Ports are under Cyber-Attack - Prepare now!

Ports are constantly being probed by nefarious actors, and two ports last month confirmed that they had been hacked.

The Port of San Diego CEO, Randa Coniglio, released the following statement on September 26th:

“The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems. The Port first received reports of the disruption on Tuesday, September 25, 2018. The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems.”

The Port of Barcelona, Spain, was hacked the same week.  As alarmingly, victims often do not find that they have been hacked until months later, if ever, because they lack the insight into their networks and information systems.

Prevention is the key, a Seebald & Associates Partner, MAD Security, offers a very affordable Cyber Security 360 Health Check that includes: an external network vulnerability assessment/scan and an assessment of defense strategy and technology.  The deliverable includes a roadmap for meeting gaps in your cyber defenses, an overall rating, ratings in dozens of subcategories, and specific recommendations for how to resolve gaps.   

More information can be found here: http://www.madsecurity.com/360_deg_health_check/

For the months of October and November, MAD Security is offering this cybersecurity assessment for the price of $5,988.  This is the perfect first step for you to have true cybersecurity experts assess your readiness and provide guidance and prioritization for a fraction of the cost that most cybersecurity experts would charge.  To take advantage of this opportunity, please email Cliff Neve at This email address is being protected from spambots. You need JavaScript enabled to view it. or call him at (540) 809 8549.

The latest chapters in the TWIC saga relates mostly to the biometric issue, although they touch on other topics.  First, on August 2, 2018, Transportation Worker Identification Credential Accountability Act of 2018, delayed implementation of a pending Coast Guard regulation (the “reader rule”) which would have required certain higher risk vessels and facilities to use biometrics beginning 23 August of this year.  Even more recently, a report on the TWIC program by the Department of Homeland Security’s Officer of Inspector General (OIG) identified a number of challenges and made recommendations to the Coast Guard on the TWIC program, and in how it oversees the security of waterfront facilities.  The Coast Guard and the Department of Homeland Security agreed with the OIG’s recommendations.

So what does all this mean for vessel and facility operators? 

First, the recent TWIC Accountability Act of 2018 delays implementation of any electronic reader requirement by three years. Of course, Congress could always revise that legislation, and might do so if and when the Coast Guard and DHS complete a previously required report on the TWIC program.  But for now, vessels and facilities are not required to use electronic readers.

  • The OIG report recommends that the Coast Guard more clearly define the facilities that have certain dangerous cargo (CDC) in bulk and which must use electronic TWIC readers as an access control measure.  One issue, yet to be resolved, relates to the presence of bulk CDC on a facility, even if it isn’t transferred to or from a vessel. 

Seebald Analysis:  At a minimum, facilities that store or handle CDC in bulk, even if they don’t transfer it to or from a vessel, must consider that fact when conducting their required security assessments. 

  • The OIG report recommends that the Coast Guard improve (i.e. increase) its use of electronic readers to verify TWICs during Coast Guard inspections at regulated facilities.

Seebald Analysis:  Expect the Coast Guard to significantly increase the number of electronic TWIC verifications they conduct during routine and unannounced inspections.  If they find fraudulent or canceled cards, those workers will not be allowed unescorted access to secure areas.  It could also result in fines or penalties.

  • The OIG report recommends that the Coast Guard “revise and strengthen” its guidance to its facility inspectors concerning TWIC and related facility security requirements. 

Seebald Analysis:  Expect greater consistency and attention to detail by the Coast Guard during routine and unannounced facility inspections. 

Finally, it is worth noting that a common theme in 10 years of TWIC reports, guidance, laws, and regulations has been that the program is fundamental to maritime security, and that the biometric aspect of the TWIC is a key feature, even as the Coast Guard and industry struggle to quantify and leverage its full benefits.  TWIC is certainly here to stay.  Coast Guard inspectors will be using their own electronic readers to verify them during inspections, and certain vessel and facility operators will be required to use readers in the future.  In the meantime, facility and vessel operators who voluntarily use TWIC readers can keep one step ahead of the Coast Guard – and more importantly, potential threats.

First - the definitions we covered in week one of this Blog series explain the differences between these two areas.  In week two, we reviewed Coast Guard guidance regarding these areas.

Second - TWIC requirements address the different areas when an individual who has not applied for a TWIC requires access.  Non-TWIC individuals are required to be escorted by a TWIC holder trained in escorting responsibilities.  In a Secure Area, a TWIC Escort is permitted to escort up to ten Non-TWIC individuals visually or by monitoring.  In a Secure/Restricted Area, the TWIC Escort may escort up to five Non-TWIC individuals side-by-side.

Third – as an FSO, you are also required to implement the provision in your facility’s FSP.  Ensure your facility diagrams are properly labeled, the correct verbiage is being used and that it is up-to-date with the physical infrastructure in use.

Stay secure, others are relying on you!

For all Cruise terminal owners and operators, this blog highlights the regulations on what is required for the Cruise Terminal Screening Program (TSP) and what important dates you need to know.  The Coast Guard issued a final rule eliminating outdated regulations that imposed unnecessary screening requirements on cruise ships and cruise ship terminals.  This final rule replaces these outdated regulations with simpler, consolidated regulations that provide efficient and clear requirements for the screening of baggage, personal items, and person on a cruise ship.  This final rule enhances the security of cruise ship terminals and allows terminal operators to use effective screening mechanisms with minimal impact to business operations.

No later than October 15, 2018, cruise ship terminal owners or operators must submit, for each terminal, a TSP that conforms with the new requirements in 33 CFR 105.505-550, as noted below, as an amendment to their existing Facility Security Plan to the cognizant COTP for review and approval.

No later than April 18, 2019, each cruise ship terminal owner or operator must operate in compliance with an approved TSP and Subpart E – Facility Security: Cruise Ship Terminals.

33 CFR 105.505 through 105.550 highlights the different sections of what is required for the Terminal Screening Program.  The following sections provide details on:

  • 105.510 - Screening responsibilities of the owner or operator
  • 105.515 - Prohibited Items List (PIL) requirements
  • 105.525 - Terminal screening operations
  • 105.530 - Qualifications of screeners
  • 105.535 - Training requirements of screeners
  • 105.540 - Screener participation in drills and exercises
  • 105.545 - Screening equipment
  • 105.550 - Alternative screening

For platinum members to review the regulations, click on the following link:  Cruise Terminal Screening Program

Then click on “FSO Training” tab then “Course Materials” tab and then on the right click on “FSO Course Materials” and you will find it near the bottom.

Restricted Areas outside of the Secure Area are those areas that are deemed essential to the security of your maritime facility and require some level of protection, be it a physical barrier (such as gates and/or fencing), and/or monitoring by security guards, lighting, cameras and/or an intrusion detection system(s).

Common examples of Restricted Areas outside a Secure Area include the FSO’s office with SSI, guard posts outside the fence line, or off-site computer server rooms(s), electrical sub-station(s) that power the facility, and other critical utility feeds such as a water supply value.