Exercise Operational Security
Seebald & Associates recently posted a joint NSA-CISA cyber security advisory concerning operational technology and a Coast Guard MSIB regarding operational technologies and control systems. See previous blogs.
I’ll summarize my understanding of this advisory as follows: OT systems are increasingly accessible via the internet though the convergence of IT and OT systems. Malicious actors are increasingly able to find and exploit those systems. The advisory goes on to suggest various ways to address this threat, including network mapping and hardening, and cyber resilience and recovery plans.
While technical cyber security measures are beyond the skill of most FSOs, fostering a strong security culture across all of the organization is a key FSO responsibility. A great way to promote this is to call up your cyber security counterparts and ask them to help you understand what actions the facility would take in the event of a cyber attack.
Keep in mind that a cyber attack might be a precursor to a physical attack, so cooperation and communications between the FSO and the cyber security team is critical. Even if the Coast Guard does not change the MARSEC level, you may want to increase patrols, increase screening, and advise visiting vessels and all other facility personnel to be especially vigilant for suspicious activity. Plan all of this in cooperation with your cyber team.
You should also recognize that a cyber attack, or the response actions taken by your cyber security personnel, may impact cyber systems you rely on – from e-mail and security cameras to alarms, access control systems, and cargo control. Discuss these possibilities with your cyber security partners now, so you are prepared if and when such an attack occurs.
If you’ve never had such a discussion, much less planned a joint cyber/physical security drill or exercise, now is the time to change that. Seebald & Associates can help you prepare for all security risks, and can help you develop a Facility Security Plan that meets new Coast Guard cyber security requirements. Finally, if you have facilities regulated under CFATS, pass this along to them, and let them know that S&A also serves the CFATS community.
Seebald & Associates will be sending out a cyber security drill this week for our platinum members to assist you in building your cyber security awareness.
USCG Cybersecurity Urgent Message
- Posted by Edward Seebald
Boating Safety and Security
As the summer boating season reaches its peak, we know that many of our clients, including FSOs and the many facility employees, like to head out on the water for some recreation after the work day is done. As Seebald & Associates is made up of retired Coast Guard and Coast Guard Auxiliary members, we share this love of the water.
While you are out boating, always wear your life jacket, never boat while intoxicated, and keep a sharp lookout for other boaters, commercial vessels, heavy weather, and any other events that could create a safety risk. We also encourage all boaters to take a Coast Guard boating safety course, and to have a qualified member of the Coast Guard Auxiliary conduct a courtesy vessel exam. For more information on boating safety, go to https://www.uscgboating.org/.
Finally, an FSO’s work is never done, which means you should also be alert for any security risks on the water. As boaters, you are in the best position to identify suspicious activity at marinas, along our waterways, or near commercial vessels or facilities. If you see something concerning, call the NRC at 1 800-424-8802, or 877-24WATCH. America’s Waterway Watch provides more information on identifying and responding to suspicious activity.
So when you are getting your boat ready, wear your life jacket, pack your safety gear, and bring the same strong security culture you champion at work. Help yourself and help our nation identify threats by staying alert on the water.
COVID 19 – Port and Facility Operations - Change 2
- Posted by Edward Seebald
In conjunction with the novel coronavirus (COVID-19) guidance provided to commercial vessels by the Coast Guard in Marine Safety Information Bulletin (MSIB) Numbers 02-20 (as amended) and 06-20, the Coast Guard is providing the following updated information to port and facility operators as it relates to COVID-19.
