Recently the U.S. Coast Guard published a Marine Safety Information Bulletin (attached) regarding a ransomware intrusion at a Maritime Transportation Security Act (MTSA) regulated facility. The malware, identified as "Ryuk" ransomware, may have entered the facility's network via an email phishing campaign. The ransomware gained access to significant Information Technology (IT) network files and encrypted them, preventing the facility's access to critical files. It also encrypted files critical to process operations and then spread into the industrial control systems that monitor and control cargo transfers. The entire corporate IT network was impacted, disrupting camera and physical access control systems and causing the loss of critical process control monitoring systems. These combined effects required the company to shut down the primary operations of the facility for over 30 hours while the cyber response was conducted.
The U.S. Coast Guard states that at a minimum, the following
measures may have prevented or limited the breach and decreased the time for
- Intrusion Detection and Intrusion Prevention Systems to monitor
real-time network traffic
- Industry standard and up to date virus detection software
- Centralized and monitored host and server logging
- Network segmentation to prevent IT systems from accessing the
Operational Technology (OT) environment
- Up-to-date IT/OT network diagrams
- Consistent backups of all critical files and software
The Coast Guard also recommends that facilities utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication 800-82 when implementing a Cyber Risk Management Program.
Contact Greenwood Security Services to have us conduct an assessment of your cyber systems. We can also assist you with developing and implementing the recommended NIST standards.
Greenwood Security Services
An AMSYS Company
8300 Bissonnet Street, Suite 570
Houston, TX 77074
State of Texas abandonment of Licensing Requirements now allows anyone to be a Security Consultant – effective 9/1/2019
Why is this significant for you as a client?
Changes in Texas regulations – Security Consultants No Longer Need a State License:
- No requirement to be insured – this is significant
- State background checks no longer required.
- ID and Fingerprint Checks no longer required.
- No longer a requirement for license examinations
- No requirement for proof of experience.
- No more Qualified Manager exams.
In the past, Security Consultants and consulting companies needed all of the above. Now all of this has gone away.
Here are some key questions you should ask when retaining security consultants:
- Can you provide a resume of relevant experience?
- Can you provide an insurance certificate and proof of adequate insurance? This is important: if they get sued over your project, it is likely your company will also be sued.
- Can you provide five references from companies for whom you have done similar work in this past year?
- Understand that we will do a background check on you and your company.
- Use your standard Contractor Master Services Agreements, which accomplish some of the above.
Incidentally, licensing was also abandoned for Security Salespersons, Branch Office Managers, Guard Dog Training Companies, and Employees of License Holders.
Feel free to call or email us if you need support in hiring security consultants.
From Chemical Facility Security News
The House Homeland Security Committee has scheduled a mark-up hearing of HR 3256, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. The bill would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for another 5 years. The new bill would also make a number of amendments to the current law.
To read an in-depth review of the bill, please click here and here.
Thanks again to PJ Coyle for the detailed analysis of the bill.
To read more about CFATS, click here.
The TSA has released a beta version of their TWIC Advisr app. The app allows individuals to scan a TWIC using their phone. The app will scan the barcode on the back of the TWIC, or the CIN can be entered manually, and verify if the TWIC is on the Canceled Card List (CCL).
This is a huge improvement for the TWIC program and for facility
personnel to verify if a TWIC is on the CCL. Previously the only way to do this
accurately was to have a TWIC Reader and the supporting software to run the
check against the CCL.
Click here for a link to the TWIC Advisr Beta Release presentation.
From Coast Guard Maritime Commons:
The Office of Commercial
Vessel Compliance issued Marine Safety
Information Bulletin 04-19, “Cyber Adversaries Targeting Commercial Vessels,”
to inform the maritime industry of recent email phishing and malware intrusion
attempts that targeted commercial vessels.
Cyber adversaries are
attempting to gain sensitive information including the content of an official
Notice of Arrival (NOA) using email addresses that pose as an official Port
State Control (PSC) authority such as: port @ pscgov.org. Additionally, the Coast Guard has
received reports of malicious software designed to disrupt shipboard computer
systems. Vessel masters have diligently reported suspicious activity to the
Coast Guard National Response Center (NRC) in accordance with Title 33 Code of
Federal Regulations (CFR) §101.305 – Reporting, enabling the
Coast Guard and other federal agencies to counter cyber threats across the
global maritime network.
