Wednesday, July 12, 2017

Draft Navigation and Vessel Inspection Circular No. 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Facilities

In the July 12, 2017 Federal Register, the Coast Guard posted the notice of the publication of Draft Navigation and Vessel Inspection Circular (NVIC) No. 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Facilities.  The NVIC is available at Comments must be submitted to the online docket via, or reach the Docket Management Facility, on or before September 11, 2017.

Facility Security Officers (FSOs) are advised that this is a draft NVIC, posted for review, to allow industry an opportunity to give feedback and commentary which the Coast Guard will evaluate and incorporate in the final version of the NVIC. This is a richly detailed performance standard on implementation of security measures to ward off the worst threat looming over us.

It is possible that Facility Security Plan sections 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, and 16 as well as the Facility Security Assessment may be affected by this NVIC. This is not a lengthy document (37 pages) so FSOs are encouraged to read it in its entirety. The amount of detail was difficult to summarize, especially Enclosure 2, and only the organization and main points are described below.

SUMMARY OF THE NVIC (largely taken from the text. My words are in italics) The NVIC has two enclosures.
(1) Cyber Security and MTSA
(2) Cyber Governance and Cyber Risk Management Program Implementation Guidance

Purpose:  MTSA-regulated facilities are instructed to analyze vulnerabilities with computer systems and networks in their Facility Security Assessments. This NVIC will assist FSOs in completing this requirement. Additionally, this NVIC provides guidance and recommended practices for MTSA regulated facilities to address cyber related vulnerabilities. Until specific cyber risk management regulations are promulgated, facility operators may use this document as guidance to develop and implement measures and activities for effective self governance of cyber vulnerabilities.

Background: The Coast Guard currently has the regulatory authority to instruct facilities and Outer Continental Shelf (OCS) facilities regulated under MTSA to analyze computer systems and networks for potential vulnerabilities within their required FSA and, if necessary, FSP.

DISCLAIMER. This guidance is not a substitute for applicable legal requirements, nor is it itself a rule. It is not intended to nor does it impose legally binding requirements on any party. It represents the Coast Guard’s current thinking on this topic and may assist industry, mariners, the general public, and the Coast Guard, as well as other federal and state regulators, in applying statutory and regulatory requirements.

Enc. 1 Cyber Security and MTSA:  33 CFR Parts 105 and 106.

The Coast Guard interprets (threats) to specifically include threats to computer systems and attacks in the electronic (cyber) domain.

In this draft document, the Coast Guard is laying out its interpretation of regulatory provisions in parts 105 and 106 as applicable to electronic and cybersecurity systems. This enclosure discusses the specific regulatory provisions that instruct owners/operators of a Maritime Transportation Security Act (MTSA) regulated facility to address cyber/computer system security in the Facility Security Assessment (FSA) and, if applicable, provide guidance within their FSPs to address any vulnerabilities identified in the Facility Security Assessment (FSA). This document intends to assist the owner/operator in identifying cyber systems that are related to MTSA regulatory functions, or whose failure or exploitation could cause or contribute to a Transportation Security Incident. If there are electronic or cybersecurity-related vulnerabilities identified in an FSA, an owner/operator may choose to provide this information in a variety of formats, such as a stand-alone cyber annex to their FSP, or by incorporating cybersecurity procedures alongside the physical security measures of their FSP.

For facilities with strong cyber programs - In many cases, companies have established cybersecurity and risk management programs that provide for strong cyber defense. For those situations, the owner/operator may demonstrate that those policies meet or exceed the requirements of 33 CFR parts 105 and 106. Owners/operators that already employ a comprehensive cybersecurity plan for their organization, or who wish to apply a standard security program that incorporates cybersecurity to multiple facilities, may wish to submit a security plan under the Alternative Security Program, 33 CFR 101.120.

How detailed does the FSA or FSP need to be? Owners/operators do not need to indicate specific or technical controls, but should provide general documentation on how they are addressing their cyber risks.

Cyber components for 33 CFR:
Recommended Cyber Analysis as part of the FSA:  The NVIC gives information on how to provide the cyber component for 105.305 (d)(2)(v).

UnderRecommendation to Address Identified Cyber Vulnerabilities (as applicable)” the NVIC gives  general, recommended guidance on how to mitigate cyber vulnerabilities determined during the FSA by regulation/FSP section. I can see most facilities describing cyber measures for most of the sections, which will require FSP amendments. There is guidance here on what the Coast Guard wants to see in the FSP sections as relating to cyber. 

