On 01/17/2017, the U.S. Coast Guard Maritime Commons site advised that the Coast Guard had recently published CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security, which outlines the criteria and process for suspicious activity (SA) and breach of security (BoS) reporting. http://mariners.coastguard.dodlive.mil/2017/01/17/cyber-reporting-updated-coast-guard-policy-reporting-suspicious-activity-breaches-security/

The document can be found at Homeport >Maritime Security > Policy. The purpose of the policy document, dated 12/14/2016, is to promulgate policy for use by MTSA-regulated vessels and facilities outlining the criteria and process for suspicious activity and breach of security reporting. Because plausible terrorist attack scenarios include combined cyber and physical incidents, vessel and facility operators should consider this possibility when evaluating a cyber incident, including the possibility that a cyber incident is a precursor to a physical attack. As a security measure, The Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible, eliminate cyber connections between the business/administrative systems and the operational, industrial control and security systems. The USCG handles all reports of security incidents as SSI.

What is really new in this policy document is:

1.  Inclusion of cyber incidents into BoS and SA;

2. An expanded definition of SA;

3. Permission to report cyber incidents to the National Cybersecurity and Communications Integration Center under certain conditions

The document then proceeds to describe U.S. Coast Guard requirements for reporting BoS and SA for both physical and network or computer-related events. The inclusion of cyber here is new and helpful. Industry has been reporting physical BoS and SA since 2004 but cyber is much newer and many FSOs are less certain when to report.

Breaches of security include:

a)            “Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS;

b)           Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions; and/or

c)            Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions.

Note that routine spam, phishing attempts, and other nuisance events that do not breach a system’s defenses are NOT BoS.  Furthermore, breaches of telecommunications equipment, computer, and networked systems that clearly target business or administrative systems unrelated to safe and secure maritime operations are outside the U.S. Coast Guard’s jurisdiction and need not be reported to the U.S. Coast Guard.

Suspicious Activity includes:

A.         Suspicious Activity

i.             Reference (c) defines SA as “observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.”

ii.           Computer-related suspicious activity presents additional vulnerabilities, and companies should be able to distinguish untargeted cyber incidents from targeted incidents on vessel or waterfront facility computer related systems. Untargeted cyber incidents are part of the normal information technology landscape and commonly include “phishing” or persistent scanning of networks, and these are not considered SA or BoS.

iii.         In contrast, targeted incidents may be large, sustained attacks on important cyber systems in an apparent attempt to exploit them for nefarious purposes. Spear phishing campaigns, a marked increase in network scanning, or other attacks may be considered SA if the volume, persistence, or sophistication of the attacks is out of the ordinary.

iv.         Unsuccessful but apparently targeted incidents may be SA if they threaten systems that could contribute to a TSI, have a link to the MTS portion of the facility or are otherwise related to systems, personnel, and procedures addressed by security plans or MTSA requirements.

v.           SA may include, but is not limited to, any of the following:

a)            Unfamiliar persons in areas that are restricted to regular employees;

b)           Unusual behavioral patterns, such as:

(1)         Not responding to verbal interaction;

(2)         Walking slowly in a deliberate fashion towards a potential target;

(3)         Inappropriately dressed (e.g., wearing excessive clothing as to conceal something, or looking out of place);

(4)         Excessive nervousness or “doomsday” talk;

(5)         Excessive questions;

(6)         Lack of photo identification;

(7)         Agitation or rage;

(8)         Picture taking, especially if the suspect has been asked earlier not to take photos;

(9)         Note taking or drawing;

(10)      Taking measurements; and/or

(11)      Attempting to access unauthorized areas.

c)            Potentially dangerous devices found by screeners prior to loading persons or cargo or items found on or near the facility that seem out of place.

d)           Vehicles parked or standing for excessive amounts of time near the facility perimeter;

e)            Unmanned Aircraft System (UAS) activity, including but not limited to:

(1)         Reconnaissance and surveillance activities, indicated by repeated activities at a particular place and time (e.g., fly-overs, hovering at low altitudes, and prolonged time on station); and/or

(2)         Testing of facility security protocols using UAS, indicated by flying by a target, moving into sensitive areas, and observing the reaction of security personnel (e.g., the time it takes to respond to an incident or the routes taken to a specific location).

f)            Unauthorized personnel accessing IT spaces linked to security plan functions.

g)           Unsuccessful attempts to access telecommunication, computer, and network systems linked to security plan functions.

vi.         The Coast Guard recognizes that the cyber domain includes countless malicious but low-level events that are normally addressed via standard anti-virus programs and similar protocols. Operators should only report events that are out of the ordinary in terms of sophistication, volume, or other factors which, from the operator’s perspective, raise suspicions.

Cyber incidents may be reported to the National Cybersecurity and Communications Integration Center. It is imperative that the reporting party inform the NCCIC that they are a Coast Guard regulated entity in order to satisfy the reporting requirements of 33 CFR part 101.305. The NCCIC will forward the report electronically to the NRC, who will notify the appropriate COTP. Reporting cyber incidents in this manner, including notifying the NCCIC that the reporting source is regulated by the Coast Guard, meets Coast Guard regulatory requirements. Note that this is applicable for only a cyber incident; if there are other factors involved, such as pollution or a physical breach of security, operators must report the incident directly to the NRC.

The policy document then discusses other Critical Infrastructure and Cyber Incident resources, including ICS-CERT, InfraGard, National Suspicious Activity Reporting (SAR) Initiative, and the local AMSC.