The U.S. Coast Guard, the Cybersecurity and Infrastructure Security Agency (CISA), and other organizations have recently published information about the SolarWinds cyber attack. 

While I won’t pretend to understand all of the technical details of this event, it is fundamentally a “supply chain” attack.  The malware infected the SolarWinds Orion business software.  Thousands of public and private entities use this software, and they introduced the malware into their own systems as they downloaded routine updates.  The malware installs “backdoors” into the infected systems, and voila, the bad guys are in. 

The sophistication of the attack indicates a nation-state actor.  Frankly, if it is true that the attack started in the spring of this year, we’re fortunate that it was discovered so soon. 

The natural progression for these types of events is for organizations to initially claim they are fine, only to find out (or admit) later that they are infected.  Active, aggressive monitoring and threat hunting should be the new normal for most organizations. 

So what should FSOs and facility owners do about this event?

First, share this blog and the attached links with whoever manages cyber security at your facility, including any outside vendors.  You should already have these folks on your speed dial.  If not, it is time to learn their names and team up on security.

Second, ask to be kept informed on the progress of any response actions your company takes.  Insist that any systems with particular importance to your FSP be included in the detection, response, and recovery actions.  This might include security cameras, Terminal Operating Systems, electronic gate access systems, sensors, alarms, and more. 

Third, ensure your cyber security colleagues are aware of the Coast Guard requirement to report cyber-related breaches of security and suspicious activity to the National Response Center.  Information sharing is vital to securing our nation against these attacks.

Finally, I’ll remind you that early this year the Coast Guard published NVIC 01-20, Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities.  If you are not already working on a cyber security annex to your FSP, give S&A a call and we’ll help you understand how to meet this requirement. 

Coast Guard Marine Safety Bulletin https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2020/MSIB-20-20-Solar-Wind.pdf?ver=J4I_zECX5EQecQ2ex6LeNw%3D%3D

Cybersecurity and Infrastructure Security Agency (CISA) https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

MAD Security (Seebald & Associates cyber security partner) https://madsecurity.com/

Foreign Flag Ship Port Call

Regulations and Security Procedures

Drew Tucci, Captain, USCG (retired)

A client recently asked for some information about what happens when a foreign flag ship calls on a U.S. port facility, and what responsibilities the facility owner has.  U.S. port facilities are part of a complex global trade system, in which government agencies, vessel owners, and facility owners all share responsibilities.

When a foreign flag ship calls on a U.S. port, the vessel owner/operator is responsible for most Coast Guard and Customs regulations.  The vessel agent typically addresses these requirements.  Nonetheless, the facility owner also has some responsibilities. 

All foreign flag ships bound for U.S. ports must notify the U.S. Coast Guard, and U.S. Customs, at least 96 hours in advance.  This is a VESSEL requirement found in 33 Code of Federal Regulations Part 160.205.  The Notice of Arrival (NOA) process is done electronically, and it allows the Coast Guard and Customs and Border Protection (CBP) to do a detailed joint vetting of the ship, its crew, owner, operator, cargo, past port calls, as well as past safety, security, and environmental compliance. 

When I was on active duty, I visited the DHS National Targeting Center in Reston, VA on several occasions.  Coast Guard and CBP personnel, along with other agencies, work side by side, comparing intelligence, sharing data, and evaluating the ships, personnel, and cargo bound for U.S. ports.  It is a great example of government agency cooperation. 

While there is considerable overlap in authority and jurisdiction, the Coast Guard generally has primary authority over the ship, with Customs having primary authority over the cargo and the crew members (e.g. cargo tariffs, visa requirements for crew members).

The National Targeting Center provides its analysis to the local Captain of the Port (and CBP office).  The local Coast Guard and CBP personnel add their perspective, including knowledge of local risk factors, and determine what actions, if any, they will take.  On rare occasions, the Coast Guard and/or Customs will place restrictions on a ship or its crew, such as holding it offshore until they conduct a boarding, or issuing a “detain on board” for crew members identified as illegal immigration risks.

As the ship approaches port, local pilots (typically licensed by the State and the Coast Guard) will guide it to the dock.  Pilots will communicate with the Coast Guard, and often the facility operator, if they have any concerns about the ships they bring to port. 

The Coast Guard and/or Customs may also board a vessel after it is at the facility for more routine checks.  If they find significant safety, security, or environmental violations, they may prohibit cargo operations until the matter is resolved.

In most cases, once a ship is safely docked, cargo operations may begin.  The Coast Guard generally only requires advance notice of fuel/cargo transfers in special circumstances (33 CFR 156.118), but a courtesy notice to the local Sector or Marine Safety Unit is a good idea.

Safety regulations for oil/fuel/hazmat transfers for a foreign flag ship are the same as for U.S. barges:  Qualified Person in Charge, hoses in good condition, communications, and other requirements per the Declaration of Inspection (33 CFR 156.120). 

