Recently the U.S. Coast Guard published a Marine Safety
Information Bulletin (attached) regarding an incident involving a ransomware
intrusion that occurred at a Maritime Transportation Security Act (MTSA)
regulated facility. The virus, identified as “Ryuk” ransomware, may have
entered the network of the MTSA facility via an email phishing campaign. The
ransomware was able to gain access to significant Information Technology (IT)
network files and encrypt them, preventing the facility’s access to the
critical files. The virus was also able to encrypt files critical to process
operations and then infiltrated the industrial control systems that monitor and
control cargo transfers. The entire corporate IT network was impacted,
disrupting camera and physical access control systems and causing the loss of critical
process control monitoring systems. These combined effects required the company
to shut down the primary operations of the facility for over 30 hours while the
cyber response was conducted.
The U.S. Coast Guard states that at a minimum, the following
measures may have prevented or limited the breach and decreased the time for
- Intrusion Detection and Intrusion Prevention Systems to monitor real-time network traffic
- Industry standard and up to date virus detection software
- Centralized and monitored host and server logging
- Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
- Up-to-date IT/OT network diagrams
- Consistent backups of all critical files and software
The Coast Guard also recommends that facilities utilize the National Institute of
Standards and Technology (NIST) Cybersecurity Framework and NIST Special
Publication 800-82 when implementing a Cyber Risk Management Program.
Contact Greenwood Security Services to have us conduct an assessment of your cyber systems. We can also assist you with developing and implementing the recommended NIST standards.
Greenwood Security Services
An AMSYS Company
8300 Bissonnet Street, Suite 570
Houston, TX 77074
content rich templates ready to customize for your facilities.
The Reception/Front Desk Reference Guide
- Developed from our large procedure library with recent input from Security Directors.
- Includes Reception Duties, Confidentiality, Use of Email and Phone Systems, and Emergency Response guidance ranging from dealing with activists and protestors, angry and distressed persons in the lobby, process servers, weather emergencies, and dozens of other response procedures.
- We are ready to align our template with your department’s specific requirements and insert your contact lists in the finished document.
- In use now by several large companies in oil, gas, and chemicals.
The Field Security Resource Manual
- Most of our oil, gas, pipeline, and chemical clients have field facilities where security is managed or supervised by EH&S, port FSOs, or operations personnel. Clients asked us for a field security guide that would speed up training for the field and provide a catalogue of general security management information for their everyday reference.
- Our template includes a wide range of topics from Guard Force Contracting and Management, to practical steps in Risk Assessment, perimeter protection and responding to threats.
*Contact us to arrange a visit to view the Field Security Manual, or ask for an online meeting.
All facilities need a security plan, whether required by regulation or not.
Security plans should be designed to control access to the facility, prevent intrusions, reduce the chances of theft or other losses, and provide procedures for response to security incidents.
Security planning must take into consideration that the adversary sets the agenda. This is an important and too little discussed reality. Building occupants, even building security, are unlikely to know that an adversary is considering an adverse attack or criminal intrusion.
Security plans protect people and their safety.
Security plans should:
- be facility specific and include security requirements and procedures for both normal and emergency or crisis operations
- describe the roles and responsibilities for security related tasks
- describe in detail how access is managed for the facility
- describe the physical security features and security countermeasures of the facility and their importance in protecting people and the facility
- describe how the facility will test, maintain, and repair the physical security features
- identify all critical areas of the facility and address the level of protection required for each area
- have procedures and policies for how to respond to a security incident
- have a system in place for reporting and investigating a security incident
- provide for ongoing employee security awareness training
- have policies and procedures for protecting critical cyber and IT infrastructure and systems
- describe how the facility will test and exercise the security plan
- be reviewed frequently and updated
A Security Risk Assessment should be conducted prior to developing a security plan.
Contact Don Greenwood & Associates, Inc. to have us conduct a security assessment on your facility and assist you in developing your security plan.
DHS Issues 60 Day ICR Notice for CSAT
From Chemical Facility Security News
Yesterday the DHS Cybersecurity and Infrastructure Security Agency, the agency that oversees the CFATS program, published a 60-day Information Collection Request (ICR) notice for revisions to the Chemical Security Assessment Tool (CSAT). The notice is intended to revise collection and burden estimates for data collection using CSAT 2.0.
