top of page

ship cyber security plan

PERIMETROS cyber security assessment of the ship becomes the foundation for the development of the cyber security plan. The plan PERIMETROS will develop will address all the identified issues in the relevant assessment (e.g. cyber, physical and personnel issues) through the establishment of appropriate security controls designed to minimise the likelihood of a breach of security and the consequences of potential risks. It is intended that wherever appropriate, the CSP will build upon the existing ship security plan and most likely will be an annex to it. Therefore the measures aimed at reducing the risk of unauthorised access to the ship should also give a degree of protection to its operational technology cyber-physical systems. PERIMETROS's CSP will perform the same function for the issues identified in the CSA, also taking into consideration the impact of measures set out in the security plan for the ship and its systems. When developing the CSP, we are adopting a holistic approach, covering all people, process, physical and technological aspects of the ship. From a cyber security perspective, PERIMETROS CSP will contain:

  1. The cyber security principles that set the minimum baseline for security and drive the continous improvement of the ship security posture;

  2. The organisation structure for cyber security across the ship organisation and ashore;

  3. The policies that set out the security-related business rules derived from the ship security plan (SSP);

  4. The processes that are derived from the security policies and provide guidance on their consistent implementation throughout the lifecycle and use of the ship assets;

  5. The procedures that comprise the detailed work instructions relating to repeatable and consistent mechanisms for the implementation and operational delivery of the processes.

With a large proportion of security breaches caused by people and poor processes, it is essential that personnel, process and physical aspects directly related to the technological systems for which cyber security measures are required, are also considered and appropriate measures put in place. For example, sensitive ship systems will have to be protected from unauthorised access or modification as follows:

  1. Physical – the system and its components may be located in a restricted access area, to which only those personnel who have been authorised for access are permitted unsupervised access, a log of all authorised personnel is kept and regularly updated;

  2. Personnel – personnel with privileged (administrative, engineering or technical support) access to the systems are subject to pre-employment screening and periodic background checks;

  3. Process – processes are in place to ensure that all access to the systems is monitored and logged, and that personnel accessing controlled spaces or sensitive system, who were not subjected to the screening and background checks are supervised by a person who is authorised to access the systems;

  4. Technical – measures are in place to check any removable media or portable devices that will be connected to the system for malware (for example, software updates on USB memory sticks or diagnostic software on laptops or tablet devices). Access to systems consoles, displays, etc is password protected.


The measures required in each of the aspects will also depend on the level of resilience that the ship may call upon. Regular training and assessment should be established for all those who are granted 'authorised' status for access to systems and subsystems to ensure that appropriate cyber hygiene is carried out when accessing systems for whatever reason. The completed CSP for the ship should be protected from unauthorised access or disclosure and should form an annex of the SSP.

Review of the csp

PERIMETROS will perform at least annual, reviews of the CSP to verify that it remains fit for purpose. Where necessary, the CSP will be updated to reflect any identified gaps, shortcomings or organizational changes, or changes which have arisen for political, economic, social, technological, legal or environmental reasons, and which have an impact on the ship or ship assets. The CSP will contain suitable mechanism for performing ad-hoc risk reviews to identify and assess the impact of any changes on ship assets and to update the ship CSA.

monitoring and auditing of the csp

PERIMETROS will monitor and audit the CSP across the lifecycle of all ship assets. This monitoring or auditing will be in addition to any actions that may result from an incident or breach. Example areas that we are assessing are:

  • The implementation of all security policies, processes and procedures affecting the ship assets, including the handling or storage arrangements implemented for security-sensitive and sensitive information;

  • The compliance of its supply chain with the security policies, processes and procedures specified in the CSP, as a minimum on a risk-based sampling approach; and

  • The management of security controls that operate throughout the operational lifecycle of the ship assets.

bottom of page