A fitting tribute for a murdered Coast Guardsman... thank you to Sheriff Karl Leonard and all of the law enforcement in the Central Virginia area for helping recognize this Coastie's service!

Things observed  …. Good, Bad, and Ugly.

Some facts remain indisputable, regardless of your political affiliation.   One such fact is this:  We live in a fallen world.    Most days it doesn’t touch us, so we mindlessly go about our daily lives oblivious to the crime, evil, and discontent that seems to occupy every minute of our newsfeeds.     And then, there it is — in our face, front and center.     Today I will put on my service dress uniform for the first time in five years to attend the funeral of Petty Officer Caroline Schollaert, who grew up just a few miles from my hometown.   She was ruthlessly killed last week in Jacksonville by a thief caught breaking into her car.  Caroline was 27.  He was 22.  A common thief, likely looking for pocket change to buy his next fix.  The obvious irony is that Caroline’s final duty station was HITRON, the U.S. Coast Guard’s elite airborne counter-drug interdiction unit.        

I heard about the killing a week ago today from Sheriff Karl Leonard, who is a retired Coast Guard reserve officer.  I live in his county.   Caroline will be laid to rest this afternoon just up the road from us.  As a gesture of honor bestowed only to fallen military and first responders, he offered to provide a police escort for Caroline’s body when it arrived at our local Airport last Tuesday.  To that end, he requested that I reach out to my former colleagues at LANTAREA to get the arrival details.  In my mind, I envisioned a few police cars in a short motorcade, perhaps a motorcycle or two, following a black hearse.   It would be a journey of about 25 miles into the rural Virginia Countryside.   I sensed that people would pay it little mind as they saw it pass, many of them grumbling under their breath as they impatiently glance at their watches over the extra minute or two they would have to spend at an intersection.   I would be proved wrong. 

The Sheriff made a few calls and graciously picked me up at my house in a squad car on Tuesday afternoon; we immediately proceeded to the airport to wait for the Coast Guard C-27J carrying Caroline’s body.    What happened over the next two hours will forever be etched into my memory, and every Coast Guardsman who witnessed it should thank Karl Leonard for pulling this together.    The scene was this:   At the entrance to the airport were a litany of law enforcement vehicles from multiple jurisdictions, all parked in perfect formation  — facing the road, with blue lights flashing.   Everyone new something important was about to happen.     Waiting in a the parking lot were even more of them: scores of local, state, and county police vehicles from all over.   Then no less than 150 Harley Davidson’s manned by “Patriot Riders” came roaring in — among them were veterans of all military services — colors flying proudly.   In a nearby hanger, temperatures hovering in the upper 90s, was a contingent of Coast Guardsman in full Service Dress, waiting to line up and render a salute to their fallen shipmate as she was carried out of plane, proceeded by her mother, father, brother, and fiancé.    The hearse was loaded.  Few words were spoken.   People got into their vehicles and the Harley Davidsons fired to life.     

As the procession pulled out of the airport, led by flashing blue lights and motorcycles extending as far as the eye could see, the officers and firefighters staged along the way all snapped to attention and rendered salutes.    The local fire station had prepositioned a ladder truck, boom extended.   Hanging from it was a giant National Ensign — the same ensign that the other part of America now denigrates.   But not here — not today.   The state police would not let a single car pass as we creeped along at half speed, even on the four-lane highway.    Respect was due.   Respect would be rendered. 

As we started to draw near the small rural community of Powhatan, we began to see citizens lining route 60, hands over hearts, holding flags, silently honoring a mother and father who’s precious daughter lay in a flag-draped coffin in the hearse ahead.   The closer we got, the denser the crowd.     It was indeed a sight to behold.   I saw an old man solemnly holding a Coast Guard Ensign as we slowly turned into the funeral home parking lot, now overflowing with more cars and Harleys than it had likely ever held.   Then I turned to the Sheriff and said “Thank you Sir.   I will never forget this.”   He turned and said, “No, this is what we do for each other.”   

Petty Officer Schollaert’s tragic death was bad.   It was ugly.   But in it we found some real Americans who are still good, and humble, and God fearing.”    No riots, no fires, no looting.   Just grief.