Container and dry bulk cargos don’t have specific Coast Guard transfer requirements, but the facility owner should be alert for any safety, security, or environmental risk factors.  If you start having any doubts while communicating with the vessel master or chief mate, address them before someone gets hurt or other problems develop. 

Security regulations for vessel interaction are described in your Facility Security Plan.  A Declaration of Security (DoS) is generally NOT required at MARSEC Level 1, unless specifically required in your FSP.  That said, a DoS is a good idea, and the FSO and the VSO should be clear on joint security procedures, especially reporting of suspicious activity and any planned Seafarer Access activity.

Your FSP should already address Seafarer Access requirements.  In general, vessel crew members (with visas provided by Customs) may transit through your facility without undue delay – but of course they need to be escorted.  Your security guards should be screening them, just like any other visitor to your facility.  Seafarer Access requirements also apply to seafarer advocacy groups (Seamen’s Church Institute, mariner unions).

While the vessel is responsible for all vessel requirements, the facility operator is responsible for:

  • FSP requirements (33 CFR Part 105). This includes monitoring and screening people and stuff coming from and going to the vessel (crew members, vessel stores, cargo)
  • Facility environmental requirements – 33 CFR Part 154 – think oil spill plan, hoses in good condition, drip pan under the manifold.
  • Facility safety requirements – safety gear on the dock, traffic management, controlling hot work and fire hazards, especially for facilities that handle flammable or other hazardous materials.
  • Facility portion of oil transfer requirements.
  • Reporting suspicious activity.
  • Reporting perceived deficiencies in vessel security procedures (yes, this is a judgement call).
  • Reporting oil spills, unsafe conditions, or similar situations.

Cooperation and communication among all parties is key to secure, safe, and smooth cargo operations.  Invest in building relationships with all the agents, pilots, officials, and other personnel who come together at your facility. 

The uninterrupted flow of commerce on our Marine Transportation System (MTS) is critical to both National Security and National economic well-being. During this National emergency for COVID-19 it is paramount that the Coast Guard safeguards the continued operation of the MTS. The regulations outlined throughout 33 and 46 Code of Federal Regulations remain in force, and maritime operators are expected to continue to comply with these requirements. However, when compliance with these regulations cannot reasonably be met as a result of COVID-19, the Coast Guard will exercise flexibility to prevent undue delays. The following clarification is provided regarding the Transportation Worker Identification Credential (TWIC®), which is jointly managed by the Coast Guard and the Transportation Security Administration (TSA).

Maritime Facilities and Vessels:

TWIC Readers - the Coast Guard is not changing or delaying the TWIC Reader Rule implementation date of June 7, 2020, for facilities that receive vessels certificated to carry more than 1,000 passengers and vessels certificated to carry more than 1,000 passengers. However, the Coast Guard will delay enforcement until December 31, 2020. Applicable facilities and vessels are not required to update facility security plans (FSP)/vessel security plans (VSP) or install readers until the revised enforcement date. (Change 1).

TWIC Exemption - On April 10, 2020, TSA issued a notice, Exemption to Extend the Expiration Date of Certain Transportation Worker Identification Credentials. For TWICs that expired between March 1, 2020, and July 31, 2020, the exemption extends the expiration date for 180 days. The TWICs that fall into this date range are valid for 180 days from the date of the card’s expiration. Please contact TSA for more information. TSA has not published an extension of this exemption. TWICs expiring on or after August 1, 2020 will no longer remain valid and holders must re-enroll if they require a valid TWIC. (Change 1).

Escort Ratios - Escort ratios for secure and restricted areas of a facility are provided in Navigation and Inspection Circular (NVIC) 03-07. To provide flexibility due to COVID-19 related health impacts, the escort ratio may be adjusted to meet employee shortages or other demands. This would constitute a change to the FSP or require Captain of the Port approval via noncompliance (discussed below and in MSIB 07-20).

New Hires - After enrollment has been completed and a new hire has presented an acceptable form of identification per 33 CFR 101.515(a) to the vessel security officer or facility security officer, that new hire may be allowed access to secure or restricted areas where another person(s) is present who holds a TWIC and can provide reasonable monitoring. The side-by-side escorting required in 33 CFR 101.105 for restricted areas will not be enforced during the COVID-19 pandemic. Additional compliance options for new hires can be found in 33 CFR 104.267 and 105.257 or via noncompliance (discussed below).

Alternate Security Plan (ASP) - Local users who are unable to comply with the requirements in an approved ASP may pursue temporary relief via noncompliance (discussed below) or an amendment can be submitted to cover the entire ASP via submission to CG-FAC.

Noncompliance - 33 CFR 104.125 and 105.125 discuss noncompliance with facility and vessel security requirements. If a situation arises where a facility or vessel will not be able to comply with the requirements of 33 CFR parts 104 or 105, they must contact the Captain of the Port (COTP) to request and receive permission to temporarily deviate from the requirements. While not discussed in 33 CFR 104.125 or 105.125, the vessel or facility operator should evaluate and consider any safety risks that may be created from the noncompliance. This request to continue operations should include new measures or safeguards the facility or vessel plans to employ to mitigate any risk from the noncompliance with 33 CFR part 104 or 105.

