Recently the U.S. Coast Guard published a Marine Safety
Information Bulletin (attached) regarding an incident involving a ransomware
intrusion that occurred at a Maritime Transportation Security Act (MTSA)
regulated facility. The virus, identified as “Ryuk” ransomware, may have
entered the network of the MTSA facility via an email phishing campaign. The
ransomware was able to gain access to significant Information Technology (IT)
network files and encrypt them, preventing the facility’s access to the
critical files. The virus was also able to encrypt files critical to process
operations and then infiltrated the industrial control systems that monitor and
control cargo transfers. The entire corporate IT network was impacted,
disrupting camera and physical access control systems and causing the loss of critical
process control monitoring systems. These combined effects required the company
to shut down the primary operations of the facility for over 30 hours while the
cyber response was conducted.
The U.S. Coast Guard states that at a minimum, the following
measures may have prevented or limited the breach and decreased the time for
- Intrusion Detection and Intrusion Prevention Systems to monitor
real-time network traffic
- Industry standard and up to date virus detection software
- Centralized and monitored host and server logging
- Network segmentation to prevent IT systems from accessing the
Operational Technology (OT) environment
- Up-to-date IT/OT network diagrams
- Consistent backups of all critical files and software
The Coast Guard also recommends that facilities utilize the National Institute of
Standards and Technology (NIST) Cybersecurity Framework and NIST Special
Publication 800-82 when implementing a Cyber Risk Management Program.
Contact Greenwood Security Services to have us conduct an assessment of your cyber systems. We can also assist you with developing and implementing the recommended NIST standards.
Greenwood Security Services
An AMSYS Company
8300 Bissonnet Street, Suite 570
Houston, TX 77074
Rick, a Houston-based HR manager, arranges travel to the company’s Guatemala City
office to roll out next year’s benefits package. He arrives at the Guatemala office only to learn
the people he needs to meet with have all departed to Houston for meetings with
operation leadership. Wouldn’t it be great
to have easy-to-use software that requires Rick’s trip be approved ahead of
time by his boss, the host country manager, and perhaps his cost center
manager? How about notifying Corporate
Security of his travel plans? Business Travel Assurance (BTA) is a fully
deployed, stable software system developed by Don Greenwood & Associates
Inc. that accomplishes all of this and more.
On a more serious note, when on 9/1/2012 the U.S. embassy was attacked in Benghazi,
our client had operations in Libya. In
minutes, they knew which employees were there, which were en route, and who had
planned travel to go there in the near term.
All easy to pull reports from BTA.
BTA operates on the company email system – no need to sign on to a separate
software application. When a travel itinerary is booked, BTA checks the
destinations against a configurable list and takes these actions:
- An automatically generated email alert is
sent to the traveler stating this travel booking needs approval.
- If the country is in the high-risk category,
Corporate Security is notified and must clear the travel before it can proceed.
- A similar email is sent to the traveler’s
manager, asking for the approval. The
manager can take one of three options – approve the trip, disapprove, or ask
for more information.
- An email is also sent to the cost center
manager seeking financial approval. And
an email notifies the destination country manager as well.
- If the destination is on a health alert list,
an email is sent to the medical department, so they can provide necessary
inoculations and information.
- The system also asks the traveler if they are
going to a conference. If the answer is
yes, it asks if they are a presenter and several other questions. Therefore, travel costs for conferences is
- Manager can pull many reports from the
system: travelers by approving manager, trips by a single traveler, volume of
travel to a specific destination, etc.
BTA is a fully deployed, cloud-based solution designed to
help assure business traveler safety, managerial awareness, and cost control.
Originally designed to facilitate a client-specific international travel
approval process, BTA has evolved as a comprehensive platform for managing
business travel at the enterprise level.
Click here to learn more about BTA.
Contact Don Greenwood & Associates, Inc. for further information.
content rich templates ready to customize for your facilities.
The Reception/Front Desk Reference Guide
- Developed from our large procedure library with recent input from Security Directors.
- Includes Reception Duties, Confidentiality, Use of Email and Phone Systems, and Emergency Response guidance ranging from dealing with activists and protestors, angry and distressed persons in the lobby, process servers, weather emergencies, and dozens of other response procedures.
- We are ready to align our template with your department’s specific requirements and insert your contact lists in the finished document.
- In use now by several large companies in oil, gas, and chemicals.
The Field Security Resource Manual
- Most of our oil, gas, pipeline, and chemical clients have field facilities where security is managed or supervised by EH&S, port FSOs, or operations personnel. Clients asked us for a field security guide that would speed up training for the field and provide a catalogue of general security management information for their everyday reference.
- Our template includes a wide range of topics from Guard Force Contracting and Management, to practical steps in Risk Assessment, perimeter protection and responding to threats.
*Contact us to arrange a visit to
view the Field Security Manual; or ask for an online meeting.
State of Texas abandonment of Licensing Requirements now allows anyone to be a Security Consultant – effective 9/1/2019
Why is this significant for you as a client?
Changes in Texas regulations – Security Consultants No Longer Need a State License:
- No requirement to be insured – this is significant
- State background checks no longer required.
- ID and Fingerprint Checks no longer required.
- No longer a requirement for license examinations
- No requirement for proof of experience.
- No more Qualified Manager exams.
In the past, Security Consultants and Consulting Companies needed all of the above. Now all of this has gone away.
Here are some key questions you should ask when retaining security consultants:
- Can you provide a resume of relevant experience?
- Can you provide an insurance certificate and proof of adequate insurance? Important – it is likely if they get sued for your project, your company will also be sued.
- Can you provide five references from companies for whom you have done similar work in this past year?
- Understand, we will do a background check on you and your company. Incidentally, licensing was also abandoned for Security Salespersons, Branch Office Managers, Guard Dog Training Companies, and Employees of License Holders.
- Use your standard Contractor Master Services Agreements which accomplish some of the above.
Feel free to call or email us if you need support in hiring security consultants.
All facilities need a security plan, whether required by regulation or not.
Security plans should be designed to control access to the facility, prevent intrusions, reduce the chances of theft or other losses, and provide procedures for response to security incidents.
Security planning must take into consideration that the adversary sets the agenda. This is an important and too little discussed reality. Building occupants, even building security, are unlikely to know that an adversary is considering an adverse attack or criminal intrusion. (click here to read more about how The Adversary Sets the Agenda)
Security plans protect people and their safety.
Security plans should:
- be facility specific and include
security requirements and procedures for both normal and emergency or crisis operations
- describe the roles and
responsibilities for security related tasks
- describe in detail how access is
managed for the facility
- describe the physical security
features and security countermeasures of the facility and their importance in
protecting people and the facility
- describe how the facility will
test, maintain, and repair the physical security features
- identify all critical areas of the
facility and address the level of protection required for each area
- have procedures and policies for
how to respond to a security incident
- have a system in place for
reporting and investigating a security incident
- provide for ongoing employee
security awareness training
- have policies and procedures for
protecting critical cyber and IT infrastructure and systems
- describe how the facility will test
and exercise the security plan
- be reviewed frequently and updated
A Security Risk Assessment should be conducted prior to developing a security plan.
Contact Don Greenwood & Associates, Inc. to have us conduct a security assessment on your facility and assist you in developing your security plan.
On July 9, 2019, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published a notice in the Federal Register that announced the implementation of the Personnel Surety Program for all covered CFATS facilities, including Tier 3 and 4 facilities. Regulated CFATS facilities that have an approved SSP/ASP will be notified by the Agency in a phased manner of the need to update their security plans with measures to comply with RBPS 12(iv).
To read more about the PSP requirements, click here and here.
To download a copy of the notice, click here.
Contact us if you need help revising your SSP/ASP and
implementing your Personnel Surety Program.
On April 1, 2019, the USCG issued a final rule, “Seafarers
Access to Maritime Facilities” requiring owners or operators of a maritime
facility regulated by the Maritime Transportation Security Act (MTSA) to
implement a system providing seafarers, pilots, and representatives of seamen’s
welfare and labor organizations access between vessels moored at the facility
and the facility gate. Access between the vessel and the gate has to be
provided in a timely manner and at no cost to the seafarer or other individuals.
These access procedures must be documented in the Facility
Security Plan (FSP) for each regulated Part 105 facility and approved by the
local Captain of the Port (COTP). Facility owners or operators will need to
amend or update their FSP to ensure that they are in compliance with these
requirements. The COTP will then review the submitted amendments to ensure they
are in compliance with the requirements listed in 33CFR105.237 (c)-(e).
Important dates associated with the regulation:
1, 2019 – Seafarers’ Access to Maritime Facilities regulation became effective;
3, 2020 – The system of access must be documented in the FSP; and,
1, 2020 – The facility owner or operator must implement their system of access.
33CFR105.237 (c)-(e) Requirements:
(c) Timely access
(d) Access methods
(e) No cost to individuals
From Chemical Facility Security News
The House Homeland Security Committee has scheduled a mark-up hearing of HR 3256, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. The bill would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for another 5 years. The new bill will also provide a number of amendments to the current bill.
To read an in-depth review of the bill, please click here and here.
Thanks again to PJ Coyle for the detailed analysis of the bill.
To read more about CFATS, click here.
The TSA has released a beta version of their TWIC Advisr app. The app allows individuals to scan a TWIC using their phone. The app will scan the barcode on the back of the TWIC, or the CIN can be entered manually, and verify if the TWIC is on the Canceled Card List (CCL).
This is a huge improvement for the TWIC program and for facility
personnel to verify if a TWIC is on the CCL. Previously the only way to do this
accurately was to have a TWIC Reader and the supporting software to run the
check against the CCL.
Click here for a link to the TWIC Advisr Beta Release presentation.
From Coast Guard Maritime Commons:
The Office of Commercial
Vessel Compliance issued Marine Safety
Information Bulletin 04-19, “Cyber Adversaries Targeting Commercial Vessels,”
to inform the maritime industry of recent email phishing and malware intrusion
attempts that targeted commercial vessels.
Cyber adversaries are
attempting to gain sensitive information including the content of an official
Notice of Arrival (NOA) using email addresses that pose as an official Port
State Control (PSC) authority such as: port @ pscgov.org. Additionally, the Coast Guard has
received reports of malicious software designed to disrupt shipboard computer
systems. Vessel masters have diligently reported suspicious activity to the
Coast Guard National Response Center (NRC) in accordance with Title 33 Code of
Federal Regulations (CFR) §101.305 – Reporting, enabling the
Coast Guard and other federal agencies to counter cyber threats across the
global maritime network.
As a reminder, suspicious activity and breaches of security must be
reported to the NRC at (800) 424-8802. For cyber attempts/attacks that do not
impact the operating condition of the vessel or result in a pollution incident,
owners or operators may alternatively report to the 24/7 National Cybersecurity
and Communications Integration Center (NCCIC) at (888) 282-0870. When reporting to the NCCIC, it is
imperative that the reporting party notify the NCCIC that the vessel is a Coast
Guard regulated entity in order to satisfy 33 CFR §101.305 reporting
NCCIC will in turn forward the report to the NRC, which will then notify the
cognizant Coast Guard Captain of the Port.
The Coast Guard urges maritime
stakeholders to verify the validity of the email sender prior to responding to
unsolicited email messages. If there is uncertainty regarding the legitimacy of
the email request, vessel representatives should try contacting the PSC
authority directly by using verified contact information. Additionally, vessel
owners and operators should continue to evaluate their cyber defense measures
to reduce the effect of a cyber-attack.
To read more on Coast Guard Maritime Commons, click here.
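
The sender check urged in the bulletin above can be partly automated at the mail gateway. The following is an added example, not code from the Coast Guard or from this site; the allowlist domain `psc-authority.example`, the keyword list, and both sample messages are constructed placeholders, and the `Authentication-Results` header is assumed to be the one written by your own receiving server.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains confirmed out of band from verified contact information.
VERIFIED_DOMAINS = {"psc-authority.example"}
# Assumption: words an impersonator may embed in a look-alike domain.
AUTHORITY_HINTS = ("psc", "uscg", "coastguard", "portstate")

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Port State Control <port@pscgov.org>\n"
    "Reply-To: noa-reply@mailbox.example\n"
    "Subject: Notice of Arrival required\n"
    "Authentication-Results: mx.vessel.example; dmarc=fail\n\n"
    "Send your NOA.\n"
)
GENUINE = (
    "From: PSC Duty Desk <duty@psc-authority.example>\n"
    "Authentication-Results: mx.vessel.example; dmarc=pass\n\n"
    "Schedule attached.\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def is_verified(domain):
    """True for an allowlisted domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in VERIFIED_DOMAINS)

def assess_sender(raw_message):
    """Return reasons to distrust the sender; an empty list means no flags."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    if not from_dom:
        flags.append("missing From domain")
    elif not is_verified(from_dom):
        flags.append(f"From domain {from_dom} is not on the verified list")
        if any(hint in from_dom for hint in AUTHORITY_HINTS):
            flags.append(f"{from_dom} imitates an authority name")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From")
    # Only trust this header when your own gateway wrote it.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if "dmarc=pass" not in auth:
        flags.append("no DMARC pass recorded by the receiving server")
    return flags
```

A message with any flag should be confirmed with the authority through verified contact details before anyone replies or sends a Notice of Arrival.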