Enc. 2 Cyber Governance and Cyber Risk Management Program Implementation Guidance. The Coast Guard details how the NIST Cybersecurity Framework (CSF) can be implemented in the maritime environment. Sections 1 – 4 of this enclosure utilize the NIST CSF as the recommended foundation for development of a cyber risk management program. Facility owner/operators should consider these guidelines in conjunction with their own risk management policies to help ensure they account for cyber risks. The four sections of this enclosure are:
1.       Establishing Cyber Risk Management: Forming a Cyber Risk Management
       Team (CRMT), Defining Cyber Risk Management Policy, and Establishing a
       Cyber Risk Management Program
2.       Enterprise-Wide Inventory and Analysis
3.       Consequence Analysis, Vulnerability Analysis, and Prioritization
4.       Protect, Detect, Respond, and Recover.

These are the nuts and bolts of the cyber security measures, so to speak: how the USCG suggests that the NIST Framework can be translated over into the MTS. Each section is detailed and written in plain understandable English, unlike many cyber publications. Throughout these sections, where appropriate, the NVIC gives examples of suggested procedures to follow. There’s a lot of what-to-do and why-we-do-it. The 4.1 Protect Section is particularly rich with bulleted lists.

Appendix A contains tables and metrics - methods for measuring and scoring cyber vulnerability. Table 1 is a Consequence Evaluation Guide for vulnerability assessments, linking how bad it is to a number. Table 2 is a Consequence Score Action (document/consider/mitigate as relates to cyber, using the score from Table 1) matrix, for scoring scenarios for Facility Security Assessments. Table 3 is a Connective Vector Assessment and will assist operators in determining which systems perform or are related to these critical security and safety functions by examining the purposes and connections of each system. “Yes” responses from Table 3 are then evaluated using Table 4, the Cyber Infrastructure Vulnerability Assessment. Each system that receives a “no” in Table 4 should be evaluated through Table 5, the Vulnerability Severity Assessment, where it will receive a vulnerability score. Systems with the highest TOTAL score (at the bottom of Table 5) should be considered the most vulnerable.

Friday, June 2, 2017

New Information from MARAD About Maritime Security Communications with Industry

From the April meeting of the National Maritime Security Advisory Committee, new information from MARAD about maritime security communications with industry. Information about the new program can be found at

From this website: The U.S. Maritime Administration has established a new interagency approach to communicating with U.S. maritime industry stakeholders regarding identified maritime security threats. The new system, U.S. Maritime Advisory System, replaces Special Warnings to Mariners (previously generated by the U.S. Department of State’s Office of Transportation Policy), MARAD Advisories (previously generated by the Department of Transportation’s Maritime Administration), and global maritime security focused Marine Safety Information Bulletins (previously generated by the Department of Homeland Security’s U.S. Coast Guard), to more effectively and efficiently communicate with U.S. maritime industry stakeholders and U.S. mariners regarding identified threats in the maritime domain.

Two new instruments will be issued through the System, U.S. Maritime Alerts and U.S. Maritime Advisories. The U.S. Maritime Alert is a new tool that has been developed to expeditiously provide basic information (location, incident type, and date/time) on reported maritime security threats to U.S. maritime industry interests.  In some situations, a U.S. Maritime Alert may be issued to refute unsubstantiated claims. U.S. Maritime Alerts do not contain policy or recommendations for specific courses of action (this type of information is reserved for U.S. Maritime Advisories). A U.S. Maritime Advisory may follow the issuance of a U.S. Maritime Alert and is intended to provide more detailed information, when appropriate, through a “whole-of-government” response to an identified maritime threat.

 Both instruments will normally be transmitted by the National Geospatial-Intelligence Agency, will be emailed to U.S. maritime industry stakeholders, and will be posted to this web portal to inform mariners of identified maritime security threats. Vessel Masters, Company Security Officers, ship operators, U.S. mariners, maritime industry associations, U.S. maritime unions and professional associations, and U.S. mariner related non-governmental organizations are the intended recipients of these messages. Maritime industry stakeholders wishing to be added to the email distribution list for U.S. Maritime Alerts and U.S. Maritime Advisories should email their request to


Please note: This blog always quotes heavily from the sources identified in the opening paragraph. I acknowledge that I should probably be using quotation marks and block indentation. Readers should assume that text is from the source and not original with the blog author unless otherwise stated.

