Facility Security Symposium Kicks Off
- Posted by Drew Tucci
On Wednesday morning the FSO course finished when the students made their presentations and took the final exam. The good news is that everyone passed, and the better news is that our nation and marine transportation system is now stronger by 34 fully qualified Facility Security Officers!
In the afternoon the symposium kicked off with opening remarks from Captain Michael P. Kahle, Commander of Sector St. Petersburg and Captain of the Port here in Tampa. He emphasized the importance of supply chains and the need for the Coast Guard, other agencies, and the many private sector companies to cooperate in preparing for contingencies and building resilience.
After Captain Kahle’s remarks, our own John Felker chaired a cybersecurity panel discussion with three experts from the Coast Guard: LCDR Matt Whitney from Coast Guard Headquarters, Mr. Nick Parham from Coast Guard Atlantic Area, and Mr. Carl Hatfield from Coast Guard District Eight. These three individuals have tremendous technical expertise, but they helped us all understand cyber risks in simple terms.
They also discussed some emerging policies and described the Coast Guard’s “Cyber Protection Teams”, which are available, free of charge, to help MTSA facilities with cybersecurity challenges. These teams are NOT part of the Coast Guard’s regulatory program, so you can take advantage of their services without the risk of a fine or requirement. Contact any S&A member for more information or contact them directly at
Jorge Torres, Port Tampa Bay FSO, receives S&A Maritime Excellence award
Spencer Byrum, CEO of HRS Consulting, introduced us to the concept of High Reliability Organizations, situational awareness, and not driving your ship straight into the lighthouse. Many of us have operational environments that are “volatile, uncertain, complex, and ambiguous”, but we can learn to recognize red flags and take action to address these complex risks.
Dr. Will Wilkins, Executive Director, Global Security & Construction Management for Valero made a captivating presentation on preparing and responding to protest activities. Have a clear-eyed discussion with both your security personnel, and your senior management, about how to respond to these types of events BEFORE they happen to you.
After the presentations we all attended an informal reception where we were delighted to present Jorge Torres, of the Port of Tampa Bay, with our Maritime Excellence Award.
FSO Course & Refresher Course Wraps Up
- Posted by Drew Tucci
The start of day three for the Facility Security Officer (FSO) Course and the day prior, the one day FSO Refresher Course wrapped up with 21 "old hands" sharing years of experience and wealth of knowledge. These were all seasoned FSOs, many of them senior managers at their organizations, taking the time to refresh their knowledge about Coast Guard requirements and emerging threats.
While all Seebald & Associates courses benefit from student discussions, the refresher course typically has at least as many “sea stories” and examples from the students as formal lecture from Captain Brian Kelley, the lead instructor. Discussions about everything from the use of shotguns to remove rust and slag from ships (no kidding, you had to be there), to how to best support security guards quickly dominated the course. Had we not had to break from lunch Master Instructor Captain Brian Kelley might never have had the chance to return to his course plan.
TWIC was the first topic in the afternoon, which included some interesting stories about forgeries. Many of us have seen guards fooled by fairly simple fakes, like those made on a copy machine and hotel rewards cards. Good training can catch these fakes, but professional forgeries are all too easy to find these days. Fortunately electronic TWIC readers, which a majority of our students are using, can catch these threats.
Another key topic was Facility Security Assessment (FSA) procedures. The FSA is the foundation of your Facility Security Plan, and if done correctly, will help you identify the security procedures at all MARSEC levels that will reduce your operational risk, meet the regulations, and align with your business practices. At Seebald and Associates we take pride in our FSA process, which always includes a risk-based-analysis of threats, vulnerabilities, and consequences.
Speaking of FSAs, we also discussed the latest Coast Guard policy guidance on incorporating cybersecurity into the FSA, which was released just weeks earlier. Seebald & Associates is already incorporating this policy into our procedures.
Wednesday closes out the FSO course, with 34 graduates joining the 21 Refresher FSO students as we transition to the Symposium, with special guest speakers and panel discussions on cybersecurity, high reliability and situational awareness and ending the day with Dr. Watkins, Valero Executive Director for Global Securities will discuss the response and lessons learned from the recent protests on Valero facilities in the United Kingdom and Valero's planning against this threat against their facilities in the U.S.
Maritime Cybersecurity Assessment & Annex Guide
- Posted by Drew Tucci
On January 23, 2023, the United States Coast Guard released new guidance on cybersecurity for port facilities regulated by the Maritime Transportation Security Act and 33 CFR Part 105.
The “Maritime Cybersecurity Assessment and Annex Guide (MCAAG)” helps facility operators with the cybersecurity aspects of a Facility Security Assessment (FSA) and provides a template for incorporating the results of that process into a Cybersecurity Annex to a Facility Security Plan (FSP).
Before getting into the details of this new guidance, let’s first clarify that this does NOT impact facilities that already have approved Cybersecurity Annexes. Those facility operators are NOT required to resubmit new Annexes based on this guidance. However, this guidance will clearly be an appropriate tool for when existing FSPs come up for their normal, five-year renewal.
