Maritime Cyber Risks

Ship Specific Cyber Security Plan

Cybersecurity should be part of ship safety and security prevention. A cyber-attack could affect a ship’s security and be treated as an SSP violation. It is therefore worth revisiting the ISPS Code requirements and existing problems in the light of cybersecurity.

A ship-specific Cyber Security Plan should at least verify ISPS Code requirements as below:

1. What the ISPS Code Requires in General

The ISPS Code was introduced as a complement to the ISM Code but for security measures. The text was clear, with detailed information on what should be done for each requirement by a ship management company, port administration and crewmembers.

The format of the ISPS Code consists of Parts A and B as adopted by the Organisation. Initially, there was some misinterpretation, with many parties believing that only Part A should be compulsory. However, this argument failed as IMO clarified that Part B is mandatory as it contains essential instructions for compliance with Part A.

Cybersecurity Challenges:

However, the Code does not describe any cyber measures but implies electronic data protection.

2. What the ISPS Code Requires for Risk Assessment

A ship should demonstrate compliance with the ISPS Code by following precise procedures. Initially, a risk assessment should be carried out to identify the security threats of a ship. The risk assessment should consider issues such as ship construction, service speed, available lighting, workforce and security equipment such as metal detectors.

Cybersecurity Challenges:

A successful cyber-attack could affect several ship operations and cause security issues such as:

  • Loss of security information
  • Leak of security information, for example embarkation of armed guard
  • Leak of personal data
  • Jamming of SSAS, AIS or communication systems
  • Ship equipment maintenance including ECDIS, FBB, VSAT, crew welfare and USB devices
  • IT inspections
  • Vulnerability management
  • Email
  • Maintenance of software

3. What the ISPS Code Requires for Formal Procedures

The outcome of this assessment will be the revision of a ship-specific Ship Security Plan, SSP. The SSP should be reviewed and approved by a Recognised Security Organization, RSO, such as a class or the flag state of a ship.

The SSP shall address at least the following:

| ISPS Code Requirements | Cybersecurity Concerns |
|---|---|
| Measures designed to prevent weapons, dangerous substances and devices intended for use against persons, ships or ports and the carriage which is not authorised from being taken on board the ship | Leak of information |
| Identification of restricted areas and measures for the prevention of unauthorised access to them | Which equipment can be hacked? |
| Measures for the prevention of unauthorised access to the ship | Which equipment can be hacked? |
| Procedures for responding to security threats or breaches of security, including provisions for maintaining critical operations of the ship or ship/port interface | Electronic security of data, logs and records |
| Procedures for responding to any security instructions Contracting Governments may give at security level 3 | Leak of information |
| Procedures for evacuation in case of security threats or breaches of security | Denial of communication services |
| Duties of shipboard personnel assigned security responsibilities and of other shipboard personnel on security aspects | Cyber awareness and response |
| Procedures for auditing the security activities | Revised audit checklists |
| Procedures for training, drills and exercises associated with the SSP | Cyber awareness and response |
| Procedures for interfacing with port facility security activities | Leak of information; verification of communications |
| Procedures for the periodic review of the SSP and for updating the same | Revised audit checklists |
| Procedures for reporting security incidents | Leak of information |
| Identification of the SSO | Leak of information |
| Identification of the CSO, including the 24-hour contact | Leak of information |
| Procedures to ensure the inspection, testing, calibration and maintenance of any security equipment provided onboard, if any | Firewall, antivirus |
| Frequency for testing or calibration of any security equipment provided onboard, if any | Include antivirus and firewalls; maintenance and updates of all PC or electronic devices onboard |
| Identification of the locations where the ship security alert system activation points are provided | |
| Procedures, instructions and guidance on the use of the ship alert system, including testing, activation, deactivation and resetting, and limiting false alerts | |

Cybersecurity Challenges:

The above requirements could be met and stored electronically. However, the files are then vulnerable to cyber-attacks. A new Cyber manual may be an option for a transition period of 2021. It should include straightforward, compact procedures for ship and office, audit checklists, and an inventory of specific equipment used onboard. The structure of ISO 27001 could be used for gap analysis.

4. What the ISPS Code Requires for Security Officers

Initially, the Ship Security Officer, SSO, with specific qualifications and certifications should be responsible onboard a ship. Up to now, the SSO enforces security measures as per SSP. Evidence of the smooth security operation of a ship could be found in the approved records such as drills, familiarisation, gangway control, documents and keys control.

Cybersecurity Challenges:

The concept of cybersecurity is relatively new in the maritime industry. Some terms need to be reviewed. Nowadays, an SSO should also be aware of cyber threats, for instance a leak of the ship’s information about security equipment or the guards’ boarding schedule. Including cyber threats in the SSP is the responsibility of the Company Security Officer, CSO, and the DPA. The qualifications of the CSO and DPA need to be revised.

5. What the ISPS Code Requires for Security Levels

Another new concept that needs to be revised is the definition of Security Level, meaning the qualification of risk that a security incident will be attempted or will occur. Level 1 is a routine operation. Level 2 applies when appropriate additional protective security measures shall be maintained for some time because of a heightened risk of a security incident.

Cybersecurity Challenges:

These Security Level definitions should be revised to include cyber threats as well. In addition, the SSP should describe when a cyber incident could fall into this category.

