Your browser version is outdated. We recommend that you update your browser to the latest version.

For more case studies check our book

Risk Analysis of Ship Operations: Research and Case Studies of Shipboard AccidentsRisk Analysis of Ship Operations: Research and Case Studies of Shipboard Accidents

Ship Cyber Security Plan 


Cybersecurity should be part of ship safety and security prevention. A cyber-attack could affect a ship’s security and be treated as an SSP violation. Therefore, it is worthy of refreshing ISPS code requirements and existing problems in the light of cybersecurity.

A ship-specific Cyber Security Plan should at least verify ISPS Code requirements as below:


 1. What Ithe SPS Code Requires in General:

The ISPS Code was introduced as a complement to the ISM code but for security measures. The text was clear with detailed information on what should be done at each requirement by a ship management company, port administration and crewmembers. The format of the ISPS Code consists of Parts A and B as adopted by the Organisation. Initially, there was some misinterpretation, with many parties believing that only Part A should be compulsory. However, this argument failed as IMO clarified that Part B is mandatory as it contains essential instructions for compliance with Part A.


Cybersecurity Challenges:

However, the Code does not describe any cyber measures but implies electronic data protection.


 2. What the ISPS Code Requires for Risk Assessment:

A ship should demonstrate compliance with ISPS Code by following precise procedures. Initially, a risk assessment should be carried out to identify the security threats of a ship. The risk assessment should consider issues such as ship construction, service speed, available lighting, workforce and security equipment such as metal detectors.


Cybersecurity Challenges:


Regarding cybersecurity it could affect several ship operations in case of a successful attack and cause security issues such as:

  • Loss of security information
  • Leak of security information (e.g. embarkation of armed guard)
  • Leask of personal data
  • Jamming of SSAS, AIS or communication systems
  • Ship equipment maintenance including ECDIS, FBB, VSAT, Crew Welfare, USB devices
  • IT inspections   
  • Vulnerability management
  • Email
  • Maintenance of software

 3. What ISPS Code requires for formal Procedures:

The outcome of this assessment will be the revision of a ship-specific Ship Security Plan (SSP). The SSP should be reviewed and approved by a Recognised Security Organization (RSO), such as a class or the flag state of a ship.


The SSP shall address at least the following:



ISPS Code Requirements

Cybersecurity Concerns

Measures designed to prevent weapons, dangerous substances and devices intended for use against persons, ships or ports and the carriage which is not authorised from being taken on board the ship

Leak of information

Identification of restricted areas and measures for the prevention of unauthorised access to them

Which equipment can be hacked?

Measures for the prevention of unauthorised access to the ship

Which equipment can be hacked?

Procedures for responding to security threats or breaches of security, including provisions for maintaining critical operations of the ship or ship/port interface

Electronic security of data, logs & records

Procedures for responding to any security instructions Contracting Governments may give at security level 3

Leak of information

Procedures for evacuation in case of security threats or breaches of security

Denial of Communication Services

Duties of shipboard personnel assigned security responsibilities and of other shipboard personnel on security aspects

Cyber awareness and response

Procedures for auditing the security activities

Revised audit checklists

Procedures for training, drills and exercises associated with the SSP

Cyber awareness and response

Procedures for interfacing with port facility security activities

Leak of information

Verification of communications

Procedures for the periodic review of the SSP and for updating the same

Revised audit checklists

Procedures for reporting security incidents

Leak of information

Identification of the SSO

Leak of information

Identification of the CSO, including the 24-hour contact

Leak of information

Procedures to ensure the inspection, testing, calibration and maintenance of any security equipment provided onboard, if any

Firewall, antivirus

Frequency for testing or calibration of any security equipment provided onboard if any

Include antivirus & firewalls

Maintenance and updates of all PC or electronic devices onboard

Identification of the locations where the ship security alert system activation points are provided


Procedures, instructions and guidance on the use of the ship alert system, including testing, activation, deactivation and resetting, and limiting false alerts.




Cybersecurity Challenges:


The above requirements could be met and stored electronically. However, then files are vulnerable to cyber-attacks. A new Cyber manual may be an option for a transition period of 2021. It should include straightforward, compact procedures for ship & office, Audit checklists, and an Inventory of specific equipment used onboard. The structure of ISO 27001 could be used for GAP analysis.



4. What the ISPS Code Requires for Security Officers:

Initially, the Ship Security Officer (SSO) with specific qualifications and certifications should be responsible onboard a ship. Up to now, the SSO enforces security measures as per SSP. Evidence of the smooth security operation of a ship could be found in the approved records such as drills, familiarisation, gangway control, documents and keys control.


Cybersecurity Challenges:

The concept of cybersecurity is relatively new in the maritime industry. Some terms need to be reviewed. Nowadays, an SSO should also be aware of cyber threats. For instance, leak from the ship’s information for security equipment or guards’ boarding schedule. Including cyber threats in the SSP is the responsibility of the Company Security Officer (CSO) and the DPA. The qualifications of CSO and DPA need to be revised.


5. What the ISPS Code Requires for Security Levels:

Another new concept that needs to be revised is the definition of Security Level, meaning the qualification of risk that a security incident will be attempted or will occur. Level 1 is a routine operation. Level 2 applies when appropriate additional protective security measures shall be maintained for some time because of a heightened risk of a security incident.


Cybersecurity Challenges:

These Security Level definitions should be revised to include cyber threats as well. In addition, SSP should describe when a cyber incident could fall in this category.


