Remember that we first defined security risk as the product of threat, vulnerability, and consequences. We know that there are steps we can take to reduce, but not eliminate, the risks associated with threats and vulnerabilities. But what about consequences? If all else fails, is there anything we can do once the event happens except pick up the pieces?
The short answer (spoiler alert!) is yes. As with threats and vulnerabilities, it is helpful to bucket consequences into logical categories, and from there work out risk reduction strategies. We can begin with operational risks, such as loss of life/injuries, environmental damage, and property/equipment damage.
First aid kits, pollution responders on retainer, and having repair plans and critical spare parts identified are all ways of reducing the operational consequences of a security incident. Some options are direct, simple and lifesaving. For example, research has shown that the use of tourniquets and direct pressure can save lives, see https://www.dhs.gov/stopthebleed. That sounds like a great way of reducing consequences to me.
In other cases, detailed written contingency plans (including your FSP/VSP) and exercises that test those plans will enable you to deal with security events as managed incidents, rather than react to them in crisis mode. If possible, train your personnel in the Incident Command System (ICS). The Coast Guard, other federal agencies, and many state/local responders use ICS, and you want to be able to interface with them.
Business risk is another important category. Business risk speaks to your ability to resume normal trade activity as soon as possible after an incident. Without a plan, a prolonged shutdown or mismanaged restart could result in the loss of customers, reputation, and market share, followed by a loss of key employees. The Coast Guard includes “transportation system disruption, or economic disruption” in its definition of a Transportation Security Incident. This recognizes that business continuity is an objective of the Maritime Transportation Security Act regulations.
To address business risk, identify the key personnel, systems (including IT/cyber), supplies, equipment, and partner organizations you need to conduct normal business operations. Who will notify them of an incident at your facility/vessel? How many of them might themselves be impacted during a security incident or natural disaster? Who and what can’t you do without? Are backup personnel available? How about expensive and difficult-to-replace equipment such as electrical transformers? Who has the knowledge, budget, and authority to implement contingency plans? A thoughtful review of these issues can help you identify critical paths and improve day-to-day efficiency through streamlining, while also identifying desirable redundancies or alternatives you may want to put in place for the day they are needed.
A third risk category is compliance risk. A vessel or facility not in compliance with Coast Guard regulations could face consequences such as fines, penalties, or even a Captain of the Port order to cease all operations until the regulatory deficiency is addressed. While full compliance with your FSP/VSP certainly can’t guarantee a security incident won’t occur, failure to abide by those standards will make it easier for threats to exploit vulnerabilities, which will lead to operational consequences. Even without a security incident, significant or recurring compliance problems can lead to increased business risks as customers, shareholders, insurance providers, and others take note and act in their own interests.
Audits, training, drills, exercises, and an FSP/VSP customized for your operation can help minimize compliance risk. If the Coast Guard does note a violation, quickly and professionally correcting the issue can keep a minor incident from becoming a pattern of problems.
At Seebald & Associates, we can help companies address all of these risks. Our risk-based assessment process, which we use as the baseline for FSPs and VSPs, addresses each of these types of risk. Our audits, exercises, drills, and training services improve compliance and help identify potential improvements to your security program. And while our discussion has been security focused, all of these principles apply equally to environmental incidents, natural disasters, and other significant disruptions to your business activity.
We’re not quite done with our risk discussions however. Cyber systems have some similarities, but also some important differences in their relationship to threat, vulnerability, and consequences. Provided that malware doesn’t take down your system, keep watching this space for some thoughts on that topic in the near future.
Coming to a Rig Near You
- Posted by Edward Seebald
All Maritime Transportation Security Act (MTSA) Regulated Outer Continental Shelf (OCS) Facility Owners & Operators
Word is out that the U.S. Coast Guard is going to increase its efforts on MTSA security compliance inspections and oversight of all MTSA regulated OCS facilities in the Gulf of Mexico starting in early 2019. What this means to you is that the Coast Guard will annually conduct one announced and one unannounced spot check of your security compliance requirements from 33 CFR Part 106 and Coast Guard Navigation & Vessel Inspection Circular 05-03 (Implementation Guidance for the Maritime Security Regulations Mandated by the Maritime Transportation Security Act of 2002 for Outer Continental Shelf Facilities).
Be aware that your Company Security Officer, OCS Facility Security Officer, OCS Facility Personnel with Designated Security Duties, and all other OCS personnel must be trained and certified by an approved training provider. In addition to the increased focus on MTSA compliance, 2019 is also the year in which the required five-year renewal of your OCS Facility Security Assessment and OCS Facility Security Plan comes due for most operators.