Merchant Mariner Credentials - The Coast Guard is providing flexibility with regard to requirements to have a TWIC when applying for a credential or when serving under the authority of a credential. To date, the processing of submitted TWIC enrollments has not been impacted by the COVID-19 crisis, and there is no delay in vetting, card production, and issuance. However, TSA and the Coast Guard recognize that this is an evolving public health situation and enrollment center closures or processing delays will impact applicants for a merchant mariner credential (see below for more on TSA enrollment centers).

Under 46 CFR 10.203(b), failure to hold a valid TWIC may serve as grounds for suspension or revocation of a merchant mariner credential (MMC). The Coast Guard will not pursue any suspension and revocation actions based on expired TWICs during the COVID-19 pandemic. The Coast Guard will update industry prior to reinstating enforcement of this requirement. This enforcement discretion for expired TWICs does not apply to cases where a mariner’s TWIC has been suspended or revoked due to a determination that they are a security threat. In those cases, the Coast Guard may pursue suspension or revocation of the MMC.

With respect to expired TWICs in the MMC application process, mariners applying for an original credential will be treated differently than mariners seeking a renewal, raise of grade or new endorsement. This is because the TSA provides the Coast Guard with biometric and biographic information (including the photograph) necessary to evaluate and produce a MMC.

Mariners applying for an original credential need to demonstrate that they have enrolled for a TWIC. Mariners may pre-enroll for a TWIC online, can schedule an appointment, but must complete the in-person enrollment process at the nearest TSA enrollment center. While this proof of application is sufficient to begin the merchant mariner credentialing process, an applicant for an original credential will be unable to obtain a MMC until their biographic and biometric information is provided to the Coast Guard by TSA.

For mariners already holding a MMC, if their TWIC expires, and their credential remains valid, then no action needs to be taken and the credential remains valid.  If a mariner applies for a renewal, raise of grade, new endorsement or duplicate merchant mariner credential while their TWIC is expired, they may apply without a valid TWIC if they demonstrate that they have enrolled for a TWIC renewal.

TSA Enrollment Centers - Almost all of the TSA’s Enrollment Centers are open, and TSA is processing new and renewal TWIC enrollments with no delays. A few enrollment centers are temporarily closed to ensure the safety, health and wellness of staff and the public. If applicants are planning to visit an enrollment center, TSA encourages individuals to use the “Find an Enrollment Center” feature at the bottom of the Universal Enrollment Services home page (https://universalenroll.dhs.gov/locator) to determine if the center is open and its hours of operation. If an individual still has any questions with finding an enrollment center, please call the UES help desk. TWIC enrollments must be completed in-person at an enrollment center. It is strongly recommended that you schedule an appointment. You may pre-enroll and schedule an appointment online (https://universalenroll.dhs.gov) or call 855-DHS-UES1 (855-347-8371). (Change 1)

Seebald & Associates recently posted a joint NSA-CISA cyber security advisory concerning operational technology and a Coast Guard MSIB regarding operational technologies and control systems.  See previous blogs.

I’ll summarize my understanding of this advisory as follows: OT systems are increasingly accessible via the internet through the convergence of IT and OT systems. Malicious actors are increasingly able to find and exploit those systems. The advisory goes on to suggest various ways to address this threat, including network mapping and hardening, and cyber resilience and recovery plans.

While technical cyber security measures are beyond the skill of most FSOs, fostering a strong security culture across all of the organization is a key FSO responsibility. A great way to promote this is to call up your cyber security counterparts and ask them to help you understand what actions the facility would take in the event of a cyber attack.

Keep in mind that a cyber attack might be a precursor to a physical attack, so cooperation and communication between the FSO and the cyber security team are critical. Even if the Coast Guard does not change the MARSEC level, you may want to increase patrols, increase screening, and advise visiting vessels and all other facility personnel to be especially vigilant for suspicious activity. Plan all of this in cooperation with your cyber team.

You should also recognize that a cyber attack, or the response actions taken by your cyber security personnel, may impact cyber systems you rely on – from e-mail and security cameras to alarms, access control systems, and cargo control. Discuss these possibilities with your cyber security partners now, so you are prepared if and when such an attack occurs.

If you’ve never had such a discussion, much less planned a joint cyber/physical security drill or exercise, now is the time to change that. Seebald & Associates can help you prepare for all security risks, and can help you develop a Facility Security Plan that meets new Coast Guard cyber security requirements. Finally, if you have facilities regulated under CFATS, pass this along to them, and let them know that S&A also serves the CFATS community.

Seebald & Associates will be sending out a cyber security drill this week for our platinum members to assist you in building your cyber security awareness.