Professional Documents
Culture Documents
navigational administration and compliance with company’s procedure are conducted by shore
staff at least once per year.
Unrestricted bridge access during navigation, anchorage and pilotage is limited to only those with
operational bridge responsibilities. Only tasks and works in relation to safe navigation of the ship
allowed.
• The use of mobile phones and other personal electronic devices including media and social
entertainment equipment, including personal computers prohibited.
Back ground noise from navigational and communication equipment) should be controlled.
Correction of charts and publications not allowed during the own watch of responsible officer.
• Internal and external communications are restricted to those related to the safe navigation of the
ship
The bridge should be free from distractions and all non-essential activity should be avoided.
OOW should not be or allow themselves to be distracted
It is the duty of the Officer of the Watch to be aware of any work being carried out near the radar
and radio aerials, and of sound signaling apparatus, so that the appropriate warnings can be given.
The use of warning notices to hang one equipment controls when such work is in progress is
recommended,
It is the Deck Watch Officer's responsibility to ensure that the Helmsmen are trained to steer
properly in the various modes and that they are fully aware of the vessel's steering peculiarities and
capabilities,
Helmsmen shall not change the steering mode (hand, gyro, non-follow-up control) unless supervised
and instructed to do so by the Officer in charge. Changeover instructions must be prominently posted
near the ship's wheel, and During lengthy periods with increased bridge manning; When the Master
feels due to prolonged time of standby (i.e. long river passages, traffic separation schemes) that he
need rest or must leave the bridge, the Chief Officer shall relieve him in the Navigation Bridge
Masters standing orders should include reference to the ECDIS in use on board the vessel. This may
include vessel specific instructions for watchkeeping officers which are unique to its ECDIS
installation. Reference should be made to the Individual Vessel Specific Risk Assessment which will
identify the potential hazards associated with ECDIS operation on board that particular vessel.
The windlass is designed to lift minimum 3 lengths of chain (82.5 m) and weight of the anchor as IACS
minimum requirement. The maximum water depth in which routine anchoring may be carried out is
80 m. Anchoring in deeper water (more than 80 meters) is only to be carried out in an emergency
situation in which the Master considers it acceptable that the windlass may not be capable of
recovering the anchor, or unless design characteristics differ, which must be taken into account in the
Risk Assessment process which has to be carried out and with Company’s approval
Almost all of the ships are designed to lift or lower an anchor and three shackles of cable through a
maximum 82.5 meters of water in a vertical lift and anchor system is designed to hold the vessel at
anchor position in conditions which the wind speed of 22 knots and current velocity of 3 knots and
maximum significant wave heights 2 meters.
For anchorage; wind force should be less than 28knots or current should be less than 3 knots (1knot
current=9knots wind) and the sea/swell condition should be considered depending the size of the
vessel.Otherwise vessel should stay adrift.
During anchorage when the wind force reaches to 34 knots vessel should left anchorage and stay
adrift.
Bunker barge or supply boats shall not be allowed alongside until completion of anchoring operations
When an anchorage position has been selected a planned approach can be made. Often, the
best direction of approach to the anchorage will be determined by noting the direction in which
other vessels of similar type, size and draught are heading. By approaching the anchorage on the
same heading,manoeuvring in a confıned area can be minimised.
Check the main engine for ahead/astern test before arrival to anchorage area
The safety swinging circle to be calculated and checked for enough availability of sea room in width
and depth. (Safety swinging circle = Length of anchor cable + Length of vessel + Safety margin)
Small and Medium Size Vessels
For anchoring small and medium size vessels (under 65,000 DWT) in shallow water (below 40 meters
depth),
the anchor should be walked out to the water, disengage the windlass clutch, holding the anchor on
the brake.
When the vessel is in position and the vessel nearly stopped the anchor is “let go” and the chain paid
out,
controlled by the brake. If required, the engines should be used to take the weight off the chain. The
position
of the vessel should be recorded at the time of letting go so that the position of the anchor can be
ascertained.
For anchoring small and medium size vessels (under 65,000 DWT) in water depth above 40 meters,
the anchor
should be walked out all the way controlled by the windlass and brake until the vessel is brought up to
the
required number of shackles. The windlass should be disengaged and the anchor and cable held on
the brake
and stopper bar. (The advantage is to avoid excessive strain on the brakes, on the bitter end and
damage to
windlass gear, less brake wear)
Large Vessels
For anchoring large vessels (over 65,000 DWT), DO not “LET GO” anchor and should be walked back
with the
windlass under power/gear.
