Iranian Cyber Reconnaissance – Potential Maritime Impacts

On Tuesday, July 27, Sky News broke a story that should be of interest to maritime security professionals and the maritime community in general, as well as potentially other critical infrastructure sectors.  Sky News claims to be in possession of “very confidential” leaked Iranian cyber intelligence documents demonstrating Iran’s intent and desire to compromise critical infrastructure using cyber, including cargo vessels, fuel facilities and satellite communications. See the article here:  Iran's alleged secret cyber files revealed - YouTube

FireEye, a cybersecurity company, suggests that the documents "discuss the possible physical impacts of cyber operations targeting civilian critical infrastructure and the feasibility of conducting such attacks, while examining the percentage of internet-accessible devices that could be potential targets."  FireEye stated further that “these are the initial steps a state would take if they wanted to develop a specific cyber-attack capability.”

Iran has been engaged in cyber operations for some time (NY financial institutions, UK Parliament, Saudi Aramco, etc.).  Although this type of reconnaissance may not seem new, it appears to be another piece of the puzzle as Iran seeks to prepare for, and potentially execute, cyber-attacks against the US and others.

These recent discoveries emphasize things our FSOs should be doing to mitigate risk: 

  • As new requirements for a cyber annex in facility security plans come into play, have you connected your physical and cyber security thinking, and more importantly the teams you have doing both?  
  • Have you established relationships with partners in your port and/or sector to exchange information?  
  • Do you have a connection to the Maritime Transportation System Information Sharing and Analysis Center?  
  • Is there a regular dialogue with the Captain of the Port in your area and others related to cyber as well as physical threats?

All of these are important to your cyber preparation – “if you are ready, you do not have to get ready!”

Our Thursday morning started with two representatives from U.S. Coast Guard Headquarters, Office of Port and Facility Compliance (CG-FAC).  Mr. Charles Blackmore discussed cyber security topics, while Ms. Betty McMenemy discussed trends in compliance actions, the importance of the Facility Security Assessment, and TWIC.

Mr. Blackmore noted that the recent cyber NVIC was driven in part by the 2018 National Cyber Security Plan, which noted the importance of the maritime sector and the need for further action.  In addition to NVIC 01-20, the Coast Guard has developed a cyber security job aid for its inspectors to use during inspections, and is hiring maritime cyber security personnel across the service to improve expertise and capability at the field level.

He also explained the enforcement timeline.  Facilities must complete their cyber security assessments and submit amendments on or before their next audit date beginning this October.   Mr. Blackmore emphasized that both the industry and the Coast Guard are in a learning stage at this point, and that he would not expect rigorous enforcement action as long as facilities are operating in good faith.

A key point, and one that S&A loudly echoes, is that the cyber NVIC presents an opportunity for the FSO, IT personnel, and OT personnel to work together to develop an effective security program that addresses both cyber and physical risks.

Ms. Betty McMenemy has been at HQ since the beginning of the MTSA program and she is an enthusiastic proponent for both the Coast Guard and the regulated industry.  She told us that nationwide, there are approximately 2,600 MTSA regulated facilities that are required to maintain an FSP, along with an additional 400 facilities that are exempt due to their remote location or other factors. 

For 2020, Coast Guard data shows that most deficiencies were in the following 5 categories:

  • Access control (signs, unmonitored gates)
  • Restricted Areas
  • Drill and Exercise requirements (missing drills or exercises)
  • Record Keeping
  • Amendments and audits

Among other issues, Ms. McMenemy made two points that I think are keystone issues for an effective security program.  The first is to be sure to conduct a thoughtful and well-informed Facility Security Assessment.  Facilities can’t devise effective mitigation measures without understanding their risk, so make sure that your FSA really reflects your reality.  The Coast Guard is revising FSA guidance in an upcoming NVIC, so we look forward to that chance to improve our processes.

The second point she made, in the context of keeping up with drill and exercise requirements, is that “a crisis isn’t the time to do training”.  This is another area where S&A adds an enthusiastic foot stomp, and is why we include drills, exercises, and training during our audit visits.  We want you to succeed during Coast Guard compliance inspections AND in actual security incidents.

Our next speaker was Detective Raul Rivas, Orlando SWAT (retired).  Detective Rivas was one of many courageous law enforcement officers who responded to the Pulse nightclub shooting.  He shared body camera footage, photographs, and other first-hand accounts of that terrible event. 

