Port Digitization and Maritime Security Accreditation Program
Back in March of 2017, the NMLEA had released a White Paper titled A SMARTER Approach to Maritime Security, and in it, we spoke about how we can look at the Maritime Transportation System (MTS) with all its parts, (the ports with all of the complexities and nuances, the public safety professionals protecting that domain and its 30 million workers, and the private sector trying to manage its functions and services) and explore how we can work together to solve some of the problems we face by providing “Security Solutions through the Maritime [Accreditation] Alliance for Research, Technology, Training, Exercises, Education, Equipment and Resources,” otherwise known as a “SMARTER” Approach.
In a new White Paper released in January of 2022, we introduce an actual application of that SMARTER Approach to Maritime Security. It will show you how we can come together, and implement a program that will Increase the Readiness and Resiliency of our ports and maritime infrastructure through the creation of a National Digital Library, Enhance our Security Capabilities while dramatically Reducing the Costs of security regulatory compliance-related expenses (Vulnerability Assessments, Training, Exercises, and Cybersecurity Maturity,) You can download the White Paper by clicking the button/link below.
MARSEC Accreditation and Digitization:
Program Goals and Objectives
With the areas where we can get “SMARTER” identified in the first section of the White Paper referred to above, and with the questions raised after each discussion within the paper – we've laid out a pathway towards a solution. From discussions with a multitude of maritime stakeholders, and input from recognized subject matter experts, we have developed a solution package and plotted a course. Here are the program’s Goals and Objectives.
Program Goal: Take the Nation’s port security community into the digital age, by facilitating steps that can effortlessly, effectively, and efficiently enable that transformation, with clearly defined cost-savings and operational benefits, while establishing a National Standard for Maritime Security.
Program Mission: Establish a Maritime Security Accreditation and Digitization Program (MARSEC ADaPt) for U.S. Ports, hosted by the National Maritime Law Enforcement Academy and powered by “best in class” security software, in partnership with the maritime domain’s leading organizations – and one that is recognized by the USCG, and establishes/demonstrates that accreditees have met a pre-requisite standard for Maritime Security Vulnerability Assessments, Training, Exercises, and Cybersecurity Maturity.
Create a Digital Twin for every U.S. Port.
Provide the U.S. Coast Guard a National Digital Library of maritime critical infrastructure.
Decrease the costs to ports for Vulnerability Assessments and provide continuous improvement through a 24/7/365 active “machine learning” tool – integrated with a port’s “Digital Twin.”
Ensure that the tools are validated and recognized by agencies like DOD, DOE, and DHS.
Decrease the costs of training and exercises, through industry-recognized software – integrated with a port’s “Digital Twin,” and allowing for accessible, affordable, adaptable, and accredited readiness and preparedness.
Provide a cybersecurity evaluation and measurement of maturity tool that is easy to implement, affordable, and allows port entities, their managers, and their leadership an easily and readily available “living” dashboard with quick access to improvement recommendations.
Provide access to regionally positioned port security specialists, and subject matter experts, so that “on the ground” knowledge, expertise, and experience can be provided quickly and easily.
Be able to share, collect and analyze cyber threat data on a national level, that can improve the security of each port.
Be able to demonstrate to participants in this program, first-year return on investment, and long-term, sustainable benefits.
Set the National Standards in each aspect of a port's DOMAIN for Maritime Security, and recognize those that meet them through Accreditation.
These are the parts of the Maritime Security Accreditation and Digitization Program, that make it an essential, foundational, and maturation step for every maritime stakeholder and port partner. What is underlined are the parts of the elements that are required in the execution of this Program.
1. A Digital Twin: The first element of the program will provide organizations with a “digital twin” of their port and facilities. This will be a digital representation, or ‘twin’, of the physical components and systems, taking all the components of the physical entity – such as a port complex or terminal – and creating a 3D virtual map representation of the port, allowing interface and providing organized datasets for the user, that in turn can be used in the following components of the program.
The ARES Security Digital Twin transforms unstructured data into a smart, digital asset
that is used to visualize, design, build, test, manage, and secure maritime critical
infrastructure. The ARES Digital Twin then creates substantial and sustainable
business value by facilitating safe, secure, and efficient security lifecycle operations
through digital innovation and automation.
Used as an operational tool, it can also be used as a vulnerability assessment
tool, an exercise tool, and a training tool (see elements below), a Digital Twin
will provide ports with a critical component that will directly impact preparedness,
readiness, responsiveness, and resiliency.