Under normal circumstances when the vessel is at the required position and stopped relative to the
ground, the
anchor should be walked out to the bottom. Continue to walk out the anchor, controlled by the
windlass gear
and brake until the vessel is brought up to the required number of shackles. Once anchored the
stopper bar and
brakes engaged prior disengaging the gear
n light of the above captioned subjects, approach the anchoring position by heading into the
predominant
force (either wind or current/tidal stream, usually the latter), take way off the ship and then make
very slightly
sternway, let go the anchor, controlling with the brake once the anchor is on the sea bed and slowly
paying out
as the ship moves astern. After the vessel anchored, display the proper signal (ball daytime, lights at
night)
.7.8.1 Additional Precautions when anchoring in water depth exceeding 40 meters depth
There have been many incidents in the industry that resulted in the loss of anchors or severe damage
to the
anchor windlasses. When anchoring in water depth exceeding 40 meters, great care must be taken to
ensure
the anchoring manoeuvre is carried out safely and the anchor is holding well.
This is the ideal condition of a windlass but this may deteriorate with age, level of maintenance and
wear and
tear. This must be considered when planning anchoring.
The following would need to be considered;
1. The vessel should be stopped over ground when walking out the anchor
2. The water depth must be ascertained before anchoring
3. The anchor and chain should be walked out until the anchor is fully deployed. The anchor should
not be
led go by gravity as this can damage the brake lining and result in the letting go not being fully
controllable.
4. The extended turning circle of the vessel must be considered when dropping anchor in narrow
anchorages. A dragging anchor could result in close quarter situations developing fast.
5. The holding ground must be considered. Anchoring should not be attempted when the holding
ground
is poor. Mud is the best ground type and holds the anchor better. Shell and Sand ground are poor
holding ground types.
6. The condition of the windlass brake must be fully considered this can be obtained from the latest
brake
holding capacity test and a visual inspection of the lining and the brake arrangements
Minimise the tension in the chain and keep the chain as vertical as possible
In windy weather conditions or strong current, the rudder and engine must be fine-tuned to
prevent
too high tension in the chain and overload of the windlass motor. This will also prevent dragging of
anchor and breaking out the anchor. The heaving up speed is typically nine metres/ min so speed
over
ground should be less than this ie 0.3 knots.
Close communication between bridge and anchor party on deck is essential
The anchor party should know the vessel’s windlass capacity to heave up maximum free-hanging
shackles
Vessel to prevent the overloading of high pressure windlasses which can result in their catastrophic
failure, the ‘heaving in’ should be stopped as soon as any significant tensioning is observed, or
difficulty is experienced.
At a convenient time – at least one hour - before entering confined or restricted waters the
following shall
be carried out:
Communication between bridge and steering gear compartment to be tested
Rudder response to manual steering from all bridge positions using each steering gear power unit
singly
and together
Anchors to be cleared
Company Poster No: 24 should be referred for required Bridge Watch Composition, Engine and
Helm
requirements.
Radar must be used at all times. Position fixing shall be carried out as per company requirements
n heavy weather conditions the master required to alter speed and course and at his direction in
order to
ensure the safety of life onboard, the vessel and its cargo.
Engine RPM must be reduced to the extent that the vessel makes headway without causing
shuddering and
excessive vibration.
Master must ensure that the speed was reduced in bad weather to avoid damage or stress to the
ship and
engines. To reduce the effect of bad sea/weather on the ship;
Critical equipment (such as life boat, life raft, steering system, radar etc.) must be controlled before
entering
the bad weather.
Ballast tanks should be filled, if necessary heavy weather ballast tanks are also to be filled.
Instead of long period navigation with low speed (1-2 days 2-3 knots), should be preferred to
proceed to the
closest sheltered area.
Steering system must be on hand steering position.
The Master should check and approve the passage plan before departure.
If a fleet vessel using ECDIS as primary means of navigation will call an area where ENC charts are
not
available;
Master will inform the company immediately (by e-mail) and inform the requested paper charts
covering
such area.
Risk assesment and Management of change process required
Depending on the previous called ports, the charts will be provided by the Company / worldwide
suppliers
or by the Company's local agent.
Master will inform the Company to confirm that the charts and publications were received.
