Credentialing and Screening Part 2
- Posted by CAPT Andrew Tucci
Keeping Business Moving While Stopping Threats
Last week we defined and explained credentialing and screening. These activities are vital components of any security program, but we know that they can be tedious, time consuming, and prone to error. How can we keep business moving while stopping threats?
The TWIC checks that are at the heart of credentialing are problematic, especially for facilities with a high volume of TWIC holders. Pull out your TWIC and check the photo against that handsome face in the mirror, then check the expiration date against today’s date – what year is it anyway? Then check the holograms, the condition of the laminate, and the other security features. Now repeat the process with other TWICs a few dozen times in the next half hour. Eyes looking down and glazing over, or up and alert to your surroundings? By the way, the line is growing. Feeling secure?
Human beings just aren’t good at this kind of task. Fortunately, TWICs are designed to be read by machines. That gold square at the bottom isn’t there for decoration, it has an antenna for contactless reading, and a chip packed with information. An electronic reader can validate the TWIC and compare it to the CCL, or Canceled Credential List. If an individual is convicted of certain serious crimes, or is placed on a terrorist watch list, their name is placed on the CCL, effectively canceling their TWIC if they hold one, and preventing them from obtaining a new or replacement TWIC. This CCL check is only possible with an electronic reader.
Like all electronics, TWIC readers have dropped in price and increased their capability and reliability since they were first introduced. Most electronic readers I’ve seen work in a few seconds – less time than it takes to conduct even a cursory manual check. Some work in non-biometric mode, which still require a visual comparison of the individual to the photo, but electronically validate the TWIC and compare it to the CCL. For Group B facilities, which aren’t required to do a biometric check, this may be an ideal and affordable option.
While improving speed and reliability, electronic TWIC readers also allow human beings to do what human beings do better than machines – evaluating the individual for suspicious behavior while remaining alert to the general surroundings for other security concerns. This combination of increased speed and reliability, while allowing your PSD to observe human behavior, makes electronic readers a good choice, especially for high volume facilities.
Once your PSD have validated the TWIC, how do they then select individuals for screening? At MARSEC 1, your FSP or VSP probably specifies some percentage of all arrivals for screening. A common but poor practice is to screen on a steady, rotational basis, such as every 5th arrival to achieve a 20% screening rate. This creates an easily observable and avoidable pattern. I’d bet you dollars to donuts that regular employees (also known as insider threats) are quite aware of any existing pattern. External threats need only the ability to watch your main gate for a few hours and count to arrive at the same information. Arrive in between the pre-determined screening points and you in the clear.
A much better approach is to select persons and vehicles for screening on a random basis. Unpredictability is the relevant security principle in this case. If threat actors can’t predict when they might be subject to screening, they can’t predict when they might get caught.
So how do you make that random determination? Any way that works. We recommend the “marble method”, where your security guards pull a marble out of a jar when someone arrives. A given percentage of the marbles are a certain color, and those lucky individuals get screened. Gumballs in a machine, a roll of the dice, a spinner from a game board, there are many ways to do this. There are also electronic devices that will randomly generate a “screen or not screen” decision for you. Whatever method you use, your PSD should have the discretion to select additional arrivals for screening if they have any concerns.
A description of actual screening techniques is better suited to a classroom than a blog, but I’ll mention that if screening an individual with a vehicle, it is best to ask the person to exit the vehicle, screen the person first, and then the vehicle, all the while keeping the individual in sight. Hand held metal detectors, mirrors, cameras, and lighting can make the process speedy and effective. Be sure you have sufficient space for your PSD to conduct screening without stepping into traffic or other safety hazards. Designing your gate area to allow other traffic to continue while screening promotes security, safety, and keeps business moving.
While improving your credentialing and screening practices can’t guarantee security for all possible scenarios, they can make your facility or vessel a less attractive target for both insider and external threats. By focusing on an area that all crew, workers, visitors, and Coast Guard inspectors experience, you will minimize compliance and operational risk, and promote a strong security culture.
Credentialing and Screening Part 1
- Posted by CAPT Andrew Tucci
Who and What is Allowed on Board Anyway?
Knowing who and what comes across your brow or through your gate is a fundamental security procedure. Coast Guard regulations describe this as “access control”, and all Vessel and Facility Security Plans include this process.
While the concept of access control is simple, some of the terms and techniques can be misunderstood. This can lead to regulatory problems and poor security practices, potentially letting unauthorized persons or dangerous substances and devices on board.