2. Digital Twin Library: The second element of this program is to create a digital library of all the Nation’s maritime critical infrastructure and provide access to the U.S. Coast Guard in order to better prepare for, respond to, manage the actions and mitigate the outcomes surrounding a significant port security event. This will be critical in our National Security, given the rising threats, both natural and man-made, and it will enable the Coast Guard to maximize the impact of the elements listed in the following paragraphs.
3. Vulnerability Assessment Software: Building off the Digital Twin component of the program, this element will provide ports with an intuitive user interface quickly create realistic 3D models of a facility that include interior and exterior features or structures, access points and entrances, natural features, and the placement of both active and passive barriers and detection tools. Once a site is modeled, the solution shall use Monte Carlo simulations in order to evaluate the comprehensive security design. An exclusive pathing algorithm will be utilized to determine the various pathways of adversaries, responders, and even natural hazards.
These assessments shall provide an organization with a complete understanding of their facility’s security and response to address vulnerabilities and optimize their configuration for both effectiveness and costs. The parameters must be easily changed within the model to address a wide range of security system configurations, threats and targets. Once the vulnerabilities and pathways have been identified and analyzed, users must be able to change and test new modeled sensors, systems, and procedures to improve their facility’s posture and thoroughly understand your return on investment. This quantitative approach shall provide a cost-effective means to continually assess risks and optimize a maritime partner’s security effectiveness against their budget.
AVERT Security Design and Assessment Solutions was chosen to execute this element of the Program. Developed by ARES Security Corp, AVERT will provide unique modeling and simulation software that visualizes and quantifies the performance of security and response configurations. The results provide clients with a detailed understanding of their comprehensive security and response configuration's effectiveness. Whether performing a cost-benefit analysis on security systems or a comprehensive vulnerability analysis, the AVERT solutions have saved clients millions of dollars while increasing their effectiveness.
AVERT software has been accredited by the Department of Defense and the Department of Energy, certified by the Department of Homeland Security, and published as a “Best Practice” by the World Institute of Nuclear Security.
4. Virtual Exercise Software: The Virtual Tabletop element of this Program will be able to mimic real-time scenarios and asset tracking for training purposes. Using the Virtual Tabletop, users must be able to run and control detailed simulations while commanding a virtual blue force against adversaries and see the real-time impacts of their decisions through a common operating picture. As a simulation runs, force commanders will be provided with limited information in which they must make decisions and position their forces based on adversary advances. The commander's decisions will update the agents and objectives within the simulation which in turn will change the simulations’ outcome. Users must be able to select specific scenarios that are relevant to their facility and study the direct effects of each decision or an entire response.
Because of its DHS “SAFETY Act Certified” Software, the capability of AVERT Virtual Tabletop Physical Security software was chosen to run simulations on the various threats facing an organization. Upon discovering a facility's weaknesses and most likely attack avenues, executives will be able to host training exercises within those specific simulations. With the capability to simulate anything from terrorists and cyber-attacks to natural disasters, the Virtual Tabletop shall have a direct impact on a staff’s preparedness, readiness, and responsiveness.
5. Training Software & Learning Management System: This element of the program will allow operators and their security forces to perform realistic training scenarios on a regular basis and stay prepared for any situation, using the Digital Twin and tools/elements described in the preceding paragraphs. Additionally, any training for any personnel working in the maritime domain will be integrated into online/virtual and instructor-led training tools, that can dramatically lower the cost of training, ease the scheduling of training, and allow all training to be readily and easily accessed.
PortTraining, operated by the NMLEA, began as the nation's only comprehensive
seaport security curriculum with flexible delivery options and its online training
management system was developed with Department of Homeland Security
funding in 2005 and direct oversight by the US Coast Guard, the US Maritime
Administration, and FEMA. A team of 72 Florida State University instructional designers and staff developed this single-point training solution for ports, terminal operators, and first responder agencies. An active Industry Advisory Group guided every phase of work with the goal of creating a whole-system approach that "meets regulatory requirements...while recognizing seaports' central purpose of commerce." Today, PortTraining is a resource for ports all across the country, providing an accessible, adaptable, and affordable means to meet the MTSA requirements – and much more.
aLEX is an NMLEA sponsored and developed product that provides a solution to an industry confronted with increased challenges to time, budgets, and an evolving workforce that public safety agencies are facing all across the country (see the White Paper: Navigating the Changing Seascape ofMaritime Public Safety).
The Academy has used its knowledge, relationships, resources, adult learning
expertise, and technology partnerships to provide a mobile, easily accessible,
and affordable solution for every officer, department, and maritime stakeholder.
