State of access control solutions onboard passenger ships
Cruise ships need stringent security measures
Baggage x-rays, archway metal detectors, body checks, swipe card readers and more... Michael Lawton for ASSA ABLOY Future Lab delves into the world of access control security onboard cruise ships as they are subjected to the tighter security norms of the IMO and ISPS code.

If you wanted to describe the security challenges of a cruise liner, you could think of a hotel inside an airport. When it comes to the individual cabins, a cruise ship requires the same kind of security as a hotel: secure doors to the rooms, records of who has been going in and out, perhaps surveillance cameras in the corridors to check on lurkers.

But while a hotel with its lobby and restaurants is usually open to the public, nobody should be able to get on to a ship if they are not entitled to be there. So boarding procedures have to be very similar to those at airports, with boarding passes, baggage controls and body checks.

Awareness of the vulnerability of cruise ships, says Geoffrey H. Greaves, CEO of consultants International Maritime Security in London, is not new. The Achille Lauro hijacking in 1985 led the International Maritime Organization (IMO) to issue guidelines for security on cruise ships. "After that, ships, especially those going to America, had to have minimum standards," says Greaves.

But the urgency grew after 9/11, when people began to imagine that a big cruise liner could be the target of a terrorist attack, leading the US to issue its International Ship and Port Facility Security (ISPS) code. The code requires every ship over 500 tonnes to meet certain standards and ships are not allowed into the United States unless their last ports of call conformed to ISPS code.

New security rules for cruise lines
 US Coast Guard ship
Boarding procedures for ships are as detailed as those used at airports, with boarding passes, baggage controls and body checks 

Greaves says the new rules only led to a slight change in procedures for cruise lines that had already been following the IMO rules. But he says modern ships are designed to include security features. "The fibre optics for the cameras will be provided, and the wiring for the archway metal detector at the gangway will be installed," he says. "I visited a ship under construction recently where I immediately saw that the gangway was too narrow.  Nowadays a gangway has to be designed so that it's wide enough for all the security equipment."

With passengers and crew embarking and disembarking at every port, the same procedures will be followed each time. That means maybe 4,000 passengers and crew having to go past a baggage x-ray, an archway metal detector, body checks, and a swipe card reader with a crew member sitting by a computer watching the picture of the card holder come up. The picture will be taken when the card is issued. 

Access controllers could also use fingerprints as an additional check that the person who uses the card is the passenger, but nobody is using biometric fingerprint readers yet, says Preben F. Poulsen, Vice President of VingCard Marine, which makes ship security systems: "There is the problem that not everyone has good fingerprints for reading, but we offer the option.  Probably it will only come into use when a disaster happens."

Analysing security risks for passenger ships

That a disaster hasn't yet happened surprises analysts.  The number of passengers carried on the Cruise Lines International Association's ships rose from 7.2 to 11.2 million between 2000 and 2005. In 2002 the tanker Limburg was attacked in Yemen and destroyed, and there have been a couple of attacks on ferries in Indonesia, but so far cruise ships have remained untouched.  Greaves says it's not because security is so good. "I could get you on board a ship to carry out a spectacular attack,"he says. He notes it's difficult to convince cruise line operators to increase their security as long as everything is going well.

Analysts are suprised that a disaster hasn't yet happened. Greaves notes that it's difficult to convince operators to increase their security as long as everything is going well

But although one might think that passengers would want to imagine they were in a dream world where security was not an issue, in fact, they demand the safety of proper controls.  "I was standing behind a couple on a gangway recently," says Greaves, "and there was nobody there as they went through the metal detector.  The woman said to the man, 'Hey, John, I hope it's switched on." 

Stowaways are still fairly common, but their numbers have gone down. "Someone should be at every open entrance to a ship," says Greaves. "But sometimes the crew member goes round the corner to have a cigarette."  Access controls for crew have to be particularly stringent. Two stowaways got on one of his clients' ships recently pretending to be security officers. "But the crew were able to use CCTV pictures to identify them and remove them at the next port of call." 

The security issues on board a ship are usually much more mundane than the risk of terrorist attacks. "We have all kinds of crime, from theft to rape," says Greaves. "In the early nineties, there used to be cameras only at the entrance.  Now they are likely to be all over the vessel to monitor both passengers and crew."  There might be passengers who claim to have slipped in order to gain an upgrade, or accusations of sexual molestation by a crew member.

Strong, secure rope 
 9/11 drove an increase in security measures on cruise ships


New developments in access control on the horizon

Developments in the cruise ship industry are often similar to those on land. For example, some security companies offer online locks for all security areas, or the cabin key-card can be used to make purchases on the ship. "In fact, it was convenience which was driving things originally, but then came 9/11," says Preben F. Poulsen.  But there are some marine specialties, he adds:  "For example, we always include a mechanical overriding cylinder in the locks in case of evacuation."


Micheal Lawton of Assa Abloy



By Michael Lawton 
Assa Abloy Future Lab

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

In case you missed it

How have standards changed the security market?
How have standards changed the security market?

