The Code of Practice is primarily intended for those with responsibility for protection of the port / port facility and ships (when docked or berthed), persons, cargo, cargo transport units and ship’s stores within the port from the risks of a security incident, but it will also be of interest to those involved more generally in ports and port facilities.
The Code of Practice includes guidance on the measures recommended to maintain the integrity and availability of the information and systems at UK ports and port facilities. It highlights the strategic importance of cyber security in protecting the complex systems that operate UK ports and port facilities, and the potential impact if elements (or all) of these systems are lost or compromised, including:
- the speed and efficiency at which the port can operate
- the ability of the port to safely carry out particular operations
- the health and safety of staff and other people affected by the work activities being undertaken and to whom a duty of care is owed.
The Code of Practice identifies port assets affected by cyber security as being:
- port control and administration
- security control and administration
- customs and border control
- cargo reception, handling and storage
- supply chain facilities.
The measures recommended in the Code of Practice include:
Developing a cyber security assessment (CSA)
In addition to the security assessments otherwise required for ports and port facilities, the Code of Practice recommends a CSA designed to build upon the existing security assessment. The CSA should identify, amongst other things, the assets and infrastructure needing protection, the port business processes using the assets and infrastructure and the risks arising from possible threats to such assets and infrastructure.
Developing a cyber security plan (CSP)
The CSP should address the issues identified in the CSA. To this extent, the Code of Practice acknowledges that a holistic approach should be adopted, and specifically in relation to cyber security, the CSP should contain or reference: relevant policies setting out security-related business rules, relevant processes, and the procedures in place to operate those processes.
As with all business continuity and cyber security plans, the CSP should be reviewed on a regular basis to ensure that it remains fit for purpose.
Managing cyber security
The Code of Practice also highlights the importance of ensuring that specific individuals are identified as having responsibility for cyber security. The Code of Practice recommends that such individuals be designated as a cyber security officer (CSO). It also goes on to suggest the formation of port security committees, a security operations centre, and the establishment of arrangements for providing information to third parties and managing security incidents or breaches.
The appendices to the Code of Practice include some detailed guidance elaborating on the practical measures suggested.