Tuesday, May 2, 2017

Draft NVIC on Cybersecurity Coming Soon

During the April 25-26 2017 meeting of the National Maritime Security Advisory Committee (NMSAC), the Committee was given a regulatory update by U.S. Coast Guard personnel. During this update, the Committee was advised that the draft Navigation and Vessel Inspection Circular (NVIC) on cybersecurity would soon be published. Below are some thoughts on this NVIC and what the Coast Guard has said about the need for a proactive approach to cybersecurity.

During the Maritime Cyber Security Standards Public Meeting on January 15, 2015, discussing the need for voluntary cyber standards, Rear Admiral Paul Thomas, Assistant Commandant for Prevention Policy, stated, “The Coast Guard just recently conducted a study about the cost burden to industry of all the regulations that we have published since 1973. We found that 88% of the entire cost burdens of all regulations, over all those years, were due to two regulations, OPA 90 and MTSA. Both of these regulations followed predictable disasters.  The lesson learned should be that we should not wait for an incident to occur that will make us move forward on reactive, more expensive, regulations; we need to be proactive in approaching this. We are here to have a discussion with industry so we can develop a standard together, one that works and is reasonable in terms of the cost benefit.  If we wait until an incident occurs, that opportunity goes away.” (as quoted in Cyber Risk Management, by LCDR Josh Rose & LT Josie Long,

In the Rose/Long AAPA presentation, there was a slide concerning the cybersecurity NVIC. Bullet points about this NVIC content include:
• How do we incorporate cyber into risk assessments?
•What tools are available for industry to use for risk assessments?
•MTS standard terms (definitions)
•What are examples of industrial control systems in the maritime environment (what is the scope of NVIC)?

I think one issue that may be addressed in the NVIC is the link between the NIST framework and the Facility Security Plan (FSP) – incorporation of cyber into facility security assessments; guidance for construction of a possible voluntary cyber annex or new FSP section that directly addresses the Framework elements of identify, protect, detect, respond, and recover; guidance for inspectors who encounter these new sections or annexes in annual compliance inspections or during incident post-review. (We'll see how well my crystal ball is functioning.)

This will be a draft NVIC, probably titled “For review and comment only. Not to be used as final guidance.” As a draft NVIC, it will probably be numbered 17-XX, rather than receiving two numbers as the terminal designation. In the Federal Register notice of its publication, there will probably be a section titled Public Participation and Request for Comments.  In this section, there will probably be sub-sections explaining how to submit comments ad how to view comments and documents. (Lots of probably’s!)

Monday, April 3, 2017

Coast Guard Maritime Commons Clarifies CDC and TWIC Reader Rule

There has been a lot of discussion about facilities who are not in Risk Group A but are concerned that they might be included because they “handle CDC” by truck or railcar away from the MTSA nexus. The TWIC reader final rule seems to indicate that these facilities will be included in the rule (p. 57681), although the rule also states that the facility may  “define its MTSA footprint in such a way as to exclude that area.” It is presumed that this would require a Facility Security Plan (FSP) amendment.

On March 31, 2017, on Coast Guard Maritime Commons, CG-FAC used the blog to push out important information to industry, clarifying the USCG stance on facilities that handle CDC. The blog states that facilities should look to an older Policy Advisory Council decision, 20-04, for guidance on who is and who is not subject to 33 CFR 105.295 and thus included in Risk Group A. I was using Chrome to access Maritime Commons and the link to Homeport was not successful. For other users who also have trouble linking to Homeport, the text of the PAC is included below in its entirety. Scenarios D and E refer directly to facilities who handle their CDC by modes other than maritime.

To get to this PAC on Homeport, go to  then MTSA>MTSA/ISPS Policy Advisory Council FAQs>20-04 Certain Dangerous Cargo Facilities.pdf

May 6, 2004
Certain Dangerous Cargo Facilities
Issue: What is a CDC facility?

Discussion: Certain Dangerous Cargoes (CDC’s) are defined in 33 CFR 160.204, and the
preamble to the Final Rule states that facilities that handle such CDC’s are considered CDC
Facilities. The Final Rule preamble also notes the Coast Guard disagrees “that 105.295 should only apply when CDC is actually present on a facility, because the measures required by the section must be taken in advance so that they can be implemented when CDC is present.” The Final Rule preamble does not define what the word handles means, and the purpose of this paper is to decide how to interpret this term.

