If the FSA is the Base of the Security Pyramid, the Risk-Based Analysis (RBA) is the Heart of the FSA!
- Posted by Thomas Venezio
The RBA is a documented analysis that is a REQUIRED part of the FSA and forces us to look critically at potential attack scenarios for our facility, and identify possible mitigation actions. Finally, we attempt to rate these items to identify those scenarios that have a high impact and vulnerability and the mitigation actions that we believe would be most effective.
Coast Guard NVIC 11-05 provides a good, basic framework for conducting an RBA. It’s important to involve key personnel and stakeholders at your facility when you conduct the RBA. When Seebald and Associates conducts an RBA, we use a slightly more involved process and have developed a spreadsheet to help us thoroughly analyze the data. We also like to have all of the important players at the facility sitting around the table (senior/corporate leadership, FSO, AFSO, terminal manager, shipping manager, IT manager, production manager, security supervisor, etc.). A more inclusive and thoughtful process will yield a more realistic and effective RBA, especially in identifying vulnerable systems, processes or protocols.
Remember to check your FSP approval date, 2019 is right around the corner!!!
Holiday Season Security
As we get closer to the holiday season, many in the maritime industry see an increase in business. All those toys on the shelves and specialty foods come from somewhere, and the container trade typically sees a surge in operations this time of year. Some segments of the energy industry will see an increase in heating oil, propane, and other fuels, and even facilities that handle bulk commodities are doubtless seeing those mountains of salt grow on their terminals.
Increased trade is good for business, but busy terminals can also mean increased risk. Fast-paced operations can distract from security needs and contribute to a sense of chaos. Key employees may be on vacation, and foul weather may simply encourage people to keep their heads down. Ice and snow can degrade the operation of cameras and other security systems. Terrorists and others may try to exploit any of these factors.
To reduce your security risk, consider the following:
- Remind all personnel to be alert for suspicious activity or behavior, including the presence of suspicious packages or devices on the facility.
- “Phishing” attempts and other scams may come in the form of holiday-themed e-mail. Ensure all employees are aware of the potential threat and follow company guidelines concerning e-mail security. In general, don’t click on links or open attachments if you aren’t sure of the sender. Malware and cyber-attacks could cost the company money and even degrade critical security, safety, and operational systems.
- Take advantage of your S&A Platinum membership perks by participating in monthly webinars and conducting drills using the monthly drill scenarios you receive by email.
Here at Seebald & Associates we hope that the remainder of 2018 and 2019 is a prosperous, safe, and secure year for you, your families, and your employees.
When and Why Do I Need to Do an FSA?
- Posted by Thomas Venezio
You might be thinking, “My FSP already has an FSA, so I can just change the date and re-submit this.” Not so fast!! 33 CFR 105.310 is very clear in stating, “The FSA must be reviewed and validated, and the FSA report must be updated each time the FSP is submitted for re-approval or revisions.” So, the bottom line is we need to conduct a complete FSA prior to re-submission of our FSP for approval. This is an extremely important process so take the time to do a conscientious job because threats are always changing.
33 CFR 105.300 details everything that must be considered in developing the FSA. You must conduct a thorough on-scene assessment including, but not limited to, all of your facility’s security systems, operations, infrastructure, threats, vulnerabilities and weaknesses. You must also address important systems, resources and processes to protect all of the personnel from contingencies, natural disasters, and mishaps. 33 CFR 105.300 provides extensive specifics on all that must be addressed.
The FSA must also include a Risk-Based Analysis. We’ll address the RBA in next week’s blog. Remember to check your FSP approval date!!!
Facility Security Assessment, the foundation of your FSP
- Posted by Thomas Venezio
Facility Security Plans (FSP) were first written and submitted to the Coast Guard in 2004 with a 5-year re-write requirement. For everyone keeping track of the 5-year re-write schedule for FSPs, that means in 2019 most facilities will need to re-write their FSP. For those of you that are familiar with the Seebald Security Pyramid, you know that at the base of the Pyramid is the Facility Security Assessment (FSA). Without a well prepared and well thought out FSA, the FSP may be very weak and not provide the level of security that your facility needs. The FSA will help you build an FSP that truly takes into account current threats, real vulnerabilities at your site, and design mitigation actions and security strategies that will be most effective in reducing your risk. This means that you, the Facility Security Officer, must be intimately involved in this development process! We’ll spend more time on this in the coming blogs and in the November Webinar to be held on November 29, 2018 at
One final thought, be sure to check your FSP approval date. Many FSPs will need to be resubmitted in 2019.
Cyber Security - How to Protect Your Facility.
- Posted by Cliff Neve
Seebald & Associates’ and MAD Security’s Cliff Neve delivered a webinar on October 25th discussing the recent cyber attacks at the Ports of Barcelona and San Diego. Cybersecurity has many analogies to physical security, and bad actors use the same basic steps to exploit victims’ information, property, and information systems. In addition, the convergence of information technology (IT) with operational technology (OT) allows for expanded access for administrators and operators to industrial control systems, camera systems, and other OT devices. It also, however, expands the attack surface for nefarious cyber actors, and Cliff discussed the ways to protect your converged networks from threats.
Most companies cannot afford to hire their own 24/7/365 cyber security operations center personnel, nor should they spend the money for at least a dozen people (~five people per 24/7/365 watch position), the facility, the software and licenses, the training for personnel, and the management oversight necessary to secure their information and information systems.
Seebald and Associates have partnered with MAD Security to offer a very affordable alternative: 24x7x365 Managed Security Services, including network monitoring and vulnerability scanning, that will harden your IT systems and allow for quick detection of cyber intrusions.