Facility Security Threats – What’s in Your Crystal Ball?

What types of threats are we facing?

Last week’s blog discussed threats as a key factor in our risk equation.  This week we’ll delve into the types of threats that challenge our facility security regime.

Over the course of many years, we’ve placed threats in various categories.  In our courses we highlight threats from terrorism, organized crime, lone criminal acts, cyber, civil unrest, and our ever-popular “random acts of stupidity.”  Recently we’ve expanded this list to include complacency, communicable diseases, and natural disasters.

Let’s look at a few of these threats…

Terrorism – On average, there are well over 100 terrorist attacks globally every month.  Recent domestic terror events clearly demonstrate that terrorists are entrenched in America.  Our history is rife with terrorists dating back to the Revolutionary War.  Today is no exception.  The terrorist will capitalize on our weaknesses and will be patient in planning the attack.  They’re not afraid to die, but they are afraid to fail.  Our awareness is crucial – detecting terrorist activity while the attack is in the planning stage is the most effective defense.  Your facility’s security posture can help deter a terrorist attack – become a hard target. 

The term "lone wolf" is used by U.S. law enforcement agencies and the media to refer to individuals undertaking violent acts of terrorism outside a command structure.  While the lone wolf acts to advance the ideological or philosophical beliefs of an extremist group, they act on their own, without any outside command or direction.  The lone wolf conceives and directs their tactics and methods entirely on their own; in many cases, the lone wolf never has personal contact with the group they identify with.  As such, it is considerably more difficult for officials to gather intelligence on lone wolves, since they may not come into contact with routine counter-terrorist surveillance.

Organized Crime – Referred to as Transnational Organized Crime (TOC), the FBI describes these groups as self-perpetuating associations of individuals who operate, wholly or in part, by illegal means and irrespective of geography.  They constantly seek to obtain power, influence, and monetary gains.  There is no single structure under which TOC groups function - they vary from hierarchies to clans, networks, and cells, and may evolve into other structures.  These groups are typically insular and protect their activities through corruption, violence, international commerce, complex communication mechanisms, and an organizational structure exploiting national boundaries.

With few exceptions, TOC groups’ primary goal is economic gain and they will employ an array of lawful and illicit schemes to generate profit.  Crimes such as drug trafficking, migrant smuggling, human trafficking, money laundering, firearms trafficking, illegal gambling, extortion, counterfeit goods, wildlife and cultural property smuggling, and cyber crime are keystones within TOC enterprises.  Note that each of these crimes can have a maritime component.

Lone Criminal Act – This threat is contrasted with the lone wolf terrorist.  For example, a lone criminal could be an Active Shooter, who is defined as “an individual actively engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearms and there is no pattern or method to their selection of victims.”  Recently, the word ‘shooter’ is often dropped because an attack can be carried out by any means.  The semantic distinction may seem trivial but it is critical to security.  For example, instead of Active Shooter, in Israel the term used is ‘sacrificial attack.’  Other examples of lone criminals include a saboteur, who destroys or damages something deliberately, or a thief, who steals property, especially by stealth and without using force or violence.  Remember, a lone criminal as a threat can have a broad application.

Cyber Attack – This is the threat that is most likely to occur.  There are all sorts of cyber attacks occurring in today’s world.  Wikipedia characterizes these attacks as follows: 

  • Indiscriminate attacks - These attacks are wide-ranging, global and do not seem to discriminate among governments and companies.
  • Destructive attacks - These attacks relate to inflicting damage on specific organizations.
  • Cyber warfare - These are politically motivated destructive attacks aimed at sabotage and espionage.
  • Government espionage - These attacks relate to stealing information from/about government organizations.
  • Corporate espionage - These attacks relate to stealing data from corporations related to proprietary methods or emerging products/services.
  • Stolen email addresses and login credentials - These attacks relate to stealing login information for specific web-based resources.
  • Stolen credit card and financial data, stolen medical-related data – Attacks that gain access to personal data, resulting in compromised finances and personal information.

Civil Unrest – America’s civil stability is increasingly threatened and the dangers are now bigger than the collective episodes of violence we’ve witnessed in recent years.  Much civil unrest is characterized as low-intensity conflicts with episodic violence in constantly moving locales.  The question is whether our facility could be one of those locales.  What relationship does your facility have with the community outside your fence line?  How does your public reputation impact your perceived threat of civil unrest activity either on or adjacent to your facility?

Next week we’ll wrap up our look at facility security threats…

Facility Security Threats – What’s in our Risk Equation?

Last week we looked at the regulatory requirement to be aware of security threats and patterns.  This week we’ll explore threats and risk.

Where do threats fit into our facility’s risk equation?

Before specifically starting our focus on threats, it’s essential to remember that threat patterns constantly change, and facility security threats vary from facility to facility.  That’s why we must remain vigilant to our vulnerabilities and the consequences of an attack on our facility as critical factors in our risk equation, as they could be an indicator of the type of threats that we could encounter. 

This points to the importance of a thorough Facility Security Assessment and Risk-Based Analysis.  Those with intent to harm our personnel and facilities often plan and rehearse their attacks, and their methods are geared toward success.  If we’re in tune with our risk profile – our threats, vulnerabilities, and the consequences of an attack – we can take actions to mitigate our risk. 

Just as we have a risk equation for our facility, the Coast Guard takes a risk-based approach to security.  A primary driver for setting our Maritime Security (MARSEC) Level is the threat to our nation, area, region, zone, industry or facility type.  We can slice and dice our security readiness to be prepared for the threat, as dictated by the Coast Guard directing the appropriate MARSEC Level.

In next week’s blog, we’ll start to dig into the various types of threats we’re facing…

Facility Security Threats – It’s a Knowledge Requirement!

Before we get started on our threat discussion this month, let’s see what 33 CFR 105 requires of us.  In particular, our knowledge and training must include awareness of security threats and patterns. 

  • §105.205 Facility Security Officer (FSO).

(b) Qualifications.

(2) In addition to knowledge and training required in paragraph (b)(1) of this section, the FSO must have knowledge of and receive training in the following, as appropriate:

(b)(2)(viii) Current security threats and patterns;

  • §105.210 Facility personnel with security duties.

Facility personnel responsible for security duties must maintain a TWIC, and must have knowledge, through training or equivalent job experience, in the following, as appropriate:

(a) Knowledge of current security threats and patterns;

  • §105.225 Facility recordkeeping requirements.

(b) Records required by this section may be kept in electronic format. If kept in an electronic format, they must be protected against unauthorized deletion, destruction, or amendment. The following records must be kept:

(6) Security threats. For each security threat, the date and time of occurrence, how the threat was communicated, who received or identified the threat, description of threat, to whom it was reported, and description of the response;

The Coast Guard takes a risk-based approach to security.  Threats are an important consideration in their many activities, such as setting MARSEC levels.  Instead of doing your own research or trying to navigate through Homeport, you can participate in your Area Maritime Security Committee (AMSC) to learn more about what the Coast Guard perceives as the prominent threats in your area.  Have that discussion with your Coast Guard facility inspector and with your colleagues in the AMSC.

Remember that specific threat discussions may include Sensitive Security Information (SSI), so it’s our duty to protect this information carefully.  If you’re having a threat discussion, be aware of your surroundings.  Also, when recording a security threat to your facility or personnel, be sure to mark the record as SSI, and protect it along with your other facility documentation.

Next week’s blog will look at Threats as a component of our facility’s risk equation…

TWIC Reader Requirements Final Rule - So far this month we discussed Who, What, When, Where and Why, so we will cover a few “What if” questions this week.

What if my TWIC card is stolen, damaged or lost? – Unescorted access can be granted up to 30 days if:

  • TWIC card appears on the Cancelled Card List (CCL)
  • Individual was known to have had a TWIC card
  • Individual reported it lost, stolen or damaged

Facilities using a Physical Access Control System (PACS) - If after 30 days the individual has NOT linked their facility access card to a valid TWIC card, the PACS must deny unescorted access to secure areas.

What if I forgot my TWIC card at home? – Unescorted access is DENIED unless an electronic TWIC inspection can be performed by the PACS using the facility access card.  If you have TWIC readers, the individual will NOT be able to perform the required electronic TWIC inspection.

What if my job requires me to go between secure and unsecure areas to complete my duties, do I need to complete an electronic TWIC inspection every time I re-enter the secure area? – NO, an electronic TWIC inspection is not required for reentry into a secure area as long as certain requirements and conditions are met.  This includes the following:

  • Designated Recurring Access Area (DRAA) – An unsecure area adjacent to a secure area with access gates where employees require frequent access between the unsecure and secure areas to complete their duties.
  • Recurring Unescorted Access (RUA) – TWIC holding employees going between secure and unsecure areas without going through an electronic TWIC inspection each time they pass from unsecure to secure after an initial electronic TWIC inspection was conducted.

DRAA Requirements

  • Must be designated and approved in FSP
  • Security Guards at each secure area access point
  • Entire DRAA must be visible to security personnel
  • Electronic TWIC inspection completed for initial entry into secure area (beginning of work shift) and TWIC holder can have RUA as long as they do NOT leave DRAA
  • If TWIC holder leaves DRAA for ANY reason, they must conduct an electronic TWIC inspection upon return into the secure area

Some possible DRAA scenarios are:

  • Cruise ship porters carry baggage from curbside check-in area (unsecure) to baggage storage area (secure) for cruise ship passengers.
  • Forklift operators transport packages from loading area (unsecure) to secure storage area on vessel or facility.
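
The lost/stolen/damaged 30-day rule and the DRAA re-entry rule above can be expressed as a single PACS entry decision. The sketch below is an added example, not Seebald & Associates or vendor code; `Worker`, `in_grace` and `request_entry` are hypothetical names, and it assumes that all three lost-card conditions must hold together and that `reader_ok` carries the result of the electronic TWIC inspection.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GRACE = timedelta(days=30)  # "up to 30 days" for a lost, stolen or damaged TWIC
ENTRY_LOG = []              # each granted ENTRY is recorded; retention not modelled

@dataclass
class Worker:               # hypothetical PACS record, not a real product schema
    name: str
    valid_twic_linked: bool = True          # access card linked to a valid TWIC
    on_ccl: bool = False                    # card appears on the Cancelled Card List
    known_holder: bool = False              # known to have had a TWIC
    reported_at: Optional[datetime] = None  # when loss/theft/damage was reported
    inspected: bool = False                 # initial electronic inspection this shift
    left_draa: bool = False                 # stepped outside the DRAA since then

def in_grace(w: Worker, now: datetime) -> bool:
    """Assumption: all three listed conditions must hold, within the 30 days."""
    return (w.on_ccl and w.known_holder and w.reported_at is not None
            and timedelta(0) <= now - w.reported_at <= GRACE)

def request_entry(w: Worker, now: datetime, reader_ok: bool) -> tuple:
    """Decide one secure-area entry and return (decision, basis)."""
    if not w.valid_twic_linked:
        ok, why = in_grace(w, now), "lost/stolen/damaged grace period"
    elif w.inspected and not w.left_draa:
        ok, why = True, "recurring unescorted access (RUA)"
    else:
        ok, why = reader_ok, "electronic TWIC inspection"
        if ok:  # a fresh inspection restarts recurring access
            w.inspected, w.left_draa = True, False
    if ok:
        ENTRY_LOG.append((now, w.name, why))
    return ("GRANT" if ok else "DENY", why)

def demo() -> list:
    t0 = datetime(2018, 2, 1, 7, 0)         # constructed sample shift start
    porter = Worker("porter")
    lost = Worker("welder", valid_twic_linked=False, on_ccl=True,
                  known_holder=True, reported_at=t0)
    out = [request_entry(porter, t0, reader_ok=True)[1],   # start of shift
           request_entry(porter, t0, reader_ok=False)[1]]  # stayed inside DRAA
    porter.left_draa = True                                # left the DRAA
    out.append(request_entry(porter, t0, reader_ok=False)[0])  # must re-inspect
    out.append(request_entry(lost, t0 + timedelta(days=29), False)[0])
    out.append(request_entry(lost, t0 + timedelta(days=31), False)[0])
    return out
```

Calling `demo()` walks a porter through initial inspection, recurring access and a denied re-entry after leaving the DRAA, then shows the lost-card grace period granting on day 29 and denying on day 31.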

NOTE – Seebald & Associates presented a Webinar last Thursday (February 22nd) that covered everything you need to know about TWIC Reader Requirements.  If you missed the webinar, S&A Platinum members can view the recorded presentation via our website.

Last week we discussed WHO is expected to comply with TWIC Reader Requirements, WHAT is required to complete an Electronic TWIC Inspection, and WHY this is a requirement.  This week we will go over the WHEN, WHERE, and HOW for different implementation options along with administrative requirements.

There is quite a bit of apprehension about how to purchase or enhance current systems to be in compliance with the TWIC Reader Requirement Final Rule.  We are asked all the time: “How do I know what TWIC Readers to purchase?” or “Can I enhance the Physical Access Control System (PACS) I have in place at my facility?”  I will address each question and provide guidance that will assist you in determining which solution is better for you.

TWIC Readers – TSA has a Qualified Technology List (QTL) outlining companies that have approved readers meeting the Electronic TWIC inspection requirements (TSA QTL: https://universalenroll.dhs.gov/permalinks/static/twic-reader-qtl).  If your TWIC reader is not on the list, that is OK as long as it meets the Electronic TWIC Inspection Requirements – see last week’s blog for details.

PACS -  Facilities are authorized to enhance their current systems to meet the Electronic TWIC inspection requirements.  I am sure you are picking up a theme here – whatever system or reader you use, it must meet the Electronic TWIC inspection requirements.

Can the TWIC Readers and PACS be portable? – Yes, there is no requirement for either to be fixed or stationary; portable systems are acceptable.

What if the TWIC Reader or PACS malfunctions? – You are required by law to have a back-up system or portable TWIC readers at the ready that perform the Electronic TWIC Inspection requirements (visual inspection of the TWIC cards is NOT authorized).  NOTE: If you cannot provide a back-up for that access point, you must report it to your Captain of the Port and obtain permission to operate.

Once you have decided on the hardware solution, there are some administrative requirements that must be met:

  • You must record/document each ENTRY into a secure area, and you are required to maintain these records for two years.

We are asked: “What if we document both the entry and exit of all personnel in and out of a secure or secure/restricted area?”  A lot of facilities track who enters and exits for accountability reasons, and this is permissible and accepted by the Coast Guard, but make sure you maintain those records for two years.

Next week’s blog will discuss what is required if a TWIC card is lost, stolen or damaged as well as what requirements need to be met if you routinely move between a secure area and an unsecure area to perform your duties.

Reminder – Seebald & Associates will host a Webinar this week.  We’ll discuss the TWIC Reader Requirements Final Rule on Thursday, February 22, at 11:00am ET and 3:00pm ET.