6. What the ISPS Code Requires for Port Interface:

The security level of a ship should be the same as the level of the port. Therefore, if the port has security level 2, the ship has to follow. The record for such a change of security level onboard will be the Declaration of Security (DOS). It is evidence of an agreement between a ship and port facility or another ship specifying the security measures each will implement.


Cybersecurity Challenges:

However, ports should verify communication through secure channels and cargo documents must not be lost because of a cyber-attack.

The flag state issues a list with ports where the ship should raise its security level at 2. However, the port authorities may deny the completion of DOS. In that case, the SSO should make relevant entries in logbooks and maintain security level 2 after consultation with CSO. Finally, of course, there is the option for SSO or Master to refuse cargo operation. In this case, the pressure against him by authorities and charterers will be enormous. It will be much harder for the crew to refuse operations for cyber threats.


7. What the ISPS Code Requires for Ship-to-Ship Activity:

Several operations are not carried out in a port facility involving the transfer of goods or persons from one ship to another. Such activities may include supply boats and bunker ships, which sometimes, because of their size, are not required to comply with the ISPS code.

Cybersecurity Challenges:

Areas of concern are the completion of a DOS with cyber requirements into a Ship-to-Ship Activity


8. What the ISPS Code Requires for Incident Handling:

As per ISPS Code, “Security Incident” means any suspicious act or circumstance threatening a ship’s security. Such an incident should be required to be recorded to CSO and occasionally to the flag state. The major challenge with incidents is that if they are reported, they are admitted to SSP failure by ship. As a result, the flag state may require external security audits in that case.


Cybersecurity Challenges:

A cyber-attack should fall in this category. The industry should be more active in developing guidance on how audits must be changed to include cyber threats. For example, the crew may think that a minor incident should not be recorded in SSP forms. This practice makes the ship’s master, the SSO and CSO, liable for hiding security information from authorities, which is a severe offence.


9. What the ISPS Code Requires for SSP Review:

The effectiveness of SSP implementation is carried out similarly to ISM code with internal and external shipboard audits. In addition, the ship will be certified with an International Ship Security Certificate (ISSC). The ISPS Code requires reviews of the SSP and security risk assessment. Although there is no requirement for an interval regarding reviews, it is expected that it should not be excessive, e.g. over one year. A critical problem with reviewing an SSP is that it should be approved by the RSO, which requires extra charges and more bureaucracy.


Cybersecurity Challenges:  

When it comes to cyber evaluation, the crew may not be able to understand and identify risks.


10. What the ISPS Code Requires for Security Equipment:


With the introduction of the ISPS Code, additional equipment was installed on ships: the Ship Security Alert System (SSAS) required by SOLAS XI-2/6 and the Automatic Identification System (AIS) required by SOLAS V19. The SSAS should be frequently tested regularly and initiates a distress message to CSO and flag state. However, there have been cases where a ship transmitted an SSAS message faulty. As a result, the authorities ordered to deviate to the nearest port for inspection despite confirmation by the ship’s master and CSO that it was accidentally transmitted. With AIS, there is a significant concern regarding its operation in areas with high pirate activity. The purpose of AIS is to transmit information about a ship, such as speed, cargo, and type, which could be helpful for pirates to decide if they can attack a ship. On the other hand, if the AIS is switched off in the case of an attack, it will be difficult for navy ships to find the ship. It falls, therefore, to the CSO and ship’s master at making the appropriate decision.


Cybersecurity Challenges:

AIS can easily be jammed because of a cyber-attack. Also, the free web information of AIS ship position is a leak of sensitive information.


11. What the ISPS Code Requires for Ship High-Risk Areas:


The implementation of the ISPS Code created some issues still under consideration. Initially, there were cases where security measures may be unsafe for a ship, such as locking of accommodation doors. However, the Code does not require sealing nor locking any space such as a restricted area that damages a ship or hides drugs or stowaways as defined in the SSP.  


Cybersecurity Challenges:  

These measures may be harder to be revised for cybersecurity. For instance, Wi-Fi Spots, routers, firewalls, and ship antennas need special attention.


12. What the ISPS Code Requires for Access Restrictions of Ship High-Risk Areas:

A preventive measure for prohibiting an intruder from going to a restricted area is patrolling well-trained crewmembers. In case of a security breach, they will report to SSO to initiate actions. As per SOLAS, an entrance to the accommodation or engine room should be inward and outward permissible for evacuation and rescue purposes. On the other hand, if areas such as stores with pollution prevention equipment or access to accommodation are not locked. The equipment will likely be stolen in some ports, which is also a security breach.


Cybersecurity Challenges:  

Similarly, denial of the crew to use USB sticks for printing reports may cause delays and aggression at ports.


13. What the ISPS Code Requires for Training:


Another issue is the small number of crewmembers working onboard ships. The flag state is issuing the Minimum manning certificate with the minimum number of people required onboard for safe navigation. There is not any concern about security duties onboard. The IMO highlighted this issue, clarifying that a ship sailing with crew only as required by the minimum manning certificate is very likely that have security issues.

Cybersecurity Challenges:

Seafarers need to be trained for cyber threats and follow procedures within 2021. However, not any IMO module was developed to include training standards for cyber threats.
E-training could be a solution, not mandatory, but good practice implied through safety management systems. Training certification may be required, such as

  • Diploma cybersecurity auditor for office staff
  • Crew awareness training schedule
  • Cybersecurity officer


Cookie Policy

This site uses cookies to store information on your computer.

Do you accept?