
CYBER SECURITY MANAGEMENT PLAN
SECTION: CSMP
REVISION: 0
ISSUE DATE: 14/09/2018

QUEEN PROTOCOL
IMO 9260031

CYBER SECURITY PLAN

This plan has been developed in accordance with:

• IMO Resolution MSC.428(98)
• BIMCO guidelines on Cyber Security
• EU Reg. 679/2016
• USCG Cyber Bulletins
• UK Department of Transport - Cyber Security Code of Practice for ships

This plan should be kept with the IT manager (In office) & the
Master (On Board) and used as a practical guide regarding CYBER
SECURITY, in supplement to the company Safety Management
System.

THIS PLAN CONTAINS CONFIDENTIAL INFORMATION

The present manual is property of the manager of the vessel and may not be removed from the vessel or
reproduced wholly or partly in any manner without the prior agreement of the manager of the vessel.

CYBER SECURITY MANAGEMENT PLAN CONFIDENTIALITY

The present Security Plan is considered “CONFIDENTIAL”.

A. On board the vessel, the plan shall be kept secured by the Master in his cabin
(identified as a Restricted Area). Only the Master, Ship Security Officer/Cyber
Security Officer and Company Security Officer shall have access to this plan.
B. Within the Company’s premises, the plan shall be kept by the Company Security
Officer. Only Top Management, heads of departments, the CSO and assigned IT
personnel shall have access to this plan.

NOTE: This plan contains confidential information. Confidential
information is defined as any data, whether technical, financial,
operational or strategic, that, if improperly used or disclosed to
unauthorized parties, could adversely affect the Company itself or the
Company’s employees (including crew members on board vessels).
Confidential information can be presented or stored in many forms,
including but not limited to: paper documents, information on
electronic storage media, information passed by voice, charts and
graphic presentations, audio and video tapes, and email.

It is each employee’s and crew member’s responsibility to protect the confidential
information included in this plan and to report immediately any attempts or
actions which may result in the interception of this information.

INDEX
ALL DOCUMENTS LISTED BELOW ARE CONTROLLED

Doc Code   Title                                              Revision   Issue Date

           Introduction                                       00

PROCEDURES
CSMP-1     Introduction to Procedures                         00
CSMP-2     Threats / Risks                                    00
CSMP-3     Managing the Risk                                  00
CSMP-4     Networks                                           00
CSMP-5     Training, Audits & Reviews                         00
CSMP-6     Roles & Responsibilities                           00

CYBER SECURITY POLICY
CSP-1      Office Contingency Plan                            00
CSP-2      Vessel Contingency Plan                            00
CSP-3      Cyber Security Incident Investigation              00

FORMS
APP-1      Initial – Cyber Incident Report                    00
APP-2      Cyber Incident Investigation (Part-1 & 2)          00
APP-3      Root Cause Identification                          00
APP-4      Cyber Risk Assessment                              00
APP-5      Self-Assessment – Company Cyber Security           00
APP-6      Self-Assessment – Ship Cyber Security              00

RISK ASSESSMENT
CSRA-1     Communication Systems                              00
CSRA-2     Navigation Bridge Systems                          00
CSRA-3     Propulsion, machinery and power control systems    00
CSRA-4     Access Control Systems                             00
CSRA-5     Cargo Management Systems                           00
CSRA-6     Core Infrastructure Systems                        00
CSRA-7     Administrative and Welfare Systems                 00

CSMP-1 : Introduction to Procedures


1.0 SCOPE & PURPOSE

a) The aim of this document is to offer guidance to office and ship staff on how to assess
their operations and put in place the necessary procedures and actions to maintain the
security of cyber systems on board their ships and in office.

b) The measures to lower cyber security risks include:

• How to raise awareness of the safety, security and commercial risks if no cyber security
measures are in place;
• How to protect shipboard IT infrastructure and connected equipment;
• How to manage users, ensuring appropriate access to necessary information;
• How to protect data used onboard ships and office, according to its level of sensitivity.

c) The Company recognizes that, due to fast changes in IT technologies, this guidance is not
the best solution. Hence, continuous efforts are being made to understand and develop the
required countermeasures as and when possible.

d) The Company would like to draw attention to the Cyber Security Guidelines available
in MDCS, which are to be referred to as part of these guidelines.