If the voyage is fixed at sea, company will try to supply related chart before arrival to port. (at
anchorage
area with supply boat, with pilot boat etc.). Providing Raster charts will be considered.If this is not
possible, company will consider sending scanned copies of the paper chart with monitoring the
vessel’s
position on the paper chart at office simultaneously). This is also subject to risk assessment and
management of change process. Flag state to be notified
When planning the vessels next passage, the Master, in conjunction with the navigator, should lay off
courses such that the vessel complies with the company UKC requirements. UKC calculations should
be
completed for each leg of passage where the depth of water is less than two times of the vessel’s
maximum static draft. For the areas where the depth of water exceeds two times the vessel’s
maximum
static draft, a full review of each leg to be completed to verify compliance with company
requirements
and this is to be referred on passage plan form. Where the depth of water exceeds two times the
vessel’s
maximum static draft, further UKC calculations are not required but this excludes berths and pilot to
berth/berth to pilot passages. In any case; UKC calculations must be completed for berths. For pilot
to
berth/berth to pilot passages; even the depth of water exceeds two times the vessel’s maximum
static
draft; at least one calculation should be completed for the most critical leg of passage. (Min ukc
expected
leg of passage). When in open water, however, Masters shall plan their voyages to avoid, wherever
practical, transiting areas of charted depth less than two times the vessel’s maximum draft.
If during the passage planning it becomes apparent that the allowed minimum UKC above is to be
breached,
situation must be re-checked. Reducing the speed or the quantity of cargo loading should be
considered.
With the final conclusion, the Company must be immediately informed such that a full appraisal
and Risk
Assessment may be carried out. The infringing section of the passage plan is NOT to be carried out
until the
vessel has received permission from the Office to proceed
2.4.16 Squat
Squat depends on the relationship between Speed, Draft of vessel and the Depth and Width of a
navigable
channel. Squat is defined as the increase in draft due to speed and its effect should be allowed for by
adding
appropriate corrections to the ship’s deepest draft.
The amount of squat is largely dependent on speed and any situation in which loss of under keel
clearance due
to squat may give cause for concern, can be resolved by slowing down, and subject to the
manoeuvring
limitations of the ship involved. The necessity to further reduce speed may also be signalled by:
Increased helm requirements.
Increased or excessive vibration.
A sudden reduction in speed over the ground for the same RPM
The formation of heavy bow and stern waves.
Charterers undertake to exercise due diligence to ensure that chartered ships are only employed
between and
at safe ports, places, berths, docks, anchorages and submarine lines. Allowance for known or likely
effects of
squat is implicit in voyage instructions and additional allowance need not therefore be made.
Calculating the effects of squat for the passage plan, consideration should be given to determining
the
maximum speed permissible that will avoid contravening the minimum UKC required, rather than
simply
determining the UKC for a proposed transit speed.
The following formula should be used to calculate SQUAT as recorded on NAVOPS-08 Passage Plan
UKC
Calculation Section.
A rough mathematical guide for squat calculation can be used as follows:
A ship transiting through shallow waters experiences an increase of draft and this effect is known as
‘Squatting’. Vessels start to ‘Squat’ when the depth of the water decreases to approximately one and
a
half (1.5) times the maximum draft
The company policy regarding the minimum permissible air clearance of 1.5 meters of vessels ballast
or in
loaded condition considering, draught, water density, squat etc from the Bridge, Cables etc. Bearing
in mind
that cables are vulnerable to movement at a result of wind effect. Also static electricity should be
considered
when passing under cables
CPA and TCPA values should be set as safe as possible but not less
than 0,5 nm and 8 min for coastal waters, not less than 0,1nm and 5 min for canals, straits, buoyed
channels,
pilotage waters etc.
Vessels transiting the English Channel and Dover Straits are to note that there is a minimum required
under
keel clearance which must be complied with. Refer to BA Chart 5500 ‘Passage Planning in the English
Channel’.
Reference should be made to the appropriate section of the ‘Annual Summary of Notices to
Mariners’
regarding ‘under keel clearance’
Attention necessary when navigating in or near a traffic separation scheme (TSS); and
• Defects affecting aids to navigation, propulsion and steering.