We’ll begin with credentialing. We all know that TWIC, the Transportation Worker Identification Credential, is a vital component of any access control program. Coast Guard regulations are unusually prescriptive as to how your Personnel with Security Duties are supposed to validate a TWIC. But before we get into that procedure, note that the “C” in TWIC stands for credential, not card. Why is that? As I’ve explained at FSO classes, a credential is something you get after some vetting or testing. Anyone can get a library card (and everyone should), but only people who have passed a federal background check are entitled to a TWIC.
The rigorous application and vetting process to obtain a TWIC enables you to determine who you allow on board with confidence – but your Personnel with Security Duties must do their part. Coast Guard regulations specify that your PSD must either use an electronic reader or manually compare the photo with the individual, check the expiration date, and examine the various security features of the TWIC to confirm it is not counterfeit or tampered with. This credentialing process, if done manually, can be tedious even for alert PSD, but it is vital.
Before we move on to screening, it is worth pointing out that the list of disqualifying offences for TWIC is not a comprehensive list of every crime from jaywalking on up. On the contrary, it is a fairly short list of terrorism related and other quite serious crimes. Holding a TWIC does not entitle you to date my daughters (as if they would listen to me). My point is that if an individual is using a bogus TWIC because they can’t get their own TWIC you really don’t want them on board – which is why it is so important that your PSD credential and screen properly.
Credentialing helps you keep out dangerous individuals. Screening is focused on dangerous substances or devices. The Coast Guard defines screening as the “reasonable examination of persons, cargo, vehicles, or baggage….to ensure that dangerous substances and devices, or other items that pose a real danger of violence or a threat to security are not present.”
Screening is not searching. Searching is a term used in the law enforcement community, and refers to a more intrusive process than your PSD have the legal authority to employ. While less intrusive than a search, proper screening procedures can detect and deter the introduction of weapons and other dangerous devices and substances. Screening may employ metal detectors, mirrors for checking the undercarriage of vehicles, scanning devices for luggage and packages, and, most importantly, careful observation by your PSD.
The frequency and exact techniques used for screening will vary with individual FSP/VSPs, and with the MARSEC level, but Coast Guard regulations require some level of screening at all times. At elevated MARSEC levels, your access program should “increase the frequency and detail of the screening of persons, baggage, and personal effects for dangerous substances and devices” (33 CFR 105.255).
At all MARSEC levels training is key. A PSD who has never seen a cargo container up close, or the underside of a truck won’t be effective at detecting tampering, even with all the mirrors, lighting, and cameras money can buy.
Smart policies in combination with well trained and properly equipped PSD are vital to any access control system. We’ll talk more about how to improve the efficiency and effectiveness of your credentialing and screening procedures next week. In the meantime, take the time to actually observe your PSD as they carry out their access control duties. How confident are you in your first line of defense?
“CAN AN OUNCE OF PREPAREDNESS PREVENT A TON OF RESPONSE?”
- Posted by Edward Seebald
All Maritime Transportation Security Act (MTSA) Regulated
Outer Continental Shelf (OCS) Facility Owners & Operators
In our previous blog, we introduced you to Seebald & Associates International and how we can help you achieve and maintain compliance with your MTSA regulated OCS facility security responsibilities as prescribed in 33 CFR Part 106. Next let’s emphasize what you need to do to improve security, reduce your operational and compliance risk, and make your U.S. Coast Guard inspection and plan submission worry-free.
Seebald & Associates is extremely proud to announce our new affiliation with J. Connor Consulting, Houston, Texas. J. Connor Consulting is an industry and government recognized leader with decades of safety, environmental management and drill permitting experience in the offshore oil and gas industry. Seebald & Associates relationship with J. Connor Consulting will ensure the highest degree of safety and security compliance success. This association of companies allows the bundling of some safety and security management functions and less disruption to your facility’s critical daily operations.
An ounce of preparedness can prevent a ton of response!
While responding to a safety or security incident requires activating contingency plans and resources, it may shutdown production or interrupt operations! Keeping you in compliance and fully operational is our main purpose and focus and we recommend starting the OCS facility plan renewal process at least six months before its renewal deadline. If you answer NO or MAYBE to any of the following statements, then you need to take swift action to avoid costly risks and expenses that can easily be prevented:
- Have my OCS facility company security officers, facility security officers, company personnel with specific security duties and all other OCS personnel been properly trained and the training documented in accordance with 33 CFR Part 106?
