Posted by Drew Tucci

February 16, 2022

Cyber Threat

In the past month, the Cybersecurity and Infrastructure Security Agency (CISA) has published a series of alerts and advisories related to cyber threats to U.S. critical infrastructure from Russian state sponsored cyber operations.  In some cases, these advisories have been jointly released by CISA, the Federal Bureau of Investigation, and the National Security Agency.  Coast Guard Captains of the Port and Area Maritime Security Committees have also distributed these advisories to port partners.

We are continuing that process to be sure that all Seebald & Associates clients are aware of the threat, and the actions you can take to improve your preparedness.

I also want to be sure that everyone understands why conflicts thousands of miles from our borders could be a threat to your operations and security.

First, State sponsored cyber attackers may target U.S. infrastructure in retaliation for any actions the U.S. takes as part of this conflict.

Second, the nature of malware is that it moves quickly from targeted to non-targeted systems, with no need for additional human direction.  From the attacker’s perspective, the harm to third parties is simply a bonus.

Third, recognize that cyber disruptions to your systems, whatever their origin, may increase your vulnerability to cyber and non-cyber-attacks.  This could be due to degraded security systems, such as cameras and sensors, or simply because leadership and front line personnel alike are focused on other areas. 

Some of the most relevant advisories on this topic include

Russia Threat Advisory, https://www.cisa.gov/uscert/russia

Understanding Russian Threats, https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

“Shields Up”, https://www.cisa.gov/shields-up

CISA/FBI/NSA Joint Advisory, https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber

Current Activity:  https://www.cisa.gov/uscert/ncas/current-activity

So take the time now to discuss security with your physical and cyber security personnel alike.  Ensure your cybersecurity personnel are fully aware of the risk and have taken action appropriate to your network.  Ensure physical security personnel are also aware and alert for suspicious activity and other security concerns.

As always, please contact Seebald & Associates for all your security needs. 

Posted by John Felker

November 30, 2021

Ransomware and Your Cybersecurity – Preparing for the Worst while Expecting the Best

The new Coast Guard requirement to include cyber in your FSP highlights that the threat of cyber intrusion into your networks, both information technology (IT) and operational technology (OT), is ever present and growing. Here is a very recent example of a cyber incident in the maritime sector that highlights the increasing trend of ransomware being used by criminal elements.

Ransomware Attack on Swire Pacific Offshore Breaches Personnel Data (maritime-executive.com)

Not only are networks being “locked up” by ransomware actors, but data theft is occurring with more regularity in these intrusions…

“…it is believed that they were successful in taking data from Swire Pacific Offshore’s personnel files ranging from passports, payroll, banking information, and email addresses.”

This element of cyber nastiness continues to grow across all critical infrastructure sectors. With the increasing demand on the maritime sector to move commerce safely and securely, these cyber incidents have the potential to be catastrophic – remember NotPetya and its impact on Maersk, FedEx/TNT and others as just one example!

In our experience we see many clients that are trying to do the right things by thoughtfully including cyber into their FSPs, and also carrying out recommend best practices within their companies, such as

• Forming partnerships and creating regular interaction between the FSO and the IT & OT staffs as appropriate;
• Educating leadership about how cyber fits into the overall security planning process - especially in conjunction with physical security; and
• Working with all parts of their organization to educate employees and raise awareness not only about the threats, but about their responsibilities to be attentive, use caution and effectively be part of the solution rather than part of the problem.

Are you following these best practices? Do you need help thinking through how to best include cyber into your plans? These best practices, and more, are integrated into the S&A FSO curriculum – we have been working hard on getting this thinking integrated into maritime security for several years. All S&A qualified FSOs bring this thinking to the table when building, reviewing, and implementing your MTSA-compliant security program.

Remember, S&A is your critical best friend when we conduct your audit or carry out your assessment and update of your FSP. We are going to absolutely stress the importance of cyber being INTEGRATED in your plan with all the other elements of good security practice!

Posted by Drew Tucci

November 15, 2021

How TWIC Saves Time and Money at the Airport

Recently, a Seebald & Associates auditor had to make a last minute change in travel plans to meet a client’s needs.  While already on the road, Rich had to book a flight on an airline that didn’t already have his Known Traveler Number (KTN) in their database.  The KTN is the number TSA issues to people who complete the TSA PreCheck application process, including paying the fee.    

But that KTN was on a slip of paper back at home.  Without the KTN readily at hand or access to those speedy PreCheck lanes, how would Rich avoid the long security line?

Fear not gentle reader, for Rich was equipped with the mighty TWIC, and although it is not widely known, the TWIC identification number serves as the KTN.  Rich entered his TWIC number when making his reservation, sped through security, and was on his way to the client.

So if you already have a TWIC (and if you are reading this blog, you probably do), there is no need to apply separately, and pay an additional $85 fee for PreCheck.  You already have it.  Active TWIC card holders enter their TWIC credential identification number (CIN) in the KTN field of their airline reservation or in their airline rewards profile section.  The CIN is printed on the back of each TWIC card in the lower left-hand corner.

This change has been a long time coming but is welcome all the same.  For more information see the link below:

https://www.tsa.gov/news/press/releases/2020/07/08/active-twicr-and-hme-holders-can-use-their-credentials-obtain-tsa

Posted by John Felker

November 4, 2021

We recently completed a Facility Security Assessment (FSA) which included a cybersecurity assessment in which we informed the IT/OT/Cybersecurity departments at a large refinery of the new requirement to have cybersecurity as part of the facility security plan (FSP).  We also made clear that there are required notifications of any cybersecurity incidents to the Facility Security Officer (FSO), National Response Center and the local Coast Guard Captain of the Port.  Shortly after completing the FSA, this refinery in the northeast was awash in phishing email attempts that were spurred by some recent changes.  The FSO attributes his recent FSO training and the FSA process in educating all necessary parties to the cyber requirements and with ensuring all required notifications were properly made and done so in a timely fashion.  

This cybersecurity threat was noticed when the entire company received suspicious emails regarding new administrative requirements and numerous employees contacted their cybersecurity department to investigate.  The cyber team did a superb job of determining that these were phishing emails and a companywide alert was sent out to that effect.  The FSO was notified so that the required notifications could be made.  The phishing attempts failed at inserting malware onto the companies’ network because of the quick action by the facility team. 

This thwarting of a full-blown potential cybersecurity incident is a perfect example of why all MTSA regulated facilities are required to conduct a cybersecurity assessment as part of the FSA and include a cybersecurity annex in their FSP, not to mention having current cyber policies and training. 

A reminder - all MTSA regulated facilities are required to conduct a cybersecurity assessment and include a cybersecurity annex to their FSP by their audit anniversary date September 30, 2022.

Posted by Edward Seebald

October 9, 2021

Released by Coast Guard Maritime Commons Blog

Beginning on Oct 1, 2021 facility owners and operators who have not already done so should submit FSP cyber amendments or annexes to their local Captain of the Port (COTP) as part of the facility's annual audit.