A VDR is required to maintain a sequential record of information, covering at least a 48 hour period,
which as a
Preserving Records
Records should be retained for at least 30 days/720 hours on the VDR long term recording element,
and at
least 48 hours on its fixed and float-free recording element. After these times, older records on each
of the
recording elements may be overwritten with new data and will be lost. Watchkeeping officers should
understand and be familiar with the procedures for preserving records as required by the SMS.
Course recording equipment should normally be operated continuously and when the vessel is being
steered
by automatic pilot the appropriate adjustments should be made to ensure that the best course is
being
steered as indicated by the recorder.
It is recommended that the course recorder is not switched off even in port. Should the vessel
breakaway from
the moorings the information on the recorder roll will be valuable.
It is important that the course recorder should be set to GMT and the time synchronized daily at
ships noon.
Rolls should be stored for 3 years.
The Course Recorder shall be checked for pen alignment and clock agreement, recording paper and
ink supply,
and proper printing/marking as applicable, at the conclusion of each watch, and during pre-arrival
testing and
testing prior to getting underway.
The Master should expect the Pilot(s) to be qualified, certified and experienced for the intended
pilotage and
adequately rested and alert. The Master has a right to request a replacement Pilot should it be
deemed
necessary.
Trainee pilots are not allowed to take command or give advice for maneuvering onboard fleet
vessels.
The Master must remain in charge of the Bridge at all times when a Pilot is on board, except when
pilotage is
temporarily suspended and vessel safely anchored or navigating in a safe are such as lake or inland
sea (Lagoa
dos Patos, Azov Sea). When the Master feels due to prolonged time of standby (i.e. long river
passages, traffic
separation schemes) that he need rest or must leave the bridge, the Chief Officer shall relieve him in
the
Navigation Bridge. At Panama Canal, the Pilot has full authority and is in control of the vessel’s
navigation and
movement
Base' Display
This is the minimum Level of information which has to be displayed at all times. It is not intended to
be
sufficient for safe navigation. Some ECDIS do not allow the mariner to reduce the level of information
shown
to the 'Base' display. The 'Base' display is a subset of the 'Standard' display.
'Standard' Display
This is the display mode that the ECDIS should use when it is first switched on, and it should be
possible to
return to this display mode by a single key press. Under normal circumstances, this should be
considered to
be the minimum information that must be displayed at all times and, depending upon the needs of
the
mariner, is the starting point from which the mariner can modify their display by adding relevant
information,
especially during appraisal and passage planning.
Other
This display mode presents all of the information available in the ENC data. The ECDIS display is likely
to be
very cluttered when this mode is used, particularly if there is a lot of textual descriptions or magenta
information symbols on display. To assist the mariner, most ECDIS manufacturers address this using
one of
two approaches. Either they allow the mariner to 'build' the chart display by adding feature
categories to the
'Standard' display, or they allow feature classes to be progressively removed from the 'ALL'
Information mode.
This tailoring of the display is commonly referred to as 'Other' or 'Custom' display mode, depending
on ECDIS
type.
Whilst 'Standard' display may be considered to be the minimum information that must be
displayed at all
times, some important features such as soundings, submarine cables, and pipelines are not
included in this
display mode, and so must be switched on using the appropriate 'Custom' display settings
available.
The 'Standard' display mode does not show all seabed features, including submarine cables and
pipelines. The
ECDIS user should therefore familiarise themselves with the 'Custom' display options of the ECDIS to
ensure
the display can be configured safely, It is required the voyage plan includes a list of the settings
required for
each phase of the voyage.
Customisation of the display is a powerful tool. Used sensibly, it can significantly improve safety by
enhancing
the clarity of display. Used unwisely, particularly during voyage planning, it can lead to a dangerous
display
where the mariner cannot see, and so has not taken into account, all of the important information
required to
prepare a safe voyage plan.
The 'Custom'/'Other' display mode functionality should therefore be used with care to make sure
that only
non-essential information is switched off.
These values will be used by the ECDIS until the OOW changes parameters. If the value of the safety
contour is
changed, the boundary between the two depth shades will change accordingly. Changing the value of
the
shallow or deep contours will have no effect on the display.
However, if the 'Two shades' option is switched off, the ECDIS should then display four different
shades, using
the values that are set for the shallow and deep contour options.
Take the example where the following settings are applied to the ECDIS:
Shallow Contour 5.0 meters
Safety Contour 10.0 meters
Deep Contour 30.0 meters
Two Shades Off
The use of four depth shades reduces the contrast difference between adjacent depth areas. This
may make
it more difficult to distinguish between safe and unsafe waters under certain lighting conditions,
particularly
at night where its use is not recommended.
