USCG Cybersecurity Advisory 2

As the summer boating season reaches its peak, we know that many of our clients, including FSOs and the many facility employees, like to head out on the water for some recreation after the work day is done.  As Seebald & Associates is made up of retired Coast Guard and Coast Guard Auxiliary members, we share this love of the water.

While you are out boating, always wear your life jacket, never boat while intoxicated, and keep a sharp lookout for other boaters, commercial vessels, heavy weather, and any other events that could create a safety risk.  We also encourage all boaters to take a Coast Guard boating safety course, and to have a qualified member of the Coast Guard Auxiliary conduct a courtesy vessel exam.  For more information on boating safety, go to https://www.uscgboating.org/.

Finally, an FSO’s work is never done, which means you should also be alert for any security risks on the water.  As boaters, you are in the best position to identify suspicious activity at marinas, along our waterways, or near commercial vessels or facilities.  If you see something concerning, call the NRC at 1 800-424-8802, or 877-24WATCH.  America’s Waterway Watch provides more information on identifying and responding to suspicious activity. 

So when you are getting your boat ready, wear your life jacket, pack your safety gear, and bring the same strong security culture you champion at work.  Help yourself and help our nation identify threats by staying alert on the water.

 

In conjunction with the novel coronavirus (COVID-19) guidance provided to commercial vessels by the Coast Guard in Marine Safety Information Bulletin (MSIB) Numbers 02-20 (as amended) and 06-20, the Coast Guard is providing the following updated information to port and facility operators as it relates to COVID-19. 

The facility compliance regulations outlined throughout 33 Code of Federal Regulations remain in force, and facility operators are expected to continue to comply with these requirements. Questions or issues that arise as a result of COVID-19 should, where possible, be addressed in accordance with regulations outlined in 33 Code of Federal Regulations, and any plans and manuals already approved/reviewed by the Coast Guard. However, it is recognized that the COVID-19 pandemic has resulted in a myriad of unique operating conditions that warrant special considerations. Some challenges have included cruise ships mooring at facilities not approved for passenger operations, garbage removal, and facility and vessel crew interactions. Because of these operational concerns, the following clarification and guidance is provided to help ensure the safety and security of workers, ports, and facilities:

Signatures: Both Declarations of Security (DoS) and Declarations of Inspection (DOI) require signatures. Electronic signatures discussed below are acceptable. However, if electronic signatures are not reasonable, in lieu of having one DoS/DOI with two signatures, two separate forms may be used. Each DoS/DOI will be signed and the name of the other Person in Charge (PIC) or Facility Security Officer (FSO)/Vessel Security Officer (VSO) or their designated representative should be written on each form with a date and time. Each PIC and FSO/VSO shall keep their respective copies. Communications are key and both parties should ensure complete understanding of their duties and responsibilities before beginning any operations. (Ch 1) 

Declarations of Security (DoS) – 33 CFR 105.245 and approved Facility Security Plans require a DoS to be completed in certain situations, depending on the Maritime Security (MARSEC) level. While there may be a requirement to complete a DoS, there is no requirement for the coordination of security needs and procedures, signature of the DoS, or implementation of agreed upon measures to be conducted in a face-to-face manner between the FSO and the Master, VSO, or their designated representative. As such, electronic communication may be used for the purposes of completing the DoS; however, a conversation should still occur between both the vessel and facility.

Declarations of Inspection (DOI) – 33 CFR 156.150 requires a DOI to be completed before any transfer of oil or hazardous material to or from a vessel. Prior to the transfer beginning and in accordance with 33 CFR 156.120 and 156.120(w), the PIC from the vessel and facility shall meet to begin completing the DOI and hold a conference to ensure both parties understand the operation. The DOI meeting/conference can be completed over the radio, phone or at a safe social distance and still meet these requirements; however, both PICs must communicate with each other before beginning any transfer. Additionally, both PICs shall sign the DOI, but it can be done electronically, or in accordance with the “Signatures” paragraph above. All other requirements of 33 CFR 156.150 must be met before the transfer begins. (Ch 2)

