that Seebald & Associates can help your organization with other Coast Guard requirements? Need to update your Operations Manual or your Facility Response Plan? We’ve got you covered. Concerned about an upcoming safety inspection for your liquefied or hazardous gas facility? We have experts to help you prepare.
And yes, our expertise extends to other DHS security programs. Many U.S. Coast Guard regulated facilities also participate in Customs and Border Protection’s Customs Trade Partnership Against Terrorism (CTPAT), which is focused on supply chain security. This is a voluntary program, but meeting its standards has many benefits, and it aligns well with MTSA requirements. Let us know how we can help!
And for non-transportation facilities that handle, use, or store certain “chemicals of interest”, we can help ensure compliance with CISA’s Chemical Facility Anti-Terrorism Standards (CFATS), which helps keep our nation safe from malicious actors who might find ways to release, sabotage, or steal dangerous chemicals.
Like the old TV commercials, all we can say is “but wait, there’s more!” Call now, operators are standing by. Or, to bring this into the 21st century, go to the “Services” tab on our website and click the link for the full list, or download the Products & Services document.
Facility Security Symposium Wraps Up
- Posted by Drew Tucci
On the final day of our 2023 Security Symposium, Captain Andy Meyers, CG-FAC, served as our morning keynote speaker. Captain Meyers is the program manager at Coast Guard Headquarters for the Coast Guard’s facility inspection program, including safety, security, and environmental standards.
Captain Meyers addressed several important security topics, including cyber, TWIC, and the growing use of drones in and around waterfront facilities. Captain Meyers also discussed recovery and resilience, and the growing use of novel fuels in the maritime industry, such as hydrogen and ammonia. Facilities that may be adding these fuels to their inventory should certainly consider the safety, security, and emergency response risks they may bring.
Sergeant Jay Santalucia of the Broward County Sheriff's Office was our second speaker. With 35 years of law enforcement experience, he gave us a frank and engaging presentation on active shooter incidents. A few takeaways: develop a warrior mindset; consider “Stop the Bleed” training (https://www.stopthebleed.org/training/); and work with your local law enforcement agencies before an incident to build relationships and understand how to report and respond to an active shooter incident, including how to behave once law enforcement arrives.
After lunch, Eric Linden of Integritas Security Service Inc. showed us how they train and use canines for explosives and narcotics detection. It was clear that the dogs are enthusiastic and very good at their jobs, and they could be an effective security tool in many scenarios.
Lastly, Ian Wristbridge of MAGNAR LLC gave us an education on the value of access control technologies, including the social and economic factors that make them effective. We know that access control is the most common violation cited by the Coast Guard, so clearly we have some work to do in this critical area.
After the Symposium concluded, Mark Dubina, Vice President and Security Chief for Port Tampa Bay hosted a cruise through the Port. It was a delightful end to a great week. Thank you Mark and thanks to all our FSOs, participants, and partners who made the Symposium a tremendous success!