International Port Security Program: Port Facility Cyber Security. Cyber Security and Port Facility Security Plans (PFSP) (MAR'01 1)
Lesson Topics: Purpose of the PFSP; Developing the PFSP; Role of Facility Personnel; Role of an RSO; Basis for the PFSP; Elements included in the PFSP; Format of the PFSP
Lesson Topics: Elements included in the PFSP (cont'd): Port Facility Security Organization; Communications (Systems and Processes); Security Procedures/Measures; Review and Audit Procedures; Reporting requirements; Approval and updates
Purpose of the PFSP The aim of the PFSP is to mitigate the risks identified in the PFSA. While the PFSA is meant to identify the assets at a port that are important to protect, the PFSP outlines how they will be protected.
PFSP The PFSP should address: potential security risks identified in the PFSA; countermeasures to mitigate those risks; local and national security considerations; security measures for each security level (1-3).
Developing the PFSP Preparation of an effective PFSP will rest on a thorough assessment of all issues that relate to the security of the port facility. This includes, in particular, a thorough appreciation of the physical and operational characteristics of the individual port facility.
Developing the PFSP As the head of the port facility's security organization, the PFSO is responsible for the development (and later revision) of the PFSP, using the PFSA as a guide.
Developing the PFSP The PFSO can also engage other port facility personnel to assist with plan development.
PFSP Development Role of RSOs: Can prepare the PFSP but cannot be engaged in the plan approval process. Plan must be for a specific port facility.
Basis for the PFSP The PFSA cannot be viewed separately from the PFSP since it is the basis for developing an effective and comprehensive security plan.
Basis for the PFSP Using the PFSA as a guide, the PFSP must include: Policies and procedures to address identified vulnerabilities. Security countermeasures to address the highest risk threat scenarios identified in the PFSA.
Basis for the PFSP The content of the PFSP will vary, depending on the operations of the port facility and the content of the PFSA.
Basis for the PFSP Not only must the PFSP address the assets, threats and vulnerabilities mentioned in the PFSA, it must also be compliant with the ISPS Code. [Diagram labels: PFSA, ISPS Code, PFSP]
Basis for the PFSP Even in addressing the ISPS Code requirements, the security measures outlined in the PFSP should always point back to the elements in the PFSA.
ISPS Code Requirements 1. Port Facility Security Organization 2. Communications 3. Security Procedures/Measures 4. Review and Audit Procedures 5. Reporting Requirements 6. Approval and Updates
Elements of the PFSP The PFSP should establish the organization and performance of port facility security duties. Role and structure; duties, responsibilities and training requirements; description of the links to other national and local authorities.
Elements of the PFSP Having established the cyber security management framework through inclusion in the PFSP or the creation of the CSA and CSP, it is important that appropriate management and operational arrangements are in place, including:
Elements of the PFSP The identification of the individual(s) responsible for the cyber security of the port and port facilities, with individuals fulfilling these roles being designated as a cyber security officer (CSO);
Elements of the PFSP The establishment of a security operations centre (SOC); The arrangements for providing information to third parties; and The arrangements for managing security incidents or breaches.
Elements of the PFSP The CSO should be responsible for: Ensuring the development and maintenance of the PFSP/CSP; and Implementing and exercising the PFSP/CSP.
Elements of the PFSP The CSO should maintain awareness of legal and regulatory changes that could affect the cyber security of port assets and, where necessary, make adjustments in policies, processes and procedures to comply with those changes.
Elements of the PFSP For the PFSP/CSP and associated security policies, processes and procedures to be effective, it is essential that there is a top-down flow of responsibility within both the organization and the contracts/supply chain. Responsibility for cyber security may be shared by the CSO with other managers and service providers, although ultimate responsibility should be retained by the CSO.
Elements of the PFSP Security operations centre (SOC): A SOC acts as a centralized unit dealing with security issues that affect a port/port facility, including those relating to cyber security, and may form part of an operations centre supervising the port, controlling access and managing business continuity and disaster recovery activities.
Elements of the PFSP The key functions of a SOC are to: Observe, by maintaining situational awareness, i.e. understanding potential, emerging and actual threats to the port/port facility operations. Observation includes detection of unauthorized changes to port systems or port data, non-secure modes of operation and unauthorized access to port assets.
Elements of the PFSP Orient, by analyzing the risk to operations from new or changed threats and determining whether proactive measures are required to reduce the risk to an acceptable level. Decide what action may be appropriate, either to deny further access to the port asset or to respond to the event by identifying suitable countermeasures.
ISPS Code Requirements 1. Port Facility Security Organization 2. Communications 3. Security Procedures/Measures 4. Review and Audit Procedures 5. Reporting Requirements 6. Approval and Updates
ISPS Code Requirements The PFSP should address communications measures including: systems provided to allow effective and continuous communication; how the cyber security of security and communications systems and equipment will be maintained.