Seafarer’s Access - Maritime facility operators are reminded they are not permitted to impede the embarkation/disembarkation of crew members as permitted under Seafarer's Access regulations. The authority to restrict access resides with Customs and Border Protection (CBP), the Coast Guard, and the Center for Disease Control (CDC) for medical matters. Facility operators should contact their local CBP, Coast Guard, or the CDC, State and local health department offices regarding specific questions or concerns about their individual operations. Nothing in the Seafarer Access requirements prevents the facility from maximizing options to minimize direct interaction, which may include use of camera systems, barriers, or other measures. These modifications can be made to the Facility Security Plan (FSP), or Noncompliance, as discussed below, may be used.

Noncompliance – 33 CFR 105.125 discusses noncompliance with the facility security requirements. If a situation arises where a facility will not be able to comply with the requirements of 33 CFR 105, the facility must contact the Captain of the Port (COTP) to request and receive permission to temporarily deviate from the requirements. Potential situations where this can be used are modified escort requirements in secure areas or mooring a cruise ship at a non-passenger terminal. This request should include any new measures or safeguards the facility plans to employ to mitigate any risk from the non-compliance with 33 CFR 105. While not discussed in 33 CFR 105, the facility operator should also evaluate and consider any safety risks that may be created from the non-compliance. For example, if a facility will receive a different type of vessel than they normally receive, the facility operator should consider if the dock is physically capable of handling that vessel, and any logistical issues that may arise such as movement of personnel from the vessel off the facility, any medical issues or personnel that may be introduced to the facility, supplies for the vessel, and waste removal from the vessel. 

Equipment Testing - 33 CFR 126, 127, 154, and 156 contain various requirements for conducting tests on different facility systems and equipment. Due to the COVID-19 pandemic, some of these tests may be impractical for various reasons. When a facility is unable to conduct these tests, as an alternative, they should submit a request to the local COTP in accordance with 33 CFR 126.12, 127.017, 154.107, 156.107 as appropriate, to extend the deadline, outlining the reason(s) the delay is needed and any additional interim measures that will be employed to help ensure the safety of the system until the required test can be carried out. For example, if a facility desires to extend the hydrostatic test date of a facility transfer pipeline required by 33 CFR 156.170, they should submit a written request to the COTP. The request may state the test is not safe at this time due to the need to introduce third party contractors onto the facility, the amount of product in the pipeline/tanks and that the facility will increase visual inspections of the transfer pipeline until the required annual hydrostatic test can be completed. If there are no significant safety issues, COTPs may approve extension requests for up to three months to expire on 30 September 2020. (Ch 2)

Third Party Audits/Assessments - In accordance with 33 CFR 105.415(b), the FSO must ensure an audit of the FSP is performed annually. The annual audit may be completed internally and there is no requirement to use third parties. The person conducting the audit must have knowledge of methods for conducting audits, not have regularly assigned security duties, and be independent of any security measures being audited, unless appropriately excepted, per 33 CFR 105.415(d). The facility may also maintain social distancing if performing the audit onsite or develop another method for a virtual review as there is no requirement for the audit to be conducted in person. If the facility chooses a virtual audit, encrypted emails should be used to protect Sensitive Security Information. However, the initial Facility Security Assessment or review/validation required every five years must have an on-scene survey per 33 CFR 105.305(b), but there is no requirement that it be performed by a third party. (Ch 2) 

Waste Reception Facilities – Garbage and Medical Waste 

33 CFR 158 regulations require all ports and terminals under the jurisdiction of the United States to provide vessels with reception facilities for garbage (33 CFR 158.133(c)). International regulations require these reception facilities to have a Certificate of Adequacy (COA) issued by the Coast Guard that attests to their ability to offload garbage, which may include medical waste (33 CFR 158.410). Medical waste is defined in 33 CFR 158.120 as “isolation wastes, infectious waste, human blood and blood products, pathological wastes, sharps, body parts, contaminated bedding, surgical wastes and potentially contaminated laboratory wastes, dialysis wastes and such additional medical items as prescribed by the EPA by regulation.” 

