maritime security
Recall UK govt experiment involving jamming; what systems were compromised
As the vessel entered the jamming zone, a range of services failed: DGPS receivers; AIS transponders; dynamic positioning system; gyro system; digital selective calling system.
8. Overall Maritime Security Costs: (Shoreside Perspective ppt)
B. Stolt - ~15-25% of corporate revenue
ISPS & MTSA development & results/impacts A. Applicability
The ISPS Code applies to ships on international voyages: passenger ships; cargo ships > 500 GT; mobile offshore drilling units; port facilities serving such
ISPS & MTSA development & results/C. Where found i. International: which IMO convention ii. National: which Code of Federal Regulation (CFR) title / chapter
The ISPS Code is part (Chapter XI-2) of SOLAS: "Special measures to enhance maritime safety". The Maritime Transportation Security Act (MTSA) is the U.S. national adoption of ISPS: 33 CFR (Title 33 of the Code of Federal Regulations), "Navigation and Navigable Waters", Subchapter H "Maritime Security", Parts 104 & 105.
Motivations of Cyber criminals, per "CyberKeel" consultative group
Stealing money: deceitful direct transfer; ransomware; manipulation of market data; moving cargo - theft of goods. Stealing data: industrial espionage; identification of high-value cargo for theft or piracy; market insight. Causing disruption: financial motivation; national interest; terrorism / philosophical motivation.
who was lead agency for USA at IMO ISPS convention
USCG
navigator recommendations
Take initiative wrt VSP, SMS, everyday routine. Virus protection - "IT hygiene". Data protection: who can access data, spaces containing key technical equipment? Susceptible to attack: ship systems (navigation, cargo, control, communication); personal devices (smart phones, laptops, USB sticks). Connecting personal devices to ship systems for exchanging data or for charging is risky. Vulnerable systems include cargo, bridge, propulsion, and all external communication systems.
Drills & exercises can be combined to
help ensure crew proficiency/ meet deadlines
AIS practices in high risk areas
it is recommended that AIS is left on throughout the High Risk Area
Definition of Security Exercise
means a comprehensive training event that involves several of the functional elements of the vessel security plan and tests communications, coordination, resource availability, and response. Annually.
Definition of Security Drill
means a training event that tests at least one component of the vessel security plan and is used to maintain a high level of security readiness. Every three months. (and after major crew change, vessel alteration, etc)
DoS (Declaration of Security)
means an agreement reached between a ship and either a port facility or another ship with which it interfaces, specifying the security measures each will implement.
Ship-to-ship activity
means any activity not related to a port facility that involves the transfer of goods or persons from one ship to another.
Security Incident
means any suspicious act or circumstance threatening the security of a ship, including a mobile offshore drilling unit and a high-speed craft, or of a port facility or of any ship/port interface or any ship-to-ship activity
Know the importance of the human element in cyber vulnerability
most vulnerable attack point
Ship/port interface
Movement of persons, goods, or the provisions of port services to or from the ship.
Recall "legal implications of action / non-action...";
no known serious negative implications to date
Standing Guidance / Recommendations:
A. Vessel Security Plan B. Best Management Practices (BMP4) C. MSC Circulars (1334, 1405, 1408) D. BIMCO guidance; GUARDCON E. Nautical Institute
Pre-9/11 International measures focused on Hijacking & Terrorism (especially Achille Lauro hijacking); 1980's
ACTIONS TAKEN AS A RESULT OF ACHILLE LAURO INCIDENT: 1985 - "Measures to Prevent Unlawful Acts which Threaten Safety of Ships and Security of Passengers"; 1986 - "Measure to Prevent Unlawful Acts against Passengers and Crew aboard Ships"; 1988 - Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation (SUA Treaties)
Be familiar with the exhaustive training requirements for VSOs (20 items - familiarity only!)