I can’t begin to capture the force of his testimony in this blog, but I’ll offer a few take-aways that should be applicable to FSOs and facility operators:

The responding officers were not familiar with the club layout and construction.  Obtaining that knowledge in the midst of the response was challenging.  FSOs should consider inviting police and firefighters to visit and train at their facility so that they aren’t seeing it for the first time in a crisis.

Detective Rivas also pointed out the difficulty of advancing into active gun fire, even for trained law enforcement officers.  While we don’t expect FSOs and other facility personnel to take such extraordinary action, his message was to train realistically, because anything less won’t really prepare you for a crisis. 

Detective Rivas concluded with an account of the various post-incident services provided to the first responders.  Counseling programs like Critical Incident Stress Management (CISM) are vital to ensuring people can recover from traumatic events.  FSOs can work with their Human Resources departments to review their Employee Assistance Programs and identify other resources.  While this type of planning is not normally part of an FSP, we at S&A encourage facility operators to develop supporting plans to promote business continuity and care for their fellow workers.

While security often gravitates to hardware issues such as gates, barriers, and alarms, smart FSOs understand that human performance is the key to any organization. 

With that in mind, Thursday afternoon began with Spencer Byrum, CEO of HRS Consulting.  HRS focuses on helping companies become High Reliability Organizations.  Mr. Byrum introduced the idea of operating in a VUCA-T environment (Volatility, Uncertainty, Complexity and Ambiguity-Threats), a concept that FSOs can certainly relate to.

He addressed critical human factors such as communications, multi-tasking, risk assessment, and fatigue.  With colorful real world accounts backed by solid research he helped us all understand how to build reliable, resilient organizations while improving our own personal performance. 

Next came our own Brian Kelly with a series he called “The Good, the Bad, and the Ugly”.  As we conduct our audits and assessments, we often come across security systems and practices that can either be examples to follow (the good), or pitfalls to avoid (the bad and the ugly).  There were plenty of the “good”: specialized fences to close gaps by railbeds or on piers, and inward-facing signs reminding personnel to follow security practices.

Unfortunately there were also “bad” and even “ugly” examples.  Some of these were cases where facility employees propped open gates or otherwise deliberately disabled or evaded security systems.  In others, fences or gates were in such disrepair that we were able to easily get through them.  The good news is that all of those failures can be turned around with a little attention, maintenance, and training. 

The final segment of the Symposium was the Cyber Security Panel, facilitated by John “There is no such thing as air gapped” Felker.

John opened with some of the day’s cyber news, including a new breach involving SolarWinds and 400,000 spoofed e-mails coming from a tug boat company in the U.S.  The panel included a brief demonstration of how a person using a $45 device can scan for open networks or those with weak passwords.

The major themes from the cyber panel included:

The Coast Guard, CISA, State agencies, and other reputable sources have a wide range of free tools, training, and resources to help companies identify their vulnerabilities and reduce their cyber risks. 

All companies should participate in information sharing organizations such as an ISAC, or at least closely follow information put out by CISA.  Coast Guard regulations require organizations to report certain types of cyber incidents.  While companies are often reluctant to report cyber breaches for many reasons, sharing those reports will in the long run improve security.  Besides, everyone gets hacked; pretending otherwise is not helping anyone.  John Felker reminded us that standard anti-malware systems typically only block about 26% of known malware.

Because cyber incidents are so common, and so difficult to prevent, organizations should have cyber response/recovery plans.  These plans should include on-call experts who are already familiar with your network, and checklists and procedures a company can use to validate that an infected system is purged and safe to reconnect. 

Finally, response and recovery plans should be exercised, just like any other plans.

After our FSO and Refresher courses ended, we packed up our equipment and moved down the hall, filling a large conference room for the kick-off for the Symposium proper.  After introductions from Ed, our first event was the Captain of the Port Panel.

We had three distinguished panelists:  Captain Kelly Denning, Deputy Sector Commander; CAPT Eric King, currently the head of training for the Coast Guard and the prior Captain of the Port at Sector San Juan; and Captain Ryan Rhodes, the Captain of the Port, Sector Lower Mississippi River in Memphis, TN.  The Captains thanked the FSOs for their work in protecting the nation’s maritime security.  Hot topics for the panel were cyber security, Area Maritime Security Committees, and drones.  Participation in AMSCs enables FSOs to work together and take advantage of shared resources.  For example, use of drone detecting technology has helped authorities in the New Orleans area to locate drone operators and respond to complaints from facility operators.  This in turn helped support a new State law that increases the penalties for illegal drone operations.

