Our previous blog discussed the absolute need to protect against cyber-attacks. In this blog we will explore and define some of the most common cyber-attacks.

  • Identity theft – Any “attack” which causes a person’s personally identifiable characteristics to be stolen and used fraudulently. Some common forms include stealing credit card information and using another person’s social security number to apply for a financial transaction.
  • Ransomware – A type of malicious “attack” which can block access to a facility’s own network and/or data, or can threaten to publish data unless a “ransom” is paid.
  • Malware – This is a broad term to describe a software “attack” which gives access to a computer or network often without the user’s knowledge. Malware is short for malicious software and common examples include: adware, bots, bugs, rootkits, spyware, Trojan horses, viruses, and worms.
  • Denial of Service (DoS) – This is an “attack” in which a facility’s website is overwhelmed with traffic. The DoS may be triggered by a specific event or can be a malicious barrage of traffic intent on creating an organizational disruption.
  • Man in the Middle – This is an “attack” where an Internet “conversation” between two endpoints of an online information exchange is interrupted or altered. This is simply a sophisticated form of electronic eavesdropping where a person(s) is able to gain information from this “conversation”.
  • Phishing (pronounced “fishing”) – An “attack” which baits you to give out personal information by utilizing some form of electronic communication, most commonly email, often disguised as coming from a legitimate source. Phishing now has several versions of the same theme:

      • Spear Phishing – A form of targeted phishing that may appear to come from a known business associate asking for personal or business information.
      • Smishing and Vishing scams – Versions of phishing that use SMS (text) and voice communications to solicit information. These types have variations in which a facility may receive a phone call or text from a legitimate-sounding business requesting information, or an email requesting that a facility call or text this information.
      • Whaling – Another form of targeted phishing where the intended target is the CEO, CFO or other high-level executive (whale) at a facility.

This is certainly not an all-inclusive list of cyber-attacks. As long as there are people with nefarious intent and access to a computer, the threat will be present. Also, as technology evolves, so will the threat. In our next blog, we explore how to detect and protect against these cyber-attacks.

In an ever-growing technological and networked world, the need to protect a facility’s information and information systems can no longer be ignored.  Bad actors include computer hackers bent on embarrassing a facility (exposing a weakness), cyber criminals attempting to pilfer financial records, nation states seeking a foothold to disrupt the flow of goods or gain competitive advantage, or a cyber terrorist taking control of a facility’s critical infrastructure to cause loss of life and property.  With threat actors stepping up their game daily, it is essential to protect your cyber network.

The need to protect a facility’s cyber infrastructure is incredibly important for several reasons, but two primary reasons are:

  • Financial – Phishing, online scams, malware, ransomware, identity theft and simple fraud all affect a facility’s bottom line. According to estimates by the Center for Strategic and International Studies, cybercrime costs the global economy over $400 billion per year. This is just one estimate, and there are other studies that put the cost into the trillion-dollar range. Even a fairly unsophisticated financial cyber-attack can have an impact on a facility’s financial resources.
  • Infrastructure – A facility’s infrastructure could be a target for a cyber terrorist attempting to take control of any one of a number of automated processes. A cyber terrorist could potentially gain access to an unprotected fuel transfer system and cause a catastrophic leak, or a disgruntled former employee might access an unprotected network to disseminate an organization’s trade secrets. Any unprotected or weakly protected system that can be accessed can be compromised.

For these reasons, a commitment to cyber security must be an essential component of a facility’s security plan.  Step One is to designate who at the facility is responsible for the cyber elements of a facility’s security.  Cyber and physical security are becoming increasingly difficult to separate, as many cyber-attacks result in physical effects.  We encourage each facility to discuss who should be responsible and designate a responsible party.

In the next blog we will discuss the common types of cyber-attacks.