o Reception Facilities - Ports and terminals must be ready to receive any medical waste from any vessels calling at their facility. This means that those ports/terminals, with or without a COA for garbage, must provide vessels with adequate reception facilities for medical waste or a list of persons authorized by federal, state or local law or regulation to transport and treat such wastes.

o Vessels - In addition to notifying the COTP, vessels must coordinate with the port/terminal/recreational boating facility their needs for reception facilities for medical waste, 24 hours in advance of their arrival (33 CFR 151.65(b)), or immediately if already in port.

o COA Waivers - If there are issues or concerns with the health hazards associated with any garbage, reception facilities and vessels should work with the appropriate federal, state, and/or local agencies to determine the actual risks and formulate a plan of action based on information received from those agencies. COTP may also exercise their authority to grant waivers under 33 CFR 158.150, if necessary, to allow for offloading of medical waste or garbage to a reception facility without having a COA. 

• Facility Safety and Security Inspections: Coast Guard COTPs will continue to use risk based decision making to determine if a facility inspection or spot check will be conducted. Owners and operators should work closely with the COTP to determine if attendance for a full or abbreviated inspection is necessary and what mitigation measures may be taken, to include social distancing, phone interviews, providing electronic logs, etc. The COTP may conduct and credit a virtual inspection based off facility inspection history, phone interviews, review of electronic records/pictures, etc., or defer an inspection/spot check for up to 90 days. (Ch 2)

• TWIC Enrollment Centers – If applicants are planning to visit an enrollment center, please use the “Find an Enrollment Center” feature at the bottom of the Universal Enroll website (https://universalenroll.dhs.gov/locator) to determine if the center is open and its hours of operation. 

This release has been issued for public information and notification purposes only. 

The Coast Guard recently published NVIC 01-20, which addresses cyber security requirements for facilities subject to the MTSA.  Although the Coast Guard has been addressing cyber security in the marine transportation system since about 2013, this NVIC represents a significant policy change in that it requires facility operations to incorporate cyber security into their Facility Security Plans. 

A key purpose of the NVIC is “to assist owners and operators in identifying computer systems and networks whose failure or exploitation could cause or contribute to a Transportation Security Incident (TSI).” 

As FSOs and facility operators know, an informed, thoughtful Facility Security Assessment is the foundation of any Facility Security Plan.  The FSA starts with identifying and validating possible vulnerabilities, and then applying mitigation measures. 

To meet the intent of the NVIC, we simply have to incorporate our cyber-dependent systems into that process.  That will include systems that contribute directly to security, like cameras and PACS, and systems with security implications, like communications or cargo control.

There are, of course, challenges.  How can one determine if a given cyber system is “vulnerable?”  When selecting mitigation measures, what cyber security standards is the Coast Guard likely to accept?  How can facility operators identify what systems fall within the scope and intent of the MTSA?  How should those measures be described in an FSP in a way that provides reasonable clarity without constraining business flexibility or revealing proprietary information? 

Fear not.  At Seebald & Associates, we are in frequent contact with the Coast Guard personnel responsible for these policies, and our team includes personnel with a deep understanding of cyber security at both the policy and technical level.

One useful approach is to make use of the Cyber Security Framework, developed by the National Institute of Standards and Technology (NIST) and referenced in section 3.b. of the NVIC.  The Framework is arranged around 5 basic concepts – Identify, Protect, Detect, Respond, and Recover – that align well with MTSA regulations.  The Framework is flexible, suitable to organizations of any size/complexity, and performance oriented.  If you use Industrial Control Systems, then we also recommend incorporating NIST 800-82, which is the other framework referenced in the NVIC.

