As reported in numerous media accounts, coordinated drone strikes have caused extensive damage to crude oil production facilities in Saudi Arabia. 

Seebald & Associates has no reason to believe that similar attacks are planned against U.S. oil facilities.  Any such warning would come from the Department of Homeland Security, the U.S. Coast Guard, or Federal Bureau of Investigation.  Nonetheless, there are actions U.S. maritime facilities can take to better prepare for attacks in the United States, should they occur.

  • Ensure your personnel are alert for drone activity near your facility or vessel.  Report any drone sightings to the National Response Center at 1-800-424-8802, and to your local Coast Guard Captain of the Port.  Terrorists are known to conduct surveillance and to rehearse planned attacks.  Reporting enables law enforcement and intelligence agencies to take prompt action, potentially interrupting or stopping a planned attack. 

  • The Federal Aviation Administration (FAA) describes drones as “Unmanned Aircraft Systems” (UAS).  For information on FAA rules pertaining to UAS, visit https://www.faa.gov/uas/.

  • Review your MARSEC procedures and other contingency plans.  A drone attack could result in deaths, injuries, fire, pollution, or damage to critical infrastructure.  Well thought out contingency plans can save lives and help you return to business quickly.  S&A can help you develop contingency plans that meet your business and security needs.    

  • After reviewing your plans, conduct a drill or exercise.  If properly documented, this could count as one of your Coast Guard required drills or exercise. 

  • Review your Facility Security Assessment.  Does it consider this type of scenario, or other technology or cyber based threats?  Unfortunately, terrorists and criminal organizations now have capabilities that were previously only available to the most advanced organizations.  FSO/VSOs should work with your organization’s cyber professionals to consider and prepare for cyber-attacks, including combined physical/cyber-attacks. 

  • Build a strong security culture and remind all your personnel to be alert for suspicious activity.  An alert and well trained work force is your best defense.

 

The Department of Homeland Security, including the U.S. Coast Guard, use various means to notify the public about security concerns.  The Coast Guard uses MARSEC (maritime security) Levels to signify elevated threat conditions, and to require the increased security measures specified in Facility Security Plans and Vessel Security Plans.

While the Coast Guard’s MARSEC system is specific to the maritime industry, DHS’s National Terrorist Advisory System is intended for everyone, and does not carry specific requirements.  Recently, DHS revised NTAS to include three types of advisories: 

  • An NTAS “Bulletin” describes current developments or general trends regarding threats of terrorism.
  • An “Elevated Alert” warns of a credible threat against the United States that is general in both timing and potential location, and for which it is reasonable to adopt additional protective security measures.
  • An “Imminent Alert” is intended to warn of a credible, specific and impending terrorist threat or on-going attack.

The Coast Guard and the Department of Homeland Security coordinate closely on MARSEC and NTAS activity. 

While the thought process behind NTAS and MARSEC are very similar, an NTAS Alert will not necessarily lead to an increase in MARSEC Levels.  For example, one can imagine a credible threat scenario against a sector of our economy or area of our nation that does not include a significant maritime nexus, and therefore might not lead to a MARSEC increase.

At Seebald and Associates, we encourage our clients to be aware of both systems.  Be sure you understand your own MARSEC responsibilities and are prepared to implement them if and when required.  Also, even if the Coast Guard does not raise MARSEC, you may to decide to implement some or all of your MARSEC actions based on an NTAS alert, or any other information that you think suggests a threat to your activities and people. 

Raise your hand if you are fine with business coming to a screaming, and expensive halt for, say a month or two.  A cyber-attack can be the business equivalent of a deadly, metal-on-metal sound coming from under the hood of your car.  Sure you can get it fixed, but it won’t be quick, or cheap, or easy.  A ransomware attack on the City of Baltimore had just this effect.  

At Seebald & Associates, we can’t prevent all cyber-attacks, but we can help organizations recognize their risk and build resilience.  We address cyber security during training courses, audits, and security assessments. Our goals during these activities are as follows:

  • We help FSOs and others to recognize that many of the systems they use have cyber components – and therefore cyber vulnerabilities.  These systems could be anything from simple wi-fi enabled cameras and web-based employee alert systems to sophisticated cargo and industrial control systems.

  • During audits and assessments, we gauge the client’s overall approach to cyber security, addressing, in the most basic of terms, topics such as employee training, network access policies, IT/OT segregation, and the role of cyber security in MTSA regulated functions such access control and cargo systems.

  • We encourage cooperation between FSOs/VSOs and the organization’s dedicated cyber security professionals.  This cooperation should include suspicious activity reporting, risk assessment and mitigation activity, and response operations.  

  • We encourage cyber professionals to participate in information sharing organizations, and to take advantage of well recognized cyber security standards and resources, such as are published by NIST,SANS, and CISA.

Maritime organizations will increasingly require more technical assistance, and we are proud to refer them to Make A Difference with MAD Security.  MAD Security is a highly respected managed security services organization with close ties to S&A and experience working with port and waterways organizations, industrial and other private sector clients, as well as with the U.S. Coast Guard, the Department of Defense, NASA, and other government agencies.  They provide 24/7 network monitoring and intrusion detection and will ensure you become compliant with emerging Coast Guard/DHS requirements. So go ahead and get MAD.  With their cyber expertise, and S&A’s holistic approach to security, your vessel or facility can be well prepared and resilient when (not if!) cyber or other threats come your way.  

