Week 11 SHP 303


COURSE CODE: SHP 303

COURSE TITLE:
SHIP SURVEY AND VETTING INSPECTION
MODULE 11 (WEEK 11)
SIRE INSPECTION CHECKLIST

TOPIC LEARNING OUTCOMES:


The students shall be able to:

Chapter 7 - Maritime Security


• Answer the Policies and Procedures Questionnaires
• Answer the Cyber Security Questionnaires
ENGAGE:
If you are an officer, what would be your contribution to the ship's safety and security?
The ISM Code (International Safety Management Code) was created to manage safety in a shipping company and on board its ships. The ISPS Code (International Ship and Port Facility Security Code) was created to manage the security of the ships and the port facilities frequented by them.
The ISPS code was implemented by the International Maritime
Convention (IMO) as an amendment to the Safety of Life at Sea
convention. The main purpose of ISPS is to regulate and
control the security and safety of the crew, ships, ports, and
cargo as they travel through international waters.
EXPLORE:
If you are an officer, how will you respond if a certain number of security declarations are declared on board?

When the vessel is at anchorage or at port, a watch is appointed by the Ship Security Officer. The watchman shall at all times be equipped with a walkie-talkie, a flashlight, and safety clothing. All communication shall be performed via walkie-talkie. The watchman is not to leave his position under any circumstances unless replaced.
EXPLAIN AND ELABORATE (with Enhancement)
• SIRE INSPECTION CHECKLIST (cont’d)

Chapter 7 - Maritime Security


• Policies and Procedures

Does the vessel have an approved Ship Security Plan?

The vessel shall have a Flag State approval letter or an endorsement stamp on the Ship Security Plan (SSP).

Note: Watch the ISPS Slides folder in image folder Week 11


EXPLAIN AND ELABORATE:
(Enhancement)

ISPS Code Part A/9.4 gives the minimum points that must be included in the ship security plan.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Are the Master and crew aware of the name and contact details of the company security officer, and are these details posted?

Crew should know the name of the CSO or where details are
posted.

https://www.youtube.com/watch?v=1vB4OOv6cUU
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Are ship security records related to port calls being maintained?

The ship shall keep records of the information referred to in paragraph 2.1 (of SOLAS XI-2/9.2) for the last 10 calls at port facilities (SOLAS XI-2/9.2.3).
A record of the following information is required to be maintained (SOLAS XI-2/9.2.1).
EXPLAIN AND ELABORATE (Enhancement)
Ships intending to enter the port of another Contracting
Government

4.37 Regulation XI-2/9.2.1 lists the information Contracting Governments may require from a ship as a condition of entry into port. One item of information listed is confirmation of any special or additional measures taken by the ship during its last ten calls at a port facility.
Examples could include:
.1 records of the measures taken while visiting a port facility
located in the territory of a State which is not a Contracting
Government especially those measures that would normally
have been provided by port facilities located in the territories
of Contracting Governments; and
.2 any Declarations of Security that were entered into with
port facilities or other ships.
EXPLAIN AND ELABORATE (Enhancement)

4.38 Another item of information listed, that may be required as a condition of entry into port, is confirmation that appropriate ship security procedures were maintained during ship-to-ship activity conducted within the period of the last 10 calls at a port facility. It would not normally be required to include records of transfers of pilots, customs, immigration, security officials nor bunkering, lightering, loading of supplies and unloading of waste by ship within port facilities as these would normally fall within the auspices of the Port Facility Security Plan. Examples of information that might be given include:
.1 records of the measures taken while engaged in a ship to ship activity with a ship flying the flag of a State which is not a Contracting Government especially those measures that would normally have been provided by ships flying the flag of Contracting Governments;
.2 records of the measures taken while engaged in a ship to ship activity with a ship that is flying the flag of a Contracting Government but is not required to comply with the provisions of chapter XI-2 and part A of this Code such as a copy of any security certificate issued to that ship under other provisions; and
.3 in the event that persons or goods rescued at sea are on board, all known information about such persons or goods, including their identities when known and the results of any checks run on behalf of the ship to establish the security status of those rescued. It is not the intention of chapter XI-2 or part A of this Code to delay or prevent the delivery of those in distress at sea to a place of safety. It is the sole intention of chapter XI-2 and part A of this Code to provide States with enough appropriate information to maintain their security integrity.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Are ship security records related to port calls being maintained?

