Credentialing and Screening Part 1
- Posted by CAPT Andrew Tucci
Who and What is Allowed on Board Anyway?
Knowing who and what comes across your brow or through your gate is a fundamental security procedure. Coast Guard regulations describe this as “access control”, and all Vessel and Facility Security Plans include this process.
While the concept of access control is simple, some of the terms and techniques can be misunderstood. This can lead to regulatory problems and poor security practices, potentially letting unauthorized persons or dangerous substances and devices on board.
We’ll begin with credentialing. We all know that TWIC, the Transportation Worker Identification Credential, is a vital component of any access control program. Coast Guard regulations are unusually prescriptive as to how your Personnel with Security Duties are supposed to validate a TWIC. But before we get into that procedure, note that the “C” in TWIC stands for credential, not card. Why is that? As I’ve explained at FSO classes, a credential is something you get after some vetting or testing. Anyone can get a library card (and everyone should), but only people who have passed a federal background check are entitled to a TWIC.
The rigorous application and vetting process to obtain a TWIC enables you to determine who you allow on board with confidence – but your Personnel with Security Duties must do their part. Coast Guard regulations specify that your PSD must either use an electronic reader or manually compare the photo with the individual, check the expiration date, and examine the various security features of the TWIC to confirm it is not counterfeit or tampered with. This credentialing process, if done manually, can be tedious even for alert PSD, but it is vital.
Before we move on to screening, it is worth pointing out that the list of disqualifying offences for TWIC is not a comprehensive list of every crime from jaywalking on up. On the contrary, it is a fairly short list of terrorism-related and other quite serious crimes. Holding a TWIC does not entitle you to date my daughters (as if they would listen to me). My point is that if an individual is using a bogus TWIC because they can’t get their own TWIC, you really don’t want them on board – which is why it is so important that your PSD credential and screen properly.
Credentialing helps you keep out dangerous individuals. Screening is focused on dangerous substances or devices. The Coast Guard defines screening as the “reasonable examination of persons, cargo, vehicles, or baggage … to ensure that dangerous substances and devices, or other items that pose a real danger of violence or a threat to security are not present.”
Screening is not searching. Searching is a term used in the law enforcement community, and refers to a more intrusive process than your PSD have the legal authority to employ. While less intrusive than a search, proper screening procedures can detect and deter the introduction of weapons and other dangerous devices and substances. Screening may employ metal detectors, mirrors for checking the undercarriage of vehicles, scanning devices for luggage and packages, and, most importantly, careful observation by your PSD.
The frequency and exact techniques used for screening will vary with individual FSP/VSPs, and with the MARSEC level, but Coast Guard regulations require some level of screening at all times. At elevated MARSEC levels, your access program should “increase the frequency and detail of the screening of persons, baggage, and personal effects for dangerous substances and devices” (33 CFR 105.255).
At all MARSEC levels, training is key. A PSD who has never seen a cargo container up close, or the underside of a truck, won’t be effective at detecting tampering, even with all the mirrors, lighting, and cameras money can buy.
Smart policies in combination with well-trained and properly equipped PSD are vital to any access control system. We’ll talk more about how to improve the efficiency and effectiveness of your credentialing and screening procedures next week. In the meantime, take the time to actually observe your PSD as they carry out their access control duties. How confident are you in your first line of defense?
“CAN AN OUNCE OF PREPAREDNESS PREVENT A TON OF RESPONSE?”
- Posted by Edward Seebald
All Maritime Transportation Security Act (MTSA) Regulated
Outer Continental Shelf (OCS) Facility Owners & Operators
In our previous blog, we introduced you to Seebald & Associates International and how we can help you achieve and maintain compliance with your MTSA regulated OCS facility security responsibilities as prescribed in 33 CFR Part 106. Next let’s emphasize what you need to do to improve security, reduce your operational and compliance risk, and make your U.S. Coast Guard inspection and plan submission worry-free.
Seebald & Associates is extremely proud to announce our new affiliation with J. Connor Consulting, Houston, Texas. J. Connor Consulting is an industry and government recognized leader with decades of safety, environmental management and drill permitting experience in the offshore oil and gas industry. Seebald & Associates’ relationship with J. Connor Consulting will ensure the highest degree of safety and security compliance success. This association of companies allows the bundling of some safety and security management functions and less disruption to your facility’s critical daily operations.