The new and conspicuous symbol, shown Left, is displayed where one of these
features is known
to have a depth Less than or equal to the safety contour value entered by the user, and it sits in
the deeper waters beyond the safety contour as depicted by the ECDIS (i.e. it is a hazard to
navigation Located in otherwise 'safe waters')
Note:
This isolated danger symbol is only applied to wrecks, rocks and obstructions that are submerged. It
is not
applied to soundings. The symbol most commonly represents a point feature, but will appear in the
centre for
obstructions which are area features (e.g. foul area).
6.1.5.7.5 Scamin
Where it is likely that an ENC cell may be required to be used at smaller scales in certain situations,
ENC
producers are able to use the scale minimum attribute (SCAMIN) that forms part of the S-57
standard, and
which allows the ENC producer to define the minimum display scale at which they wish individual
features in
the ENC data to remain on display. If the ECDIS is zoomed out beyond this scale, it will no Longer
display the
feature, and therefore reduce clutter.
So Scamin ensures navigation features on the chart are only displayed at their assigned scale. (For
example:
An anchorage area which is assigned for 1:45000 will display at this scale, not at 1:350000 for ex. or
other
scales etc)
OOW should be aware that the SCAMIN value of an object determines the display scale below which
the
object is no longer displayed and if not correct scale used navigational data could be missing. In case
an object
has no SCAMIN value, it will be displayed at all scales. The problem, however, is that SCAMIN is not
universally
applied by IHO in the same way and OOW should be aware of this and use correct scale always.
l. During voyage monitoring, the ECDIS must be operated at compilation scale when appropriate
scale ENCs
are available
2. When the OOW zooms out to improve situational awareness, the ECDIS may indicate an
underscaLe
warning and may Limit this operation to a certain scale factor. The OOW must be conversant with the
procedure for resetting to the ENC compilation scale as soon as wider situational awareness has been
established
3. During the planning phase, where the Deck Officer may use smaller scale charts or zoom away
from
compilation scale to manipulate waypoints, checks and visual inspections for dangers should be
carried out at
compilation scale
4. Where the ECDIS allows the selection of SCAMIN off/on:
a. The system must be set to operate with SCAMIN OFF for appraisal, planning and review phases to
ensure aLL information is seen
b. SCAMIN must be selected ON for execution and monitoring of the Voyage Plan in order to reduce
the
effects of an over-crowded display
SAFETY CONTOUR: The value of the safety contour should be calculated during the planning phase
and
entered by the OOW. The Safety Contour marks the division between "safe‟ and "unsafe‟ water.
When the
safety contour is not displayed to the specified value set by the navigator, then the safety contour is
shown to
the next deepest contour as per the default layers in the electronic charts. During route planning, an
indication
will be made if the route is planned to cross the ship’s safety contour. At the time of route
monitoring, ECDIS
should give an alarm if, within a specified time set by the navigator, own ship is likely to cross the
safety
contour.
Before commencing any voyage, an appropriate value for the safety contour based on the vessels
draught and
required under-keel clearance, taking into consideration the quality of the ENC data available and
expected
operating conditions should be set. Company requires setting of this parameter as per below table.
When building the chart display, the ECDIS software will then draw the next available deeper depth
contour in
the ENC data with a thick bold contour line style, and shade all areas of the chart between this depth
and the
zero metre drying line in a dark blue shallow water colour.
In the example below, the mariner has set the safety contour value to be 6 metres. The next
available deeper
contour in the ENC is 10 metres which is therefore drawn in the bold line style
The dynamic method of display ensures that the mariner quickly see which areas are potentially
dangerous for
the ship to enter.
Whilst in route monitoring mode, an alarm will be activated when the look-ahead watch vector
crosses the
safety contour, giving the mariner advance warning that the ship is approaching potentially
dangerous shallow
waters
AFETY DEPTH: The Safety Depth highlights individual soundings in bold that would appear where the
sounding is less than the level set on the safety depth alarm. This is generally set the same as the
safety
contour.
Most ENC cells only contain the same standard range of depth contours that are shown on paper
charts. (2m,
5m, 10m, 20m, 30m, 50m are common).