Seebald & Associates will be hosting one or more webinars on this topic in the near future.  In the meantime, take a look at the table below to see a simplified example of how a facility might start the process of addressing cyber in a way that meets the intent of the NVIC: 

| Coast Guard Requirement | NIST Framework | Example in FSP or Cyber Annex |
| --- | --- | --- |
| Facility Security Assessment | Identify | Include cyber/IT/OT experts in the FSA.  Identify and evaluate ways that cyber vulnerabilities could contribute to a TSI.  Technical procedures such as security scans and penetration testing may be employed to validate and quantify cyber vulnerabilities. |
| Security Organization | Identify | FSP should identify who in the organization has responsibility for cyber security, and how that person will communicate and coordinate with the FSO. |
| Access Control and Restricted Areas | Protect | FSP may reflect topics such as authentication, least privilege, encryption, and mobile device management (BYOD). |
| Monitoring | Detect | FSP may reflect topics such as routine scanning of inbound/outbound data, data logging, use of virus detection software. |
| Cargo Handling and DoS | Protect, Detect | FSP may address security concerns with electronic transmission of cargo information between the facility and visiting vessels, including use of portable media (data in motion).  Other topics include security of databases used for tracking cargo status/location on the facility (data at rest).  DoS procedures may address data transmitting procedures and notifications of suspicious cyber activity for the facility and visiting vessels. |
| Security Incidents, Drills, Exercises, and Training | Respond, Recover | FSP may address topics such as incident monitoring, reporting, and logging, the use of backups, restoration procedures and testing, and procedures to ensure that a compromised system has been properly addressed and is now considered safe to operate. |

TSA issued a notice, Exemption to Extend the Expiration Date of Certain Transportation Worker Identification Credentials, on April 10, 2020. With this notice, TSA is granting a temporary exemption from requirements in 49 CFR part 1572 regarding the expiration of certain Transportation Worker Identification Credentials (TWIC®s).

For TWICs expiring between March 1, 2020, and July 31, 2020, the exemption extends the validity of a TWIC for 180 days for an individual whose TWIC would otherwise expire during the effective period of the exemption, which remains in effect through July 31, 2020. TSA may extend this exemption at a future date depending on the status of the Coronavirus Disease 2019 (COVID-19) National Emergency.

Frequently Asked Questions:

Q: Why is TSA granting this exemption? 

A: TSA determined that it is in the public interest to grant an exemption from the current expiration standard in 49 CFR part 1572, which is five years from the date of issuance, given the need for transportation workers to continue to work without interruption during the current National Emergency created by the COVID-19 pandemic. 

Q: Has the U.S. Coast Guard (USCG) provided guidance on the use of TWIC? 

A: Yes. USCG published Marine Safety Information Bulletin 13-20. Updated information on USCG operations and procedures may be found under “Featured Content” on the USCG Deputy Commandant for Operations website and by monitoring Coast Guard Maritime Commons.

Q: Do TWIC holders need to take any action(s) to extend their Security Threat Assessment? 

A: No. This exemption applies to TWICs that expire on or after March 1, 2020, through July 31, 2020. For those TWICs, TSA will extend the security threat assessment expiration date for an eligible TWIC to 180 days after the current expiration date that appears on the face of the credential. If the 180 day period extends past July 31, 2020, the TWIC will be valid for the remainder of the extended 180-day period based on the expiration date of the TWIC. In accordance with USCG requirements, facility or vessel owners and operators may accept TWIC cards that show an expired date for unescorted access to secure areas. (Note: For new TWIC enrollments, TSA is planning to keep enrollment centers open. Please visit https://universalenroll.dhs.gov to verify enrollment center operations.) 

Q: Does this exemption compromise national or transportation security? 

A: The risk to transportation security associated with this exemption is low. TSA maintains the ability to recurrently vet TWIC holders and take action to cancel or revoke a TWIC if derogatory information becomes available, regardless of the expiration date. 

Q: Where can I find more information on TSA’s temporary exemption? 

A: The exemption notice is appended to this fact sheet and published to the Federal Register. For additional information, please contact the TSA TWIC program.