Cyber Security - How to Protect Your Facility.
- Posted by Cliff Neve
Seebald & Associates’ and MAD Security’s Cliff Neve delivered a webinar on October 25th discussing the recent cyber attacks at the Ports of Barcelona and San Diego. Cybersecurity has many analogies to physical security, and bad actors use the same basic steps to exploit victims’ information, property, and information systems. In addition, the convergence of information technology (IT) with operational technology (OT) allows for expanded access for administrators and operators to industrial control systems, camera systems, and other OT devices. It also, however, expands the attack surface for nefarious cyber actors, and Cliff discussed the ways to protect your converged networks from threats.
Most companies cannot afford to hire their own 24/7/365 cyber security operations center personnel, nor should they spend the money for at least a dozen people (~five people per 24/7/365 watch position), the facility, the software and licenses, the training for personnel, and the management oversight necessary to secure their information and information systems.
Seebald and Associates have partnered with MAD Security to offer a very affordable alternative: 24x7x365 Managed Security Services, including network monitoring and vulnerability scanning, that will harden your IT systems and allow for quick detection of cyber intrusions.
TWIC FINAL RULE ENFORCEMENT DELAY CONFUSION? HERE ARE YOUR ANSWERS…
- Posted by Ivan Ramirez
TWIC FINAL RULE ENFORCEMENT DELAY CONFUSION?
HERE ARE YOUR ANSWERS…
Per the H.R. 5729 law passed by Congress in July 2018, the Coast Guard is required to submit a report summarizing the DHS led security assessment study on TWIC readers. The study is currently being conducted and not expected to be completed until sometime late Spring of 2019. For at least 60 days after the report is submitted to Congress, TWIC Reader requirements are delayed for all Certain Dangerous Cargo (CDC) facilities to include facilities handling CDC but do NOT transfer them to or from vessels and receive vessels certified to carry 1000 or more passengers. Below explains where and how the confusion came about.
On August 23, 2016 the Coast Guard published a final rule in the Federal Register named “Transportation Worker Identification Credential (TWIC) Reader Requirements,” which was to be implemented on August 23, 2018. As we got closer to the effective date of this regulation, rumors started circulating that the Coast Guard would delay implementation.
In June 2018, the Coast Guard published a Notice of Proposed Rulemaking that delayed for three years the implementation of TWIC readers for facilities that handle CDCs in a non-maritime nexus, meaning they do not receive or transfer them to or from vessels. In July 2018, a court order delayed the enforcement of TWIC readers for all facilities handling CDC either by maritime means or by land.
Shortly after the court ruling, Congress passed a law, the aforementioned H.R. 5729, prohibiting the Coast Guard from implementing and enforcing the TWIC Reader requirements on any CDC facility and cruise ship terminals for at least 60 days after the Coast Guard provides Congress with a TWIC Reader security and feasibility study. This study is currently underway. The study is expected to be completed by late Spring of 2019. DHS and the Coast Guard will then review and assess the study before submitting their final report to Congress. This review process may take several weeks or months.
What does this mean for your facility and your business?
The regulatory delay is so the Coast Guard can reconsider the effectiveness and scope of the TWIC Final Rule and to re-evaluate which facilities would be subject to the electronic TWIC inspection requirements. The TWIC program’s purpose is clear - to keep persons who may be a security risk away from secure areas of vessels and waterfront facilities.
Key take-away points:
Expect the Coast Guard to significantly increase the number of TWIC verifications (with their own electronic readers) during their routine and/or unannounced inspections;
Certain vessel and facility operators will be required to use readers in the future;
TWIC is here to stay…so facility and vessel operators who voluntarily use their TWIC readers will be one step ahead; and
Seebald & Associates International is ready to assist you in getting ahead of the game by reducing your exposure to compliance risk, whether for the TWIC Final Rule or any regulatory concern you may have.
We’re proud of our reputation in helping you keep your facility and our nation’s ports secure.
Maritime Ports Are Under Cyber-Attack - Two Ports Attacked In Same Week.
- Posted by Cliff Neve
Ports are under Cyber-Attack - Prepare now!
Ports are constantly being probed by nefarious actors, and two ports last month confirmed that they had been hacked.
The Port of San Diego CEO, Randa Coniglio, released the following statement on September 26th:
“The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems. The Port first received reports of the disruption on Tuesday, September 25, 2018. The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems.”