An ounce of preparedness can prevent a ton of response!
While responding to a safety or security incident requires activating contingency plans and resources, it may shut down production or interrupt operations! Keeping you in compliance and fully operational is our main purpose and focus, and we recommend starting the OCS facility plan renewal process at least six months before its renewal deadline. If you answer NO or MAYBE to any of the following statements, then you need to take swift action to avoid costly risks and expenses that can easily be prevented:
- Have my OCS facility company security officers, facility security officers, company personnel with specific security duties and all other OCS personnel been properly trained and the training documented in accordance with 33 CFR Part 106?
- Has my OCS facility security plan been audited in the last 12 months by a competent third-party organization outside of our own?
- Has my current U.S. Coast Guard approved OCS facility security plan been updated to reflect any vulnerabilities and non-conformities found during our annual audits?
- Has our MTSA required OCS facility security assessment, including the required vulnerability and risk-based analysis, been conducted?
- Has our MTSA required OCS facility security plan been updated with the data from the OCS facility security assessment?
- Are we prepared to meet our five-year renewal deadline for the submission of our updated OCS facility security plan including the required facility security assessment?
- Have we already submitted our OCS facility security plan or plans for all our MTSA regulated facilities? (Early submission does not get penalized by the U.S. Coast Guard and helps them manage the evaluation and approval of MTSA required plans).
- Have we conducted drills every three months that test one part of our OCS facility security plan?
- Have we conducted an exercise in the last eighteen months that tests our OCS facility security plan?
- Have we maintained records and documents as required by 33 CFR Part 106?
- Do we utilize and maintain Declarations of Security with all vessels providing services to our OCS facilities?
- Do we have defensible justification for not meeting the deadline for our OCS facility security plan renewal submission to the U.S. Coast Guard?
If you answered NO or MAYBE to any of the listed statements you should act as soon as possible to prevent a serious disruption to your facility operations in the Gulf of Mexico. Any violation or non-compliance with required MTSA 33 CFR Part 106 security activities is permanently recorded by the U.S. Coast Guard and may result in a disruption. Noting that most OCS facility plan renewals may be due in the middle of hurricane season in the Gulf, spending time and resources trying to get into compliance after your renewal deadline may be interrupted by storm preparation, evacuation and recovery.
Reminder: Seebald & Associates will be offering the first US Coast Guard approved Company Security Officer/OCS Facility Security Officer training soon with locations along the Gulf Coast.
Seebald & Associates, along with J. Connor Consulting, have a strong reputation and record in meeting and exceeding established U.S. Coast Guard safety and security compliance standards, and we always stand by our clients. We look forward to hearing from and working with you.
- Posted by CAPT Andrew Tucci
Remember that we first defined security risk as the product of threat, vulnerability, and consequences. We know that there are steps we can take to reduce, but not eliminate, the risks associated with threats and vulnerabilities. But what about consequences? If all else fails, is there anything we can do once the event happens except pick up the pieces?
The short answer (spoiler alert!) is yes. As with threats and vulnerabilities, it is helpful to bucket consequences into logical categories, and from there work out risk reduction strategies. We can begin with operational risks, such as loss of life/injuries, environmental damage, and property/equipment damage.
First aid kits, pollution responders on retainer, and having repair plans and critical spare parts identified are all ways of reducing the operational consequences of a security incident. Some options are direct, simple and lifesaving. For example, research has shown that the use of tourniquets and direct pressure can save lives, see https://www.dhs.gov/stopthebleed. That sounds like a great way of reducing consequences to me.
In other cases, detailed written contingency plans (including your FSP/VSP) and exercises that test those plans will enable you to deal with security events as managed incidents, rather than react to them in crisis mode. If possible, train your personnel in the Incident Command System (ICS). The Coast Guard, other federal agencies, and many state/local responders use ICS, and you want to be able to interface with them.
Business risk is another important category. Business risk speaks to your ability to resume normal trade activity as soon as possible after an incident. Without a plan, a prolonged shutdown or mismanaged restart could result in the loss of customers, reputation, and market share, followed by a loss of key employees and customers. The Coast Guard includes “transportation system disruption, or economic disruption” in its definition of a Transportation Security Incident. This recognizes that business continuity is an objective of the Maritime Transportation Security Act regulations.