.1 security administration; .2 relevant international conventions, codes and recommendations; .3 relevant Government legislation and regulations; .4 responsibilities and functions of other security organizations; .5 methodology of ship security assessment; .6 methods of ship security surveys and inspections; .7 ship and port operations and conditions; .8 ship and port facility security measures; .9 emergency preparedness and response and contingency planning; .10 instruction techniques for security training and education, including security measures and procedures; .11 handling sensitive security-related information and security-related communications (SSI); .12 knowledge of current security threats and patterns; .13 recognition and detection of weapons, dangerous substances and devices; .14 recognition, on a non-discriminatory basis, of characteristics and behavioral patterns of persons who are likely to threaten security; .15 techniques used to circumvent security measures; .16 security equipment and systems and their operational limitations; .17 methods of conducting audits, inspection, control and monitoring; .18 methods of physical searches and non-intrusive inspections; .19 security drills and exercises, including drills and exercises with port facilities; and .20 assessment of security drills and exercises.
9. BMP4 Best Management Practices
A. Best Management Practices B. Recommendations & guidelines C. Promulgated by international commercial consortium D. Recommends sending just the basic AIS message in high risk areas; per Thomas Brown, "Notes from the Field(s)", ships often include "armed guards on board" in their AIS message. E. Remember the Master can turn off the AIS at his discretion.
Costs associated with Anti-piracy measures include
A. Cost of PMSC if utilized (~$4K-$8K) B. Cost of Fuel while diverting C. Insurance Premiums D. Cost of Security equipment E. Cost of maintaining security equipment F. Labor associated with deployment of equipment & G. Loss of man-hours to routine functions H. Total cost for one company: ~20% (15%-25%) I. INTERTANKO industry estimate (2014) - $2.2 - $2.3 Billion
8. Overall Maritime Security Costs: (Shoreside Perspective ppt)
A. INTERTANKO: $2.2 - $2.3 B in one year
Costs associated with a piracy incident:
A. Injury / death of personnel - certainty of legal and human costs B. Damage to or loss of vessel C. Time off-hire D. Damage to corporate reputation E. Time / expense of overall crisis management process
5. Current Intel sources
A. Office of Naval Intelligence (ONI): WWTS, PAWW B. International Maritime Bureau (IMB) C. USCG Port Security Advisories D. Marine Security Review E. CMF - Combined Maritime Forces F. (CTF 150, 151, 152) G. Oceans Beyond Piracy H. ReCAAP I. USCG Port Security Advisories J. Marad MSCI portal
7. PMSC's: (Shoreside Perspective ppt)
A. Political sensitivities B. $4K-$8K/day; substantial; decision-making point C. Topic of arms aboard merchant ships ongoing debate D. "No ship with armed guards has been taken"
PMSC's private maritime security companies
A. Political sensitivities B. $4K-$8K/day; substantial; decision-making point C. Topic of arms aboard merchant ships ongoing debate D. "No ship with armed guards has been taken"
Be familiar with A.B.S. class notations for Cyber Security
CS1: Informed Cybersecurity Implementation; CS2: Rigorous Cybersecurity Implementation; CS3: Adaptive Cybersecurity Implementation (highest level of readiness)
Who sets MARSEC level in ports?
Captain of the Port
Goals / Objectives of ISPS / MTSA - remember goals are NOT commercial enhancement of industry
Detect security threats and implement security measures; establish roles and responsibilities concerning maritime security; collate and promulgate security-related information; provide a methodology for security assessments, plans, procedures to react to changing security levels.
Event(s) that hastened the adoption & implementation of ISPS / MTSA
Development and implementation were sped up by: the September 11, 2001 attacks; the bombing of the French oil tanker Limburg.
Dangers associated with weak passwords, unsecured computers, use of charging ports, data transfers via USB, email attachments, web links, etc
Don't open unfamiliar email attachments. Control access to USB ports!!!
DOES IMO promulgate security levels?
IMO DOES NOT promulgate security levels
ISPS & MTSA development & results/ B. Know difference between Part A&B of ISPS (mandatory / recommendatory)
ISPS is a two-part document describing minimum requirements for security of ships and ports. Part A provides mandatory requirements; Part B provides guidance for implementation.
The VSA is undertaken before VSP; then VSA becomes part of the VSP. Once these are in place the ship can apply for a ?
ISSC (International Ship Security Certificate)
Validity: 5 years?