6. What the ISPS Code Requires for Port Interface

The security level of a ship should be the same as the level of the port. Therefore, if the port has security level 2, the ship has to follow. The record for such a change of security level onboard will be the Declaration of Security, DOS. It is evidence of an agreement between a ship and port facility or another ship specifying the security measures each will implement.

Cybersecurity Challenges:

However, ports should verify communication through secure channels and cargo documents must not be lost because of a cyber-attack.

The flag state issues a list of ports where the ship should raise its security level to 2. However, the port authorities may refuse to complete the DOS. In that case, the SSO should make relevant entries in logbooks and maintain security level 2 after consultation with the CSO.

Finally, of course, there is the option for the SSO or Master to refuse cargo operation. In this case, the pressure on him from authorities and charterers will be enormous. It will be much harder for the crew to refuse operations because of cyber threats.

7. What the ISPS Code Requires for Ship-to-Ship Activity

Several operations involving the transfer of goods or persons from one ship to another are not carried out in a port facility. Such activities may include supply boats and bunker ships, which sometimes, because of their size, are not required to comply with the ISPS Code.

Cybersecurity Challenges:

An area of concern is the completion of a DOS with cyber requirements for a ship-to-ship activity.

8. What the ISPS Code Requires for Incident Handling

As per the ISPS Code, “Security Incident” means any suspicious act or circumstance threatening a ship’s security. Such an incident should be recorded and reported to the CSO and occasionally to the flag state.

The major challenge with incidents is that reporting them amounts to the ship admitting a failure of the SSP. As a result, the flag state may require external security audits in that case.

Cybersecurity Challenges:

A cyber-attack should fall in this category. The industry should be more active in developing guidance on how audits must be changed to include cyber threats.

For example, the crew may think that a minor incident should not be recorded in SSP forms. This practice makes the ship’s master, the SSO and CSO liable for hiding security information from authorities, which is a severe offence.

9. What the ISPS Code Requires for SSP Review

The effectiveness of SSP implementation is verified, as with the ISM Code, through internal and external shipboard audits. In addition, the ship will be certified with an International Ship Security Certificate, ISSC.

The ISPS Code requires reviews of the SSP and security risk assessment. Although there is no requirement for an interval regarding reviews, it is expected that it should not be excessive, for example over one year.

A critical problem with reviewing an SSP is that it should be approved by the RSO, which requires extra charges and more bureaucracy.

Cybersecurity Challenges:

When it comes to cyber evaluation, the crew may not be able to understand and identify risks.

10. What the ISPS Code Requires for Security Equipment

With the introduction of the ISPS Code, additional equipment was installed on ships: the Ship Security Alert System, SSAS, required by SOLAS XI-2/6, and the Automatic Identification System, AIS, required by SOLAS V/19.

The SSAS should be tested regularly; it initiates a distress message to the CSO and flag state. However, there have been cases where a ship transmitted an SSAS message in error. As a result, the authorities ordered the ship to deviate to the nearest port for inspection despite confirmation by the ship’s master and CSO that the message was transmitted accidentally.

With AIS, there is a significant concern regarding its operation in areas with high pirate activity. The purpose of AIS is to transmit information about a ship, such as speed, cargo and type, which could be helpful for pirates to decide if they can attack a ship. On the other hand, if the AIS is switched off in the case of an attack, it will be difficult for navy ships to find the ship. It falls, therefore, to the CSO and ship’s master to make the appropriate decision.

Cybersecurity Challenges:

AIS can easily be jammed in a cyber-attack. Also, AIS ship position information freely available on the web is a leak of sensitive information.

11. What the ISPS Code Requires for Ship High-Risk Areas

The implementation of the ISPS Code created some issues that are still under consideration. Initially, there were cases where security measures may be unsafe for a ship, such as locking of accommodation doors.

However, the Code does not require sealing or locking any space such as a restricted area that damages a ship or hides drugs or stowaways as defined in the SSP.

Cybersecurity Challenges:

These measures may be harder to revise for cybersecurity. For instance, Wi-Fi spots, routers, firewalls and ship antennas need special attention.

12. What the ISPS Code Requires for Access Restrictions of Ship High-Risk Areas

A preventive measure to stop an intruder from reaching a restricted area is patrolling by well-trained crewmembers. In case of a security breach, they will report to the SSO to initiate actions.

As per SOLAS, an entrance to the accommodation or engine room should permit passage both inward and outward for evacuation and rescue purposes. On the other hand, if areas such as stores with pollution prevention equipment or access to accommodation are not locked, the equipment will likely be stolen in some ports, which is also a security breach.

Cybersecurity Challenges:

Similarly, prohibiting the crew from using USB sticks for printing reports may cause delays and aggression at ports.

13. What the ISPS Code Requires for Training

Another issue is the small number of crewmembers working onboard ships. The flag state issues the Minimum Manning Certificate with the minimum number of people required onboard for safe navigation.

The certificate does not take security duties onboard into account. The IMO highlighted this issue, clarifying that a ship sailing with only the crew required by the Minimum Manning Certificate is very likely to have security issues.

Cybersecurity Challenges:

Seafarers need to be trained for cyber threats and follow procedures within 2021. However, no IMO module has been developed to include training standards for cyber threats.

E-training could be a solution: not mandatory, but a good practice implied through safety management systems. Training certification may be required, such as:

  • Diploma cybersecurity auditor for office staff
  • Crew awareness training schedule
  • Cybersecurity officer