ISPS Code Requirements A key asset to any port facility would be its communications system and devices. If unreliable, this presents a vulnerability to the security of the facility.
ISPS Code Requirements PFSA entry: RFID cards are subject to cyber attack.
ISPS Code Requirements Port facility security guards will positively identify 10% of individuals swiping into the facility by a government-issued ID at security level 1.
ISPS Code Requirements 1. Port Facility Security Organization 2. Communications 3. Security Procedures/Measures 4. Review and Audit Procedures 5. Reporting Requirements 6. Approval and Updates
ISPS Code Requirements Cyber Security Procedures: Information on cyber security responsibilities and links to organizations that will assist the port/port facility in the event of a cyber security incident. How the cyber security of security and communications systems and equipment will be maintained.
ISPS Code Requirements Cyber Security Procedures (cont): The cyber security drills to be practiced to test the port's response to cyber security incidents. Cyber security measures required for any connection between ship systems and those of the port/port facility.
ISPS Code Requirements Cyber Security Procedures (cont): The cyber security of communications, including those: a) between personnel with security responsibilities; b) between those responsible for technical security and the wider security team; and c) that provide information about the port and port assets to third parties.
ISPS Code Requirements Cyber Security Procedures (cont): Processes and procedures for approving the electronic or wireless connection of ship and port systems. Access control measures to sensitive IT systems and accommodation, for example, networking, communications and server rooms.
ISPS Code Requirements Cyber Security Procedures (cont): Any changes to systems or system operations required at higher security levels, including any increased security measures required for admission of IT and systems maintenance contractors to the port and port facilities when the port is operating at security levels 2 and 3.
ISPS Code Requirements Cyber Security Procedures (cont): Cyber security measures pertinent to the protection/assurance of cargo-related data and the systems that process, store and transmit it. Where the port has automated systems handling cargo, the plan should address the security measures required to protect the operational IT/cyber-physical systems.
ISPS Code Requirements Cyber Security Procedures (cont): Cyber security measures pertinent to the protection and assurance of ships' stores and bunkering data and any systems that process, store and transmit it. Response to cyber security threats, breaches and security incidents.
ISPS Code Requirements Cyber Security Procedures (cont): Arrangements for auditing of cyber security measures. Contractual measures for the adoption of relevant cyber security measures within the supply chain to the port/port facility. Cyber security awareness and training required by staff.
ISPS Code Requirements Security Procedures/Measures: Procedures to maintain and update records of dangerous goods and hazardous substances, to include their location on the port facility. Means for alerting and obtaining the services of specialized response resources.
ISPS Code Requirements Security Procedures/Measures: Procedures for assisting Ship Security Officers with access control. Procedures for facilitating the shore leave of shipboard personnel and access to the ship for visitors.
ISPS Code Requirements Remember that the security measures contained in the PFSP must address how they will be implemented at all three security levels.
ISPS Code Requirements 1. Port Facility Security Organization 2. Communications 3. Security Procedures/Measures 4. Review and Audit Procedures 5. Reporting Requirements 6. Approval and Updates
ISPS Code Requirements The PFSP should describe how it will be audited to ensure the continued effectiveness of the plan.
ISPS Code Requirements The PFSP can be reviewed at the discretion of the PFSO and in the following instances: if the PFSA is altered; if an audit identifies failings or issues with the PFSP; following security incidents or threats to the port facility; if there is a change of ownership or operational control at the port facility.
ISPS Code Requirements Amendments to the PFSP should be: recommended by the PFSO following any review of the plan; approved by the Contracting Government if they alter the security approach at the port facility or involve the removal, alteration, or replacement of essential security equipment and/or systems.
ISPS Code Requirements 1. Port Facility Security Organization 2. Communications 3. Security Procedures/Measures 4. Review and Audit Procedures 5. Reporting Requirements 6. Approval and Updates
ISPS Code Requirements The PFSP should outline the reporting requirements for each security level. What is reported to the CG POCs? Specific types of security incidents? What is the reporting schedule?
ISPS Code Requirements 1. Port Facility Security Organization 2. Communications 3. Security Procedures/Measures 4. Review and Audit Procedures 5. Reporting Requirements 6. Approval and Updates
ISPS Code Requirements PFSP Approval by the Contracting Government should consider: Submission Process; Approval Process; Approval of Amendments; Audit Procedures.
PFSP Formats There are several PFSP formats available; however, there is no one preferred format. The important thing to note is that the PFSP should mirror the PFSA. All areas of the PFSA should have a corresponding section in the PFSP.
PFSP Formats Any threats, vulnerabilities, key assets or critical infrastructure mentioned in the PFSA should be addressed in the PFSP with specific security measures outlined for each at all security levels.
Questions
Works Cited: Hugh Boyes, Roy Isbell and Alexandra Luck. Code of Practice: Cyber Security for Ports and Port Systems. Institution of Engineering and Technology, London, United Kingdom. First published 2016.