CREATING A SECURITY CULTURE - THE ROLE OF THE FLAG STATE
Written and presented by: John Ramage, Managing Director
International Registries (UK) Ltd.
Lloyd's 2nd Annual Maritime Security & Safety Summit
February 18, 2004
Since the terrorist attacks on the USA in September 2001 security has become one of the major issues in
the world today. The effects of terrorism can have a major impact on a wide and diverse range of targets,
ranging from the most powerful nations to the most humble individual. As you are all aware, shipping has
also suffered at the hands of terrorists, namely the USS Cole and the Tanker Limburg.
Let us quickly look at the possible terrorist threats involving shipping:
i. Ships can be used to carry hidden weapons or other dangerous cargoes for terrorist use.
ii. Ships or containers may be used as a device to cause disruption in busy shipping lanes or port
facilities. If the ship activates a hidden explosive device or rams a jetty or is scuttled in a narrow
channel this would cause extensive disruption to the operation of that port and indeed the economy
of that country and its trading partners.
iii. Ships themselves may face terrorist attack as in the case of the USS Cole and Limburg. Ships will
be especially vulnerable when at anchor, entering or leaving port and when navigating at reduced
speed in restricted waters.
iv. Piracy. (Of which more later).
Over the last 3 years security arrangements at airports, sensitive shore based installations and monitoring of
potential terrorist groups have increased significantly. This may well have a knock on effect in the shipping
industry where vessels are vulnerable targets. The vulnerability of a ship is amply demonstrated by the
increasing number of pirate attacks around the world and how successful they are.
At what point does Piracy become terrorism?
There have been a number of articles in the shipping press recently identifying the differences between
Pirates and Terrorists. I would suggest that Pirates are a form of terrorist. They terrorise the ship’s crew, the
owner, Underwriter and can disrupt trade. For many years some terrorist groups, mainly in S.E. Asia had
resorted to piracy including kidnapping of civilians and hijacking ships and cargoes for ransom in order to
fund their terrorist activities.
There has been a blurring of the edges between the 2 groups. The Master and the crew of a hijacked ship
could not care less if their antagonists are pirates or terrorists. Their immediate concern is for their own
lives, a very real concern given the increasing levels of violence used by these so called terrorists. For the
last 15 years people have talked about the nightmare scenario of a tanker boarded by pirates in the Malacca
Straits, the Master and crew tied up and unable to free themselves before the vessel runs aground or
collides with another vessel.
There may be a difference in definition between a pirate and a terrorist but in many cases there is no
difference in effect.
The frequency of pirate attacks has rather waxed and waned over the years but the underlying reason for
attacks on Merchant Shipping is that it is an easy target. This fact has been recognised for many years and
an integral part of a ship’s contingency plan under ISM should include “Anti Piracy Procedures.” The
vulnerability of merchant shipping has also come to the notice of the US Government and the potential to
cause massive harm to the port infrastructure and the economy of a country through an act of terrorism
involving a ship.
As a result, the ISPS Code has been developed as a means of increasing security awareness on board ship,
ship operations ashore and in the ports. The ship contingency plan and its anti piracy plan is ship specific
and quite rightly only utilizes resources available on board that specific ship, the ISPS Code looks at a
much broader canvas including the ship, the coastal state and the port facility. Under the Code both the
Flag state and the coastal state have distinct responsibilities.
The implementation of the ISPS Code will not provide a miracle antidote to terrorism or piracy but it is
hoped that a properly implemented plan will reduce the opportunities for terrorists and pirates.
Security is a team effort
It is the concept of working together that will decide the success or failure of the ISPS Code. The Shipping
Industry, the Port Industry and the Coastal State will be required to work more closely than ever before and
the various components of the individual industries will likewise have to work closely together. This is
obviously never going to happen overnight but it has to develop until a culture of security is second nature
to everyone within the industry being affected by the ISPS Code.
Let us look briefly at the responsibilities of the individual entities:
1. Ship Owners and the Ship
As we only have 4.5 months remaining until the July 1st Deadline, I am sure all the owners/managers
amongst you will already have your plans prepared and in the process of being approved by the RSO. I
have included a chart of the ISPS Code activities combined in a time line.