Calendar year 2019 is almost halfway over and after conducting numerous Facility Security Plan annual mandated audits, we note many Facility Security Officers (FSO), Company Security Officers (CSO), Alternate FSOs, Personnel with Security Duties (PSD) and All Others (AO) are not current on their required Maritime Transportation Security Act (MTSA) training. 

This non-conformity is a compliance risk and will draw warnings and citations from a U.S. Coast Guard facility security inspection.  It is generally recommended that facility security staff attend a U.S. Coast Guard approved 33 CFR, Part 105 or Part 106 training course at a minimum initially, then every 3-5 years with a refresher course.  Depending on when security personnel have been trained, even within the past 5 years, many new MTSA regulation, guidance and policy updates and changes have taken place.  Recent topics of significant interest are cyber-security threats, seafarer access, active shooter threats, TWIC card access procedures and cruise terminal screening requirements. 

All Seebald & Associates facility security training courses address these topics, and our certified master instructors and Coast Guard-approved training courses fully address and inform students of the new topics.  You do not need an audit to know if your training is current and in compliance.  To request an FSO, CSO/OCS FSO, PSD, OCS PSD or AO training course or event please contact Ed Seebald at This email address is being protected from spambots. You need JavaScript enabled to view it., or phone 716-481-5597, and we will help you meet your MTSA training needs. 

The Specific Roles and Responsibilities of Owners and Operators of Regulated Maritime Transportation Security Act for 33 CFR Part 106 Outer Continental Shelf (OCS) Facilities

 

What are the specific duties and responsibilities of MTSA 33 CFR Part 106 Facility Owners and Operators?

33 CFR Part 106 Subpart B – OCS Facility Security Requirements, outlines and describes the roles and responsibilities of owners and operators of 33 CFR Part 106 Facilities. 

As mentioned in the previous blogs, the absolute responsibility for a regulated facility’s security management regime starts and ends with the owners and operators.  While 33 CFR Parts 106 Subparts B, C and D sections are most familiar to Company Security Officers (CSO) and OCS Facility Security Officers (FSO), Subpart B – OCS Facility Security Requirements, identifies more specific requirements that owners and operators are responsible for.  Subpart B also addresses the knowledge, training and experience requirements for CSOs, OCS FSOs, Company or Facility Personnel with Security Duties and All Other persons who work at the facility.  For this final blog focusing on owners & operators, we remain focused on owners and operators of 33 CFR Part 106 Facilities and the specific roles and responsibilities of owners and operators are listed below:

  • Each OCS facility owner or operator must ensure that the OCS facility operates in compliance with the requirements of Subpart B.
  • For each OCS facility, the OCS facility owner or operator must:
    1. Define the security organizational structure for each OCS facility and provide each person exercising security duties or responsibilities within that structure the support needed to fulfill those obligations;
    2. Designate in writing, by name or title, a CSO and an FSO for each OCS facility and identify how those officers can be contacted at any time;
    3. Ensure that a Facility Security Assessment (FSA) is conducted;
    4. Ensure the development and submission for approval of a Facility Security Plan (FSP);
    5. Ensure that the OCS facility operates in compliance with the approved FSP;
    6. Ensure that the TWIC program is properly implemented as set forth in this part, including:
      • Ensuring that only individuals who hold a TWIC and are authorized to be in the secure area are permitted to escort; and
      • Identifying what action is to be taken by an escort, or other authorized individual, should individuals under escort engage in activities other than those for which escorted access was granted.
    7. Ensure that adequate coordination of security issues takes place be- tween OCS facilities and vessels, including the execution of a Declaration of Security (DoS) as required by Subpart B;
    8. Ensure, within 12 hours of notification of an increase in MARSEC Level, implementation of the additional security measures required by the FSP for the new MARSEC Level;
    9. Ensure all breaches of security and security incidents are reported in accordance with part 101 of this sub- chapter;
    10. Ensure consistency between security requirements and safety requirements;
    11. Inform OCS facility personnel of their responsibility to apply for and maintain a TWIC, including the dead- lines and methods for such applications, and of their obligation to inform TSA of any event that would render them ineligible for a TWIC, or which would invalidate their existing TWIC;
    12. Ensure that protocols consistent with 106.260(c) of Subpart B, for dealing with individuals requiring access who report a lost, damaged, or stolen TWIC, or who have applied for and not yet received a TWIC, are in place; and
    13. If applicable, ensure that proto- cols consistent with 106.262 of Subpart B part, for dealing with newly hired employees who have applied for and not yet received a TWIC, are in place.

CSOs and FSOs of CFR Parts 105 & 106, knowing the roles and responsibilities of your owners and operators will help you help them, especially when new persons come on board your facilities in leadership or management roles of your maritime security regime and have no prior experience with MTSA requirements.  Remember any violation issued by U.S. Coast Guard security compliance inspectors is permanently recorded in a database that is shared across the Coast Guard.

Owners and operators, security directors and managers, to ensure your plan renewals and announced and unannounced U.S. Coast Guard compliance inspections will pass training standards, register yourself, CSOs, FSOs and Alternates to attend a U.S. Coast Guard approved Seebald & Associates CSO/FSO training course.  To view a list of current and upcoming courses and for more information on how to register for a course visit www.seebald.com.