Put simply, aLEX provides a complete Learning Management System
at no cost to its users and partners.
6. Cybersecurity Maturity Model Software: Because cyber risk is a persistent, ever-evolving danger to port and maritime operators, effective cyber risk management cannot be achieved through an annual checklist-based approach. Therefore, this element of the program will provide a maturity-model methodology that will help an organization align with established best practices, nationally recognized standards, federal and international guidelines.
To successfully address the complexities of today’s cyber threat environment, it is recognized that effective cyber risk management requires both persistent engagement and a multi-disciplined approach. Managing cyber risk is not just the responsibility of the IT department. And therefore, this element of the program must facilitate a shared obligation of all the key stakeholders and include them in the maturity assessment process - security, operations, health and safety, administration, finance, accounting, incident response, training, legal, communications, and procurement.
PortLogix, developed by HudsonCyber and recognized by Lloyd’s as a Digital Innovation Winner, was selected to provide an organizational “starting point” for assessing cybersecurity. PortLogix is not a scanning tool, monitoring application, or form of network defense. It is a cloud-based application that brings together stakeholders from across the organization to stimulate in-person (or virtual) cross-functional collaboration, promote awareness, and enhance communication and information sharing. It facilitates self-assessments that baseline, target, measure, and support cybersecurity capability growth and cybersecurity resilience over time.
PortLogix is based on a maturity-model methodology that helps an organization align with the below standards, best practices, and guidelines:
U.S. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (V1.1) (commonly referred to as the “NIST CSF”);
NIST Special Publication 800-82 (Rev. 2) Guide to Industrial Control Systems Security;
U.S. Department of Homeland Security Cybersecurity Capability Maturity Model (C2M2);
Center for Internet Security Critical Security Controls for Effective Cyber Defense (V7);
U.S. Coast Guard Navigation and Inspection Circular No. 01-20: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Regulated Facilities (2020);
The IMO’s Guidelines on Maritime Cyber Risk Management (MSC-FAL. 1/Circ. 3 (2017);
ISO/IEC 27001:2013 RE: Information Security Management Systems – Requirements;
European Union Agency for Cybersecurity (ENISA) Cyber Risk Management for Ports: Guidelines for Cybersecurity in the Maritime Sector (December 2020); and,
U.S. Customs and Border Protection Customs-Trade Partnership Against Terrorism (CTPAT) Minimum Security Criteria: Cybersecurity
7. Deployed Port Security SME’s Throughout the Country: The last element, but just as important, is to provide ports with the availability and access to recognized security professionals to provide consultation, training, component facilitation, grant writing, and more. Because the dynamic post-pandemic workforce challenges are affecting every organization, port participants will have access to knowledgeable, experienced, and skilled trusted partners located throughout the country. Participants in this program will be able to reach out at any time, to people serving over 100 ports – and get what they need, when they need, from trusted partners.
Accreditation and Digitization Overview:
It's About “ADaPting”
The maritime industry continues to face challenges such as chronic labor shortages, rapid digitalization, evolving physical and cybersecurity threats, and accelerating climate change. To address these challenges, the National Maritime Law Enforcement Academy (NMLEA) has launched a Maritime Security Accreditation and Digitization Program (MARSEC ADaPt) to deliver material benefits across the entire maritime industry through the establishment of a baseline, pre-requisite standard integrating asset digitalization capabilities with maritime security vulnerability assessments, training, exercises, and cybersecurity. More specifically, accreditation will be focused on enhancing maritime security readiness and resiliency through formalized U.S. Coast Guard recognition and the creation of a National Digital Library of Maritime Critical Infrastructure. Ports will benefit through a reduction in annual costs associated with ongoing Maritime Transportation Security Act (MTSA) regulatory compliance. Through the NMLEA MARSEC ADaPt program, ports will be able to implement a nationally-recognized baseline standard for maritime security – a standard that has not previously been established.
In founding MARSEC ADaPt, the NMLEA has assembled a world-class team of industry experts, who will support the implementation of the Accreditation Program. Members of our maritime accreditation team are respected leaders from academia, government, and industry.
The MARSEC ADaPt program is founded on the core capabilities of three key organizations: the NMLEA, ARES Security, and HudsonCyber. The NMLEA is the lead organization and the accrediting body. Established in 2000, the NMLEA fills a critical capabilities gap that continues to impact law enforcement, emergency response, port security, and maritime defense operations throughout the United States. The NMLEA provides industry thought leadership, education, and training for professionals who patrol, protect and preserve our maritime domain.