The Port of Barcelona, Spain, was hacked the same week. As alarmingly, victims often do not find that they have been hacked until months later, if ever, because they lack the insight into their networks and information systems.
Prevention is the key, a Seebald & Associates Partner, MAD Security, offers a very affordable Cyber Security 360 Health Check that includes: an external network vulnerability assessment/scan and an assessment of defense strategy and technology. The deliverable includes a roadmap for meeting gaps in your cyber defenses, an overall rating, ratings in dozens of subcategories, and specific recommendations for how to resolve gaps.
More information can be found here: http://www.madsecurity.com/360_deg_health_check/
Office of Inspector General TWIC Program Review Report
The latest chapters in the TWIC saga relates mostly to the biometric issue, although they touch on other topics. First, on August 2, 2018, Transportation Worker Identification Credential Accountability Act of 2018, delayed implementation of a pending Coast Guard regulation (the “reader rule”) which would have required certain higher risk vessels and facilities to use biometrics beginning 23 August of this year. Even more recently, a report on the TWIC program by the Department of Homeland Security’s Officer of Inspector General (OIG) identified a number of challenges and made recommendations to the Coast Guard on the TWIC program, and in how it oversees the security of waterfront facilities. The Coast Guard and the Department of Homeland Security agreed with the OIG’s recommendations.
So what does all this mean for vessel and facility operators?
First, the recent TWIC Accountability Act of 2018 delays implementation of any electronic reader requirement by three years. Of course, Congress could always revise that legislation, and might do so if and when the Coast Guard and DHS complete a previously required report on the TWIC program. But for now, vessels and facilities are not required to use electronic readers.
- The OIG report recommends that the Coast Guard more clearly define the facilities that have certain dangerous cargo (CDC) in bulk and which must use electronic TWIC readers as an access control measure. One issue, yet to be resolved, relates to the presence of bulk CDC on a facility, even if it isn’t transferred to or from a vessel.
Seebald Analysis: At a minimum, facilities that store or handle CDC in bulk, even if they don’t transfer it to or from a vessel, must consider that fact when conducting their required security assessments.
- The OIG report recommends that the Coast Guard improve (i.e. increase) its use of electronic readers to verify TWICs during Coast Guard inspections at regulated facilities.
Seebald Analysis: Expect the Coast Guard to significantly increase the number of electronic TWIC verifications they conduct during routine and unannounced inspections. If they find fraudulent or canceled cards, those workers will not be allowed unescorted access to secure areas. It could also result in fines or penalties.
- The OIG report recommends that the Coast Guard “revise and strengthen” its guidance to its facility inspectors concerning TWIC and related facility security requirements.
Seebald Analysis: Expect greater consistency and attention to detail by the Coast Guard during routine and unannounced facility inspections.
Finally, it is worth noting that a common theme in 10 years of TWIC reports, guidance, laws, and regulations has been that the program is fundamental to maritime security, and that the biometric aspect of the TWIC is a key feature, even as the Coast Guard and industry struggle to quantify and leverage its full benefits. TWIC is certainly here to stay. Coast Guard inspectors will be using their own electronic readers to verify them during inspections, and certain vessel and facility operators will be required to use readers in the future. In the meantime, facility and vessel operators who voluntarily use TWIC readers can keep one step ahead of the Coast Guard – and more importantly, potential threats.
Secure Areas and Secure/Restricted Areas – what’s the big deal?
- Posted by John Bingaman
First - the definitions we covered in week one of this Blog series explain the differences between these two areas. In week two, we reviewed Coast Guard guidance regarding these areas.
Second - TWIC requirements address the different areas when an individual who has not applied for a TWIC requires access. Non-TWIC individuals are required to be escorted by a TWIC holder trained in escorting responsibilities. In a Secure Area, a TWIC Escort is permitted to escort up to ten Non-TWIC individuals visually or by monitoring. In a Secure/Restricted Area, the TWIC Escort may escort up to five Non-TWIC individuals side-by-side.
Third – as an FSO, you are also required to implement the provision in your facility’s FSP. Ensure your facility diagrams are properly labeled, the correct verbiage is being used and that it is up-to-date with the physical infrastructure in use.
Stay secure, others are relying on you!