Decision: In order for a facility to be classified as a CDC Facility, a vessel-to-facility
interface must occur, or be capable of occurring, and involve the transfer of CDC’s in bulk.
Facilities designated as CDC facilities would need to comply with the regulations contained in 33 CFR 105.295. A facility that is required to complete a Security Plan but that is not designated as a CDC Facility must develop security procedures for the safeguarding of the CDC while it is present on the facility. The following scenarios are examples of how this might be accomplished:

Scenario A: Facilities that receive vessels and engage in vessel-to-facility interfaces that
involves the transfer of bulk Certain Dangerous Cargoes from the vessels that they receive.

Scenario A Decision: Facilities would be designated as Certain Dangerous Cargo (CDC)
Facilities and would be required to comply with 33 CFR 105.295.

Scenario B: Facilities that receive vessels and engage in vessel-to-facility interfaces that
involves the transfer of packaged Certain Dangerous Cargoes from the vessels that they receive.

Scenario B Decision: Facilities would not be required to comply with 33 CFR 105.295. The
Facility Security Plan for these facilities must address the fact that they handle such cargoes and the provisions that the facilities have to secure such cargoes. Scenario C: Facilities that receive vessels that carry CDC’s in bulk but the transfer of CDC’s does not occur between the vessels and the facility.

Scenario C Decision: Facilities would not be required to comply with 33 CFR 105.295. Under 33 CFR 105. 245(b), prior to the arrival of a vessel to the facility, the Facility Security Officer and the Vessel Security Officer, or their designated representatives, would be required to coordinate security needs and agree upon the contents of a DoS. The vessel and facility representatives would then need to sign and implement this DoS. As part of the Security that the two agree upon, provisions should be implemented to safeguard the CDC onboard the vessel.

Scenario D: Facilities, already subject to 33 CFR Part 105, receiving Certain Dangerous
Cargoes from entities other than vessels, such as rail cars and tanker trucks.

Scenario D Decision: Facilities would not be required to comply with 33 CFR 105.295. The
Facility Security Plan for these facilities must address the fact that they handle such cargoes and the provisions that the facilities have to secure such cargoes. At a minimum, these facilities would need to designate the areas where CDC’s are present as restricted areas.

Scenario E: Facilities, already subject to 33 CFR Part 105, through which train cars travel
carrying CDC’s. These CDC’s are not received at the facility, but the train cars might be present for extended periods of time.

Scenario E Decision: Facilities would not be required to comply with 33 CFR 105.295. The
facility should be aware of the movement of such cargoes and have included this in their Facility Security Plans. At a minimum, the facility should incorporate the checking of railcars duringsecurity rounds on the facility.

Friday, March 31, 2017

Sen John Thune (R-S.D.) introduces S.763, the Surface Transportation and Maritime Security Act.

On March 30, 2017, Sen John Thune (R-S.D.) introduced S.763, the Surface Transportation and Maritime Security Act.  Sen. Thune is Chairman of the Senate Committee on Commerce, Science, and Transportation. He’s been in the Senate since 2005 and has served in powerful positions within that body. From Sen. Thune’s website, at
U.S. Sen. John Thune (R-S.D.), chairman of the Senate Committee on Science, Commerce, and Transportation, joined Sens. Bill Nelson (D-Fla.), Deb Fischer (R-Neb.), and Cory Booker (D-N.J.) in reintroducing S. 763, the Surface Transportation and Maritime Security Act. The legislation, which is substantially similar to the bill introduced late last Congress, would address deficiencies in the Transportation Security Administration’s (TSA) efforts to protect rail, transit, highway, and maritime passenger and freight transportation.

“To keep Americans safe, Congress must continually focus attention on areas of neglect and potential weakness to keep them from becoming targets for terrorism,” said Thune. “The Commerce Committee will soon vote on these important reforms for the TSA.”
The legislation would address concerns, raised by independent government watchdog agencies, that TSA is not adequately positioned to identify security risks across different modes of transportation or effectively support federal, state, local and private providers of transportation security. TSA has previously said in testimony to Congress that it uses only three percent of its budget on surface transportation security.