The NMLEA selected ARES Security to “power” the accreditation initiative by digitizing maritime critical infrastructure (Digital Twins) and offering software utilizing digital data to continuously optimize security, risk management, vulnerability analysis, and security training functions. Numerous U.S. ports have invested in and continue to rely on ARES Security’s digital solutions, to optimize critical security functions.
The NMLEA also selected HudsonCyber to drive cybersecurity resilience through its PortLogix platform. PortLogix is a practical, cost-efficient cyber risk management solution that was purpose-built to serve the maritime industry. Framed by leading international cybersecurity guidelines, including the U.S. Department of Homeland Security Cybersecurity Capability Maturity Model, and the Cybersecurity Guidelines for Ports and Port Facilities, published by the International Association of Ports and Harbors, PortLogix delivers value by significantly enhancing cybersecurity readiness through a continuous improvement process.
The MARSEC Accreditation and Digitization Process (ADaPt)
The Maritime Security Accreditation and Digitization Process involves an examination of People, Processes, Platforms, and Performance (the “4 P’s” of Public Safety, talked about in an NMLEA White Paper: Navigating the Changing Seascape of Maritime Public Safety), and through the utilization of tools recognized nationally for their capabilities and application, the Accreditation team assesses a port entity’s DOMAIN. The questions asked and evaluated within each part of the DOMAIN are outlined here:
DIGITIZATION: Does the port have a Digital Twin, a virtual representation of the physical site and facilities (critical infrastructure) that are being protected? Has that Digital Twin been shared with the USCG? How is the Digital Twin being used?
OPTIMIZATION: Leveraging that digitization, does the port have a means of conducting continuous vulnerability assessments (vs. done just once every five years) using machine learning technologies recognized by the Department of Defense, Department of Energy, and the Department of Homeland Security?
MATURITY: Does the port have a means of looking at its cybersecurity posture, and assessing its maturity in the areas of risk management through a multi-discipline, consistent engagement, (vs. an annual checklist-based approach) that aligns with established best practices, nationally recognized standards, and federal/international guidelines for cybersecurity? Does their cybersecurity risk assessment stimulate in-person (or virtual) cross-functional collaboration, promote awareness, and enhance communication and information sharing? Does their process facilitate, encourage, and foster self-assessments that baseline, target, measure, and support cybersecurity capability growth and cybersecurity resilience over time?
ACADEMIC ADVANCEMENT: How is the port advancing its workforce? What training tools are in place and utilized to not only ensure regulatory compliance, but to also expand the knowledge, skills, and attitudes of its employees? How are records of training kept (Learning Management System)? Is the training accessible, affordable, adaptable in this new mobile environment? Are continuing education opportunities available and promoted? Is the training program linked to a national institution?
INTERCONNECTIVITY, INTELLIGENCE, AND INFORMATION SHARING: Who is the port connected with? Is threat intelligence information being shared to and from federal, state, and local entities? Is any information that diminishes the resiliency of port operations being shared, and with whom? Is there a predicative and anticipatory variety of information sharing to include cyber, strategic competition, environmental (weather, pollution, disease/pandemic, critical infrastructure conditions, etc.), and other critical data sets that can directly impact a port's safety and security?
NAVIGATION: The last part of the DOMAIN, how does the port enterprise respond to incidents, events? What are the procedures, and processes? How well do they do it, as evidenced in actual events or in exercises? More importantly, how do they ensure continuous improvement? How resilient are they?
By investing in this process, a port will “ADaPt” and establish itself as a leader in port digitalization. The ADaPt process, including the Digital Twin and state-of-the-market decision support tools, training resources, and access to national leaders in port security will optimize essential risk management activities, streamline regulatory compliance security functions (such as vulnerability assessments, training, exercises, and cybersecurity compliance,) and put the power of digitization to work. Accrediting a port will announce to all that this is a “Maritime Security ADaPting SMART Port.”
Why you should become MARSEC Accredited:
Deliverables and Value
Although some ports may have many of the DOMAIN elements already in place and can go right to the Accreditation phase, many ports many do not have all the ingredients. This portion of the proposal outlines how we can assist any port to “ADaPt,” with “best-in-class” tools and processes in order to achieve that Accreditation status. The following section breaks down each DOMAIN element and outlines the deliverable for each part of the process.
For a complete breakdown of each deliverable and the associated benefits, click on the button below.
A Maritime Security Alliance for Accreditation
The following assembly of partners in this endeavor were chosen because they are each already recognized in their respective areas as “Best in Class, or as “Best Practices”.