To address business risk, identify key personnel, systems (including IT/cyber), supplies, equipment, and partner organizations you need to conduct normal business operations. Who will notify them of an incident at your facility/vessel? How many might themselves be impacted during a security incident or natural disaster? Who and what can’t you do without? Are backup personnel available? How about expensive and difficult to replace equipment such as electrical transformers? Who has the knowledge, budget, and authority to implement contingency plans? A thoughtful review of these issues can help you identify critical paths and improve day to day efficiency through streamlining, while also identifying desirable redundancies or alternatives you may want to put in place for the day they are needed.
A third risk category is compliance risk. A vessel or facility not in compliance with Coast Guard regulations could face consequences such as fines, penalties, or even a Captain of the Port order to cease all operations until the regulatory deficiency is addressed. While full compliance with your FSP/VSP certainly can’t guarantee a security incident won’t occur, failure to abide by those standards will make it easier for threats to exploit vulnerabilities, which will lead to operational consequences. Even without a security incident, significant or recurring compliance problems can lead to increased business risks as customers, shareholders, insurance providers, and others take note and act in their own interests.
Audits, training, drills, exercises, and an FSP/VSP customized for your operation can help minimize compliance risk. If the Coast Guard does note a violation, quickly and professionally correcting the issue can keep a minor incident from becoming a pattern of problems.
At Seebald & Associates, we can help companies address all of these risks. Our risk-based assessment process, which we use as the baseline for FSPs and VSPs, addresses each of these types of risk. Our audits, exercises, drills, and training services improve compliance and help identify potential improvements to your security program. And while our discussion has been security focused, all of these principles apply equally to environmental incidents, natural disasters, and other significant disruptions to your business activity.
We’re not quite done with our risk discussions, however. Cyber systems have some similarities, but also some important differences in their relationship to threat, vulnerability, and consequences. Provided that malware doesn’t take down your system, keep watching this space for some thoughts on that topic in the near future.
Coming to a Rig Near You
- Posted by Edward Seebald
All Maritime Transportation Security Act (MTSA) Regulated
Outer Continental Shelf (OCS) Facility Owners & Operators
Word is out that the U.S. Coast Guard is going to increase their efforts on MTSA security compliance inspections and oversight of all MTSA regulated OCS facilities in the Gulf of Mexico starting in early 2019. What this means to you is the Coast Guard will annually conduct one announced and one unannounced spot check of your security compliance requirements from 33 CFR Part 106 and Coast Guard Navigation & Vessel Inspection Circular 05-03 (Implementation Guidance for the Maritime Security Regulations Mandated by the Maritime Transportation Security Act of 2002 for Outer Continental Shelf Facilities).
Be aware that your Company Security Officer, OCS Facility Officer, OCS Facility Personnel with Designated Security Duties and all other OCS personnel must be trained and certified by an approved training provider. In addition to the increased focus on MTSA compliance, 2019 is a prevailing year for the required five-year renewal of your OCS Facility Security Assessment and OCS Facility Security Plan.
Seebald & Associates is a Coast Guard recognized and approved training provider for 33 CFR Part 105 Facility Security Officers & Maritime Personnel with Designated Security Duties and has provided training since 2003. Seebald & Associates is proud to offer OCS MTSA security compliance products and services along with a Company Security Officer (CSO)/OCS Facility Security Officer training course beginning in 2019. Seebald & Associates has submitted a CSO/OCS Facility Security Officer training course for Coast Guard approval. Upon Coast Guard approval, Seebald & Associates will be the only company with an approved CSO/OCS training course and we’ll be offering courses soon, so be on the lookout for our email flyer to register.
Coast Guard regulations require an annual, third party audit of your MTSA program. Seebald & Associates currently offers these audits for onshore-based MTSA regulated facilities and is now poised to offer the same to offshore facilities. A Seebald & Associates audit will help you improve overall security as well as meet all audit requirements, including your compliance with all laws, regulations, and government agency policies relevant to MTSA. A Seebald & Associates audit can also include training for your personnel, as well as drills and exercises, as needed.