Highlights of the Surface Transportation and Maritime Security Act:

Enhances Risk-Based Security Planning
  • Requires the TSA administrator to conduct a risk analysis and implement a risk-based security model for surface transportation facilities.
  • Mandates risk-based budgeting for surface transportation security focusing resources on current threats with annual reviews of program effectiveness.

Canine Explosive Detection Teams for Surface Transportation
  • Authorizes as many as 70 additional canine teams to work in surface transportation security as soon as possible.
  • Requires a review of the number, location, and utilization of canine teams in surface transportation security to ensure effective use.
  • Following this review and the implementation of recommendations, TSA may then raise the total number of canine teams to 200 or higher as identified in TSA’s risk-based analysis. 
Increases Transparency
  • Mirroring the advisory committee for aviation established by the Aviation Security Stakeholder Participation Act of 2014, establishes a Surface Transportation Advisory Committee to provide stakeholders and the public with the opportunity to coordinate with the agency and comment on policy and pending regulations. 
  • Requires that TSA budget submissions clearly indicate which resources will be used for surface transportation security and which will be dedicated to aviation.
  • Directs TSA to regularly update Congress on the status of long overdue surface transportation rulemakings.

Enhances Passenger Rail Security
  • Authorizes the use of computerized vetting systems for passenger rail at the request of Amtrak police and the Amtrak Board of Directors.
  • Allows grant funding to be used to enhance passenger manifest data so that rail passengers can be identified in case of emergency.
From a quick read of the text of the bill, link from the Senator's website:
The vulnerability assessment off surface transportation modes required of the bill must evaluate  the vetting and security training of employees in maritime transportation and other individuals with access to sensitive or secure areas of transportation networks.
The  Commandant of  the  Coast Guard shall  coordinate  with  the Administrator (of the TSA) to  provide  input  and  other  information regarding  the vulnerabilities of  and  risks  to maritime facilities.  

(1)   In GENERAL - Not   later   than   180 days after  the  date  the  security  assessment  from subsection (a)  is  complete, the  Administrator  shall  use the  results  of  the assessment-
(A)  to develop  and  implement  a cross-cutting, risk-based  security strategy that      includes
(i) all surface transportation modes;
(ii)  to the  extent  the Transportation Security  Administration   provides support in maritime transportation security efforts, maritime  transportation;
(B)  coordinate with  the  Commandant   of the  Coast Guard-
(i)         to evaluate existing maritime transportation  security  programs, policies, and initiatives   for  consistency with  the risk-based  security strategy and, to the extent practicable, avoid any unnecessary duplication   of effort;
(ii)  to   ensure   there  are   no security gaps between  jurisdictional  authorities that a threat can exploit to  cause  harm;
(iii)  to determine  the  extent  to which    stakeholder   security programs, policies, and   initiatives  address  the  vulnerabilities and  risks to  maritime transportation systems, identified in subsection (a); and
(iv)  subject  to clauses  (ii)  and (iii), to mitigate each  vulnerability and       risk   to maritime transportation systems identified in subsection (a).

180 days after the date that the security assessment is completed, TSA shall submit to the appropriate Congressional committees a report that includes, among other items, any   recommended   changes  to the National  Infrastructure Protection  Plan, the  modal   annexes  to the NIPP, or  relevant surface  or  maritime transportation security  programs,   policies, or initiatives.

BUDGET TRANSPARENCY - ln submitting the annual  budget  of  the  United  States  Government under Section 1105  of title 81,  United States Code,  the President  shall clearly distinguish  the  resources requested for surface and maritime transportation  security from  the  resources requested for aviation security.

SURFACE TRANSPORTATION SECURITY ADVISORY COMMITTEE   - The   TSA Administrator shall establish  within  the TSA the Surface Transportation  Security Advisory  Committee.  Voting members to serve in a volunteer, non-paid  basis and consist of representatives from associations  representing the  modes of surface transportation;  labor organizations  representing the modes; groups representing  the  users of the modes, including asset manufacturers,  as appropriate;  relevant  law enforcement, first  responders, and security experts; and other   groups   as   the Administrator considers appropriate.