It’s time for a check of your security screening protocols – let’s start by answering these questions:

  • Is your facility conducting random screening?
  • What are your random screening protocols?
  • What is the screening rate at MARSEC 1, 2, and 3?
  • How is random screening obtained?
  • How is random screening conducted?
  • What is the purpose of random screening?
  • What is random screening seeking to prevent?

Screening and searching or inspecting are two distinctly different security methods.  PSDs conduct screening.  Law Enforcement conduct searches or inspections.  The key is that PSDs DON’T TOUCH anything they are screening.  PSDs can and should touch one thing, an individual’s TWIC in order to properly credential that person.

Random means just that – random.  For example, selecting every ‘pick a number’ vehicle is NOT a random method.  There are simple, low-cost Best Practices available, such as the “Marble Method,” that can be easily adopted to ensure compliance.

When screening personnel, remember that you are looking for a person to be “biologically correct.”  Are there bulges on the person being screened that do not appear normal?  Your security personnel should NEVER ask a person to lift their shirt to look for prohibited items.  When inspecting a person’s bag, backpack, or purse, you should have the person open it and take items out so you can clearly see what is inside.

When screening a vehicle, ask the driver to open the trunk and all occupants to step out and stand clear of the vehicle.  Once clear, the security personnel should look inside the vehicle and the trunk for suspicious items.

If you haven’t attended a Seebald & Associates FSO Course or it’s been three years since you last attended, we highly recommend you attend an upcoming course.  We are continually updating the course and thoroughly cover access control and screening methods, along with the other 33 CFR 105 required FSO elements PLUS bonus modules – give Ed a call to secure the date and place that best suits your schedule.  Brian, John, Rich, Tom, and/or Ed look forward to seeing you soon!

Recall the 3 P’s of access control –

  • Physical – security infrastructure and systems
  • Presence – bearing and attitude of security force personnel
  • Performance – security training, experience and application

Last week we touched on Physical security.  This week we address two more of access control’s 3 P’s, Presence and Performance.

Presence of a security force is necessary, and the Presence of the security guard is informative to Coast Guard Inspectors, Auditors, and would-be attackers.  In our line of work, we use terms like “Officer Presence,” “Bearing,” and “Attitude” to describe this.  Do your security personnel make you proud and feel secure?  Are they professionals in their appearance and demeanor?  If not, what are you – the FSO – doing about that?

Performance is how equipped the security force is and how well they carry out their duties.  Are security personnel properly trained, to include facility-specific training and awareness?  Do they have the requisite experience you require to guard your facility?  Are they confident in applying the security protocols required by the FSP?  How well do you sleep at night, knowing that your security personnel are standing the watch at your facility?

Ensuring the 3 P’s is the FSO’s job in conjunction with the security force.  Don’t rely solely on your security supervisor; doing so may eventually scare the P out of you!

As the FSO, you get this!  After all, your job depends on it.  The company is depending on you.  The local community and beyond is depending on the company.  Trade secrets, competitive advantage, threats, vulnerabilities… the list goes on.  Oh, and Coast Guard Inspectors do make unannounced visits to ensure you’re in compliance with MTSA, 33 CFR 105, NVIC 03-03 Change 2, and NVIC 03-07 along with other applicable regulations.

Remember the 3 P’s of access control –

  • Physical – security infrastructure and systems
  • Presence – bearing and attitude of security force personnel
  • Performance – security training, experience and application

The first of the 3 P’s, Physical security, forms the first impression – for compliance with the regulations, as well as target desirability for the would-be attacker.  Is the physical security well maintained, shiny and new looking, or not so much?

We’re talking about things like fencing, vehicle/rail/pedestrian gates, emergency egress points, sensor detection systems, lighting, and operational and/or security camera systems.  Much of this is not specifically spelled out in the CFR.  Look to security Best Practices and Industry Standards; and/or look to Seebald & Associates for their expertise by giving us a call.

The more sensitive the facility/product/location, the more formidable the physical infrastructure should be.  Ask yourself, is your facility a hard or soft target?