2.0 PERSON RESPONSIBLE FOR CYBER SECURITY

a) The Master on board ships shall be responsible for ensuring compliance with company cyber
security guidelines and security

b) The IT manager in each office shall be the designated Cyber Security Officer (CySO) for
ensuring cyber security and procedures. Overall command of Cyber Security shall be in the
Indonesia head office.

3.0 RISK ASSESSMENT FOR CYBER SECURITY ON SHIPS

a) A ship is a complex cyber-physical engineered system that encompasses both waterborne
activities and systems, and remote elements such as navigation signals. A ship comprises
six main asset types (Bridge/Navigation systems, Communication System, Propulsion and
Machinery systems, Access Control System and Crew Welfare System) that are used to
provide a range of operational services and where technology plays an increasingly
important role.

b) While assessing the risk related to cyber security, the following systems have been
included, which are vulnerable to cyber-attack or may be affected by a successful
cyber-attack on board ships:

3.1 Bridge Systems:

• ECDIS
• GPS
• AIS
• VDR
• RADAR

3.2 Communication Systems:

• Inmarsat
• Iridium Phone
• Wireless communication system
• Email communication PC / systems
• Data

3.3 Cargo Systems:

• Cargo Load computers
• CCR Console

3.4 Propulsion and Machinery:

• Engine Console
• Alarm Systems
• Power Management
• Real Time data collection

3.5 Access control systems:

• SSAS
• BNWAS
• CCTV

3.6 Crew Welfare Systems:

• Crew Communication PC

c) Company may take external expert assistance for cyber security related issues and
planning.

4.0 RISK ASSESSMENT FOR CYBER SECURITY IN OFFICES

a) While assessing the risk related to cyber security, the following systems have been
included, which are vulnerable to cyber-attack or may be affected by a successful
cyber-attack in offices:

• Email communication system
• Data saved in server

5.0 CONTINGENCY PLAN FOR CYBER ATTACK / CYBER THEFT

a) The Company’s planning for a potential cyber-attack is based on:

• What measures are to be taken in case of disabling of systems identified as vulnerable
to cyber-attack
• How to secure data
• How to verify that data is intact in cases where penetration is suspected but not
confirmed
• What to do if it is known that data is compromised
• Procedures for handling ransomware incidents
• Procedures when data is lost on board or in office
• Chain of responsibilities and decision-making authority under such a scenario

b) Company shall ensure that procedures and contingency planning / actions are available
in hard copy format in each office and on board each ship.

c) Indonesia Head Office: Office internet is protected with a hardware firewall router –
FortiGate, and all client computers are protected with TrendMicro business anti-virus. All
servers are located in the Azure cloud service with regular backups and recovery enabled.
Cyber awareness training is conducted throughout the group and branch offices. Each office
intranet is protected by hardware firewalls against intrusion, computers by updated
antivirus software and data by cloud-based off-site data storage servers.

d) Singapore Branch: Office internet system is protected with a hardware firewall router –
FortiGate, and all servers/client computers are protected with the Symantec Endpoint
Protection anti-virus system. Regular backups are available as password-protected
images in NAS for recovery.

e) Delhi Branch: Office internet system is protected with a hardware firewall router –
FortiGate, and all computers additionally have the Trend Business anti-virus system installed.
Head office regularly conducts cyber awareness training.

5.1 Response Plan

a) As part of the response plan, the Company shall ensure the following:

• Identification of cyber security incident
• Actions subsequent to identification
• Recovery of systems, data and connectivity

b) All relevant information shall be aggregated with the IT Team. The IT Team reviews the
content and immediately takes the necessary action.

5.2 Investigation of Cyber incidents

c) The Company recognizes that investigating cyber incidents can be a complex and challenging
task. The IT Manager, after discussing with top management, shall decide which incidents are
to be investigated.
d) Industry guidelines on cyber security shall be referred to under such circumstances.
e) The Company may use external expert assistance to investigate such incidents as appropriate.

Ref:

• The guidelines for Cyber Security on Ships – BIMCO/CLIA/ICS/INTERCARGO and INTERTANKO
• Code of Practice – Cyber Security for Ships – DOT, UK

6.0 REVIEW OF CYBER SECURITY GUIDELINES

These guidelines shall be reviewed every six months as a minimum, or after an incident of
breach in cyber security or cyber theft.