“Blessed are those who mourn, for they shall be comforted.”   — Matthew 5:4

W. D. Lee

VADM, USCG (ret)

Submitted by Coast Guard Cyber CommandMaritime Cyber Readiness Branch

The Marine Transportation System (MTS) should be on heightened alert as a result of two recent developments. The first is a cyber-attack impacting port operations at container terminals in several South African ports due to “an act of cyber-attack, security intrusion and sabotage.”[1][2] The impacted terminals use a popular Terminal Operating System (OS) widely used throughout the U.S., and certain processes handled by the Terminal OS were suspended as a result of the cyber-attack. The attack is believed to be related to the “Death Kitty” ransomware, although full details are still not available.

The second development is the recent release of leaked Iranian documents detailing research into how a cyber-attack could be used to target critical infrastructure, including MTS entities. [3] These documents cover research into topics such as how to use ballast water systems to sink a vessel and how to interfere with MTS satellite communications. 

Coast Guard Cyber Command is continuing to monitor these situations and is fully engaged with cybersecurity agencies worldwide to identify and take action to mitigate vulnerabilities and threats to the MTS.

The Coast Guard strongly encourages vessels and facilities operating in the MTS to take prompt action in the following areas:

  • Review controls protecting Operational Technology,
  • Closely monitor network and system logs for any signs of unusual activity,
  • Review incident response plans, security plans, business continuity plans, and disaster recovery plans,
  • After reviewing these plans, with the context of these recently identified threats, implement increased security measures to mitigate any identified vulnerabilities.

Any Breach of Security or Suspicious Activity resulting from Cybersecurity Incidents shall be reported to the National Response Center at 1-800-424-8802 in accordance with CG-5P Policy Letter No. 08-16, Sections 3.B.ii-iv. You are strongly encouraged to report any abnormal behavior with your operational technology to your local Coast Guard Captain of the Port or the CG Cyber Command 24×7 watch at 202-372-2904 or This email address is being protected from spambots. You need JavaScript enabled to view it., as it may related to the developments described in this article.

As part of the effort to protect the MTS, Coast Guard Cyber Command has created Cyber Protection Teams and the Maritime Cyber Readiness Branch as detailed in the Cyber Strategic Outlook released on August 3, 2021.  Additionally, the Coast Guard is in the process of hiring 40 individuals as Marine Transportation System Specialists (MTSS)-Cybersecurity, to further aide in the coordination of efforts at our Area, District, and Sector/Marine Safety Unit Commands to strengthen the MTS against cybersecurity attacks[4].  

If you are a stakeholder in the MTS and would like to assist in our effort to combat cybersecurity attacks against the MTS, please reach out to your local Captain of the Port to become a part of their Area Maritime Security Committee (AMSC).  Many Committees have established cybersecurity subcommittees for the specific purpose of hardening our nation’s ports against cybersecurity attacks.       

For additional questions contact This email address is being protected from spambots. You need JavaScript enabled to view it.

[1] S.Africa’s Transnet says will soon lift force majeure after cyberattack | Reuters, July 27, 2021.

[2] Cyber attacks expose the vulnerability of South Africa’s ports – ISS Africa

[3] Iran’s secret cyber files on how cargo ships and petrol stations could be attacked | World News | Sky News

[4] For more information on MTSS-Cybersecurity positions please continue to monitor USA Jobs USAJOBS – The Federal Government’s official employment site

Today Admiral Karl L. Schultz, Commandant of the U.S. Coast Guard published the Coast Guard Cyber Strategic Outlook.  This is a relatively brief document, similar to the Coast Guard’s original, 2015, Cyber Security Strategy.  Nonetheless, Admiral Schultz’s clear eyed introduction is a sobering reminder of the threat we all face:

“Cyber attacks against the United States (U.S.) are one of the most significant threats to our economic and military power since World War II. The events of the last five years, including the exploitation of U.S. Coast Guard networks and information, attacks on maritime critical infrastructure, and adversarial efforts to undermine our democratic processes, reinforce that cyberspace is a contested domain.”

The Marine Transportation System features prominently in this document.  To address cyber threats to the marine industry, the Cyber Strategic Outlook outlines changes to reporting strategies, implement a risk based regulatory and compliance program, work with CISA and other agencies, and other actions, including developing Cyber Incident Response Plans through Area Maritime Security Committees.