Here at Seebald & Associates, our experts have taken a preliminary look at this guidance and we think it will be a useful tool in helping facilities identify and manage their cyber risks. Here are a few key points:
· The guidance begins with terms, definitions, examples, and a discussion of how various Information Technology (IT) and Operational Technology (OT) systems are often connected. This reflects sound cybersecurity principles and helps us all recognize that a vulnerability in one part of a network can have consequences elsewhere.
· The guidance recommends that facility operators identify a “Cybersecurity Officer (CySO) to work with the FSO on cybersecurity matters.
· The guidance includes a step-by-step process for facility operators to identify cyber vulnerabilities in an FSA, determine mitigation strategies, and document the results in a Cybersecurity Annex of an FSP.
· The guidance uses the NIST Framework functions (Identify, Protect, Detect, Respond, Recover), and select categories and subcategories as baseline or additional measures, based on the organization’s risk tolerance.
At Seebald & Associates, we are in regular contact with U.S. Coast Guard cybersecurity personnel, both at the Headquarters and local Captain of the Port level. We will keep all our clients informed as we all learn more about how to how the Coast Guard expects us to apply this guidance. In the meantime we look forward to working with all of you to improve your security programs.
Moving the Cyber Goal Posts
- Posted by Drew Tucci
It’s football season, and I hope you all will help Ed by cheering on the Buffalo Bills, who will doubtless go to the Superbowl this year. Just ask him!
In between games, give some thought to cybersecurity, where the goalposts always seem to be moving. Most of us can find the combination of ever evolving threats and countless new standards to be overwhelming.
Here at Seebald & Associates, we keep in close contact with cybersecurity experts at the U.S. Coast Guard, and at the Cybersecurity and Infrastructure Security Agency (CISA), to provide you with the best, most credible advice on how to manage your cybersecurity risks while meeting Coast Guard requirements.
CISA recently published “Cross-Sector Cybersecurity Performance Goals”. This document, which is written in plain language, is a set of voluntary core cybersecurity practices. It is intended to reduce risk for both individual organizations and our nation’s critical infrastructure. You can access the document at https://www.cisa.gov/cpg.
The U.S. Coast Guard is encouraging vessel and facility operators to consider these performance goals. You can read the Coast Guard’s information on this topic at https://mariners.coastguard.blog/2022/11/08/cisa-releases-cross-sector-cybersecurity-performance-goals/.
According to CISA, these performance goals can help address the concerns of small and medium sized businesses who struggle to know where to focus and invest their scarce cybersecurity resources. Our cybersecurity experts at S&A agree that this is a valuable addition to the best practices developed by CISA, and jointly promulgated with the Coast Guard.
Cybersecurity really does have moving goalposts. But to make that touchdown every time for our clients, Seebald & Associates constantly updates our training aids, audit checklists, and Facility Security Assessment processes to reflect current standards and best practices. The audit we provide next year will be different from this year’s, especially in cyber. This is how we ensure that your security programs provide meaningful security that reduces compliance, operational, and reputational risk.
For all the latest in cyber and other security issues, be sure to attend our upcoming Security Symposium, 30 January – 2 February 2023 in Tampa, FL. We’ll have an impressive list of senior Coast Guard and industry experts who will address cybersecurity, TWIC, preparing for protest activity, security guard management, and more. To register and for more information, go to at https://fsosymposium.com/.
Further Delay for TWIC Reader Rule
- Posted by Richard Sundland
Further Delay to the TWIC Reader Rule
Below is the excerpt from the Office of Information and Regulatory Affairs outlining the Coast Guard’s intentions with a further delay for the TWIC reader rule to May 8, 2026.
On August 23, 2016, the Coast Guard issued a final rule, requiring owners and operators of certain vessels and facilities regulated by the Coast Guard to conduct electronic inspections of Transportation Worker Identification Credentials (TWICs) as an access control measure (81 FR 57651). On March 9, 2020, Coast Guard published a final rule, delaying the effective date of the 2016 TWIC reader rule for three categories of facilities (85 FR 13493). This rulemaking would further delay portions of the August 2016 final rule. The Coast Guard would delay the effective date for the three categories of facilities by at least an additional 3 years (until May 8, 2026) or later depending on the outcome of the Homeland Security Operational Analysis Center (HSOAC) study and consideration of public comments. The study is estimated to be completed no earlier than June 2022.
The three facility categories that would be delayed are:
- Facilities that handle certain dangerous cargoes in bulk, but do not transfer those cargoes to or from a vessel
- Facilities that handle certain dangerous cargoes in bulk, and do transfer those cargoes to or from a vessel
- Facilities that receive vessels carrying certain dangerous cargoes in bulk, but do not, during that vessel to facility interface, transfer those bulk cargoes to or from said vessels
You can read the entire rule intentions at: View Rule (reginfo.gov)