Seebald & Associates is a Coast Guard recognized and approved training provider for 33 CFR Part 105 Facility Security Officers & Maritime Personnel with Designated Security Duties and has provided training since 2003. Seebald & Associates is proud to offer OCS MTSA security compliance products and services along with a Company Security Officer (CSO)/OCS Facility Security Officer training course beginning in 2019. Seebald & Associates has submitted a CSO/OCS Facility Security Officer training course for Coast Guard approval. Upon Coast Guard approval, Seebald & Associates will be the only company with an approved CSO/OCS training course and we’ll be offering courses soon, so be on the lookout for our email flyer to register.
Coast Guard regulations require an annual, third party audit of your MTSA program. Seebald & Associates currently offers these audits for onshore-based MTSA regulated facilities and is now poised to offer the same to offshore facilities. A Seebald & Associates audit will help you improve overall security as well as meet all audit requirements, including your compliance with all laws, regulations, and government agency policies relevant to MTSA. A Seebald & Associates audit can also include training for your personnel, as well as drills and exercises, as needed.
If you are behind on your audit requirements, contact Seebald & Associates as soon as possible to schedule the audit and avoid fines and penalties. Note that the Coast Guard has the authority to prohibit all operational activities if it determines that an onshore or offshore facility does not meet security regulations.
Seebald & Associates can also help you write or renew your onshore or offshore Facility Security Plan. These plans must be resubmitted every five years, and most offshore plans will expire on or about July 1, 2019. A well-informed security assessment is the foundation of a quality security plan and program. We can help you conduct a security assessment and develop a security plan that meets Coast Guard requirements, improves security, and aligns with your business operations.
Seebald & Associates offers access to its premium website for graduates of its security officer courses. Additionally, recommended drills are offered every month to meet the MTSA requirement of conducting a security drill every three months. Simply execute and document the provided drill and it will keep you in compliance with Coast Guard security drill requirements. We offer a facility compliance tool kit for our clients that helps your security personnel ensure they are fully prepared for announced and unannounced Coast Guard inspections.
Seebald & Associates has a strong reputation and record in meeting and exceeding established Coast Guard security compliance standards, and we always stand by our clients. We look forward to working with you.
Our previous blogs defined risk as a combination of threat, vulnerability and consequences. This week, I’d like to focus on vulnerability.
A vulnerability is a potential weakness in our defenses, a chink in our armor. Much as we’d like to be perfectly protected from any possible threat, we know that isn’t practical or even possible. We do need to identify and evaluate potential vulnerabilities, and then decide what action, if any, to take to address them.
To begin, recognize that your organization is a business, with all manner of people and things coming and going. Legitimate points of entry (think gates and gangways) are your first consideration. How are those points monitored and controlled? How do you screen the legitimate from the nefarious? Consider people (employees, contractors, visitors), vehicles, cargo, supplies, and special deliveries (packages, ships’ stores).
Next consider the not-so-legitimate access points (fence lines and gunwales) and ask the same questions. For both categories, put yourself in the mind of an adversary, and think about how they might get to a point where they can cause harm. Could a person gain access to your ship or facility using a fake TWIC or other form of identification? How well do you check vehicles? Are there areas of your fence line that are in poor condition, or shielded from view by buildings, poor lighting, or vegetation? How are packages and mail handled? How about ships’ stores? Could small boats, divers, or other waterborne threats approach your facility or vessel without being detected?
Chances are, all of these and more are potential vulnerabilities.
But wait, there’s more! What if the threat was an “insider” – a regular crew member or employee? How difficult would it be for such a person to access restricted areas, sabotage critical equipment, or to bring a weapon or dangerous device on board? How about cyber vulnerabilities? Could hackers disrupt your critical processes, or “spoof” someone’s email? Could you even detect such an attack, much less defend against it?
Coast Guard regulations attempt to help operators identify vulnerabilities by specifying certain topics in the security assessment and plan, such as “measures to protect computer systems and networks” and “security measures for handling cargo.” While these requirements are a good starting point, you and your colleagues are the best people to identify your vulnerabilities.
Once you’ve identified the various ways people, vehicles, cargo, and data can enter your facility or vessel, you can start to prioritize them, and identify ways to minimize risk. Your facility is not Fort Knox, and your vessel is not a carrier battle group, but there are measures you can take to reduce (not eliminate) any vulnerability. Typical solutions might include:
- Infrastructure (fencing, gates, ship design)
- Equipment (lighting, cameras, metal detectors)
- Procedures (screening, roving patrols, escorts)
- Training, drills, and exercises
- Cyber security measures (authentication procedures, data logging, monitoring)
- Audits and inspections
Security measures must be practical, effective, and aligned with your business operations. Prioritizing is key. Not all vulnerabilities are equal, and not all security measures are equally effective against all vulnerabilities.
