Our previous blog defined risk as a combination of threat, vulnerability and consequences.  This week, I’d like to focus on threat.

When one hears “threat” in a security discussion, the natural tendency is to equate threat to whatever powerful, overseas terrorist organization is currently in the news.  While those organizations certainly mean us harm, ending the discussion there overlooks many possible threats, and leaves us with little understanding of actions we can take. 

A better approach is to create categories that help us identify and describe threats, and then use that understanding to reduce risk.  Bucketing threats by where they originate – internally, locally, or globally, is one method. 

  • Internal threats originate within the fence line of our facilities, or the gunwales of our ships.  They could be employees, contractors, customers or crew with a deliberate intent to cause harm, or they could simply be careless in keeping the gates closed and the hatches locked down when required. 
  • Local threats originate nearby.  Are you in a high crime area, are there drug gangs or other organized criminal operations?  Is the area known for civil disobedience?  Could the properties outside your gates be used for surveillance, a staging area, or might they be a target themselves, with you as the conduit – or collateral damage? 

And remember the waterside!  What is the mix of recreational and commercial vessel traffic in the area?  Would an unusual vessel stand out?  Are there dive shops nearby?  Are the water conditions such that an underwater threat is plausible? 

  • For global threats, we don’t need our own spy network to make some useful observations, just pay attention to the news.  Package bombs, mass shootings and the use of vehicles against pedestrians have all been, or continue to be, common threats.  “Lone wolf” and copycat attacks mean that we can identify these as plausible threats even if we know nothing about the individuals who might carry them out.  What has changed in the world since your last risk assessment that might suggest a new threat? 

At Seebald & Associates, we help our clients identify threats and imagine how they might play out against their business operations.  Results are best when the company can provide personnel from across their business enterprise – operators, managers, labor, IT/cyber specialists, and others.  A diverse team ensures that the group will identify threats that a narrower group won’t think of.  A diverse group also helps identify diverse solutions. 

Tune in to this website next week for a discussion of vulnerability – or, what is our exposure to all of those threats?

Here at Seebald & Associates, we strive to provide the very best security consulting services to the maritime industry.  We can (and do) help companies meet specific Coast Guard regulatory security requirements.  Our goal goes beyond regulatory compliance, and aims to help companies reduce all manner of security related risks. 

This is the first of a series of blogs that attempt to explain what we mean by risk, and how we can help companies identify, define, evaluate, and ultimately reduce that risk.

Risk is made up of the components of threats, vulnerabilities, & consequences

Risk is comprised of threats, vulnerabilities and consequences which is associated with target desirability.  Target desireability of an event, which is commonly defined as the likelihood that some negative event will occur, derives from the vulnerability and consequence from that event.  For example, what is the risk associated with me forgetting to bring my spiffy Seebald & Associates jacket on my next business trip?  Well, I can be forgetful when I pack, so let’s say that the likelihood of me forgetting is pretty good.  That’s fairly high, but fortunately, the consequences aren’t that severe.  Our founder, Ed Seebald, might give me a hard time if he sees me without the jacket (he bought it after all), but even without it, I can still deliver world class security services. 

The likelihood component of risk is usually addressed with preventative measures (such as checklist for my packing), while consequences are usually addressed with response actions and contingency plans (such as me buying Ed dinner so he forgets about me not wearing the company jacket).  They say an ounce of prevention is worth a pound of cure, and in this case, me using a checklist is cheaper than me buying Ed dinner, but it’s best to look at both components to determine the most cost-effective techniques for any given situation.

A high quality vessel or facility security plan can reduce both the likelihood of a security incident, and the potential consequences if an incident does occur.  At Seebald & Associates, we work with facility and vessel operators to understand all aspects of their security risks, and to develop programs that address those risks effectively, while still meeting all applicable Coast Guard regulations.  More on that process, and a discussion of operational, business, and compliance risks, when we continue this series next week.

Hopefully, you have done a thorough job of conducting the RBA and then building out your FSA.  Once this is complete, you can fill out the CG-6025 & CG-6025A forms.  These forms should mirror the scenarios and mitigation actions that you identified in your RBA.  The Coast Guard uses these forms to better understand the potential vulnerabilities at your facility but also to get a better picture of potential vulnerabilities in the Captain of the Port Area.   This information can be helpful to the Area Maritime Security Committee.

You’re now ready to begin to build your FSP.  Remember, your FSP should address the vulnerabilities in the FSA!

A final reminder, a useful, effective FSP is not written overnight.  The COTP wants your FSP 60 days prior to its expiration.  You will need at least the same amount of time to develop your FSA/FSP.  If your FSP is due for re-submission in 2019, get started now!!!

The RBA is a documented analysis that is a REQUIRED part of the FSA and forces us to look critically at potential attack scenarios for our facility, and identify possible mitigation actions.  Finally, we attempt to rate these items to identify those scenarios that have a high impact and vulnerability and the mitigation actions that we believe would be most effective.

Coast Guard NVIC 11-05 provides a good, basic framework for conducting an RBA.  It’s important to involve key personnel and stakeholders at your facility when you conduct the RBA.  When Seebald and Associates conducts an RBA, we use a slightly more involved process and have developed a spreadsheet to help us thoroughly analyze the data.  We also like to have all of important players at the facility sitting around the table (senior/corporate leadership, FSO, AFSO, terminal manager, shipping manager, IT manager, production manager, security supervisor, etc.).  A more inclusive and thoughtful process will yield a more realistic and effective RBA especially identifying vulnerable systems, processes or protocols.

Remember to check your FSP approval date, 2019 is right around the corner!!!

As we get closer to the holiday season, many in the maritime industry see an increase in business.  All those toys on the shelves and specialty foods come from somewhere, and the container trade typically sees a surge in operations this time of year.  Some segments of the energy industry will see an increase in heating oil, propane, and other fuels, and even facilities that handle bulk commodities are doubtless seeing those mountains of salt grow on their terminals. 

Increased trade is good for business, but busy terminals can also mean increased risk.  Fast paced operations can distract from security needs and contribute to a sense of chaos.  Key employees may be on vacation, and foul weather may simply encourage people to keep their heads down.  Ice and snow can degrade the operation of cameras and other security systems.  Terrorists and others may try to exploit any of these factors.

To reduce your security risk, consider the following:

  • Remind all personnel to be alert for suspicious activity or behavior, including the presence of suspicious packages or devices on the facility.
  • “Phishing” attempts and other scams may come in the form of holiday themed e-mail.  Ensure all employees are aware of the potential threat, and to follow company guidelines concerning e-mail security.  In general, don’t click on links or open attachments if you aren’t sure of the sender.  Malware and Cyber-attacks could cost the company money and even degrade critical security, safety, and operational systems. 
  • Take advantage of your S&A Platinum membership perks by participating in monthly webinars and conducting drills using the monthly drills scenarios you receive by email.

Here at Seebald & Associates we hope that the remainder of 2018 and 2019 is a prosperous, safe, and secure year for you, your families, and your employees.