Cyber security was another hot topic, and both panelists and participants commented that the recent emphasis on cyber security is drawing physical security and cyber security personnel together.  A challenge in the cyber domain is understanding when a cyber breach of security or suspicious activity must be reported to the Coast Guard.  The discussion helped everyone understand that this issue is not as clear cut as it is for physical security events.  On the issue of TWIC, Captain Denning encouraged any facilities that are considering redesignating their Secure areas to do so as early as possible.  Captain Denning also stated that any such request should include an FSA and proposed FSP amendment that indicates that the change would not result in increased risk of a TSI.  Based on the energy level and pace of discussion, it is clear that the rest of the symposium will be lively!

“This is not a theoretical class on facility security”

The stars were quite literally out this afternoon as both Admiral Karl Schultz, Commandant of the Coast Guard, and Rear Admiral Richard Timme, Eighth District Commander, joined our Symposium.  Admiral Schultz did so via a recorded address to Facility Security Officers.  Both Admirals emphasized the importance of Maritime Security and the role that FSOs and other industry personnel play in keeping the Marine Transportation System safe, secure, and resilient.  Although security classification restrictions kept Rear Admiral Timme from providing details, he made it clear that serious threats continue to exist in the Gulf region and elsewhere.  One of his strongest statements was that “This is not a theoretical class on facility security”.  That is a truth that every FSO should take to heart, and it reflects the reason we at S&A do everything we can to equip FSOs to succeed.

Admiral Timme also discussed trends in the maritime domain, including larger, more complex ships, growing trade volume, and the fact that the United States is now an energy exporter.  Significant marine casualties, such as the capsizing of the car carrier Golden Ray near Savannah in 2019 and the more recent grounding of the container ship Ever Given in the Suez Canal demonstrate supply chain risks and the need for FSOs and others in the port community to cooperate in Area Maritime Security Committees and similar forums.  The Admiral noted that for those large scale events, the first question from authorities is often “is this a cyber event?”  Facility operators need to “know their network” so they will be able to determine if that might be the case, or demonstrate to others that cyber was not a factor.  

We were particularly pleased that Admiral Timme took the time to recognize S&A client Tradepoint Atlantic as the recipient of the 2020 Rear Admiral Richard E. Bennis Award for Excellence in Maritime Security.
Rear Admiral Richard Timme capped the day and began his remarks by recognizing Tradepoint Atlantic, a long time S&A client, as recipient of the Admiral Bennis award for excellence in facility security.
A common theme among both Admirals was the growing complexities of the MTS and the importance of the MTS to the nation’s supply chain.  Cyber risks, drones, new port and vessel technologies, and innovative fuel and energy sources: all of these and more are factors that industry and the Coast Guard must work together to manage.  Our Symposium is one way in which we are able to do just that.

Afternoon, Day 2 – The Seebald & Associates FSO Course includes an Exercise.  Phase One of the exercise began the afternoon of Day 1.  The FSO Course participants were fully engaged in Phase Two.  The exercise includes designing a facility with security as the focus, drafting a Facility Security Assessment and writing a Facility Security Plan.

This group exercise is designed to reinforce the material covered in class and to incorporate and apply the requirements of 33 CFR 105 that an FSO must know and be able to perform.

Each group was fully engaged and energetic in applying the regulatory information they recently learned.

Keeping it Fresh.


Nineteen new arrivals showed up on day two of the S&A FSO Course and Security Symposium.  These were seasoned FSOs, here to learn and contribute at the FSO Refresher Course.  Our FSO Refresher course helps FSOs and senior executives stay sharp.

Our new participants represented over 400 years of experience, and this is what makes the Refresher Course so valuable.  While S&A instructors provided an overview of threats, emerging Coast Guard policies, and related issues, the students all had their own stories of security incidents, best practices, and other “nuggets of knowledge” that others could benefit from.  In some cases, the students used Post-it notes to share some of their suggestions.

The students in Refresher courses tend to be rather vocal, and today’s class was no exception.  While S&A Master Instructor Brian Kelly started with a planned agenda, the contribution from students often dominated the discussions.  Emerging threats and technologies were a popular topic.  One of the participants promised to share a video of a drone using a flame thrower, which we all look forward to seeing at a future course.

Of course the class is also discussing new requirements, including cyber security, a review of MTSA fundamentals, and trends in Coast Guard compliance actions.  The networking lunch, which Ed Seebald so kindly provided, included yet more discussions on practical matters such as security camera vendors, and how effective the access control and credentialing solution, MAGNAR FortifiD, has been with existing customers.

Stay tuned, tomorrow the classes end and the Symposium begins with special guest speakers, Captain of the Port Panel, and more...