Whilst this approach avoids display clutter, it limits the effectiveness of the safety contour feature. In
the
previous example, the ECDIS operator set a safety contour value of 6m, but the next available depth
contour
was only 10m. The ECDIS will therefore highlight waters between 6 m and 10 m deep as potentially
dangerous.
In order to provide an improved visualisation, the mariner is usually able to set a safety depth value
independently of the safety contour value. The ECDIS will then use this value to control the display of
the
sounding information contained in the ENC data. Any sounding with a value equal to or less than, the
safety
depth value entered by the operator will be displayed in bold to make them more prominent.
Returning to the previous example, three of the soundings within the 10 m contour are less than 6
metres in
depth and will therefore be displayed in bold, if the safety depth is set to 6 metres. The 7.3 m
sounding in the
northern portion is deeper than 6 m, indicating that this part of the blue shaded area may still be
safe.
Company requires safety contour and safety depth to be set equally as per below table.
SHALLOW CONTOUR: This value is considered to be the grounding depth. The shallow water pattern
is a
diagonal lattice drawn over the waters behind the safety contour. This value should be set as per
below table.
GUARD ZONE -NAVIGATIONAL DANGER (SAFETY FRAME – SAFETY CONE): Safety Frame or Safety
Cone is
equally as important as the Safety Contour, as this will provide early indication of the vessel running
into
danger or approaching an area of concern. Equally, if the safety frame is set too large then the ECDIS
is likely to
provide alarm overload with the result that an essential alarm may possibly be ignored.
Setting the appropriate length of guard zone is extremely important as it should give the deck officer
time to
investigate the alarm and take appropriate action before the potential hazard is reached. In all cases
navigation officer should calculate and insert into the voyage plan the length of the guard zone to be
used
based on the likely maximum speed over the leg.
Some ECDIS have functionality for the operator to define the sector width or angular vectors ahead
of the
vessel that defines the area to be searched for dangers, safety contours and warning areas.
Guard zone set with a wide sector in a narrow channels etc. will result in increased alerts so should
be set
properly. Company requires setting of this parameter as per below table.
XTE: CROSS TRACK ERROR: cross track error should be entered leg by leg in the passage plan
considering
intended safety distance from the dangers, because of ECDIS consider only area, between the port
and
starboard XTE, during the safety checks. During the confined waters, channel passage etc. 0,1 nm
should be
set (wherever possible and practicable). During pilotage and confined waters, canals etc. if 0,1 nm is
not
practicable (for example due to width of channel) the setting must be adjusted at minimum as for
sum of port
and stbd: the width of the safe area of channel/canal etc – 0,02 nm. In the coastal waters 1 nm is
required
wherever possible and practicable. If this is not practicable, it can be reduced but never less than 0,3
nm. For
open waters it should be set to 3 nm.
“Port-Stbd-fwd-aft” and also “width” values will be same with xte setting but max 3 cables.
During Ocean/Open Water Passages the safety Contour should take into account the lowest
possible height
of tide during the voyage. During Coastal or pilotage Navigation, the safety Contour should be
calculated
more accurately so as to maximise navigable water within a harbour or constrained Navigation.
This
calculation should take into account the safety depth using the precise time the safety Contour will
be in
force for and the lowest tidal height for this period, squat at the Planned speed, the vessels current
draft
and any effects of the current/expected weather conditions. This more precise Safety Contour will
be only
valid for the time period used in the calculation which should be borne in mind if the vessel
encounters a
delay/advancement when using the safety Contour.
The vessels should calculate the minimum UKC by correcting the depth data with accuracy
corrections (ZOC)
and if during the passage planning it becomes apparent that the allowed minimum UKC is to be
breached,
then the Company must be immediately informed such that a full appraisal and Risk Assessment
may be
carried out. The infringing section of the passage plan is NOT to be carried out until the vessel has
received
permission from the Office to proceed.
The vast technological advancements in Information Technology (IT) have resulted to the
networking
of ships which are interconnected via the World Wide Web. Due to the latter’s given
proneness to
cyber-attacks, in conjunction with the increased complexity of electronic equipment on
board resulting
in high risk of human error in the use of this equipment, the marine industry should be
prepared to
face increased cyber threat. This means that the company needs to assess risks arising from
the use of
IT and OT (Operation Technology) on board ships and establish appropriate safeguards
against cyber
incidents
Operational technology (OT): The technology commonly found in cyber-physical systems
that is used
to manage physical processes and actuation through the direct sensing, monitoring and or
control of
physical devices, for example, motors, valves, pumps, etc. In a vessel these systems include:
plant and
machinery, RF communications, on and off board sensors and navigation systems.
