Our previous blogs defined risk as a combination of threat, vulnerability and consequences. This week, I’d like to focus on vulnerability.
A vulnerability is a potential weakness in our defenses, a chink in our armor. Much as we’d like to be perfectly protected from any possible threat, we know that isn’t practical or even possible. We do need to identify and evaluate potential vulnerabilities, and then decide what action, if any, to take to address them.
To begin, recognize that your organization is a business, with all manner of people and things coming and going. Legitimate points of entry (think gates and gangways) are your first consideration. How are those points monitored and controlled, how do you screen the legitimate from the nefarious? Consider people (employees, contractors, visitors), vehicles, cargo, supplies, and special deliveries (packages, ships stores).
Next consider the not-so-legitimate access points – fence lines and gunwales, and ask the same questions. For both categories, put yourself in the mind of an adversary, and think about how they might get to a point where they can cause harm. Could a person gain access to your ship or facility using a fake TWIC or other form of identification? How well do you check vehicles? Are there areas of your fence line that are in poor condition, or shielded from view by buildings, poor lighting, or vegetation? How are packages and mail handled? How about ships’ stores? Could small boats, divers, or other waterborne threats approach your facility or vessel without being detected?
Chances are, all of these and more are potential vulnerabilities.
But wait, there’s more! What if the threat was an “insider” – a regular crew member or employee? How difficult would it be for such a person to access restricted areas, sabotage critical equipment, or to bring a weapon or dangerous device on board? How about cyber vulnerabilities? Could hackers disrupt your critical processes, or “spoof” someone’s email? Could you even detect such an attack, much less defend against it?
Coast Guard regulations attempt to help operators identify vulnerabilities by specifying certain topics in the security assessment and plan, such as “measures to protect computer systems and networks” and “security measures for handling cargo.” While these requirements are a good starting point, you and your colleagues are the best people to identify your vulnerabilities.
Once you’ve identified the various ways people, vehicles, cargo, and data can enter your facility or vessel, you can start to prioritize them, and identify ways to minimize risk. Your facility is not Fort Knox, and your vessel is not a carrier battle group, but there are measures you can take to reduce (not eliminate) any vulnerability. Typical solutions might include:
- · Infrastructure (fencing, gates, ship design)
- · Equipment (lighting, cameras, metal detectors)
- · Procedures (screening, roving patrols, escorts)
- · Training, drills, and exercises
- · Cyber security measures (authentication procedures, data logging, monitoring)
- · Audits and inspections
Security measures must be practical, effective, and aligned with your business operations. Prioritizing is key. Not all vulnerabilities are equal, and not all security measures are equally effective against all vulnerabilities.
At Seebald & Associates, we help our clients identify and prioritize threats and vulnerabilities, and develop the most cost-effective security measures to address them. These measures become the basis of your Coast Guard required security plan.
As mentioned earlier, there are chinks in every armor. We can’t eliminate every vulnerability. That means we must prepare for possible consequences. Tune in next week for a discussion of consequences, preparedness, resilience, and how to mitigate the compliance, operational, and business risks from a security incident.