What really does this mean for the ship owners and ship staff? Is it just another thing heaped on the crew to
grind them down?
The ISPS Code provides a framework, which should improve communication and co-operation on board
the ship, in the office and between the office and the ship.
The Company Security Officer has a list of duties detailed in the ISPS Code, 13 items the last time I
looked. But what do these duties actually mean?
It is the CSO’s duty to develop a culture of security within the management ashore and to develop this
culture across the fleet. His role is exactly the same as the DPA under ISM whose role it is to raise the
safety awareness of the ship’s crew and the management ashore. I know that the DPA usually has a tough
time and very often is the most unpopular person in the office, well, he won’t be lonely anymore. In both
cases the DPA and the CSO need the wholehearted support of senior management, otherwise it is just a
pointless paper chase.
How does the CSO get his message across to the ship’s staff? -via the SSO!
Likewise the SSO has a long list of items listed in the ISPS Code.
The SSO’s job can be summarised as building a culture of security on board the ship through training and
exercises, just like safety drills. Reviewing the SSP to ensure it is workable and the equipment is
maintained in good condition and ensuring there is good communication between the ship’s staff, the
management ashore and the port facility.
In many cases the success of pirate attacks on Merchant Vessels probably means that the vessel in question
does not implement piracy procedures effectively. Hopefully under the ISPS Code and the increased level
of security awareness that it brings, ship’s staff will implement an effective Ship Security Plan thereby
reducing the opportunities for pirates and terrorists to gain access to the ship.
Remember - if they can’t get on board they can’t take over the ship.
2. Coastal States and Port Facilities
Under the Code the Coastal State and Port Facilities contained within that state also have specific
This follows very much the same principle I have outlined for the ship owner and the ship.
The Coastal State has a duty to set the relevant security levels and to decide which ports within their
territory require to have a Port Facility Security Officer and PFSP. It is very encouraging to see some
nations such as Malaysia and Singapore for example maintaining strict security patrols in the Malacca
straits thereby reducing incidences of attack in their respective areas. I know that all countries do not have
the resources to carry out similar patrols in their waters but this at least shows what can be achieved. These
successes obviously have a major impact on the setting of security levels and the safety of vessels calling at
their ports or transiting their waters.
The Coastal State also has the responsibility to ensure that a security culture is developed within the port
facility and Port Facility Security Officers must be adequately trained, Port Facility Security Plans
developed and implemented.
The Port Facility Security Officer has a detailed list of responsibilities which again can be summarised as
building a culture of security within the Port Facility through training and exercises. Reviewing the PFSP to
ensure it is workable and the equipment is maintained in good condition and ensuring there is good
communication between the staff, the management and the Ship Security Officer.
Does this sound familiar!
In addition Port States will inspect ships to assess the effectiveness of their SSP and have the power to
detain vessels if necessary, in very much the same way as the ISM Code is assessed.
3. Flag States Role
Flag states are responsible for approving the SSP’s, as you are aware different approaches are taken by the
various Flag States. The MI for example, has authorised a number of the IACS members to act as RSO to
approve SSPs on its behalf.
Flag States define the requirements for a Declaration of Security. The DoS is a means for ensuring critical
security concerns are addressed prior to and during a vessel/facility interface or a vessel/vessel interface.
The SSP and the PFSP are mutually exclusive one does not take precedence over the other, the DoS is
therefore used to clarify the various responsibilities and concerns of the port facility and the ship. The
intent of the DoS is to ensure the ship and the port are not 2 distinct entities that do not talk to each other
but rather 2 distinct entities which combine to provide a whole which is greater than the sum of the
Flag States will issue a Continuous Synopsis Record CSR, this is basically a birth to death history of the
changes relating the ownership of the vessel during it’s life.
Flag States are also responsible for assessing the security threats around the world and setting the security
levels as appropriate.