.1 that the ship possesses a valid Certificate and the name of its issuing authority;
.2 the security level at which the ship is currently operating;
.3 the security level at which the ship operated in any previous port where it has conducted a ship/port interface within the timeframe specified in paragraph 2.3;
Declaration of Security
.4 any special or additional security measures that were taken by the ship in any previous port where it has conducted a ship/port interface within the timeframe specified in paragraph 2.3;
.5 that the appropriate ship security procedures were maintained during any ship to ship activity within the timeframe specified in paragraph 2.3; or
.6 other practical security related information (but not details of the ship security plan), taking into account the guidance given in part B of the ISPS Code.
If requested by the Contracting Government, the ship or the Company shall provide confirmation, acceptable to that Contracting Government, of the information required above.
Note: These records are required to be maintained to ensure compliance with the requirements of SOLAS chapter XI-2 prior to entry into port with the aim of avoiding the need to impose control measures or steps by officers duly authorized by the Government of the port state. Inspectors do not need to review the details of the information maintained in the records but should note whether records are maintained or not.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Is the hull free from visible structural defects that warrant further investigation?

(Cannot find)
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Are records of training and maintenance of equipment related to the ship security plan available?

Records related to training and maintenance of equipment required by the ship security plan should be maintained. These may include but not be limited to:
• Training, drills and exercises;
o Training drills should be conducted in accordance with the ship security plan.
• Changes in security level;
o Changes should be recorded in log books.
o Communication with Flag State & CSO.
• Communications relating to the security threats or port facilities the ship is, or has been, in.
• Date of internal audits and reviews of security activities conducted;
• Date of review of the ship security plan;
• Maintenance, calibration and testing of any security equipment provided on board, including testing of the ship security alert system.
Any security-related equipment fitted on board should be periodically inspected and maintained. This may include:
• Razor/barbed wire
• Water cannons
• Security locks/locking arrangements
• Lockable hatches/stairwells etc.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Has the ship’s security officer been trained to undertake this role and do they understand their responsibilities?

The duties and responsibilities of the ship security officer shall include, but are not limited to:
• Ensuring regular security inspections of the ship to ensure appropriate security measures are maintained;
• Maintaining and supervising the implementation of the ship security plan, including any amendments to the plan;
• Knowing the procedure for proposing modifications to the ship security plan;
• Knowing the procedure for reporting to the company security officer any deficiencies and non-conformities identified during internal audits, periodic reviews, security inspections and verifications of compliance and implementing any corrective actions;
• Evidence of enhancing security awareness and vigilance on board;
o Posters/training.
• Ensuring adequate training has been provided to shipboard personnel, as appropriate;
o View record of training.
• Reporting all security incidents;
• Knowing the procedure to co-ordinate and implement the ship security plan with the company security officer (CSO) and the relevant port facility security officer. (ISPS Code Part A/12.2)
Note: The recommended training is detailed in the ISPS Code Part B/13.1 and 2 and includes the requirement for adequate knowledge of the ship and of the ship security plan and related procedures.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

If fitted, is the vessel’s dedicated standalone security communications equipment regularly tested?

Records of testing should be maintained (ISPS Code Part A/10.1.5).
Inspectors are not required to check the details of any communications equipment but should verify with the Master whether there is a record of testing and maintenance.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Does the vessel have a routine to regularly test the ship security alert system?

Inspectors are not required to sight the records of testing and/or maintenance but should verify its existence with the Master (ISPS Code Part A/10.1.10).
EXPLAIN AND ELABORATE
(Enhancement)

Testing of SSAS:

The SSAS should be tested to ensure it is working properly, as the functionality of the SSAS is crucial in case of a real emergency.
Also, as per Maritime Safety Committee circular 1155, companies must ensure that the flag state is notified well ahead of the test so that it is not misunderstood as a real emergency.

