On 01/17/2017, the U.S. Coast Guard Maritime Commons site advised that the Coast Guard had recently published CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security, which outlines the criteria and process for suspicious activity (SA) and breach of security (BoS) reporting: http://mariners.coastguard.dodlive.mil/2017/01/17/cyber-reporting-updated-coast-guard-policy-reporting-suspicious-activity-breaches-security/

The document can be found at Homeport > Maritime Security > Policy. The purpose of the policy document, dated 12/14/2016, is to promulgate policy for use by MTSA-regulated vessels and facilities outlining the criteria and process for suspicious activity and breach of security reporting. Because plausible terrorist attack scenarios include combined cyber and physical incidents, vessel and facility operators should consider this possibility when evaluating a cyber incident, including the possibility that a cyber incident is a precursor to a physical attack. As a security measure, the Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible eliminate cyber connections between the business/administrative systems and the operational, industrial control and security systems. The USCG handles all reports of security incidents as SSI (Sensitive Security Information).
What is really new in this policy document is:
1. Inclusion of cyber incidents in BoS and SA;
2. An expanded definition of SA;
3. Permission to report cyber incidents to the National Cybersecurity and Communications Integration Center (NCCIC) under certain conditions.
The document then proceeds to describe U.S. Coast Guard requirements for reporting BoS and SA for both physical and network or computer-related events. The inclusion of cyber here is new and helpful. Industry has been reporting physical BoS and SA since 2004, but cyber is much newer and many FSOs (Facility Security Officers) are less certain when to report.
Breaches of security include:
a) “Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS;
b) Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions; and/or
c) Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions.”
Note that routine spam, phishing attempts, and other nuisance events that do not breach a system’s defenses are NOT BoS. Furthermore, breaches of telecommunications equipment, computer, and networked systems that clearly target business or administrative systems unrelated to safe and secure maritime operations are outside the U.S. Coast Guard’s jurisdiction and need not be reported to the U.S. Coast Guard.
Suspicious Activity includes:
A. Suspicious Activity
i. Reference (c) defines SA as “observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.”
ii. Computer-related suspicious activity presents additional vulnerabilities, and companies should be able to distinguish untargeted cyber incidents from targeted incidents on vessel or waterfront facility computer-related systems. Untargeted cyber incidents are part of the normal information technology landscape and commonly include “phishing” or persistent scanning of networks; these are not considered SA or BoS.
iii. In contrast, targeted incidents may be large, sustained attacks on important cyber systems in an apparent attempt to exploit them for nefarious purposes. Spear phishing campaigns, a marked increase in network scanning, or other attacks may be considered SA if the volume, persistence, or sophistication of the attacks is out of the ordinary.
iv. Unsuccessful but apparently targeted incidents may be SA if they threaten systems that could contribute to a TSI (transportation security incident), have a link to the MTS portion of the facility, or are otherwise related to systems, personnel, and procedures addressed by security plans or MTSA requirements.
v. SA may include, but is not limited to, any of the following:
   a) Unfamiliar persons in areas that are restricted to regular employees;
   b) Unusual behavioral patterns, such as:
      (1) Not responding to verbal interaction;
      (2) Walking slowly in a deliberate fashion towards a potential target;
      (3) Inappropriately dressed (e.g., wearing excessive clothing so as to conceal something, or looking out of place);
      (4) Excessive nervousness or “doomsday” talk;
      (5) Excessive questions;
      (6) Lack of photo identification;
      (7) Agitation or rage;
      (8) Picture taking, especially if the suspect has been asked earlier not to take photos;
      (9) Note taking or drawing;
      (10) Taking measurements; and/or
      (11) Attempting to access unauthorized areas.
   c) Potentially dangerous devices found by screeners prior to loading persons or cargo, or items found on or near the facility that seem out of place;
   d) Vehicles parked or standing for excessive amounts of time near the facility perimeter;
   e) Unmanned Aircraft System (UAS) activity, including but not limited to:
      (1) Reconnaissance and surveillance activities, indicated by repeated activities at a particular place and time (e.g., fly-overs, hovering at low altitudes, and prolonged time on station); and/or
      (2) Testing of facility security protocols using UAS, indicated by flying by a target, moving into sensitive areas, and observing the reaction of security personnel (e.g., the time it takes to respond to an incident or the routes taken to a specific location).
   f) Unauthorized personnel accessing IT spaces linked to security plan functions.
   g) Unsuccessful attempts to access telecommunication, computer, and network systems linked to security plan functions.
vi. The Coast Guard recognizes that the cyber domain includes countless malicious but low-level events that are normally addressed via standard anti-virus programs and similar protocols. Operators should only report events that are out of the ordinary in terms of sophistication, volume, or other factors which, from the operator’s perspective, raise suspicions.
Cyber incidents may be reported to the National Cybersecurity and Communications Integration Center. It is imperative that the reporting party inform the NCCIC that they are a Coast Guard regulated entity in order to satisfy the reporting requirements of 33 CFR part 101.305. The NCCIC will forward the report electronically to the NRC (National Response Center), which will notify the appropriate COTP (Captain of the Port). Reporting cyber incidents in this manner, including notifying the NCCIC that the reporting source is regulated by the Coast Guard, meets Coast Guard regulatory requirements. Note that this is applicable only for a purely cyber incident; if there are other factors involved, such as pollution or a physical breach of security, operators must report the incident directly to the NRC.
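The BoS criteria, the SA thresholds and the NCCIC/NRC routing above amount to a decision procedure an FSO runs for every cyber event. The following triage helper is an added example written for this summary; it is not part of the policy letter and not a Coast Guard tool. The CyberEvent fields and their names are constructed shorthand for the policy's criteria, and the mapping is a simplification: the security plan and the operator's judgement decide borderline cases.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CyberEvent:
    # Field names are this example's own (constructed) shorthand for the policy's criteria.
    kind: str                 # "intrusion", "phishing", "malware", "dos" or "probe" (scanning, failed logins)
    mts_linked: bool          # touches systems linked to security plan functions or the MTS side of the facility
    business_only: bool       # clearly targets admin systems unrelated to safe and secure maritime operations
    succeeded: bool           # defenses actually breached: access gained, malware running, service degraded
    widespread_impact: bool   # malware only: widespread, or a mission-critical server affected
    out_of_ordinary: bool     # volume, persistence or sophistication beyond normal background noise
    non_cyber_factors: bool   # pollution or a physical breach of security is also involved

# Successful intrusion, phishing or denial of service on a linked system is a BoS (criteria a and c).
BOS_IF_SUCCESSFUL = {"intrusion", "phishing", "dos"}

def classify(ev: CyberEvent) -> str:
    """Return "BoS", "SA" or a "not reportable ..." reason per the criteria quoted above."""
    if ev.business_only:
        return "not reportable (outside USCG jurisdiction)"
    if not ev.mts_linked:
        return "not reportable (no link to security plan functions)"
    if ev.succeeded and ev.kind in BOS_IF_SUCCESSFUL:
        return "BoS"
    if ev.succeeded and ev.kind == "malware" and ev.widespread_impact:
        return "BoS"  # criterion (b): widespread or mission-critical malware impact
    if ev.out_of_ordinary:
        return "SA"   # unsuccessful but apparently targeted (items iv and v.g)
    return "not reportable (routine nuisance event)"  # spam, background scans, single AV catch

def reporting_channel(ev: CyberEvent) -> Optional[str]:
    """Where a reportable event goes; None when nothing needs to be reported."""
    if classify(ev) not in ("BoS", "SA"):
        return None
    if ev.non_cyber_factors:
        return "NRC"  # pollution or physical factors: report directly to the NRC
    # Cyber-only: NCCIC is acceptable, provided the reporter states that it is a Coast Guard
    # regulated entity so the NCCIC forwards the report to the NRC and the COTP is notified.
    return "NCCIC (state that you are a Coast Guard regulated entity) or NRC"

if __name__ == "__main__":
    # Constructed sample: persistent, unusually sophisticated login attempts against the
    # access-control server that never succeeded. Expected: SA, reportable via NCCIC or NRC.
    probe = CyberEvent("probe", True, False, False, False, True, False)
    print(classify(probe), "->", reporting_channel(probe))
```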
The policy document then discusses other critical infrastructure and cyber incident resources, including ICS-CERT, InfraGard, the National Suspicious Activity Reporting (SAR) Initiative, and the local AMSC (Area Maritime Security Committee).