Flag States will provide security advice to owners, should a level 3 be initiated and a round the clock
In more general terms the Flag States have an obligation to assist their owners in understanding what is
required under the ISPS Code. The Marshall Islands administration has for example carried out a number of
seminars on the ISPS Code in Europe, Asia and the Americas.
I hope I have shown some of the common threads running through the ISPS requirements for Coastal States
and their Port facilities, Ship Owners and Ships and Flag States, namely:
1. Security Awareness
The ISPS Code has been developed using a similar framework to the ISM Code and the procedures for
implementation, review and reporting are already in use.
The ISPS Code will never work – What?? Never!!
There are undoubtedly many reasons why it will be difficult to effectively implement the ISPS Code,
conversely there are many reasons why it must be implemented. But the time for argument has long gone
and it must be implemented by 1st July 2004. Not only is it to be implemented but it must be effectively
implemented, if PSC believes there are clear grounds to suspect a vessel is not complying with the ISPS
Code the vessel can be detained, delayed or refused entry to port.
The ISM Code doesn’t work and neither will the ISPS Code!
This is another heading I’m sure most of you are familiar with. I would agree that the ISM Code is not
100% effective but those Companies which have a serious approach to safety from the top management
down have over the years built up a culture of safety on board and ashore. These are the companies that
will implement the ISPS Code effectively. Tanker operators may find it easiest as they are used to a high
level of safety awareness on board and security whilst in port. In fact many already have security measures
Those Companies which are not serious about safety and expend huge efforts avoiding their responsibilities
under ISM will eventually land in trouble with the Flag State and PSC. If they spent as much effort
implementing ISM as avoiding it they would have no worries. These are the Companies which will have
most difficulty with ISPS.
It is all dependent on the commitment of senior management.
In general the level of security awareness of the average seafarer is almost non existent, this must change
Just as in any quality system, procedures have to be reviewed and modified to make them workable, the
SSP must be reviewed and modified if required. The SSP is not cast in stone, it is a living document and
subject to change from time to time.
Costs vary quite considerably but estimates for initial implementation range from USD 20,000 to USD
37,000 per vessel and annual costs of around USD 12,000. These costs are obviously dependent on the
level of equipment supplied and their maintenance costs.
Balanced against the cost of implementing ISPS is the potential cost of any terrorist damage to port
facilities, which could be enormous. The OECD report concluded that the potential cost to the USA
economy could be in the region of USD 58 billion.
It is worth emphasising that PSC can delay, detain or impose other controls on a vessel if Inspectors have
Clear Grounds to believe that the vessel is not complying with the Code or SOLAS XI-2.
The USA and the EU will rigorously enforce the implementation date of 1st July as are many Asian
countries and Australia. The USCG, Paris MOU countries and Singapore are already carrying out pre-
enforcement checks, those vessels not in compliance with the ISPS Code will be informed in writing that
the vessel does not meet the Code requirements and of the need to comply by 1st July otherwise the vessel
will be refused entry to that Country.
As far as the MI is aware there will be no extension of the implementation date and as from 1st July the
ISPS Code will be strictly enforced. The US has already started imposing fines on those US Companies
which have not submitted their SSPs.
In conclusion I would just like to reiterate that ships are vulnerable, especially when entering and leaving
port, at anchor and navigating at reduced speed in confined waters.
The ISPS Code is an attempt to create a level of cooperation and communication between Coastal States
and Port Facilities, ship operators and ships and Flag States never previously seen in the Maritime Industry.
It is this level of cooperation which will ultimately determine the success or failure of the ISPS Code.
The Code is not a “perfect” deterrent to terrorist attack but it should raise security awareness levels which
are pitifully low on many ships and in many ports. The vulnerability of ships is highlighted by the ease with
which pirates are able to gain access to Merchant Ships. Increased security awareness on board ship and
increased security patrols by Coastal States should reduce opportunities for terrorists.
Implementation of the ISPS Code is not going to be easy and time is now very short – in fact it was always
All ships and Port Facilities must have an effective Security Plan in place by 1st July 2004. PSC regimes
around the world are preparing to rigidly enforce the Code from this date and there will be no extensions.