A standard is a document that establishes uniform engineering or technical criteria, methods, processes, and/or practices. Standards surround every aspect of our business. For example, the physical security marketplace is impacted by industry standards, national and international standards, quality standards, building codes and even environmental standards, to name just a few. We asked this week’s Expert Panel Roundtable: How have standards changed the security market as we know it?

Managing security during unprecedented times of home working
Managing security during unprecedented times of home working

Companies are following government guidance and getting as many people as possible working from home. Some companies will have resisted home working in the past, but I’m certain that the sceptics will find that people can be productive with the right tools no matter where they are. A temporary solution will become permanent. But getting it right means managing risk. Access is king In a typical office with an on-premise data centre, the IT department has complete control over network access, internal networks, data, and applications. The remote worker, on the other hand, is mobile. He or she can work from anywhere using a VPN. Until just recently this will have been from somewhere like a local coffee shop, possibly using a wireless network to access the company network and essential applications. CV-19 means that huge numbers of people are getting access to the same desktop and files, and collaborative communication toolsBut as we know, CV-19 means that huge numbers of people are getting access to the same desktop and files, applications and collaborative communication tools that they do on a regular basis from the office or on the train. Indeed, the new generation of video conferencing technologies come very close to providing an “almost there” feeling. Hackers lie in wait Hackers are waiting for a wrong move amongst the panic, and they will look for ways to compromise critical servers. Less than a month ago, we emerged from a period of chaos. For months hackers had been exploiting a vulnerability in VPN products from Pulse Secure, Fortinet, Palo Alto Networks, and Citrix. Patches were provided by vendors, and either companies applied the patch or withdrew remote access. As a result, the problem of attacks died back.  But as companies race to get people working from home, they must ensure special care is taken to ensure the patches are done before switching VPNs on. That’s because remote desktop protocol (RDP) has been for the most part of 2019, and continues to be, the most important attack vector for ransomware. Managing a ransomware attack on top of everything else would certainly give you sleepless nights. As companies race to get people working from home, they must ensure special care is taken to ensure the patches are done before switching VPNs on Hackers are waiting for a wrong move amongst the panic, and they will look for ways to compromise critical serversExposing new services makes them also susceptible to denial of service attacks. Such attacks create large volumes of fake traffic to saturate the available capacity of the internet connection. They can also be used to attack the intricacies of the VPN protocol. A flow as little as 1Mbps can perturbate the VPN service and knock it offline. CIOs, therefore, need to acknowledge that introducing or extending home working broadens the attack surface. So now more than ever it’s vital to adapt risk models. You can’t roll out new services with an emphasis on access and usability and not consider security. You simply won’t survive otherwise. Social engineering Aside from securing VPNs, what else should CIO and CTOs be doing to ensure security? The first thing to do is to look at employee behaviour, starting with passwords. It’s highly recommended that strong password hygiene or some form of multi-factor authentication (MFA) is imposed. Best practice would be to get all employees to reset their passwords as they connect remotely and force them to choose a new password that complies with strong password complexity guidelines.  As we know, people have a habit of reusing their passwords for one or more online services – services that might have fallen victim to a breach. Hackers will happily It’s highly recommended that strong password hygiene or some form of multi-factor authentication (MFA) is imposedleverage these breaches because it is such easy and rich pickings. Secondly, the inherent fear of the virus makes for perfect conditions for hackers. Sadly, a lot of phishing campaigns are already luring people in with the promise of important or breaking information on COVID-19. In the UK alone, coronavirus scams cost victims over £800,000 in February 2020. A staggering number that can only go up. That’s why CIOs need to remind everyone in the company of the risks of clickbait and comment spamming - the most popular and obvious bot techniques for infiltrating a network. Notorious hacking attempts And as any security specialist will tell you, some people have no ethics and will exploit the horrendous repercussions of CV-19. In January we saw just how unscrupulous hackers are when they started leveraging public fear of the virus to spread the notorious Emotet malware. Emotet, first detected in 2014, is a banking trojan that primarily spreads through ‘malspam’ and attempts to sneak into computers to steal sensitive and private information. In addition, in early February the Maze ransomware crippled more than 230 workstations of the New Jersey Medical Diagnostics Lab and when they refused to pay, the vicious attackers leaked 9.5GB or research data in an attempt to force negotiations. And in March, an elite hacking group tried to breach the World Health Organization (WHO). It was just one of the many attempts on WHO and healthcare organisations in general since the pandemic broke. We’ll see lots more opportunist attacks like this in the coming months.   More speed less haste In March, an elite hacking group tried to breach the World Health Organization (WHO). It was just one of the many attempts on WHOFinally, we also have bots to contend with. We’ve yet to see reports of fake news content generated by machines, but we know there’s a high probability it will happen. Spambots are already creating pharmaceutical spam campaigns thriving on the buying behaviour of people in times of fear from infection. Using comment spamming – where comments are tactically placed in the comments following an update or news story - the bots take advantage of the popularity of the Google search term ‘Coronavirus’ to increase the visibility and ranking of sites and products in search results. There is clearly much for CIOs to think about, but it is possible to secure a network by applying some well thought through tactics. I believe it comes down to having a ‘more speed, less haste’ approach to rolling out, scaling up and integrating technologies for home working, but above all, it should be mixed with an employee education programme. As in reality, great technology and a coherent security strategy will never work if it is undermined by the poor practices of employees.

