CFATS PSP for Tier 3 and 4 Facilities

On July 9, 2019, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published a notice in the Federal Register that announced the implementation of the Personnel Surety Program for all covered CFATS facilities, including Tier 3 and 4 facilities. Regulated CFATS facilities that have an approved SSP/ASP will be notified by the Agency in a phased manner of the need to update their security plans with measures to comply with RBPS 12(iv).

To read more about the PSP requirements, click here and here.

To download a copy of the notice, click here.

Contact us if you need help revising your SSP/ASP and implementing your Personnel Surety Program.

SEAFARERS ACCESS TO MARITIME FACILITIES

On April 1, 2019, the USCG issued a final rule, “Seafarers Access to Maritime Facilities” requiring owners or operators of a maritime facility regulated by the Maritime Transportation Security Act (MTSA) to implement a system providing seafarers, pilots, and representatives of seamen’s welfare and labor organizations access between vessels moored at the facility and the facility gate. Access between the vessel and the gate has to be provided in a timely manner and at no cost to the seafarer or other individuals.

These access procedures must be documented in the Facility Security Plan (FSP) for each regulated Part 105 facility and approved by the local Captain of the Port (COTP). Facility owners or operators will need to amend or update their FSP to ensure that they are in compliance with these requirements. The COTP will then review the submitted amendments to ensure they are in compliance with the requirements listed in 33CFR105.237 (c)-(e).

Important dates associated with the regulation:

  • May 1, 2019 – Seafarers’ Access to Maritime Facilities regulation became effective;
  • February 3, 2020 – The system of access must be documented in the FSP; and,
  • June 1, 2020 – The facility owner or operator must implement their system of access.

33CFR105.237 (c)-(e) Requirements:

(c) Timely access

(d) Access methods

(e) No cost to individuals

House Committee to markup CFATS Bill

From Chemical Facility Security News

The House Homeland Security Committee has scheduled a mark-up hearing of HR 3256, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. The bill would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for another 5 years. The new bill will also provide a number of amendments to the current bill.

To read an in-depth review of the bill, please click here and here.

Thanks again to PJ Coyle for the detailed analysis of the bill.

To read more about CFATS, click here.

TWIC Advisr App Beta Release

The TSA has released a beta version of their TWIC Advisr app. The app allows individuals to scan a TWIC using their phone. The app will scan the barcode on the back of the TWIC, or the CIN can be entered manually, and verify if the TWIC is on the Canceled Card List (CCL).

This is a huge improvement for the TWIC program and for facility personnel to verify if a TWIC is on the CCL. Previously the only way to do this accurately was to have a TWIC Reader and the supporting software to run the check against the CCL.

Click here for a link to the TWIC Advisr Beta Release presentation.

Cyber Adversaries Targeting Commercial Vessels

From Coast Guard Maritime Commons:

The Office of Commercial Vessel Compliance issued Marine Safety Information Bulletin 04-19, “Cyber Adversaries Targeting Commercial Vessels,” to inform the maritime industry of recent email phishing and malware intrusion attempts that targeted commercial vessels.

Cyber adversaries are attempting to gain sensitive information including the content of an official Notice of Arrival (NOA) using email addresses that pose as an official Port State Control (PSC) authority such as: port @ pscgov.org. Additionally, the Coast Guard has received reports of malicious software designed to disrupt shipboard computer systems. Vessel masters have diligently reported suspicious activity to the Coast Guard National Response Center (NRC) in accordance with Title 33 Code of Federal Regulations (CFR) §101.305 – Reporting, enabling the Coast Guard and other federal agencies to counter cyber threats across the global maritime network.

As a reminder, suspicious activity and breaches of security must be reported to the NRC at (800) 424-8802. For cyber attempts/attacks that do not impact the operating condition of the vessel or result in a pollution incident, owners or operators may alternatively report to the 24/7 National Cybersecurity and Communications Integration Center (NCCIC) at (888) 282-0870. When reporting to the NCCIC, it is imperative that the reporting party notify the NCCIC that the vessel is a Coast Guard regulated entity in order to satisfy 33 CFR §101.305 reporting requirements. The NCCIC will in turn forward the report to the NRC, which will then notify the cognizant Coast Guard Captain of the Port.

The Coast Guard urges maritime stakeholders to verify the validity of the email sender prior to responding to unsolicited email messages. If there is uncertainty regarding the legitimacy of the email request, vessel representatives should try contacting the PSC authority directly by using verified contact information. Additionally, vessel owners and operators should continue to evaluate their cyber defense measures to reduce the effect of a cyber-attack.