- Has my OCS facility security plan been audited in the last 12 months by a competent third-party organization outside of our own?
- Has my currently U.S. Coast Guard approved OCS facility security plan been updated as reflected by any vulnerabilities and non-conformities found during our annual audits?
- Has our MTSA required OCS facility security assessment to include the required vulnerability and risk-based analysis been conducted?
- Has our MTSA required OCS facility security plan been updated with the data from the OCS facility security assessment?
- Are we prepared to meet our five-year renewal deadline for the submission of our updated OCS facility security plan including the required facility security assessment?
- Have we already submitted our OCS facility security plan or plans for all our MTSA regulated facilities? (Early submission does not get penalized by the U.S. Coast Guard and helps them manage the evaluation and approval of MTSA required plans).
- Have we conducted drills every three months that test one part of our OCS facility security plan?
- Have we conducted an exercise in the last eighteen months that tests our OCS facility security plan?
- Have we maintained records and documents as required by 33 CFR Part 106?
- Do we utilize and maintain Declarations of Security with all vessels providing services to our OCS facilities?
- Do we have defensible justification for not meeting the deadline for our OCS facility security plan renewal submission to the U.S. Coast Guard?
If you answered NO or MAYBE to any of the listed statements you should act as soon as possible to prevent a serious disruption to your facility operations in the Gulf of Mexico. Any violation or non-compliance with required MTSA 33 CFR Part 106 security activities is permanently recorded by the U.S. Coast Guard and may result in a disruption. Noting that most OCS facility plan renewals may be due in in the middle of hurricane season in the Gulf, spending time and resources trying to get into compliance after your renewal deadline may be interrupted by storm preparation, evacuation and recovery.
Reminder: Seebald & Associates will be offering the first US Coast Guard approved Company Security Officer/OCS Facility Security Officer training soon with locations along the Gulf Coast.
Seebald & Associates, along with J. Connor Consulting, have a strong reputation and record in meeting and exceeding established U.S. Coast Guard safety and security compliance standards, and we always stand by our clients. We look forward to hearing from and working with you.
- Posted by CAPT Andrew Tucci
Remember that we first defined security risk as the product of threat, vulnerability, and consequences. We know that there are steps we can take to reduce, but not eliminate, the risks associated with threats and vulnerabilities. But what about consequences? If all else fails, is there anything we can do once the event happens except pick up the pieces?
The short answer (spoiler alert!), is yes. As with threats and vulnerabilities, it is helpful to bucket consequences into logical categories, and from there work out risk reduction strategies. We can begin with operational risks, such as loss of life/injuries, environmental damage, and property/equipment damage.
First aid kits, pollution responders on retainer, and having repair plans and critical spare parts identified are all ways of reducing the operational consequences of a security incident. Some options are direct, simple and lifesaving. For example, research has shown that the use of tourniquets and direct pressure can save lives, see https://www.dhs.gov/stopthebleed. That sounds like a great way of reducing consequences to me.
In other cases, detailed written contingency plans (including your FSP/VSP) and exercises that test those plans will enable you to deal with security events as managed incidents, rather than react to them in crisis mode. If possible, train your personnel in the Incident Command System (ICS). The Coast Guard, other federal agencies, and many state/local responders use ICS, and you want to be able to interface with them.
Business risk is another important category. Business risk speaks to your ability to resume normal trade activity as soon as possible after an incident. Without a plan, a prolonged shut down or mismanaged restart could result in the loss of customers, reputation, and market share, followed by a loss of key employees and customers. The Coast Guard includes “transportation system disruption, or economic disruption” in its definition of a Transportation Security Incident. This recognizes that business continuity is an objective of the Maritime Transportation Security Act regulations.
To address business risk, identify key personnel, systems (including IT/cyber), supplies, equipment, and partner organizations you need to conduct normal business operations. Who will notify them of an incident at your facility/vessel, how many might themselves be impacted during a security incident or natural disaster? Who and what can’t you do without? Are backup personnel available? How about expensive and difficult to replace equipment such as electrical transformers? Who has the knowledge, budget, and authority to implement contingency plans? A thoughtful review of these issues can help you identify critical paths and improve day to day efficiency through streamlining, while also identifying desirable redundancies or alternatives you may want to put in place for the day they are needed.