What is cyber security?
Cyber security can be defined as “the collection of tools, policies, security concepts, security
safeguards, guidelines, risk management approaches, actions, training, best practices,
assurance and
technologies that can be used to protect the cyber environment and organization and user's
assets”.
Within this definition, “cyber environment” comprises the interconnected networks of both
IT and
cyber-physical systems utilizing electronic, computer-based and wireless systems, including
the
information, services, social and business functions that exist only in cyberspace. On a ship
the
computer-based systems will comprise a range of information technology components (for
example,
personal computers (PCs), laptops, tablet devices, servers and networking component such
as routers
and switches, etc.) and operational technology (for example, control systems, sensors,
actuators,
radars, etc.).
he maritime sector is a vital part of the global economy, whether it is carrying cargo,
passengers or
vehicles. Ships are becoming increasingly complex and dependent on the extensive use of
digital and
communications technologies throughout their operational life. Poor security could lead to
significant loss of customer and/or industry confidence, reputational damage, potentially
severe financial losses
or penalties, and litigation affecting the companies involved. The compromise of ship
systems may also
lead to unwanted outcomes, for example:
(a) physical harm to the system or the shipboard personnel or cargo – in the worst-case
scenario
this could lead to a risk to life and/or the loss of the ship;
(b) disruptions caused by the ship no longer functioning or sailing as intended;
(c) loss of sensitive information, including commercially sensitive or personal data;
and
(d) permitting criminal activity, including kidnap, piracy, fraud, theft of cargo,
imposition of
ransomware.
(b) Cyber safety is as significant as cyber security. Both have equal potential to affect the
safety of on board
personnel, ships, and cargo. Cyber security is concerned with the protection of IT, OT
and data from
unauthorised access, manipulation and disruption. Cyber safety covers the risks from
the loss of
availability or integrity of safety critical data and OT.
Cyber safety incidents can arise as the result of:
A cyber security incident, which affects the availability and integrity of OT, for
example
corruption of chart data held in an Electronic Chart Display and Information System
(ECDIS).
A failure occurring during software maintenance and patching.
Loss of or manipulation of external sensor data, critical for the operation of a ship.
This includes
but is not limited to Global Navigation Satellite Systems (GNSS).
Whilst the causes of a cyber safety incident may be different from a cyber security
incident, an effective
response to both is based upon training and awareness of appropriate company
policies and
procedures. As a result of all mentioned above, cyber risk management should be
incorporated into
the company SMS
1.6. What are the threats that cyber security is seeking to address?
The motivation for a cyber-attack on a ship system may be generated from one of the
following six
purposes.
a) cyber misuse – this includes low-level criminal activities including vandalism and
disruption of
systems, defacement of web sites and unauthorized access to systems. The acts may
be
perpetrated by script kiddies or through insider activity by disgruntled personnel and
contractors. Where researchers access a system without authority from the system's
owner,
their actions may not be malicious but are nevertheless deemed as a criminal act.
b) activist groups – (also known as “hacktivism”) – seeking publicity or creating
pressure on
behalf of a specific objective or cause, for example, to prevent the handling of
specific cargoes
or to disrupt the operation of the ship. The target may be the ship itself, the operator
of a ship
or a third party such as the supplier or recipient of the cargo.
c) espionage – seeking unauthorized access to sensitive information (intellectual
property,
commercial information, corporate strategies, personal data, pattern of life) and
disruption
for state or commercial purposes.
d) organized crime – largely driven by financial gain, this may include criminal
damage, theft of
cargo, smuggling of goods and people, and seeking to evade taxes and excise duties.
e) terrorism – use of the ship to install fear and cause physical and economic
disruption.
f) warfare – conflict between nation states, where the aim is disruption of tranship
systems/infrastructure to deny operational use or disable specific ships, such as
product
tankers.
.7. What are the effects that threat actors are trying to achieve?
