Conducting Your Drills & Exercises

Last week’s blog discussed planning your Drills & Exercises.  Once you’ve decided on what you’re testing and planned a scenario, it’s time to put your plan into action.  Remember that we’re focusing on a single element of your FSP for a Drill, while an Exercise tests the entire FSP and requires active and substantial FSO participation.

Since you’ve taken the time to plan your Drill or Exercise, conducting the evolution becomes a matter of choosing a time and location.  We have found it’s best to test personnel at the places where they work (e.g., at guard posts, or at their work areas) and at access points.  We suggest finding a time during the shift when there are fewer distractions and personnel can focus on the drill, such as after the morning or afternoon rush hour at your vehicle or pedestrian gates. 

Explain the Drill or Exercise to the participants.  It’s okay to remind the personnel that you’re only testing the specified FSP element to keep the Drill focused.  Once you’ve described the scenario, then allow the participants to explain and demonstrate what they would do in response.  Use your pre-planned questions to help guide the drill and ensure you’re thoroughly exploring the FSP element.

Remember that your Drill or Exercise is not a training event.  If, as you proceed through the evolution, it becomes clear that the participants are failing, stop the Drill or Exercise and shift to training instead.  Return at a different time and try the Drill or Exercise again.  If you have contract security personnel who fail, it’s important to hold the contractor accountable, especially if they’re responsible for providing qualified personnel to your facility!

Next up will be documenting your Drills & Exercises – stay tuned for next week…

Planning Your Drills & Exercises

The success of your drill or exercise depends largely on how well you plan it.  The first step is to decide what you will test.  Remember that Drills test individual elements of your FSP, while Exercises are a full test of the security program and must include substantial and active participation of FSOs. 

This leaves us to choose the single FSP element to focus on for our Drill.  There are many options, but where can we find them?  Your menu of FSP elements is located in 33 CFR 105’s table of contents.  For example, there are 18 elements listed in Subpart B (plus four additional elements for specially designated facilities).  Each one of these elements can serve as the basis for your Drill.

The second step is to develop a scenario.  Here’s where you can get creative.  Think of a simple situation that will test the individual FSP element.  Be careful not to overcomplicate things!  For examples of Drill scenarios, look to the monthly Drill reminders that Seebald & Associates provide to our Platinum members. 

The scenario for an Exercise is often more complicated than a Drill, as we’re testing the entire FSP.  Remember, the exercise must have a security focus and the FSO must substantially and actively participate.  Each exercise must test communication and notification procedures, and elements of coordination, resource availability, and response.  In many cases, the Exercise is a series of scenarios or events.  If you are plugged into your local AMSC, there may be opportunities to participate in area or regional exercises for credit.

The third step is to decide who will be tested.  This can include your Alternate FSO(s), Personnel with Security Duties, and All Other personnel.  As we do with the S&A monthly Drill reminders for Platinum members, develop a series of questions beforehand to help guide the Drill or Exercise.  Here’s a hint:  Refer to the specific section of your FSP for the element tested to develop pointed questions.

If you have a vessel moored at your facility, you can ask the Master or VSO if they’d like to participate in your Drill or Exercise.  Similar to maritime facilities, vessels also have Drill & Exercise requirements. 

Next week we’ll explore how to conduct your Drills & Exercises…

In our previous blogs, we discussed protecting our networks from cyber-attacks, the reasons why we protect our networks, and some common cyber-attacks.  The U.S. Coast Guard is acutely aware of the impacts of cyber security on the maritime transportation system.  Cyber security will become an integral component of your FSP.  This final blog covers how the U.S. Coast Guard is addressing these topics as they review and approve your FSP.

In October, Cyber Security Awareness month, the U.S. Coast Guard provided five key cyber security questions and challenges in the maritime industry.  Here is the link to that information:  http://mariners.coastguard.dodlive.mil/2017/10/30/10302017-natl-cybersecurity-awareness-month-five-key-cyber-questions-and-challenges-facing-the-maritime-industry/

The U.S. Coast Guard has prepared a draft NVIC to help guide inclusion of cyber security in your FSP.  The draft is “based on the National Institute of Standards and Technology (NIST) Cyber security Framework (CSF) and NIST Special Publication 800-82.”  As we teach in our FSO courses, the U.S. Coast Guard is utilizing cyber industry standards and requirements to aid in providing this guidance.  Specifically, the draft states “how those existing requirements relate to cyber security measures, and what would be recommended to be included in the FSP.”