Friday, February 3, 2017

gCaptain Article Concerning the Impact of the President’s Order on Immigration and Travel on U.S. Shipping

 On Feb. 1, 2017, gCaptain printed a sobering article concerning the impact of the president’s order on immigration and travel on U.S. shipping, at  The entire content of the article is reprinted below, with permission.
FSOs who foresee an upcoming ban-related problem with mariners should immediately contact the local COTP for guidance.
“President Trump’s Executive Order on immigration and travel to the United States has immediate implications for ships calling at U.S. ports, particularly those ships with crew members hailing from any one of the seven countries whose citizens are banned under the order, P&I clubs are warning.
As the Executive Order bans entry into the US for citizens from Syria, Yemen, Sudan, Somalia, Iraq, Iran and Libya for the next 90 days, crewmembers aboard ships entering US waters who are citizens of these countries will be denied entry to the US during this time, says The Standard Club, a specialist marine and energy insurer. The club is telling its members to anticipate that shore leave will be denied for those crewmembers and that enhanced security of the ship, including the use of armed guards, may be ordered by local immigration officials while the ship is in a U.S. port.
At this time however, it is not believed that ships carrying crew from these countries will be denied entry into U.S. ports, The Standard Club said.
The UK P&I Club offered similar guidance to its members.
“For the next 90 days crewmembers from Syria, Yemen, Sudan, Somalia, Iraq, Iran and Libya, whether or not they hold visas, will be denied entry to the U.S.,” the UK P&I Club wrote in a alert to members. The club is warning members to avoid crew changes in the United States for those citizens of the seven countries targeted by the order.
Regarding medical emergencies, both the UK P&I Club and The Standard Club say if a crewmember from Syria, Yemen, Sudan, Somalia, Iraq, Iran and Libya requires emergency medical treatment while in the United, there is an exception under the order that MAY allow the crewmember to be removed from the ship for medical treatment.
The Executive Order says that the Departments of State and Homeland Security (CBP) may determine on a case by case basis to issue visas or other immigration benefits to nationals of countries for which visas and benefits are otherwise blocked. Therefore, government authorities may be able to use the exception to allow the crewmember to be treated in the U.S. if there is a true medical emergency.
At this time it is unclear how many ships and crew members may be impacted by the Executive Order.
Both the UK P&I Club and The Standard Club say they will continue to monitor the situation and update its members with any developments.

In addition to banning citizens from the seven countries for 90 days, the Executive Order also bars the entry of refugees from Syria indefinitely and stops admission of all refugees to the United States for the next four months, among other things.”

Friday, January 27, 2017

Final rule - Civil monetary penalties assessed by the USCG adjusted for inflation in today’s FR effective immediately for violations occurring after 11/02/2015

In the January 27, 2017 Federal Register, at, the Department of Homeland Security established the schedule of civil monetary penalties as adjusted for inflation. As explained in the Final Rule, in 2015 government agencies were required to “(1) Adjust the level of civil monetary penalties with an initial ‘‘catch-up’’ adjustment through issuance of an Interim Final Rule (IFR) and (2) make subsequent annual adjustments for inflation”. This final rule reflects this adjustment, is effective immediately, and applies to violations that occurred after November 2, 2015.

The Coast Guard has a lengthy list of civil violation costs; port security appears near the end of this list on p. 8577. Amending 46 U.S.C. 70119 (cited in 33 CFR 101.415, Penalties) the new penalty for a port security violation is $33,333. The penalty for a continuing violation is $59,893.

Wednesday, January 18, 2017

On 01/17/2017, the U.S. Coast Guard Maritime Commons site advised that the Coast Guard had recently published CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security, which outlines the criteria and process for suspicious activity (SA) and breach of security (BoS) reporting.

The document can be found at Homeport >Maritime Security > Policy. The purpose of the policy document, dated 12/14/2016, is to promulgate policy for use by MTSA-regulated vessels and facilities outlining the criteria and process for suspicious activity and breach of security reporting. Because plausible terrorist attack scenarios include combined cyber and physical incidents, vessel and facility operators should consider this possibility when evaluating a cyber incident, including the possibility that a cyber incident is a precursor to a physical attack. As a security measure, The Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible, eliminate cyber connections between the business/administrative systems and the operational, industrial control and security systems. The USCG handles all reports of security incidents as SSI.