If you are behind on your audit requirements, then contact Seebald & Associates as soon as possible to schedule the audit and avoid fines and penalties. Note that the Coast Guard has the authority to prohibit all operational activities if they determine that an onshore or offshore facility does not meet security regulations.
Seebald & Associates can also help you write or renew your onshore or offshore Facility Security Plan. These plans must be resubmitted every five years, and most offshore plans will expire on or about July 1, 2019. A well-informed security assessment is the foundation of a quality security plan and program. We can help you conduct a security assessment and develop a security plan that meets Coast Guard requirements, improves security, and aligns with your business operations.
Seebald & Associates offers access to its premium website for graduated students of its security officer courses. Additionally, recommended drills are offered every month to meet the MTSA requirement of conducting a security drill every three months. Simply execute and document the provided drill and it will keep you in compliance with Coast Guard security drill requirements. We offer a facility compliance tool kit for our clients that helps your security personnel ensure they are fully prepared for announced and unannounced Coast Guard inspections.
Seebald & Associates has a strong reputation and record in meeting and exceeding established Coast Guard security compliance standards, and we always stand by our clients. We look forward to working with you.
- Posted by CAPT Andrew Tucci
Our previous blogs defined risk as a combination of threat, vulnerability and consequences. This week, I’d like to focus on vulnerability.
A vulnerability is a potential weakness in our defenses, a chink in our armor. Much as we’d like to be perfectly protected from any possible threat, we know that isn’t practical or even possible. We do need to identify and evaluate potential vulnerabilities, and then decide what action, if any, to take to address them.
To begin, recognize that your organization is a business, with all manner of people and things coming and going. Legitimate points of entry (think gates and gangways) are your first consideration. How are those points monitored and controlled? How do you screen the legitimate from the nefarious? Consider people (employees, contractors, visitors), vehicles, cargo, supplies, and special deliveries (packages, ships’ stores).
Next consider the not-so-legitimate access points – fence lines and gunwales, and ask the same questions. For both categories, put yourself in the mind of an adversary, and think about how they might get to a point where they can cause harm. Could a person gain access to your ship or facility using a fake TWIC or other form of identification? How well do you check vehicles? Are there areas of your fence line that are in poor condition, or shielded from view by buildings, poor lighting, or vegetation? How are packages and mail handled? How about ships’ stores? Could small boats, divers, or other waterborne threats approach your facility or vessel without being detected?
Chances are, all of these and more are potential vulnerabilities.
But wait, there’s more! What if the threat was an “insider” – a regular crew member or employee? How difficult would it be for such a person to access restricted areas, sabotage critical equipment, or to bring a weapon or dangerous device on board? How about cyber vulnerabilities? Could hackers disrupt your critical processes, or “spoof” someone’s email? Could you even detect such an attack, much less defend against it?
Coast Guard regulations attempt to help operators identify vulnerabilities by specifying certain topics in the security assessment and plan, such as “measures to protect computer systems and networks” and “security measures for handling cargo.” While these requirements are a good starting point, you and your colleagues are the best people to identify your vulnerabilities.
Once you’ve identified the various ways people, vehicles, cargo, and data can enter your facility or vessel, you can start to prioritize them, and identify ways to minimize risk. Your facility is not Fort Knox, and your vessel is not a carrier battle group, but there are measures you can take to reduce (not eliminate) any vulnerability. Typical solutions might include:
- Infrastructure (fencing, gates, ship design)
- Equipment (lighting, cameras, metal detectors)
- Procedures (screening, roving patrols, escorts)
- Training, drills, and exercises
- Cyber security measures (authentication procedures, data logging, monitoring)
- Audits and inspections
Security measures must be practical, effective, and aligned with your business operations. Prioritizing is key. Not all vulnerabilities are equal, and not all security measures are equally effective against all vulnerabilities.
At Seebald & Associates, we help our clients identify and prioritize threats and vulnerabilities, and develop the most cost-effective security measures to address them. These measures become the basis of your Coast Guard required security plan.
As mentioned earlier, there are chinks in every armor. We can’t eliminate every vulnerability. That means we must prepare for possible consequences. Tune in next week for a discussion of consequences, preparedness, resilience, and how to mitigate the compliance, operational, and business risks from a security incident.