The facility compliance regulations outlined throughout 33 Code of Federal Regulations remains in force, and facility operators are expected to continue to comply with these requirements. Questions or issues that arise as a result of COVID-19 should, where possible, be addressed in accordance with regulations outlined in 33 Code of Federal Regulations, and any plans and manuals already approved/reviewed by the Coast Guard. However, it is recognized that the COVID-19 pandemic has resulted in a myriad of unique operating conditions that warrant special considerations. Some challenges have included cruise ships mooring at facilities not approved for passenger operations, garbage removal, and facility and vessel crew interactions. Because of these operational concerns, the following clarification and guidance is provided to help ensure the safety and security of workers, ports, and facilities:
• Signatures: Both Declarations of Security (DoS) and Declarations of Inspection (DOI) require signatures. Electronic signatures discussed below are acceptable. However, if electronic signatures are not reasonable, in lieu of having one DoS/DOI with two signatures, two separate forms may be used. Each DoS/DOI will be signed and the name of the other Person in Charge (PIC) or Facility Security Officer (FSO)/Vessel Security Officer (VSO) or their designated representative should be written on each form with a date and time. Each PIC and FSO/VSO shall keep their respective copies. Communications are key and both parties should ensure complete understanding of their duties and responsibilities before beginning any operations. (Ch 1)
• Declarations of Security (DoS) – 33 CFR 105.245 and approved Facility Security Plans require a DoS to be completed in certain situations, depending on the Maritime Security (MARSEC) level. While there may be a requirement to complete a DoS, there is no requirement for the coordination of security needs and procedures, signature of the DoS, or implementation of agreed upon measures to be conducted in a face-to-face manner between the FSO and the Master, VSO, or their designated representative. As such, electronic communication may be used for the purposes of completing the DoS, however a conversation should still occur between both the vessel and facility.
• Declarations of Inspection (DOI) – 33 CFR 156.150 requires a DOI to be completed before any transfer of oil or hazardous material to or from a vessel. Prior to the transfer beginning and in accordance with 33 CFR 156.120 and 156.120(w), the PIC from the vessel and facility shall meet to begin completing the DOI and hold a conference to ensure both parties understand the operation. The DOI meeting/conference can be completed over the radio, phone or at a safe social distance and still meet these requirements, however both PIC’s must communicate with each other before beginning any transfer. Additionally, both PIC’s shall sign the DOI, but it can be done electronically, or in accordance with the “Signatures” paragraph above. All other requirements of 33 CFR 156.150 must be met before the transfer begins. (Ch 2)
• Seafarer’s Access - Maritime facility operators are reminded they are not permitted to impede the embarkation/disembarkation of crew members as permitted under Seafarer's Access regulations. The authority to restrict access resides with Customs and Border Protection (CBP), the Coast Guard, and the Center for Disease Control (CDC) for medical matters. Facility operators should contact their local CBP, Coast Guard, or the CDC, State and local health department offices regarding specific questions or concerns about their individual operations. Nothing in the Seafarer Access requirements prevent the facility from maximizing options to minimize direct interaction that may include use of camera systems, barriers, or other measures. These modifications can be made to the Facility Security Plan (FSP) or use of Noncompliance, as discussed below, may be used.
• Noncompliance – 33 CFR 105.125 discusses noncompliance with the facility security requirements. If a situation arises where a facility will not be able to comply with the requirements of 33 CFR 105, the facility must contact the Captain of the Port (COTP) to request and receive permission to temporarily deviate from the requirements. Potential situations where this can be used are modified escort requirements in secure areas or mooring a cruise ship at a non-passenger terminal. This request should include any new measures or safeguards the facility plans to employ to mitigate any risk from the non-compliance with 33 CFR 105. While not discussed in 33 CFR 105, the facility operator should also evaluate and consider any safety risks that may be created from the non-compliance. For example, if a facility will receive a different type of vessel than they normally receive, the facility operator should consider if the dock is physically capable of handling that vessel, and any logistical issues that may arise such as movement of personnel from the vessel off the facility, any medical issues or personnel that may be introduced to the facility, supplies for the vessel, and waste removal from the vessel.