What is really new in this policy document is:
1.  Inclusion of cyber incidents into BoS and SA;
2. An expanded definition of SA;
3. Permission to report cyber incidents to the National Cybersecurity and Communications Integration Center under certain conditions

The document then proceeds to describe U.S. Coast Guard requirements for reporting BoS and SA for both physical and network or computer-related events. The inclusion of cyber here is new and helpful. Industry has been reporting physical BoS and SA since 2004 but cyber is much newer and many FSOs are less certain when to report.

Breaches of security include:
a)            “Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS;
b)           Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions; and/or
c)            Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions.
Note that routine spam, phishing attempts, and other nuisance events that do not breach a system’s defenses are NOT BoS.  Furthermore, breaches of telecommunications equipment, computer, and networked systems that clearly target business or administrative systems unrelated to safe and secure maritime operations are outside the U.S. Coast Guard’s jurisdiction and need not be reported to the U.S. Coast Guard.

Suspicious Activity includes:

A.         Suspicious Activity
i.             Reference (c) defines SA as “observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.”
ii.           Computer-related suspicious activity presents additional vulnerabilities, and companies should be able to distinguish untargeted cyber incidents from targeted incidents on vessel or waterfront facility computer related systems. Untargeted cyber incidents are part of the normal information technology landscape and commonly include “phishing” or persistent scanning of networks, and these are not considered SA or BoS.
iii.         In contrast, targeted incidents may be large, sustained attacks on important cyber systems in an apparent attempt to exploit them for nefarious purposes. Spear phishing campaigns, a marked increase in network scanning, or other attacks may be considered SA if the volume, persistence, or sophistication of the attacks is out of the ordinary.
iv.         Unsuccessful but apparently targeted incidents may be SA if they threaten systems that could contribute to a TSI, have a link to the MTS portion of the facility or are otherwise related to systems, personnel, and procedures addressed by security plans or MTSA requirements.
v.           SA may include, but is not limited to, any of the following:
a)            Unfamiliar persons in areas that are restricted to regular employees;
b)           Unusual behavioral patterns, such as:

(1)         Not responding to verbal interaction;
(2)         Walking slowly in a deliberate fashion towards a potential target;
(3)         Inappropriately dressed (e.g., wearing excessive clothing as to conceal something, or looking out of place);
(4)         Excessive nervousness or “doomsday” talk;
(5)         Excessive questions;
(6)         Lack of photo identification;
(7)         Agitation or rage;
(8)         Picture taking, especially if the suspect has been asked earlier not to take photos;
(9)         Note taking or drawing;
(10)      Taking measurements; and/or
(11)      Attempting to access unauthorized areas.
c)            Potentially dangerous devices found by screeners prior to loading persons or cargo or items found on or near the facility that seem out of place.
d)           Vehicles parked or standing for excessive amounts of time near the facility perimeter;
e)            Unmanned Aircraft System (UAS) activity, including but not limited to:
(1)         Reconnaissance and surveillance activities, indicated by repeated activities at a particular place and time (e.g., fly-overs, hovering at low altitudes, and prolonged time on station); and/or
(2)         Testing of facility security protocols using UAS, indicated by flying by a target, moving into sensitive areas, and observing the reaction of security personnel (e.g., the time it takes to respond to an incident or the routes taken to a specific location).
f)            Unauthorized personnel accessing IT spaces linked to security plan functions.
g)           Unsuccessful attempts to access telecommunication, computer, and network systems linked to security plan functions.
vi.         The Coast Guard recognizes that the cyber domain includes countless malicious but low-level events that are normally addressed via standard anti-virus programs and similar protocols. Operators should only report events that are out of the ordinary in terms of sophistication, volume, or other factors which, from the operator’s perspective, raise suspicions.

Cyber incidents may be reported to the National Cybersecurity and Communications Integration Center. It is imperative that the reporting party inform the NCCIC that they are a Coast Guard regulated entity in order to satisfy the reporting requirements of 33 CFR part 101.305. The NCCIC will forward the report electronically to the NRC, who will notify the appropriate COTP. Reporting cyber incidents in this manner, including notifying the NCCIC that the reporting source is regulated by the Coast Guard, meets Coast Guard regulatory requirements. Note that this is applicable for only a cyber incident; if there are other factors involved, such as pollution or a physical breach of security, operators must report the incident directly to the NRC.

The policy document then discusses other Critical Infrastructure and Cyber Incident resources, including ICS-CERT, InfraGard, National Suspicious Activity Reporting (SAR) Initiative, and the local AMSC.