Also included in yesterday’s ICR notice is a detailed review of the risk identification tool, Identification of Additional Facilities and Assets at Risk, that DHS is using to collect data during compliance inspections. At facilities that ship and receive COIs, the facilities are requested to voluntarily provide information on:
- Shipping and/or receiving procedures
- Invoices and receipts
- Company names and locations that COI is shipped and/or received from
Facilities that are identified as having SCADA, DCS, PCS, or ICS systems are requested to voluntarily provide information on:
- Details on the system(s) that controls, monitors, and/or manages small to large production systems as well as how the system(s) operates.
- Whether the system is standalone or connected to other systems or networks, along with the specific brand and name of the system(s)
Thanks to PJ Coyle for the information on this ICR. To read a more detailed review of the ICR, click here. While there, subscribe to PJ’s blog.
If you transport certain hazardous material, you probably need to implement a security plan. Many oil and gas operators are already familiar with the U.S. Coast Guard Maritime Transportation Security Act (MTSA) and DHS Chemical Facility Anti-Terrorism Standards (CFATS), but many are not familiar with the U.S. Department of Transportation’s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) HAZMAT Site Security Plan requirements (49 CFR Part 172.800). The rule took effect in September 2003 and requires companies that transport hazardous material to establish a written security plan. The regulation also sets specific security training requirements for HAZMAT drivers and HAZMAT employees.
Security Plan Requirements
The security plan must include an assessment of the transportation security risk for HAZMAT shipments, including site-specific and location-specific risks associated with the facilities at which the materials are prepared for transport, stored, or unloaded incident to movement, and appropriate measures to address the assessed risks. At a minimum, the security plan must include the following elements:
- Personnel security;
- Unauthorized access;
- En route security;
- Identification by job title the senior management official responsible for the development and implementation of the security plan;
- Security duties for each position or department responsible for implementing the plan; and
- A plan for training HAZMAT employees.
The regulation requires the company/facility to ensure that each of its HAZMAT employees receives security awareness training as well as in-depth security training.
According to The Hill, Senators have struck a last-minute deal to extend the Chemical Facility Anti-Terrorism Standards (CFATS) program. This program regulates how manufacturers must guard against potential terror attacks.
Congress will now vote on the bill to reauthorize the CFATS program for 15 months. The CFATS program was set to officially expire at the end of Thursday, January 17, 2019.
Last week the DHS Infrastructure Security Compliance Division posted a link to a new version of the Chemical Security Assessment Tool (CSAT) 2.0 Portal User Manual.
Security planning must take into consideration that the Adversary sets the agenda and is better informed when plotting than the security strategist.
The threat adversary sets the agenda. This is an important and too little discussed reality.
Building occupants, even building security, do not know that an adversary is considering an adverse attack or criminal intrusion. The building and suite occupants “blindly” implement security measures that are customary and often “cosmetic”. However, the adversary has an agenda:
- They have an objective ranging from simple theft of purses and wallets to incidents of workplace violence, including rage killings.
- They know the “territory” – they have studied and surveilled the building and avenues of access. They know how ineffective the lobby guard is. They have a target and a plan.
- They want to enter incognito – their observations of building activity show them what to do to maintain a low profile.
- In active shooter situations, they may be suicidal and have no plan of escape, which makes them very dangerous.
- They will likely identify the same vulnerabilities that have been identified during a security assessment.
Security countermeasures must mitigate these risks as far as is reasonable and possible. Adversaries should be deterred by at least two access-controlled perimeters to complicate their plan and increase their risk of detection.
Watch for our series of blogs on the security assessment process.
A recent FBI report reveals that a majority of active shooters spend at least a week planning their attack and often attack people and places with which they were already familiar. In the majority of active shooter cases, the active shooter knew and actively targeted at least one of the victims.
In this growing threat environment, employees are expressing concerns about acts of workplace violence and active shooter incidents. The most important security measures for workplace protection are employee awareness training and a fundamental building security program.
A thorough and detailed building security risk assessment (SRA) and report are the first steps in developing an effective building security program to protect people and critical assets. The SRA provides the foundation of a risk management program.
The objective of conducting a security assessment is to assess security risks as a means to assist management in identifying and understanding the risks that face the organization. This assists management in making informed decisions on the adequacy of security and the need for additional security countermeasures to address threats, risks, vulnerabilities and potential consequences.
Contact Don Greenwood & Associates, Inc. to have us conduct a security assessment on your building or office spaces.