• Equipment Testing - 33 CFR 126, 127, 154, and 156 contain various requirements for conducting tests on different facility systems and equipment. Due to the COVID-19 pandemic, some of these tests may be impractical for various reasons. When a facility is unable to conduct these tests, as an alternative, they should submit a request to the local COTP in accordance with 33 CFRs 126.12, 127.017, 154.107, 156.107 as appropriate, to extend the deadline, outlining the reason(s) the delay is needed and any additional interim measures that will be employed to help ensure the safety of the system until the required test can be carried out. For example, if a facility desires to extend the hydrostatic test date of facility transfer pipeline required by 33 CFR 156.170, they should submit a written request to the COTP. The request may state the test is not safe at this time due to the need to introduce third party contractors onto the facility, the amount of product in the pipeline/tanks and that the facility will increase visual inspections of the transfer pipeline until the required annual hydrostatic test can be completed. If there are no significant safety issues, COTP’s may approve extension requests for up to three months to expire on 30 September 2020. (Ch 2)
• Third Party Audits/Assessments - In accordance with 33 CFR 105.415(b), the FSO must ensure an audit of the FSP is performed annually. The annual audit may be completed internally and there is no requirement to use third parties. The person conducting the audit must have knowledge of methods for conducting audits, not have regularly assigned security duties, and be independent of any security measures being audited, unless appropriately excepted, per 33 CFR 105.415(d). The facility may also maintain social distancing if performing the audit onsite or develop another method for a virtual review as there is no requirement for the audit to be conducted in person. If the facility chooses a virtual audit, encrypted emails should be used to protect Sensitive Security Information. However, the initial Facility Security Assessment or review/validation required every five years must have an on-scene survey per 33 CFR 105.305(b), but there is no requirement that it be performed by a third party. (Ch 2)
• Waste Reception Facilities – Garbage and Medical Waste
33 CFR 158 regulations require all ports and terminals under the jurisdiction of the United States to provide vessels with reception facilities for garbage (33 CFR 158.133(c)). International regulations require these reception facilities to have a Certificate of Adequacy (COA) issued by the Coast Guard that attests to their ability to offload garbage, which may include medical waste (33 CFR 158.410). Medical waste is defined in 33 CFR 158.120 as “isolation wastes, infectious waste, human blood and blood products, pathological wastes, sharps, body parts, contaminated bedding, surgical wastes and potentially contaminated laboratory wastes, dialysis wastes and such additional medical items as prescribed by the EPA by regulation.”
o Reception Facilities - Ports and terminals must be ready to receive any medical waste from any vessels calling at their facility. This means that those ports/terminal with or without a COA for garbage, must provide vessels with adequate reception facilities for medical waste or a list of persons authorized by federal, state or local law or regulation to transport and treat such wastes.
o Vessels - In addition to notifying the COTP, vessels must coordinate with the port/terminal/recreational boating facility their needs for reception facilities for medical waste, 24 hours in advance of their arrival (33 CFR 151. 65(b)), or immediately if already in port.
o COA Waivers - If there are issues or concerns with the health hazards associated with any garbage, reception facilities and vessels should work with the appropriate federal, state, and/or local agencies to determine the actual risks and formulate a plan of action based on information received from those agencies. COTP may also exercise their authority to grant waivers under 33 CFR 158.150, if necessary, to allow for offloading of medical waste or garbage to a reception facility without having a COA.
• Facility Safety and Security Inspections: Coast Guard COTP’s will continue to use risk based decision making to determine if a facility inspection or spot check will be conducted. Owners and operators should work closely with the COTP to determine if attendance for a full or abbreviated inspection is necessary and what mitigations measures may be taken to include social distancing, phone interviews, providing electronic logs, etc. The COTP may conduct and credit a virtual inspection based off facility inspection history, phone interviews, review of electronic records/pictures, etc, or defer an inspection/spot check for up to 90 days. (Ch 2)
• TWIC Enrollment Centers – If applicants are planning to visit an enrollment center, please use the “Find an Enrollment Center” feature at the bottom of the Universal Enroll website (https://universalenroll.dhs.gov/locator) to determine if the center is open and its hours of operation.
This release has been issued for public information and notification purposes only.