Remember that we first defined security risk as the product of threat, vulnerability, and consequences. We know that there are steps we can take to reduce, but not eliminate, the risks associated with threats and vulnerabilities. But what about consequences? If all else fails, is there anything we can do once the event happens except pick up the pieces?
The short answer (spoiler alert!) is yes. As with threats and vulnerabilities, it is helpful to bucket consequences into logical categories, and from there work out risk reduction strategies. We can begin with operational risks, such as loss of life/injuries, environmental damage, and property/equipment damage.
First aid kits, pollution responders on retainer, and having repair plans and critical spare parts identified are all ways of reducing the operational consequences of a security incident. Some options are direct, simple, and lifesaving. For example, research has shown that the use of tourniquets and direct pressure can save lives; see https://www.dhs.gov/stopthebleed. That sounds like a great way of reducing consequences to me.
In other cases, detailed written contingency plans (including your FSP/VSP) and exercises that test those plans will enable you to deal with security events as managed incidents, rather than react to them in crisis mode. If possible, train your personnel in the Incident Command System (ICS). The Coast Guard, other federal agencies, and many state/local responders use ICS, and you want to be able to interface with them.
Business risk is another important category. Business risk speaks to your ability to resume normal trade activity as soon as possible after an incident. Without a plan, a prolonged shutdown or mismanaged restart could result in the loss of customers, reputation, and market share, followed by a loss of key employees. The Coast Guard includes “transportation system disruption, or economic disruption” in its definition of a Transportation Security Incident. This recognizes that business continuity is an objective of the Maritime Transportation Security Act regulations.
To address business risk, identify the key personnel, systems (including IT/cyber), supplies, equipment, and partner organizations you need to conduct normal business operations. Who will notify them of an incident at your facility/vessel? How many of them might themselves be impacted during a security incident or natural disaster? Who and what can’t you do without? Are backup personnel available? How about expensive and difficult-to-replace equipment such as electrical transformers? Who has the knowledge, budget, and authority to implement contingency plans? A thoughtful review of these issues can help you identify critical paths and improve day-to-day efficiency through streamlining, while also identifying desirable redundancies or alternatives you may want to put in place for the day they are needed.
A third risk category is compliance risk. A vessel or facility not in compliance with Coast Guard regulations could face consequences such as fines, penalties, or even a Captain of the Port order to cease all operations until the regulatory deficiency is addressed. While full compliance with your FSP/VSP certainly can’t guarantee a security incident won’t occur, failure to abide by those standards will make it easier for threats to exploit vulnerabilities, which will lead to operational consequences. Even without a security incident, significant or recurring compliance problems can lead to increased business risks as customers, shareholders, insurance providers, and others take note and act in their own interests.
Audits, training, drills, exercises, and an FSP/VSP customized for your operation can help minimize compliance risk. If the Coast Guard does note a violation, quickly and professionally correcting the issue can keep a minor incident from becoming a pattern of problems.
At Seebald & Associates, we can help companies address all of these risks. Our risk-based assessment process, which we use as the baseline for FSPs and VSPs, addresses each of these types of risk. Our audits, exercises, drills, and training services improve compliance and help identify potential improvements to your security program. And while our discussion has been security-focused, all of these principles apply equally to environmental incidents, natural disasters, and other significant disruptions to your business activity.
We’re not quite done with our risk discussions, however. Cyber systems have some similarities, but also some important differences, in their relationship to threat, vulnerability, and consequences. Provided that malware doesn’t take down your system, keep watching this space for some thoughts on that topic in the near future.