At Seebald & Associates, we help our clients identify and prioritize threats and vulnerabilities, and develop the most cost-effective security measures to address them. These measures become the basis of your Coast Guard required security plan.
As mentioned earlier, there are chinks in every armor. We can’t eliminate every vulnerability. That means we must prepare for possible consequences. Tune in next week for a discussion of consequences, preparedness, resilience, and how to mitigate the compliance, operational, and business risks from a security incident.
Our previous blog defined risk as a combination of threat, vulnerability and consequences. This week, I’d like to focus on threat.
When one hears “threat” in a security discussion, the natural tendency is to equate threat to whatever powerful, overseas terrorist organization is currently in the news. While those organizations certainly mean us harm, ending the discussion there overlooks many possible threats, and leaves us with little understanding of actions we can take.
A better approach is to create categories that help us identify and describe threats, and then use that understanding to reduce risk. Bucketing threats by where they originate (internally, locally, or globally) is one method.
- Internal threats originate within the fence line of our facilities, or the gunwales of our ships. They could be employees, contractors, customers or crew with a deliberate intent to cause harm, or they could simply be careless in keeping the gates closed and the hatches locked down when required.
- Local threats originate nearby. Are you in a high crime area? Are there drug gangs or other organized criminal operations? Is the area known for civil disobedience? Could the properties outside your gates be used for surveillance or a staging area, or might they be a target themselves, with you as the conduit or collateral damage? And remember the waterside! What is the mix of recreational and commercial vessel traffic in the area? Would an unusual vessel stand out? Are there dive shops nearby? Are the water conditions such that an underwater threat is plausible?
- For global threats, we don’t need our own spy network to make some useful observations, just pay attention to the news. Package bombs, mass shootings and the use of vehicles against pedestrians have all been, or continue to be, common threats. “Lone wolf” and copycat attacks mean that we can identify these as plausible threats even if we know nothing about the individuals who might carry them out. What has changed in the world since your last risk assessment that might suggest a new threat?
At Seebald & Associates, we help our clients identify threats and imagine how they might play out against their business operations. Results are best when the company can provide personnel from across their business enterprise – operators, managers, labor, IT/cyber specialists, and others. A diverse team ensures that the group will identify threats that a narrower group won’t think of. A diverse group also helps identify diverse solutions.
Tune in to this website next week for a discussion of vulnerability – or, what is our exposure to all of those threats?
Here at Seebald & Associates, we strive to provide the very best security consulting services to the maritime industry. We can (and do) help companies meet specific Coast Guard regulatory security requirements. Our goal goes beyond regulatory compliance, and aims to help companies reduce all manner of security related risks.
This is the first of a series of blogs that attempt to explain what we mean by risk, and how we can help companies identify, define, evaluate, and ultimately reduce that risk.
Risk is made up of the components of threats, vulnerabilities, and consequences
Risk comprises threats, vulnerabilities, and consequences; the threat component is tied to target desirability. Target desirability, commonly treated as the likelihood that some negative event will occur, derives from the vulnerability to and the consequences of that event. For example, what is the risk associated with me forgetting to bring my spiffy Seebald & Associates jacket on my next business trip? Well, I can be forgetful when I pack, so let’s say that the likelihood of me forgetting is pretty good. That’s fairly high, but fortunately, the consequences aren’t that severe. Our founder, Ed Seebald, might give me a hard time if he sees me without the jacket (he bought it after all), but even without it, I can still deliver world class security services.
The likelihood component of risk is usually addressed with preventive measures (such as a checklist for my packing), while consequences are usually addressed with response actions and contingency plans (such as me buying Ed dinner so he forgets about me not wearing the company jacket). They say an ounce of prevention is worth a pound of cure, and in this case, me using a checklist is cheaper than me buying Ed dinner, but it’s best to look at both components to determine the most cost-effective techniques for any given situation.
A high quality vessel or facility security plan can reduce both the likelihood of a security incident, and the potential consequences if an incident does occur. At Seebald & Associates, we work with facility and vessel operators to understand all aspects of their security risks, and to develop programs that address those risks effectively, while still meeting all applicable Coast Guard regulations. More on that process, and a discussion of operational, business, and compliance risks, when we continue this series next week.