Most of the flag states (administrations) responsible for receiving and acting on the signal have laid down rules for communicating the test procedures of the SSAS. For example, some flag states require notification of the SSAS test not more than 2 days in advance and not less than 4 hours prior to the test.
The shipmaster is responsible for notifying the flag state by a pre-test notification email sent to the email address the flag state has dedicated to testing communications. This helps the flag state and the ship representative to track the alert notifications effectively and ensures there is no miscommunication, which could lead to unintended emergency response actions that cost valuable time and money.
The email or message sent to the flag state must contain the word “TEST” in the subject and inside the message to ensure there is no confusion whatsoever.

Once the test has been performed, the Master of the ship should send another email/message to the administration about the conclusion of the test as soon as possible. This ensures the administration will be ready to respond if another alert arrives for a real emergency.
It may happen that the SSAS button and the instrument associated with it are faulty and continuously sending alerts to the administration. In such a case, the company security officer (CSO) must inform the administration of the situation using the proper channel and ensure the repair is carried out at the earliest possible opportunity.
Once the SSAS equipment has been rectified and restored to normal operation, the Ship Security Officer (SSO) must inform the Company Security Officer (CSO), who will then inform the flag state.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Does the Passage Plan include security-related information for each leg of the voyage?

The security related information on the passage plan should include but not be limited to:
• Changes to security levels.
• Changes in bridge manning levels (e.g.: extra lookouts).
• Points where the vessel should be hardened (refer OCIMF Guidelines for vessel hardening).
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Does the vessel have a voyage/transit security risk assessment?

The voyage/transit security risk assessment should be reviewed and updated prior to entering an area which requires an increased state of readiness and vigilance.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Does the vessel have procedures for vessel hardening?

The OCIMF information paper “Ship Security – Guidelines to Harden Vessels” provides guidance on establishing procedures and implementing a vessel hardening plan.
The ship should maintain records, such as entries in the log book or work plans, to demonstrate implementation of hardening procedures when required through risk assessment.

If the vessel does not have procedures for vessel hardening, then provide reasons in comments.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Does the Master/SSO have a clear understanding of the procedures for voluntary security reporting?

Note: Check evidence of participation in voluntary security reporting such as reporting to UKMTO when passing through the Indian Ocean.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Is an adequate deck watch being maintained to prevent unauthorized access in port?

There should be a continuous gangway watch and a routine for regular rounds of the deck to monitor potential access points (e.g. hawse pipes, mooring ropes, etc.).
Remote monitoring of different areas on ships is increasingly being used. Where technology such as CCTV is employed to monitor potential access points to the ship, this should be noted in comments.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Policies and Procedures

Has the company provided a list of security charts, publications and guidelines to the ship?

Such security charts, publications and guidelines may include:
• Relevant UKHO security charts
• Industry best management practice guidance
• Any other company specific guidance
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Cyber Security

Are Cyber Security Policy and Procedures part of the Safety Management System and is there a Cyber Response Plan onboard?

Note: Do the procedures include a risk assessment of issues such as:
• Threats such as from malware, phishing attacks, etc.
• Identification and protection of vulnerable systems (ECDIS etc.)
• Mitigation measures (USB control etc.)
• Identify key personnel within the company (including who the master reports suspected incidents to)
• Hard copy of key contacts (e.g. DPA, CSO, etc.).
• Password management/record?
• Contractor compliance
Note: Does the Cyber Response plan contain guidance on:
• What ‘symptoms’ to look for,
• Immediate actions to be taken and
• Name, position, phone number and email for the Responsible Person to be contacted
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Cyber Security

Are the crew aware of the company policy on the control of physical access to all shipboard IT/OT systems?

Note: Inspectors should observe if access to USB ports on 'Shipboard IT/OT' terminals is controlled (i.e. there are measures in place to block/lock USB/RJ-45 ports on these terminals). Procedures should include the protection of critical equipment such as ECDIS from malware and virus attacks.
Procedures should include the control of access to all shipboard IT/OT terminals, including access to servers, which should be in a secure location. The procedures should also include access by any third-party contractors and technicians.
IT Security - From Show Off to Pay Off
Since the introduction of the first virus in the 1970s and
more so with the rise of the internet in the 1980s, the need
to secure information and keep it private has become
increasingly important.