The National Maritime Law Enforcement Academy (NMLEA): Following a vision and the leadership of Admiral Siler, a former U.S. Coast Guard Commandant, the National Maritime Law Enforcement Academy (NMLEA) was established in 2000 to fill a capabilities gap that continues to effect law enforcement, emergency response, port security and defense operations on the water across America and internationally. The NMLEA provides education and training for professionals who patrol, protect and preserve our maritime domain. As an extension of an agency's training staff, the NMLEA provides nationally recognized training and exercise programs, assisting agencies and departments of all sizes to improve tactical and response operations within an agency, with coordination among partners at times of catastrophic events exercising the National Incident Management System (NIMS).
ARES Security Corporation: Since 1999 when the company began developing the AVERT risk assessment solution as ARES Corporation with the support of the US Department of Defense, the mission has been to provide solutions that safeguard a diverse client base’s critical assets from the World’s dynamic threat environment. On October 1, 2012, ARES Security Corporation was officially established as a stand-alone company to invest in future technologies and continue delivering the AVERT solutions to a growing list of government and commercial clients. With extensive expertise in developing advanced solutions, ARES has delivered multiple complex solutions in various regions, states, and countries. The AVERT family of products are currently being utilized in 67% of the North American nuclear reactors, U.S Air Force Bases, public safety departments, education, transit agencies, and a third of the top-tier seaports.
HudsonCyber: Combining decades of knowledge and expertise with best-in-class capabilities and technologies, HudsonCyber designs and delivers practical and sustainable cyber security and cyber risk management solutions to clients around the world, supporting the global maritime transportation industry, spanning ports, terminal operators, commercial shipping, oil/gas companies (both national and commercial), flag states, insurance companies, and national and regional government bodies.
Moran Shipping - Office of Maritime & Port Security (MOMPS): For over 75 Years MOMPS has provided services, technology, equipment, manpower and consulting to the maritime industry -representing niche organizations, governmental agencies, ship owners, operators, charterers, cargo facilities, seafarers, ferry operators, and virtually all sectors within the maritime realm in the US and globally. MOMPS provides a real time, boots on the ground perspective unmatched by any other in the security realm. With 20 locations directly servicing over 100 U.S. ports with remote offices and staff, the MOMPS team can work globally on assignments and projects anywhere in the world. MOMPS is the only organization dedicated exclusively to maritime and capable of providing security in all 361 U.S. ports and around the world.
The National Maritime Intelligence - Integration Office (NMIO): The terrorist attacks of 9/11 prompted changes in U.S. Intelligence Community business practices. Integrating intelligence for improved Maritime Domain Awareness (MDA) was deemed vital. NMIO is an office under the Director of National Intelligence (DNI), administered by the Navy, and responsible for ensuring that the intelligence and information that matters to the Global Maritime Community of Interest (GMCOI) is getting to those who need it. NMIO exists to prevent gaps & seams in the maritime domain. Partnership is NMIO’s cornerstone, as they serve at the nexus of the Global Maritime Community of Interest to champion key initiatives that support and enhance maritime intelligence needs. NMIO integrates maritime intelligence, improves information sharing, and fosters domain awareness to protect the United States, its allies, and partners against threats to, from, and in the global maritime domain.
The Stephenson Technologies Corporation: Part of Louisiana State University, STC was founded in 2015 as a non-profit, federal compliant contractor focused on providing solutions to the Department of Defense (DoD), Department of Homeland Security (DHS), Intelligence Community (IC), and other federal markets. The tools and technologies they have develop have far-reaching applications across all aspects of U.S. critical infrastructure. Currently working with the USCG and Naval Research Laboratory, STC is playing a critical part in the collection of threat data, its analysis, and sharing of information with the entire Maritime Transportation System.
The University of South Florida, Center for Maritime and Port Studies (CMPS): The mission of the CMPS is to address the needs of the coastal community stakeholders: (1) providing on-line education, training, and continuing professional development for careers in the maritime transportation industry; (2) conducting research on security, sustainability, and resilience of the maritime transportation system and related activities; and (3) providing rigorous, independent testing and evaluation of maritime security and environmental monitoring technologies. These capabilities will be developed from CMPS’s extensive experience in these areas, including a 20-year-plus collaboration with the local port and maritime transportation community, its work with the National Oceanic and Atmospheric Administration (NOAA) Office of Coastal Management (OCM) on their Port Tomorrow Resilience Planning Tool, and its 15-year experience leading the Alliance for Coastal Technologies.