I have been getting many calls from near and far regarding the TWIC Final Rule requirements that go into effect August 23, 2018.  My advice to you has not changed since our last conversation when I visited this topic. 

The Coast Guard is not going to release anything in writing until the final rule making process has been completed.  Time of that release would only be a guess.

My advice to you is - If you are in Risk Group A: 

You will be required to use TWIC Readers or a Physical Access Control System (PACS) that meets electronic TWIC inspection requirements (Card Authentication, Card Validity & Identity Verification).  If your access points do not have the infrastructure (power and connectivity) at the nodes where you are planning to install fixed TWIC readers or PACS, continue planning and installing that infrastructure, because civil engineering, project planning, trenching and running power and connectivity are your long lead-time projects. 

If your access points (turnstiles, gates, and doors) already have PACS but do not meet electronic TWIC inspection requirements, you should WAIT to replace the PACS hardware and software.

Do not buy the readers, software or hardware!  Research and evaluate systems, but do not commit resources just yet.

My reason for this advice:

- Technology is advancing quickly and prices are continually decreasing. If you buy it now, it could be obsolete by the time the Coast Guard enforces the law. 

- We are evaluating multiple hardware and software options at this time and hope to have some of these vendors at the Facility Security Symposium in June of 2018.

- Wait for the Coast Guard to come out with their written enforcement guidance. It is common practice for them to provide industry a grace period to allow facilities to purchase, install and execute all of the hardware and software, modify the FSPs and educate their people.

- During a major construction period, you can still use portable readers if your infrastructure is not in place.

Final thoughts: patience is a virtue and the bureaucracy moves very, very slowly.

We will keep you advised.

 

Ed

Our previous blog discussed the absolute need to protect against cyber-attacks. In this blog we will explore and define some of the most common cyber-attacks.

  • Identity theft – Any “attack” which causes a person’s personally identifiable characteristics to be stolen and used fraudulently. Some common forms include: stealing credit card information and using another person’s social security number to apply for a financial transaction.
  • Ransomware – A type of malicious “attack” which can block access to a facility’s own network and/or data or can threaten to publish data unless a “ransom” is paid.
  • Malware – This is a broad term to describe a software “attack” which gives access to a computer or network often without the user’s knowledge. Malware is short for malicious software and common examples include: adware, bots, bugs, rootkits, spyware, Trojan horses, viruses, and worms.
  • Denial of Service (DoS) – This is an “attack” in which a facility’s website is overwhelmed with traffic. The DoS may be triggered by a specific event or can be a malicious barrage of traffic intent on creating an organizational disruption.
  • Man in the Middle – This is an “attack” where an Internet “conversation” between two endpoints of an online information exchange is interrupted or altered. This is simply a sophisticated form of electronic eavesdropping where a person(s) is able to gain information from this “conversation”.
  • Phishing (pronounced “fishing”) – An “attack” which baits you to give out personal information by utilizing some form of electronic communication, most commonly emails, often disguised as coming from a legitimate source. Phishing now has several versions of the same theme:

Spear Phishing - A form of targeted phishing, may appear to come from a known business associate asking for personal or business information.

Smishing and Vishing scams – Versions of phishing that use SMS (text) and voice communications to solicit information.  These types have variations in which a facility may receive a phone call or text from a legitimate-sounding business requesting information, or an email requesting that a facility call or text this information.

Whaling – This is another form of targeted phishing where the intended target is the CEO, CFO or other high-level executive (whale) at a facility.

This is certainly not an all-inclusive list of cyber-attacks. As long as there are people with nefarious intent and access to a computer, the threat will be present. Also, as technology evolves, so will the threat. In our next blog, we explore how to detect and protect against these cyber-attacks. 

In an ever-growing technological and networked world, the need to protect a facility’s information and information systems can no longer be ignored.  Bad actors include computer hackers bent on embarrassing a facility (exposing a weakness), cyber criminals attempting to pilfer financial records, nation states seeking a foothold to disrupt the flow of goods or gain competitive advantage, or a cyber terrorist taking control of a facility’s critical infrastructure to cause loss of life and property.  With threat actors stepping up their game daily, it is essential to protect your cyber network.