Over the years, the IT world has been witnessing a shift in cyber threats. It used to be that programmers launched bothersome viruses and malware to gain reputation in their communities. Today, with the increased reliance of civilization on computers, and the advancements of technology, attackers have become much more sophisticated.
Up until recent years, cyber-attacks remained almost solely within the IT realm – affecting what we would call “standard” computers.

In 2010, the Industrial Cyber Threat Landscape Took a Turn

STUXNET - Though it was not the first cyber-attack to target an industrial environment, STUXNET was the first ICS-dedicated attack to receive such global attention. STUXNET is a malicious computer worm believed to be responsible for causing substantial damage to Iran’s nuclear program, ruining almost 20% of its nuclear centrifuges.
Since then, there has been a constant increase in cyber-attacks targeting industrial organizations, affecting different industries such as power grids (Industroyer), energy (Black Energy), petrochemical (Havex), and oil & gas (TRISIS). Hackers are infiltrating industrial networks in order to shut down machines, demand ransom, steal data, and more. The hardware and software that monitor and control the physical components of an industrial network are often referred to as Operational Technology (OT).
The New Age of Operational Technology

Traditionally, OT was an ‘air-gapped’ environment, meaning that it was not connected to external networks or digital technologies. In recent years, what was known as “traditional OT” has started to change, since the rise of the fourth industrial revolution, also known as "Industry 4.0". Companies taking part in this change have begun implementing new digital solutions in their networks, looking to stay ahead of their competition. These solutions aim to increase automation, add “smart” devices, make data more efficient and available, and interconnect networks for convenience.
As part of the interconnection, and in order to make OT components more accessible while being able to collect and analyze data about them, IT and OT networks are also becoming interconnected. This movement is referred to as IT-OT Convergence.
While connecting operational with information technology opens a great door to new opportunities, it also introduces a vast landscape of cybersecurity threats to what was once an air-gapped network.
OT Security Has Undergone Fundamental Changes

OT has been relying on computers for several decades to monitor or change the physical state of a system, such as the use of SCADA systems to control train traffic on a rail system. In traditional industries, OT security is composed mostly of straightforward physical tasks, including making sure that a machine repeats the same task correctly, an assembly line continues, etc. Since the inception of IT-OT convergence, there has been a shift in how OT is seen in factories, and in its security.
Today, OT security mainly stands for the protection of traditional operations and assets from cyber incidents due to the increased connectivity between cyber and physical realms. It involves the detection and mitigation of weak spots and changes in systems that control physical devices such as valves and pumps as well as vulnerabilities stemming from their integration with enterprise software.

Though operational and information technologies are becoming more connected, there are several important differences that both IT and OT staff need to be aware of.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Cyber Security

Does the company have a policy or guidance on the use of personal devices onboard?

Personal devices include phones/tablets etc. and storage devices such as USB sticks.
Check if the policy is implemented by both crew and visitors, e.g. all third-party contractors and technicians.
EXPLAIN AND ELABORATE
Chapter 7 - Maritime Security
• Cyber Security

Is Cyber Security awareness actively promoted by the company and onboard?

Note: Examples of active promotion include:
• 'Cyber Awareness Material' displayed by all IT terminals and in crew rest rooms
• Training films shown to crew
• Crew specific training
• Instruction on safeguarding of passwords
• Responsible use of social media.
• Policy on the use of personal devices and its inclusion in shipboard joining familiarisation checklists.
• May include the company's own employee/contractor Authorised User Policy (AUP) agreements.
• Company certified as per ISO 27001
EVALUATE
1. What should the officers and crew know regarding their company security officer?
2. How is the ship security alert system tested?
3. What should be related to the ship security plan?
4. What should the vessel maintain, relating to ports of call?
5. What kind of assessment must a vessel possess?
6. What should be maintained by the ship to prevent unauthorized access in port?
7. What should be provided by the company to the ship?
Describe the ship cyber security policy, procedures, and plan.
Why do you think it is necessary?
