Easy ISPS compliance with digitalised access management

ISPS stands for International Ship and Port Facility Security. This code describes the minimum safety requirements related to the security of ships, port facilities and government agencies in order to prevent intentional unlawful acts. This article explains in a nutshell where the ISPS-code comes from, what the key elements are, how certification works and how a proper Identity & Access Management (IAM) is a key security element. If you prefer video, please watch our corresponding webinar on easy ISPS compliance through digitisation.

1. ISPS background

The ISPS-code is created by the International Maritime Organisation (IMO). This organisation, established in the 1948 Geneva convention, is a medium to ensure cooperation betweenGovernments for different matters about maritime operations; ranging from regulation & practices on technical matters to navigation efficiency and pollution control. The organisation is also empowered to deal with administrative & legal matters related to these purposes.  

The code itself stems from the IMO conference of 12 December 2002, during which amendments to the 1974International Convention for the Safety of Life at Sea (SOLAS Convention) were adopted, including this code. For more information on the IMO, visit: https://www.imo.org/en.

2. ISPS objectives

The ISPS-code has several objectives written out. To bring it to its most essential elements, the goal is to:

• Establish an international framework to involve cooperation
• Determine roles and responsibilities of all parties
• Ensure early and efficient collaboration and exchange of information
• Provide a methodology for ship and port security assessments
• Ensure adequate and proportionate maritime security measures

The code is applicable for ships and ports on a national, regional and international level. It applies in the 175 member states of the IMO, specifically to the following types of ships engaged on international voyages:

• Passenger ships, including high-speed passenger craft
• Cargo ships, including high-speed craft, of 500 gross tonnage and upwards
• Mobile offshore drilling units

It also applies to port facilities serving these ships engaged on international voyages. To enforce the ISPS-code within the different countries the code is taken up in several legislations, e.g. REGULATION (EC) No 725/2004 on enhancing ship and port facility security, and the Maritime Transportation Security Act of 2002: US domestic regulations aligned with maritime security standards of SOLAS and theISPS code.

3. ISPS key elements

In part B of the ISPS-code practical guidelines are set out on how the mandatory requirements of the code (part A)can be fulfilled. Below is a summary of the key elements from part A and B.

3.1 Measures per security level

The code describes a scalable system of security levels. Each level entails different measures. The security level is determined by cooperation between the ship and port authorities, taking into account the current state of national and international security and the local government. The latter ensures that the port state and ships are informed before they enter the port or when they are berthed in the port.

1. Level 1 (Normal)

• Checking identity documents &  reasons for working
• Designate secure areas
• Segregate inbound & outbound  flows
• Identify access points
• Securing access

2. Level 2 (Heightened)

• Instate patrols during the silent  hours
• Limit & secure access points
• Deter waterside access to the ship
• Additional security briefings to  ship personnel

3. Level 3 (Exceptional)

• Single controlled access point
• Access only related to the (threat)  of the security incident
• Suspension of (dis)embarking

For port security elements, different measures are described for the following elements:

• Access to port facility
• Restricted area within port facility
• Handling of cargo
• Delivery of ship’s stores
• Handling of unaccompanied baggage
• Monitoring the security of the port facility

3.2 Roles and documents

Within the code some key roles and documents are defined to establish the framework.

Ship (operator):

• Roles: Company Security Officer (CSO), Ship Security Officer (SSO)
• Documents: Ship Security Assessment (SSA), Ship Security Plan (SSP), Declaration of Security (DoS)

Port:

• Roles: Port Facility Security Officer (PFSO)
• Documents: Port Facility Security Assessment (PFSA), Port Facility Security Plan (PFSP), Declaration of Security (DoS)

3.3 Obtaining ISPS

1. The National authorities or Recognised Security Organisation (RSO) performs a risk analysis, the Port Facility Security Assessment (PFSA).
2. The Port Facility Security Officer (PFSO) uses this assessment to construct a mitigation plan, the so-called Port Facility Security Plan (PFSP). This designated restricted areas, loading processes, etc.
3. The local team verifies the implementation & measures in the PFSP, and informs the National authorities.
4. The National authorities liaise with the IMO, informing them of the conformity of the port to the ISPS-code.
5. The IMO issues an ISPS-certificate, valid for 5 years. To ensure continued validity during this period, regular audits take place.

3.4 Future developments: cybersecurity

When putting the ISPS code into practice in a modern environment, there is one element receiving insufficient attention in the code: cybersecurity. The IMO adopted new guidelines on cybersecurity in 2017 and put into effect in 2021. These are based on the InternationalSafety Management (ISM) Code and mainly directed towards shipping, not ports.

The International Association ofPorts and Harbours (IAPH), a trade association representing ports across the globe, published a set of cyber guidelines specifically for ports and port facilities in October 2021. The IAPH is now liaising with the IMO to incorporate cyber security within the ISPS-code. The guideline published by the IAPH can be found here.

3.5 Identity and access management (IAM)

One element which is repeated consistently in the code is the establishment of an efficient and secure access management.

First, an essential requirement is to track and verify the identity of all persons handling or accessing a ship in the port. This means checking the ID of a visitor or employee to know who to give access to different locations at what time and why. It is important to make sure that a person is compliant with given safety certificates to be allowed to perform his job on the ship in a safe way. In addition to being compliant with legislation, it is also important to protect ICT systems. Cybercriminals can breach an organisation by infiltrating the physical perimeter and plugging in an infected piece of hardware, or by downloading malicious software directly to systems.

This basic element comes back indifferent sections of the code, for example in the next quote: “At security level 1, the following activities shall be carried out: controlling access to the ship, controlling the embarkation of persons and their effects, monitoring restricted areas to ensure that only authorised persons have access.”

A second element is an assessment of the up-to-date knowledge/ competence of (security) personnel in operations.Several paragraphs in the code refer to training before entering a ship, an example: “ensuring that adequate training has been provided to shipboard personnel, as appropriate.” Not only shipboard personnel have to receive training under the Code: “port facility personnel having specific security duties should have knowledge and receive training.”

4. Case study: digitalised identity and access management

The ISPS code installs a hard requirement to limit the access to different areas of the ship/port for personnel, external contractors and visitors. Depending on the security levels access specifications change, hence access management on port docks has to be flexible. There is a clear need for a software platform that makes the administration process more efficient, scales easily according to security prescriptions and is easy to use.

With NineID®, we've helped organisations with their ISPS identity and access management in three ways.

1. Increasing site safety

Managing a big site like a port dock or ship can be a hassle. Having a clear overview, knowing who to give access to certain zones is an important element in ISPS. The NineID platform allows you to send safety notifications to individuals or groups at (specific) locations, track user activity and monitor your site in real time. In crisis situations, you have all the tools at your disposal to track who's in the emergency zone, send out communication and take the right actions.

2. Increasing access flow efficiency

Knowing who is on the ship is an essential aspect of the ISPS-code. By collecting identification data (ID-documents, driver's licence, etc.), certificates and proof of following a specific security training GDPR-proof in advance, makes that every visitor or employee is verified before entering the site, instead of checking this at the moment of onboarding or even afterwards. By eliminating the need to interact with a security agent, the administrative chaos is gone, billable hours are reduced and associated costs decrease significantly. This will free up more hours for officers to do other things to increase safety, such as spot checks.

3. Increasing access security

As pointed out above, unauthorised persons are a danger for either physical and cyber security. Badges can be easily stolen, passed or copied. NineID is able to grant access to authorised persons by using facial authentication, QR-codes or Bluetooth scanning. As a result, the right of access is no longer linked to a token (RFID-badge) but to the a unique person.