Whatever the aim and motivation for attacking a ship or fleet of ships, the threat
actors will have an
outcome that they are attempting to achieve. These effects may be aimed at the
overall business, the
ship or the ship subsystems and are grouped into the following categories:
a) destroy – examples may include the destruction of cargo, ship, or port in such a
way that they
are no longer available for use.
b) degrade – examples may include impacting the speed or manoeuvrability of the
ship, the
ability to navigate accurately or monitor the local environment accurately to the
point where
the ability of the ship to operate is significantly impaired.
c) deny – examples may include the denial of access to ship systems or
information/data possibly
for such reasons as extortion for financial gain or to mount a physical attack on the
ship for
kidnap and ransom purposes.
d) delay – examples may include to delay the timely operation of the ship or ship
subsystems so
that the knock-on effect may impact business operations or cause penalties to be
incurred.
e) deter – examples may include influencing the business from operating in certain
areas of the
world oceans, operating in specific markets or accessing specific ports from a
commercial
perspective.
f) detect – examples may include the detection and tracking of people, cargo or ship
locations
so that planned physical theft or cargo manipulation might take place.
g) distract – examples include the ability to alter the state of a sensor so as to
provide a
distraction whilst a data/information extraction takes place.
Need for Cyber Security Risk Management
Cyber Security risk management exists to:
identify the roles and responsibilities of users, key personnel and management
both ashore and
on board,
identify the systems, assets, data and capabilities, which if disrupted, could pose
risks to the
ship’s operations and safety,
implement technical measures to protect against a cyber incident and ensure
continuity of
operations. This may include configuration of networks, access control to networks
and
systems, communication and boundary defence and the use of protection and
detection
software,
implement activities and plans (procedural protection measures) to provide
resilience against
cyber incidents. This may include training and awareness, software maintenance,
remote and
local access, access privileges, use of removable media and equipment disposal,
implement activities to prepare for and respond to cyber incidents.
such protection measures are:
physical security of the ship in accordance with the ship security plan (SSP),
protection of networks, including effective segmentation,
intrusion detection,
software whitelisting,
access and user controls,
appropriate procedures regarding the use of removable media and password
policies,
personnel’s awareness of the risk and familiarity with appropriate procedures.
EXAMPLE VULNERABILITIES
Firewall mounted in engine performance monitoring cabinet, but not connected
No Anti-virus on “island-mode” workstations
Skype installed on tank sounding computer
Undetected infection of Loading computer
No password change policy, passwords pre-set by shore IT; Passwords printed on paper
and
posted on the wall
Unnecessary Administrator access on engine performance monitoring PC
No automatic lock out, and users stay logged in to workstations, because reporting tasks
are so
time consuming that they cannot be handled by a single person
Lack of physical security, all equipment in scope is accessible
Weak passwords, e.g. “123”
Personal use of company network; E-mail (bypassing corporate filtering), browsing, and
social
networkingon on-board PCs
4 base functions of on-board firewall disabled, including event-logging & Broadcast
storm
protection disabled in switches
Limited alarm and event logging; Security products generate alarms, but there is no
central
collection or review of events
Lackof Windows patching & hardening; Windows updated only during major upgrades,
i.e. up
to 3 years outdated // Windows installations configured with standard settings // Default
credentials on networking gear,e.g. switches, routers
15 Anti-virus alarms in a week on sample PC on-board
Anti-virus installed on all hosts: However, no scheduled scans. Last scan in 2014
No monitoring/alarming of network load within Network panel of Alarm server HMI
Alarm servers running unused/unnecessary services
Adequate malware protectionnot installed on HMI PCs (Alarm monitoring and Engine
Performance monitoring)
Alarm overflow: After a certain number, no further alarms can be received
OS security patches ~twice a year (except ship’s firewall)
Unencrypted e-mail communication
No defined policies to follow by associated vendors/service personnel; Service provider
technician uses own USB stick to print reports from on-board PCs
Dedicated USB stick for updating ECDIS, however physically not secured and no malware
scanning
Single USB stick policy; Single USB used to transfer loading condition data to shore via
Bridge //
SD card used between camera and on-board workstations // Gradually all of business
network
on-board infected
All data and configuration backups stored in a single cabinet on-board
All backup HDDs stored in a single rack (together with all IT servers), and not transferred
to
shore
IT dept. responsible for comm. networks, but Master is responsible on the vessel; No
incident
response policy defined. The Master would contact IT dept. // AIS kept on in piracy area
despite
policy to switch off: No policy regarding sharing geo-tagged photos
If a vessel is involved in a cyber incident, the Master will inform the company in the following
manner: