HE01335 - Maritime cybersecurity using ISPS and ISM codes
In this article Alejandro Gómez Bermejo presents some ideas to incorporate maritime cybersecurity policies, procedures and controls in vessel operations using the ISPS and ISM Codes. Keywords: security, ISPS, ISM, cybersecurity
Currently neither the IMO nor the national authorities have regulated on incorporating cybersecurity controls in the maritime sector.
In this article I present some ideas to incorporate maritime cybersecurity policies, procedures and controls in vessel operations.
First, I make a brief description of the IMO security ISPS and safety ISM codes. Then, I indicate how cybersecurity could be incorporated using these codes.
ISPS code. Security of ships and port facilities.
The guidelines for preventing deliberate attacks on ships and port facilities is defined in the International Ship and Port Facility Security Code ISPS adopted by the IMO International Maritime Organization in 2002.
The ISPS code applies to ships engaged on international voyages including passenger ships and cargo ships over 500 gross tonnage. The code does not does not apply to naval ships or Government ships used on non-commercial service.
The ISPS code comprises a first part (A) of mandatory provisions and a second part (B) of optional provisions at the discretion of national authorities.
The ISPS has been enforced in the European Union by EC regulation 725/2004 confirming as compulsory the provisions in part A and some of provisions in part B.
The objectives of the ISPS code are:
Establish an international framework involving co-operation between Governments, Government agencies, local administrations and the shipping and port industries to detect security threats and take preventive measures against security incidents affecting ships or port facilities used in international trade.
Establish the respective roles and responsibilities of the Governments, Government agencies, local administrations and the shipping and port industries, at the national and international level for ensuring maritime security.
Ensure the early and efficient collection and exchange of security-related information.
Provide a methodology for security assessments so as to have in place plans and procedures to react to changing security levels.
Ensure confidence that adequate and proportionate maritime security measures are in place.
The threats considered in the ISPS Code are mainly of physical type. Ships are required to apply incremental protective security measures according to the following levels:
Security level 1: level for which minimum appropriate protective security measures shall be maintained at all times.
Security level 2: level for which appropriate additional protective security measures shall be maintained for a period of time as a result of heightened risk of a security incident.
Security level 3: level for which further specific protective security measures shall be maintained for a limited period of time when a security incident is probable or imminent, although it may not be possible to identify the specific target.
The ISPS contracting national governments are responsible for the following:
Setting of the applicable security level.
Approving a Port Facility Security Assessment and subsequent amendments to an
Determining the port facilities which will be required to designate a Port Facility
Approving a Port Facility Security Plan and subsequent amendments to an
Exercising control and compliance measures..
Establishing the requirements for a Declaration of Security.