The need to protect a facility’s cyber infrastructure is incredibly important for several reasons, but two primary reasons are:

  • Financial – Protection against phishing, online scams, malware, ransomware, identity theft and simple fraud all affect a facility’s bottom line. According to estimates by the Center for Strategic and International Studies, cyber crime costs the global economy over $400 billion per year. This is just one estimate, and there are other studies that put the cost into the trillion-dollar range. Even a fairly unsophisticated financial cyber attack can have an impact on a facility’s financial resources.
  • Infrastructure – A facility’s infrastructure could be a target for a cyber terrorist attempting to take control of any one of a number of automated processes.  A cyber terrorist could potentially gain access to an unprotected fuel transfer system and cause a catastrophic leak, or a disgruntled former employee might access an unprotected network to disseminate an organization’s trade secrets.  Any unprotected or weakly protected system that can be accessed can be compromised.

For these reasons, a commitment to cyber security must be an essential component of a facility’s security plan.  Step One is to designate who at the facility is responsible for the cyber elements of a facility’s security.  Cyber and physical security are becoming increasingly difficult to separate, as many cyber-attacks result in physical effects.  We encourage each facility to discuss who should be responsible and designate a responsible party.

In the next blog we will discuss the common types of cyber attacks.

It’s time for a check of your security screening protocols – let’s start by answering these questions:

  • Is your facility conducting random screening?
  • What are your random screening protocols?
  • What is the screening rate at MARSEC 1, 2, and 3?
  • How is random screening obtained?
  • How is random screening conducted?
  • What is the purpose of random screening?
  • What is random screening seeking to prevent?

Screening and searching or inspecting are two distinctly different security methods.  PSDs conduct screening.  Law Enforcement conduct searches or inspections.  The key is that PSDs DON’T TOUCH anything they are screening.  PSDs can and should touch one thing, an individual’s TWIC in order to properly credential that person.

Random means just that – random.  For example, selecting every ‘pick a number’ vehicle is NOT a random method.  There are simple, low-cost Best Practices available, such as the “Marble Method,” that can be easily adopted to ensure compliance.

When screening personnel, remember that you are looking for a person to be “biologically correct.”  Are there bulges on the person being screened that do not appear normal?  Your security personnel should NEVER ask a person to lift their shirt to look for prohibited items.  When inspecting a person’s bag, backpack, or purse, you should have the person open it and take items out so you can clearly see what is inside.

When screening a vehicle, ask the driver to open the trunk and all occupants to step out and stand clear of the vehicle.  Once clear, the security personnel should look inside the vehicle and the trunk for suspicious items.

If you haven’t attended a Seebald & Associate FSO Course or it’s been three years since you last attended, we highly recommend you attend an upcoming course.  We are continually updating the course and thoroughly cover access control and screening methods, along with the other 33 CFR 105 required FSO elements PLUS bonus modules – give Ed a call to secure the date and place that best suits your schedule.  Brian, John, Rich, Tom, and/or Ed look forward to seeing you soon!

Recall the 3 P’s of access control –

  • Physical – security infrastructure and systems
  • Presence – bearing and attitude of security force personnel
  • Performance – security training, experience and application

Last week we touched on Physical security.  This week we address two more of access control’s 3 P’s, Presence and Performance.

Presence of a security force is necessary, and the Presence of the security guard is informative to Coast Guard Inspectors, Auditors, and would-be attackers.  In our line of work, we use terms like “Officer Presence,” “Bearing,” and “Attitude” to describe this.  Do your security personnel make you proud and feel secure?  Are they professionals in their appearance and demeanor?  If not, what are you – the FSO – doing about that?

Performance is how equipped the security force is and how well they carry out their duties.  Are security personnel properly trained, to include facility-specific training and awareness?  Do they have the requisite experience you require to guard your facility?  Are they confident in applying the security protocols required by the FSP?  How well do you sleep at night, knowing that your security personnel are standing the watch at your facility?

Ensuring the 3 P’s is the FSO’s job in conjunction with the security force.  Don’t rely solely on your security supervisor; doing so may eventually scare the P out of you!