Seebald & Associates provided feedback to the U.S. Coast Guard office that prepared this draft NVIC, and we will closely monitor the development of the cyber security requirement(s) for your FSP.  At Seebald & Associates, we are committed to keeping abreast of this topic and will share updates as they become available, after confirming their validity.  The Seebald & Associates team is standing by to assist your facility when including cyber security in your FSP becomes a requirement.

Remember, being vigilant in the maritime security environment is about more than the physical aspect; it also includes cyber security for your networks.

In our last blog, we discussed several common cyber-attacks; this week we will discuss some common ways to protect against them. We will also identify some detection methods for recognizing these “attacks”.

Before discussing the protection and detection methods, this is a good time to explore the idea of identifying a specific cyber security expert within your organization. Depending on the size of your organization, this may be a full-time position within your IT department. Because cyber security affects almost all facets of an organization, the cyber security expert would need to educate every level of the organization about cyber security methods and the procedures your organization uses. Finally, an on-staff cyber security expert can advise an organization on the latest trends, install appropriate security measures (firewalls, air gaps, etc.) and monitor the organization’s network.

The following is a short list of common cyber hygiene practices. This is in no way an all-inclusive list but is a good starting point to protect against a cyber-attack:

  • Use of a strong password – Although this may seem like an overly simplistic method, the utilization of a strong password is one of the most basic steps in cyber security.
  • Practice and enforce cyber hygiene – Establish an organizational protocol (including strong passwords) that clearly defines cyber hygiene. Some examples include: locking computer screens when not in use, preventing the download of unauthorized software, educating employees about cyber threats, and limiting the number of personnel with administrative privileges.
  • Updated Software – Old or outdated software may provide an avenue for accessing a network. New/updated software generally identifies and remedies security shortcomings in previous editions.
  • Upgraded aging infrastructure – In addition to updating software, upgrading an organization’s aging hardware and components can assist in protecting against an attack.
  • Back up data – Have a system (cloud-based or separate local storage) where your system and data are backed up in case of a cyber-attack or other catastrophic loss. A data backup can reestablish your facility’s operation if an attack causes data loss.

Although protection from a cyber-attack is paramount, the detection of a cyber-attack is also extremely important. In some cases, the detection of a cyber-attack may enable protective measures to be employed thereby preventing significant damage or system outages. 

  • System slowdown – Any significant reduction in Internet speed should be reported immediately to the IT department or help desk.
  • Email attachments – At no time should an email attachment from an unknown sender be opened. These attachments may contain malware and could cause serious problems.
  • Identify emails from unknown sources – An “official” looking email may be initiating a cyber-attack. Responding to a suspicious email can be just as risky.

Almost all cyber-attacks involve some type of human interaction. One of the best ways to detect AND protect against a cyber-attack is educating your team. A properly trained end user will be able to detect a suspicious email, a system slowdown or other unusual network activity and report it to prevent a cyber-attack.

I have been getting many calls from near and far regarding the TWIC Final Rule requirements that go into effect August 23, 2018.  My advice to you has not changed since our last conversation when I visited this topic. 

The Coast Guard is not going to release anything in writing until the final rule making process has been completed.  The timing of that release would only be a guess.

My advice to you is - If you are in Risk Group A: 

You will be required to use TWIC Readers or Physical Access Control System (PACS) that meets electronic TWIC inspection requirements (Card Authentication, Card Validity & Identity Verification).  If those access points do not have the infrastructure (power and connectivity) to the nodes where you are planning to install fixed TWIC readers or PACS, continue planning and installing the infrastructure because civil engineering, project planning, trenching and running power and connectivity are your long lead-time projects. 

If your access points (turnstiles, gates, and doors) already have PACS but do not meet electronic TWIC inspection requirements, you should WAIT to replace the PACS hardware and software.

Do not buy the readers, software or hardware!  Research and evaluate systems, but do not commit resources just yet.

My reason for this advice:

- Technology is advancing so quickly and the price is continually decreasing. If you buy it now it could be obsolete by the time the Coast Guard is going to enforce the law. 

- We are evaluating multiple hardware and software options at this time and hope to have some of these vendors at the Facility Security Symposium in June of 2018.

- Wait for the Coast Guard to come out with their written enforcement guidance. It is common practice for them to provide industry a grace period to allow facilities to purchase, install and execute all of the hardware and software, modify the FSPs and educate their people.

- During a major construction period, you can still use portable readers if your infrastructure is not in place.

Final thoughts: patience is a virtue and the bureaucracy moves very, very slowly.

We will keep you advised.

 

Ed