For facility operators, this document is an important reminder to meet the requirements of NVIC 01-20, which requires facilities to incorporate cyber risks into their Facility Security Plans.  Seebald and Associates has been working with our clients to meet this requirement since last year.  Based on our experience to date, I believe that we are not only helping our clients address and urgent compliance need.  We are also helping them improve cooperation between cyber and physical security managers and building a strong security culture.

Independent of any regulatory requirement, I strongly encourage facility and vessel operators to review your cyber security practices.  Work with your cyber security experts, including vendors who supply you with critical systems, such as tank/fuel management systems, terminal operating systems, access control, and others.  As Admiral Schultz makes clear, our adversaries are tenacious and terrible.

Iranian Cyber Reconnaissance – Potential Maritime Impacts

Tuesday, July 27 Sky News broke a story that should be of interest to maritime security professionals and the maritime community in general – as well as potentially other critical infrastructure sectors.  Sky News claims to be in possession of “very confidential” leaked Iranian cyber intelligence documents demonstrating Iran’s intent and desire to compromise critical infrastructure using cyber, including cargo vessels, fuel facilities and satellite communications. See the article here:  Iran's alleged secret cyber files revealed - YouTube

FireEye, a cybersecurity company, suggests that the documents, "discuss the possible physical impacts of cyber operations targeting civilian critical infrastructure and the feasibility of conducting such attacks, while examining the percentage of internet-accessible devices that could be potential targets."  FireEye stated further that, “these are the initial steps a state would take if they wanted to develop a specific cyber-attack capability.”

Iran has been engaged in cyber operations for some time (NY financial institutions, UK Parliament, Saudi Aramco, etc.)  Although this type of reconnaissance may not seem new, it appears to be another piece of the puzzle as Iran seeks to prepare for, and potentially execute cyber-attacks against the US and others.

These recent discoveries emphasize things our FSOs should be doing to mitigate risk: 

  • As new requirements for a cyber annex in facility security plans come into play, have you connected your physical and cyber security thinking, and more importantly the teams you have doing both?  
  • Have you established relationships with partners in your port and/or sector to exchange information?  
  • Do you have a connection to the Maritime Transportation System Information Sharing and Analysis Center?  
  • Is there a regular dialogue with the Captain of the Port in your area and others related to cyber as well as physical threats?

All of these are important to your cyber preparation – “if you are ready, you do not have get ready!”

Our Thursday morning started with two representatives from U.S. Coast Guard Headquarters, Office of Port and Facility Compliance (CG-FAC).  Mr. Charles Blackmore discussed cyber security topics, while Ms. Betty McMennemy discussed trends in compliance actions, the importance of the Facility Security Assessment, and TWIC. 

Mr. Blackmore noted that recent cyber NVIC was driven in part by the 2018 National Cyber Security Plan, which noted the importance of the maritime sector and the need for further action.  In addition to NVIC 01-20, the Coast Guard has developed a cyber security job aid for their inspectors to use during inspections, and is hiring maritime cyber security personnel across the service to improve expertise and capability at the field level. 

He also explained the enforcement timeline.  Facilities must complete their cyber security assessments and submit amendments on or before their next audit date beginning this October.   Mr. Blackmore emphasized that both the industry and the Coast Guard are in a learning stage at this point, and that he would not expect rigorous enforcement action as long as facilities are operating in good faith.

A key point, and one that S&A loudly echoes, is that the cyber NVIC presents an opportunity for the FSO, IT personnel, and OT personnel, to work together to develop an effective security program that addresses both cyber and physical risks.

Ms. Betty McMenemy has been at HQ since the beginning of the MTSA program and she is an enthusiastic proponent for both the Coast Guard and the regulated industry.  She told us that nationwide, there are approximately 2,600 MTSA regulated facilities that are required to maintain an FSP, along with an additional 400 facilities that are exempt due to their remote location or other factors. 

For 2020, Coast Guard data shows that most deficiencies were in the following 5 categories:

  • Access control (signs, unmonitored gates)
  • Restricted Areas
  • Drill and Exercise requirements (missing drills or exercises)
  • Record Keeping
  • Amendments and audits

Among other issues, Ms. McMenemy made two points that I think are keystone issues for an effective security program.  The first is to be sure to conduct a thoughtful and well informed Facility Security Assessment.  Facilities can’t devise effective mitigation measures without understanding their risk, so make sure that FSA really reflects your reality.  The Coast Guard is revising FSA guidance in an upcoming NVIC, so we look forward to that chance to improve our processes.

