ISPS stands for International Ship and Port Facility Security. This code describes the minimum safety requirements related to the security of ships, port facilities and government agencies in order to prevent intentional unlawful acts. This article explains in a nutshell where the ISPS-code comes from, what the key elements are, how certification works and how proper Identity & Access Management (IAM) is a key security element.
The ISPS-code was created by the International Maritime Organisation (IMO). This organisation, established in the 1948 Geneva convention, is a medium to ensure cooperation between governments on different matters concerning maritime operations, ranging from regulation & practices on technical matters to navigation efficiency and pollution control. The organisation is also empowered to deal with administrative & legal matters related to these purposes.
The code itself stems from the IMO conference of 12 December 2002, during which amendments to the 1974 International Convention for the Safety of Life at Sea (SOLAS Convention) were adopted, including this code. For more information on the IMO, visit: https://www.imo.org/en.
The ISPS-code has several objectives written out. To bring it to its most essential elements, the goal is to:
The code is applicable for ships and ports on a national, regional and international level. It applies in the 175 member states of the IMO, specifically to the following types of ships engaged on international voyages:
It also applies to port facilities serving these ships engaged on international voyages. To enforce the ISPS-code within the different countries, the code is taken up in several pieces of legislation, e.g. REGULATION (EC) No 725/2004 on enhancing ship and port facility security, and the Maritime Transportation Security Act of 2002: US domestic regulations aligned with maritime security standards of SOLAS and the ISPS code.
Part B of the ISPS-code sets out practical guidelines on how the mandatory requirements of the code (part A) can be fulfilled. Below is a summary of the key elements from part A and B.
The code describes a scalable system of security levels. Each level entails different measures. The security level is determined by cooperation between the ship and port authorities, taking into account the current state of national and international security and the local government. The latter ensures that the port state and ships are informed before they enter the port or when they are berthed in the port.
For port security elements, different measures are described for the following elements:
Within the code some key roles and documents are defined to establish the framework.
When putting the ISPS code into practice in a modern environment, there is one element receiving insufficient attention in the code: cybersecurity. The IMO adopted new guidelines on cybersecurity in 2017, which were put into effect in 2021. These are based on the International Safety Management (ISM) Code and mainly directed towards shipping, not ports.
The International Association of Ports and Harbours (IAPH), a trade association representing ports across the globe, published a set of cyber guidelines specifically for ports and port facilities in October 2021. The IAPH is now liaising with the IMO to incorporate cyber security within the ISPS-code. The guideline published by the IAPH can be found here.
One element which is repeated consistently in the code is the establishment of efficient and secure access management.
First, an essential requirement is to track and verify the identity of all persons handling or accessing a ship in the port. This means checking the ID of a visitor or employee to know who is given access to which locations, at what time and why. It is important to make sure that a person is compliant with given safety certificates to be allowed to perform his job on the ship in a safe way. In addition to being compliant with legislation, it is also important to protect ICT systems. Cybercriminals can breach an organisation by infiltrating the physical perimeter and plugging in an infected piece of hardware, or by downloading malicious software directly to systems.
This basic element comes back in different sections of the code, for example in the next quote: “At security level 1, the following activities shall be carried out: controlling access to the ship, controlling the embarkation of persons and their effects, monitoring restricted areas to ensure that only authorised persons have access.”
A second element is an assessment of the up-to-date knowledge/competence of (security) personnel in operations. Several paragraphs in the code refer to training before entering a ship, for example: “ensuring that adequate training has been provided to shipboard personnel, as appropriate.” Not only shipboard personnel have to receive training under the Code: “port facility personnel having specific security duties should have knowledge and receive training.”
The ISPS code imposes a hard requirement to limit the access to different areas of the ship/port for personnel, external contractors and visitors. Depending on the security level, access specifications change, hence access management on port docks has to be flexible. There is a clear need for a software platform that makes the administration process more efficient, scales easily according to security prescriptions and is easy to use.
With NineID®, we've helped organisations with their ISPS identity and access management in three ways.
Managing a big site like a port dock or ship can be a hassle. Having a clear overview and knowing who to give access to certain zones is an important element in ISPS. The NineID platform allows you to send safety notifications to individuals or groups at (specific) locations, track user activity and monitor your site in real time. In crisis situations, you have all the tools at your disposal to track who's in the emergency zone, send out communication and take the right actions.
Knowing who is on the ship is an essential aspect of the ISPS-code. Collecting identification data (ID-documents, driver's licence, etc.), certificates and proof of following a specific security training in advance, in a GDPR-proof way, means that every visitor or employee is verified before entering the site, instead of checking this at the moment of onboarding or even afterwards. By eliminating the need to interact with a security agent, the administrative chaos is gone, billable hours are reduced and associated costs decrease significantly. This will free up more hours for officers to do other things to increase safety, such as spot checks.
As pointed out above, unauthorised persons are a danger to both physical and cyber security. Badges can be easily stolen, passed on or copied. NineID is able to grant access to authorised persons by using facial authentication, QR-codes or Bluetooth scanning. As a result, the right of access is no longer linked to a token (RFID-badge) but to a unique person.