A third risk category is compliance risk. A vessel or facility not in compliance with Coast Guard regulations could face consequences such as fines, penalties, or even a Captain of the Port order to cease all operations until the regulatory deficiency is addressed. While full compliance with your FSP/VSP certainly can’t guarantee a security incident won’t occur, failure to abide by those standards will make it easier for threats to exploit vulnerabilities, which will lead to operational consequences. Even without a security incident, significant or recurring compliance problems can lead to increased business risks as customers, shareholders, insurance providers, and others take note and act in their own interests.
Audits, training, drills, exercises, and an FSP/VSP customized for your operation can help minimize compliance risk. If the Coast Guard does note a violation, quickly and professionally correcting the issue can keep a minor incident from becoming a pattern of problems.
At Seebald & Associates, we can help companies address all of these risks. Our risk based assessment process, which we use as the baseline for FSPs and VSPs, addresses each of these types of risk. Our audits, exercises, drills, and training services improve compliance and help identify potential improvements to your security program. And while our discussion has been security focused, all of these principles apply equally to environmental incidents, natural disasters, and other significant disruptions to your business activity.
We’re not quite done with our risk discussions however. Cyber systems have some similarities, but also some important differences in their relationship to threat, vulnerability, and consequences. Provided that malware doesn’t take down your system, keep watching this space for some thoughts on that topic in the near future.
Coming to a Rig Near You
- Posted by Edward Seebald
All Maritime Transportation Security Act (MTSA) Regulated
Outer Continental Shelf (OCS) Facility Owners & Operators
Word is out that the U.S. Coast Guard is going to increase their efforts on MTSA security compliance inspections and oversight of all MTSA regulated OCS facilities in the Gulf of Mexico starting in early 2019. What this means to you is the Coast Guard will annually conduct one announced and one unannounced spot check of your security compliance requirements from 33 CFR Part 106 and Coast Guard Navigation & Vessel Inspection Circular 05-03 (Implementation Guidance for the Maritime Security Regulations Mandated by the Maritime Transportation Security Act of 2002 for Outer Continental Shelf Facilities).
Be aware that your Company Security Officer, OCS Facility Officer, OCS Facility Personnel with Designated Security Duties and all other OCS personnel must be trained and certified by an approved training provider. In addition to the increased focus on MTSA compliance, 2019 is a prevailing year for the required five-year renewal of your OCS Facility Security Assessment and OCS Facility Security Plan.
Seebald & Associates is a Coast Guard recognized and approved training provider for 33 CFR Part 105 Facility Security Officers & Maritime Personnel with Designated Security Duties and has provided training since 2003. Seebald & Associates is proud to offer OCS MTSA security compliance products and services along with a Company Security Officer (CSO)/OCS Facility Security Officer training course beginning in 2019. Seebald & Associates has submitted a CSO/OCS Facility Security Officer training course for Coast Guard approval. Upon Coast Guard approval, Seebald & Associates will be the only company with an approved CSO/OCS training course and we’ll be offering courses soon, so be on the lookout for our email flyer to register.
Coast Guard regulations require an annual, third party audit of your MTSA program. Seebald & Associates currently offers these audits for onshore-based MTSA regulated facilities and is now poised to offer the same to offshore facilities. A Seebald & Associates audit will help you improve overall security as well as meet all audit requirements, including your compliance with all laws, regulations, and government agency policies relevant to MTSA. A Seebald & Associates audit can also include training for your personnel, as well as drills and exercises, as needed.
If you are behind on your audit requirements, then contact Seebald & Associates as soon as possible to schedule the audit and avoid fines and penalties. Note that the Coast Guard has the authority to prohibit all operational activities if they determine that an onshore or offshore facility does not meet security regulations.
Seebald & Associates can also help you write or renew your onshore or offshore Facility Security Plan. These plans must be resubmitted every five years, and most offshore plans will expire on or about July 1, 2019. A well-informed security assessment is the foundation of a quality security plan and program. We can help you conduct a security assessment and develop a security plan that meets Coast Guard requirements, improves security, and aligns with your business operations.
Seebald & Associates offers access to its premium website for graduated students of its security officer courses. Additionally, recommended drills are offered every month to meet the MTSA requirement of conducting a security drill every three months. Simply execute and document the provided drill and it will keep you in compliance with Coast Guard security drill requirements. We offer a facility compliance tool kit for our clients that helps your security personnel ensure they are fully prepared for announced and unannounced Coast Guard inspections.
Seebald & Associates has a strong reputation and record in meeting and exceeding established Coast Guard security compliance standards, and we always stand by our clients. We look forward to working with you.