Our Thursday morning started with two representatives from U.S. Coast Guard Headquarters, Office of Port and Facility Compliance (CG-FAC). Mr. Charles Blackmore discussed cyber security topics, while Ms. Betty McMenemy discussed trends in compliance actions, the importance of the Facility Security Assessment, and TWIC.
Mr. Blackmore noted that the recent cyber NVIC was driven in part by the 2018 National Cyber Security Plan, which noted the importance of the maritime sector and the need for further action. In addition to NVIC 01-20, the Coast Guard has developed a cyber security job aid for its inspectors to use during inspections, and is hiring maritime cyber security personnel across the service to improve expertise and capability at the field level.
He also explained the enforcement timeline. Facilities must complete their cyber security assessments and submit amendments on or before their next audit date beginning this October. Mr. Blackmore emphasized that both the industry and the Coast Guard are in a learning stage at this point, and that he would not expect rigorous enforcement action as long as facilities are operating in good faith.
A key point, and one that S&A loudly echoes, is that the cyber NVIC presents an opportunity for the FSO, IT personnel, and OT personnel to work together to develop an effective security program that addresses both cyber and physical risks.
Ms. Betty McMenemy has been at HQ since the beginning of the MTSA program and she is an enthusiastic proponent for both the Coast Guard and the regulated industry. She told us that nationwide, there are approximately 2,600 MTSA regulated facilities that are required to maintain an FSP, along with an additional 400 facilities that are exempt due to their remote location or other factors.
For 2020, Coast Guard data shows that most deficiencies were in the following 5 categories:
- Access control (signs, unmonitored gates)
- Restricted Areas
- Drill and Exercise requirements (missing drills or exercises)
- Record Keeping
- Amendments and audits
Among other issues, Ms. McMenemy made two points that I think are keystone issues for an effective security program. The first is to be sure to conduct a thoughtful and well-informed Facility Security Assessment. Facilities can’t devise effective mitigation measures without understanding their risk, so make sure that the FSA really reflects your reality. The Coast Guard is revising FSA guidance in an upcoming NVIC, so we look forward to that chance to improve our processes.
The second point she made, in the context of keeping up with drill and exercise requirements, is that “a crisis isn’t the time to do training”. This is another area where S&A adds an enthusiastic foot stomp, and is why we include drills, exercises, and training during our audit visits. We want you to succeed during Coast Guard compliance inspections AND in actual security incidents.
Our next speaker was Detective Raul Rivas, Orlando SWAT (retired). Detective Rivas was one of many courageous law enforcement officers who responded to the Pulse nightclub shooting. He shared body camera footage, photographs, and other first-hand accounts of that terrible event.
I can’t begin to capture the force of his testimony in this blog, but I’ll offer a few take-aways that should be applicable to FSOs and facility operators:
The responding officers were not familiar with the club layout and construction. Obtaining that knowledge in the midst of the response was challenging. FSOs should consider inviting police and firefighters to visit and train at their facility so that they aren’t seeing it for the first time in a crisis.
Detective Rivas also pointed out the difficulty of advancing into active gun fire, even for trained law enforcement officers. While we don’t expect FSOs and other facility personnel to take such extraordinary action, his message was to train realistically, because anything less won’t really prepare you for a crisis.
Detective Rivas concluded with an account of the various post-incident services provided to the first responders. Counseling programs like Critical Incident Stress Management (CISM) are vital to ensuring people can recover from traumatic events. FSOs can work with their Human Resources departments to review their Employee Assistance Programs and identify other resources. While this type of planning is not normally part of an FSP, we at S&A encourage facility operators to develop supporting plans to promote business continuity and care for their fellow workers.
While security often gravitates to hardware issues such as gates, barriers, and alarms, smart FSOs understand that human performance is the key to any organization.
With that in mind, Thursday afternoon began with Spencer Byrum, CEO of HRS Consulting. HRS focuses on helping companies become High Reliability Organizations. Mr. Byrum introduced the idea of operating in a VUCA-T environment (Volatility, Uncertainty, Complexity and Ambiguity-Threats), a concept that FSOs can certainly relate to.
He addressed critical human factors such as communications, multi-tasking, risk assessment, and fatigue. With colorful real-world accounts backed by solid research, he helped us all understand how to build reliable, resilient organizations while improving our own personal performance.
Next came our own Brian Kelly with a series he called “The Good, the Bad, and the Ugly”. As we conduct our audits and assessments, we often come across security systems and practices that can either be examples to follow (the good), or pitfalls to avoid (the bad and the ugly). There were plenty of the “good” – specialized fences to close gaps by railbeds or on piers, and inward-facing signs reminding personnel to follow security practices.
Unfortunately, there were also “bad” and even “ugly” examples. Some of these were cases where facility employees propped open gates or otherwise deliberately disabled or evaded security systems. In others, fences or gates were in such disrepair that we were able to easily get through them. The good news is that all of those failures can be turned around with a little attention, maintenance, and training.
The final segment of the Symposium was the Cyber Security Panel, facilitated by John “There is no such thing as air gapped” Felker.
John opened with some of the day’s cyber news, including a new breach involving SolarWinds and 400,000 spoofed e-mails coming from a tug boat company in the U.S. The panel included a brief demonstration of how, using a $45 device, a person can scan for open networks or those with weak passwords.
The major themes from the cyber panel included:
The Coast Guard, CISA, State agencies, and other reputable sources have a wide range of free tools, training, and resources to help companies identify their vulnerabilities and reduce their cyber risks.
All companies should participate in information sharing organizations such as an ISAC, or at least closely follow information put out by CISA. Coast Guard regulations require organizations to report certain types of cyber incidents. While companies are often reluctant to report cyber breaches for many reasons, sharing those reports will in the long run improve security. Besides, everyone gets hacked; pretending otherwise is not helping anyone. John Felker reminded us that standard anti-malware systems typically only block about 26% of known malware.
Because cyber incidents are so common, and so difficult to prevent, organizations should have cyber response/recovery plans. These plans should include on-call experts who are already familiar with your network, and checklists and procedures a company can use to validate that an infected system is purged and safe to reconnect.
Finally, response and recovery plans should be exercised, just like any other plans.