To read more on Coast Guard Maritime Commons, click here.

Port Security Grant-Themed Malicious Email (TLP-GREEN)

MPS-ISAO Warning Report, “Malicious Port Security Grant-Themed Email”. The MPS-ISAO received an email sample from a U.S. Port customer this morning, and has confirmed that it is malicious. The distribution list for this port security grant-themed email was over 500. Please click here to see the report for email indicators.

Thanks Lester Millet for the report.

Lester J. Millet III, LEM
Safety Agency Risk Manager / FSO Workgroup Chairman
Port of South Louisiana

Identification of Additional Facilities and Assets at Risk

DHS Issues 60 Day ICR Notice for CSAT

From Chemical Facility Security News

Yesterday the DHS Cybersecurity and Infrastructure Security Agency, the agency that oversees the CFATS program, published a 60-day Information Collection Request (ICR) notice for revisions to the Chemical Security Assessment Tool (CSAT). The notice is intended to revise collection and burden estimates for data collection using CSAT 2.0.

Also included in yesterday’s ICR notice is a detailed review of the risk identification tool, Identification of Additional Facilities and Assets at Risk, that DHS is using to collect data during compliance inspections. At facilities that ship and receive COIs, the facilities are requested to voluntarily provide information on:

  • Shipping and/or receiving procedures
  • Invoices and receipts
  • Company names and locations that COI is shipped and/or received from

Facilities that are identified as having SCADA, DCS, PCS, or ICS systems are requested to voluntarily provide information on:

  • Details on the system(s) that controls, monitors, and/or manages small to large production systems as well as how the system(s) operates.
  • Whether the system is standalone or connected to other systems or networks, and the specific brand and name of the system(s)

Thanks to PJ Coyle for the information on this ICR. To read a more detailed review of the ICR, click here. While there, subscribe to PJ’s blog.

Do you need a DOT HAZMAT Security Plan?

If you transport certain hazardous material, you probably need to implement a security plan. Many oil and gas operators are already familiar with the U.S. Coast Guard Maritime Transportation Security Act (MTSA) and DHS Chemical Facility Anti-Terrorism Standards (CFATS), but many are not familiar with the U.S. Department of Transportation’s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) HAZMAT Site Security Plan requirements (49 CFR Part 172.800). The rule took effect in September 2003 and requires companies that transport hazardous material to establish a written security plan. The regulation also sets specific security training requirements for HAZMAT drivers and HAZMAT employees.

Security Plan Requirements

The security plan must include an assessment of the transportation security risk for HAZMAT shipments, including site-specific and location-specific risks associated with the facilities at which the materials are prepared for transport, stored, or unloaded incident to movement, and appropriate measures to address the assessed risks. At a minimum, the security plan must include the following elements:

  • Personnel security;
  • Unauthorized access;
  • En route security;
  • Identification by job title the senior management official responsible for the development and implementation of the security plan;
  • Security duties for each position or department responsible for implementing the plan; and
  • A plan for training HAZMAT employees.

Training Requirements

The regulation requires the company/facility to ensure that each of its hazmat employees receives security awareness training as well as in-depth security training.

For more information on the DOT regulation, click here.

Last Minute Deal Extends CFATS Program

According to The Hill, Senators have struck a last-minute deal to extend the Chemical Facility Anti-Terrorism (CFATS) program. This program regulates how manufacturers must guard against potential terror attacks.

Congress will now vote on the bill to reauthorize the CFATS program for 15 months. The CFATS program was set to officially expire at the end of Thursday, January 17, 2019.

To read more about CFATS, click here.

To read The Hill article, click here.

To read more on the bill, click here.

 

The Persistent Threat of Terrorism

Since 2013 there have been 159 homegrown jihadist cases in 30 states. Recent examples of homegrown terror-related incidents cited in the report include the case of a 28-year-old Ohio resident, Laith Alebbini, who was arrested Sept. 5 and charged with attempting to provide material support to ISIS. Also on Sept. 5, 26-year-old Alexander Ciccolo of Adams, Mass., was sentenced to 20 years in prison for the same crime. According to the snapshot, Ciccolo “planned to use pressure cooker explosives and firearms to target places where large numbers of people congregated, such as college cafeterias.” Ciccolo is the son of a Boston police captain.

To read more, click here.