10 DECEMBER 2017 • FOGHORN
FOGHORN FOCUS: SECURITY/VESSEL REVIEW

Suspicious Activity and Breach of Security Reporting for MTSA-regulated Vessels and Facilities

By LT Angela Alonso, Office of Port and Facility Compliance, U.S. Coast Guard

On December 14, 2016, the U.S. Coast Guard published CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security. In accordance with parts 104, 105 or 106 of Title 33, Code of Federal Regulations, Subchapter H, an owner or operator of a vessel or facility that is required to maintain an approved security plan shall report activities that may result in a transportation security incident to the National Response Center, including security activity and breach of security, without delay. This policy letter is applicable to Passenger Vessel Association owners and operators who have implemented the PVA Alternative Security Program (ASP). This policy letter also covers the reporting requirements of 33 CFR 101.305 and guidance on reporting cybersecurity-related events to the Department of Homeland Security (DHS) National Cyber Security and Communications Integration Center (NCCIC).

Suspicious Activity

The DHS Information Sharing Environment for Suspicious Activity Reporting Initiative (ISE-FS-200) defines suspicious activity as, “Observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” Suspicious activity can be difficult to identify and in some cases very subjective. While it is impossible to cover all scenarios, as defined in Policy Letter 08-16, suspicious activity incidents may include, but are not limited to, the following:

• Unfamiliar persons in areas that are restricted to regular employees;
• Unfamiliar behavioral patterns (i.e., not responding to verbal interaction, inappropriately dressed, excessive questions, picture/note taking, nervousness, agitation, or rage, attempting to access unauthorized areas);
• Potentially dangerous devices found by screeners that seem out of place;
• Vehicles parked or standing near the facility perimeter for excessive amounts of time;
• Unmanned Aircraft System activity (i.e., reconnaissance/surveillance into sensitive areas);
• Unauthorized personnel accessing information technology (IT) spaces linked to security plan functions; and
• Unsuccessful attempts to access telecommunication, computer, and network systems linked to security plan functions.

Breach of Security

The Code of Federal Regulations defines breach of security as, “An incident that has not resulted in a Transportation Security Incident but in which security measures have been circumvented, eluded, or violated.” This definition also includes breach of telecommunications equipment, computer, and networked system security measures wherein these systems conduct or support functions described in vessel or facility security plans or wherein successful exploitation of these systems could result in or contribute to a transportation security incident. Breach of security incidents may include, but are not limited to, the following:

• Unauthorized access to regulated areas,
• Unauthorized circumvention of security measures,
• Acts of piracy and/or armed robbery against ships,
• Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions,
• Successful phishing attempts or malicious insider activity that allows unauthorized administration access to security, industrial control systems, or other IT systems that are linked to the marine transportation system (MTS), and
• Instances of viruses, worms, denial of service or other malicious software that impact mission critical servers linked to security plan functions.

Due to the increasing reliance on telecommunications equipment, computers, and networked systems for controlling physical operations, a growing portion of many security risks has a network or computer nexus. These IT systems have the potential to impact the security of the MTSA-regulated facility and may require the maritime industry to mitigate cyber security vulnerabilities.

Coast Guard Captains of the Port (COTP), Area Maritime Security Committees (AMSC), and the owners/operators of vessels and facilities regulated under MTSA should use this policy letter when evaluating suspicious activities and breach of security incidents. PVA owners and operators should report suspicious activity and breach of security to the National Response Center (NRC) at 1-800-424-8802, in accordance with 33 CFR 101.305, as well as to the local COTP. For cyber incidents that do not involve physical or pollution effects, reporting parties should call and report the incident to NCCIC at 1-888-282-0870 in lieu of the NRC, as the NCCIC may be able to provide technical assistance to the reporting party. Furthermore, reporting parties are encouraged to report suspicious UAS activity to America's Waterway Watch at 1-877-24-WATCH (1-877-249-2824).

For more details regarding suspicious activity and breach of security reporting, please see Policy Letter 08-16 by accessing the website https://Homeport.uscg.mil. Select the “Missions” tab, navigate to “Maritime Security,” and select the “Policy” link. This policy letter is titled: CG-5P Ltr No. 08-16, Reporting Suspicious Activity & Breach of Security.