Cyber Security and Port State Control

This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPA’s) to ensure full compliance with Resolution MSC 428(98) on maritime cyber security.

In our last blog we reported the advice put out by the US Coast Guard (USCG) in response to cyber security incidents reported to them. At present (March 2020) other Flag States have not issued a huge amount of advice to their vessels, largely due to a lack of technical cyber expertise on their staff. We can expect this to change after January 2021 if their vessels start to come under scrutiny by Port State Control (PSC). All Flags are very interested in their PSC ranking in the White, Grey and Black list performance tables.

The Flag States Eazisecurity have talked to generally take the same position on PSC activity with regard to cyber security. That is, as long as vessels can show to the PSC inspector that they have a cyber security plan, and that it is broadly being followed, they don’t expect detailed investigation by PSC Inspectors.

As an ex-PSC Inspector, I would be looking for fact based evidence that basic security measures were being followed on board. I say “fact based”, because as a PSC inspector it is always easier to defend raising a fact based defect. For example, the chart is not updated to the latest correction, is very easy to prove and not deniable (hence why it is cited so many times as a defect in PSC inspections), whereas the observation of an emergency drill is subjective. I have had instances where a drill was absolutely appalling in my opinion, but quite satisfactory to the Master and Company Superintendent!

PSC inspectors quite rightly like to look for defects that have the biggest effect on safety. Therefore, do expect their cyber security questions to concentrate around the use and updating of the ECDIS. Specific questions may include (in sequential order):-

“Can you show me the computer that receives the weekly ECDIS updates from ashore”?

“Is that computer updated with the latest anti-virus software”?

“How is the weekly update transferred to each ECDIS”?

“If the updates are by USB/solid media, what controls are in place to ensure that there are no viruses introduced to that media outside the process of transfer”?

“Show me the latest correction on the ECDIS – is it up to date”?

And if the PSC inspector is really switched on…”show me the latest update to the operating system on the ECDIS – is the kernel up to date”?

In the context of the above questions, the advice from the USCG in Safety Alert 06-19, (please see our previous blog), is most relevant.

If you wish to know more about Eazi Security and their world leading cyber security software solutions please contact Mr David Clayden   Email Tel +44 (0)7711 351463 Web