The second point she made, in the context of keeping up with drill and exercise requirements, is that “a crisis isn’t the time to do training”.  This is another area where S&A adds an enthusiastic foot stomp, and is why we include drills, exercises, and training during our audit visits.  We want you to succeed during Coast Guard compliance inspections AND in actual security incidents.

Our next speaker was Detective Raul Rivas, Orlando SWAT (retired).  Detective Rivas was one of many courageous law enforcement officers who responded to the Pulse nightclub shooting.  He shared body camera footage, photographs, and other first-hand accounts of that terrible event. 

PictureAS.jpg

I can’t begin to capture the force of his testimony in this blog, but I’ll offer a few take-aways that should be applicable to FSOs and facility operators:

The responding officers were not familiar with the club layout and construction.  Obtaining that knowledge in the midst of the response was challenging.  FSOs should consider inviting police and firefighters to visit and train at their facility so that they aren’t seeing it for the first time in a crisis.

Detective Rivas also pointed out the difficulty of advancing into active gun fire, even for trained law enforcement officers.  While we don’t expect FSOs and other facility personnel to take such extraordinary action, his message was to train realistically, because anything less won’t really prepare you for a crisis. 

Detective Rivas concluded with an account of the various post-incident services provided to the first responders.  Counseling programs like Critical Incident Stress Management (CISM) are vital to ensuring people can recover from traumatic events.  FSOs can work with their Human Resources departments to review their Employee Assistance Programs and identify other resources.  While this type of planning is not normally part of an FSP, we at S&A encourage facility operators to develop supporting plans to promote business continuity and care for their fellow workers.

While security often gravitates to hardware issues such as gates, barriers, and alarms, smart FSOs understand that human performance is the key to any organization. 

With that in mind, Thursday afternoon began with Spencer Byrum, CEO of HRS Consulting.  HRS focuses helping companies become High Reliability Organizations.  Mr. Byrum introduced the idea of operating in a VUCA-T environment (Volatility, Uncertainty, Complexity and Ambiguity-Threats), a concept that FSOs can certainly relate to. 

Picture55.jpg

He addressed critical human factors such as communications, multi-tasking, risk assessment, and fatigue.  With colorful real world accounts backed by solid research he helped us all understand how to build reliable, resilient organizations while improving our own personal performance. 

Next came our own Brian Kelly with a series he called "The Good, the Bad, and the Ugly”.  As we conduct our audits and assessments, we often come across security systems and practices that can either be examples to follow (the good), or pitfalls to avoid (the bad and the ugly).  There were plenty of the “good” – specialized fences to close gaps by railbeds, or on piers, inward facing signs reminding personnel to follow security practices. 

Unfortunately there were also “bad” and even “ugly” examples.  Some of these were cases where facility employees propped open gates or otherwise deliberately disabled or evaded security systems.  In others, fences or gates were in such disrepair that we were able to easily get through them.  The good news is that all of those failures can be turned around with a little attention, maintenance, and training. 

The final segment of the Symposium was the Cyber Security Panel, facilitated by John “There is no such thing as air gapped” Felker.

John opened with some of the day’s cyber news, including a new breach involving SolarWinds and 400,000 spoofed e-mails coming from a tug boat company in the U.S.  The panel included a brief demonstration of how using a $45 dollar device a person can scan for open networks or those with weak passwords. 

The major themes from the cyber panel included:

The Coast Guard, CISA, State agencies, and other reputable sources have a wide range of free tools, training, and resources to help companies identify their vulnerabilities and reduce their cyber risks. 

All companies should participate in information sharing organizations such as an ISAC, or at least closely follow information put out by CISA.  Coast Guard regulations require organizations to report certain types of cyber incidents.  While companies are often to report cyber breaches for many reasons, sharing those reports will in the long run improve security.  Besides, everyone gets hacked, pretending otherwise is not helping anyone.  John Felker reminded us that standard anti-malware systems typically only block about 26% of known malware. 

Because cyber incidents are so common, and so difficult to prevent, organizations should have cyber response/recovery plans.  These plans should include on-call experts who are already familiar with your network, and checklists and procedures a company can use to validate that an infected system is purged and safe to reconnect. 

Finally, response and recovery plans should be exercised, just like any other plans.