As a reminder, suspicious activity and breaches of security must be reported to the NRC at (800) 424-8802. For cyber attempts/attacks that do not impact the operating condition of the vessel or result in a pollution incident, owners or operators may alternatively report to the 24/7 National Cybersecurity and Communications Integration Center (NCCIC) at (888) 282-0870. When reporting to the NCCIC, it is imperative that the reporting party notify the NCCIC that the vessel is a Coast Guard regulated entity in order to satisfy the 33 CFR §101.305 reporting requirement. The NCCIC will in turn forward the report to the NRC, which will then notify the cognizant Coast Guard Captain of the Port.
The Coast Guard urges maritime stakeholders to verify the validity of the email sender prior to responding to unsolicited email messages. If there is uncertainty regarding the legitimacy of the email request, vessel representatives should contact the PSC authority directly using verified contact information (not contact details taken from the email itself). Additionally, vessel owners and operators should continue to evaluate their cyber defense measures to reduce the effect of a cyber-attack.
To read more on Coast Guard Maritime Commons, click here.
MPS-ISAO Warning Report, “Malicious Port Security Grant-Themed Email“. The MPS-ISAO received an email sample from a U.S. Port customer this morning, and have confirmed that it is malicious. The distribution list for this port security grant-themed email was over 500. Please click here to see the report for email indicators.
Thanks Lester Millet for the report.
Lester J. Millet III, LEM
Safety Agency Risk Manager / FSO Workgroup Chairman
Port of South Louisiana
Since 2013 there have been 159 homegrown jihadist cases in 30 states. Recent examples of homegrown terror-related incidents cited in the report include the case of a 28-year-old Ohio resident, Laith Alebbini, who was arrested Sept. 5 and charged with attempting to provide material support to ISIS. Also on Sept. 5, 26-year-old Alexander Ciccolo of Adams, Mass., was sentenced to 20 years in prison for the same crime. According to the snapshot, Ciccolo "planned to use pressure cooker explosives and firearms to target places where large numbers of people congregated, such as college cafeterias." Ciccolo is the son of a Boston police captain.
To read more, click here.
There are still circumstances which may require your facility to resubmit a Top-Screen today, even if you have already resubmitted using CSAT 2.0. For example, a facility must report material modifications to its chemical holdings or facility operations, as these changes may alter a facility’s tier. Material modifications may include:
- The addition or removal of COI at the STQ and concentration
- Changes to quantity, location, or packaging of a COI as previously reported on a Top-Screen
Facilities are encouraged to report the highest expected quantity and concentration of COI they anticipate possessing over the lifecycle of their operations. By taking this approach, facilities can maintain a more efficient reporting process as they will not need to resubmit a Top-Screen when the quantity or concentration of a COI is reduced through normal operations.
Additionally, CFATS-covered facilities are required to update their Top-Screens on a regular basis, as determined by their tier:
- A Tier 1 or Tier 2 facility must update its Top-Screen two years after its SSP is approved
- A Tier 3 or Tier 4 facility must update its Top-Screen three years after its SSP is approved
Let us know if we can help you prepare and submit your CFATS Top-Screen and prepare your facility for a Compliance Inspection.
To read about what to expect from a CFATS CI, click here.
Security planning must take into consideration that the Adversary sets the agenda and is better informed when plotting than the security strategist.
The threat adversary sets the agenda. This is an important and too little discussed reality.
Building occupants, even building security, do not know that an adversary is considering an attack or criminal intrusion. The building and suite occupants "blindly" implement security measures that are customary and often "cosmetic". The adversary, however, has an agenda:
- They have an objective, ranging from simple theft of purses and wallets to incidents of workplace violence, including rage killings.
- They know the "territory": they have studied and surveilled the building and avenues of access. They know how ineffective the lobby guard is. They have a target and a plan.
- They want to enter incognito: their observations of building activity show them what to do to maintain a low profile.
- In active shooter situations, they may be suicidal and have no plan of escape, which makes them very dangerous.
- They will likely identify the same vulnerabilities that have been identified during a security assessment.
Security countermeasures must mitigate these risks as far as is reasonable and possible. The adversary should be deterred by at least two access-controlled perimeters, which complicate the plan and increase the risk of detection.
Watch for our series of blogs on the security assessment process.
On August 2nd, President Trump signed into law the Transportation Worker Identification Credential Accountability Act of 2018 (HR.5729). This formally prohibits the Coast Guard from implementing the Rule until DHS submits a satisfactory assessment of the TWIC program to Congress.
Furthermore, a U.S. District Court (Eastern District of Virginia) issued a court order delaying the Rule at certain CDC facilities "until a further order of the court." This is in response to lawsuits from several industry groups.
We will track this activity closely and keep you all informed.