International Ship security certificate
MIFC's
Maritime Intelligence Fusion Centers
MOTR process
Maritime Operational Threat Response process
MSST
Maritime Safety & Security Teams
Be familiar with main points & recommendations in "The Navigator" June 2016 issue posted on eCampus
Minimizing risk is central to navigation. Hacking and spoofing contribute to risk. GNSS does not always give a continuous and accurate position; assuming that it does so is dangerous. Compare and integrate all the data sources. Maintain proficiency in traditional navigational methods: celestial (sextant, tables, accurate timepiece); terrestrial (magnetic compass, alidade, bearing circle).
Initially, no direct mention of ?
Piracy or Cyber Threats
Significant results of ISPS / MTSA At the ship / mariner level
SSAS - Ship Security Alert System ("Panic Button"; bank teller alarm); AIS - accelerated; TWIC - not required by ISPS
Measures taken by IMO & US govt prior to 9/11; establishment of COTP construct
Safety of Life at Sea Convention - 1974; 1983 - "Measures to Prevent Acts of Piracy and Armed Robbery Against Ships"; 1985 - "Measures to Prevent Unlawful Acts which Threaten Safety of Ships and Security of Passengers"; 1986 - "Measure to Prevent Unlawful Acts against Passengers and Crew aboard Ships"; 1988 - Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation (SUA Treaties)
Three basic security levels
Security level 1, normal; Security level 2, heightened; Security level 3, exceptional
SSAS
Ship Security Alert System ("Panic Button"; bank teller alarm)
VSA & VSP
Ship/Vessel Security Assessment (SSA / VSA) is an essential and integral part of the process of developing and updating the ship security plan
Objective of Drills & Exercises
The objective of drills and exercises is to ensure that shipboard personnel are proficient in all assigned security duties at all security levels and the identification of any security-related deficiencies which need to be addressed.
no action
The only thing necessary for the triumph of evil is for good men [and women] to do nothing
Who is (are) primarily responsible for carrying out the VSA?
The vessel owner or operator must ensure that a written VSA report is prepared and included as part of the VSP.
i. VSO / CSO / PFSO construct
VSO/CSO/FSO requirements (VSO = SSO); Training of VPDSDs; Drills/exercises; Security Incident recognition / reporting; Knowledge of MARSEC level (USCG COTP); Establishment / Adjustment of Vessel Security Level; Declaration of Security; Security Equipment; Handling Security Sensitive Information (SSI); Introduction of the International Ship Security Certificate
C. Examples: (SENSITIVE SECURITY INFORMATION ppt, slide 17)
Vessel Security Assessment Vessel Security Plan All Security Records Security Directives, incl MARSEC Threat Reporting SOME NVICs internal and external
Can a vessel operate above security level?
Vessel can operate ABOVE promulgated security level; never below
Early rudimentary "spoofing" - shipwreckers of 1700's; recognize definition of spoofing
"WRECKING": a traditional legend. Rudimentary "spoofing": deliberately misleading ships with false lights; ships run ashore and can be plundered.
Pre-9/11 National measures focused on Open Hostilities and Internal Threats; dating back to WWI.
WWI: Espionage Act of 1917 - broad legislation; some maritime applicability. U.S. Coast Guard first designated officers as Captains of the Port. WWII: Safety of Naval Vessels Act of 1941 authorized COTP control of anchorage and movement of any vessel in the navigable waters of the United States. COTP charged with the security of U.S. ports "from subversive or clandestine attacks".
VSP vessel security plan
annual audit; also if ownership changes or substantial structural modifications to vessel
MARSEC level requirement if ship vs port level differs
vessel must operate at or above security level of port
TWIC required by ISPS
required by MTSA but not ISPS
Additional drill ?
Required if 25% of crew change out. A drill should be conducted within one week of the change.
AIS accelerated implementation because of what
result of ISPS / MTSA
Required periodicity of drills & exercises
should be conducted at least once every three months.
Shipboard automation systems were largely developed prior to the advent of the internet
thus protections against cyber-attacks were not required at the time
B. Know definition of SSI; understand relationship to nationally classified information
unwarranted invasion of personal privacy; reveal trade secrets; privileged or confidential information; commercial financial information