Security technology and AI: A powerful duo in the fight against COVID-19
Security technology and AI: A powerful duo in the fight against COVID-19

A person infected with the Coronavirus (COVID-19) infects an average of 2.5 other people within five days. You do not need to be a mathematician to realise that early detection of infected people is key to successful pandemic containment. The aim of effective containment strategies is therefore not so much to reduce the number of absolute cases as it is to extend the time frame within which they occur. Without effective containment measures, the virus spreads rapidly and is beyond the capacity of the health care system. However, if infection rates can be minimised through early detection and rapid, targeted identification of further infections, cases will continue to occur over a longer period of time and remain within the capacity of the health care system. Identifying, testing and results For example, the goal of many countries is to carry out as many Corona tests as possible to quickly identify infected people. It is then necessary to identify and reach potentially-infected people and isolate them in quarantine. This is a tried and tested procedure. But this method also costs valuable time in the fight against the virus and has many unknowns. The determination of a concrete test result alone sometimes takes up to 48 hours due to limited laboratory capacity. Added to this is the imprecise and slow procedure for determining contact persons. Or do you still remember exactly who and where you shook hands with in the last ten days - and could you provide information on this? Security technology to the rescue When it comes to the time factor, security technology can be a great help. Thermal imaging cameras and temperature sensors, for example, can help to detect a person with elevated body temperatures. Fever can also be one of the symptoms in those infected with the Coronavirus. At neuralgic points such as airports and train stations, or at entrances to hospitals, thermal imaging cameras can quickly reveal which people have fever. Presumably infected people can be easily separated and asked about other symptoms. Physical security technology can make a great contribution here. Dr. Frank Gillert, a professor at the University of Applied Sciences in Wildau, Germany states, however, as one of the leading scientists for logistics-centric security research, he demands "rapid innovation in dealing with situations like COVID-19 should be a priority". He sees enormous potential in the possibilities of IT and artificial intelligence; "We should use the disruptive changes that are currently taking place and that are challenging global orders to strengthen the significance in IT infrastructure development and also in security technology development.“ The goal in a global crisis And he is right: In global crises such as the Corona pandemic, security-related deficits become apparent and space is created for technical innovations. The goal of governments and companies is to restore security and save human lives as quickly as possible. The German data analytics powerhouse G2K, for example, has developed a Corona Detection & Containment System (CDCS) that is ready for immediate use in record time. Detection takes place in combination with AI-supported data analysis to specifically identify virus hotspots and distribution routes, as well as to identify other potentially infected persons. When developing the system, the focus was on two questions: How do I detect a suspected infected person in crowded environments and even more importantly, how do I quickly and comprehensively determine the person's contacts and previous whereabouts, and find correlations and patterns in this information? The data experts of the Berlin-based company found the answer in the combination of physical security technology and their existing data analytics platform. The G2K system The system is based on G2K's scalable IoT platform "Situational Awareness Builder" (SAB), which is already in use in several projects worldwide and sets standards in process automation and process optimisation, including security management. As soon as a person with fever is detected by the system, he or she can be immediately screened to avoid contact with other people and thus prevent possible new infections, i.e. to interrupt the chain of infection. For this purpose, stationary thermal imaging cameras or smartphones equipped with a temperature sensor accessory can be used. The potentially infected person must now be registered and referred to a doctor or hospital for further specific diagnostic measures. The entire process is covered by a mobile G2K application. A combination of security and medicine The platform can bring together available hospital capacity, infection reports, movement and contact profiles and provide an excellent picture of the source of infection. Thus, medically necessary isolations can be implemented quickly. At the same time, infected patients can use the app to document their recovery and become actively involved. All this data is centrally managed and analysed, using deep learning methods. This provides crisis managers with a single monitoring, control and resource management tool that enables immediate action to be taken to combat the spread of the virus and gives officials full transparency on the status of the pandemic. Karsten Neugebauer, founder and CEO of the company behind the solution, explains his commitment as follows "A few weeks ago we too were faced with increasing difficulties due to the Corona crisis. As we have a strong presence in Europe in particular, we had to struggle with postponed project starts and limited resources". But instead of burying their heads in the sand, G2K's dedicated team decided to declare war on the virus." "In our entrepreneurial duty, we, therefore, decided to use our available technology and equip it to fight COVID-19. Our team has been working day and night over the last few weeks to expand our software platform to enable us to contain the pandemic quickly and effectively. Politicians must now immediately push ahead with the unbureaucratic implementation of prevention and control measures such as our CDCS to ensure the stability of our public systems," demands Karsten Neugebauer. The pandemic continues As the COVID-19 pandemic spreads from continent to continent, researchers around the world are working to develop antidotes to the virus. As long as this has not been found, the spread of the virus must be slowed down internationally. Only by this can system-relevant infrastructure be held consistently. Combining modern physical security technology with platform technology and artificial intelligence provides an excellent possibility to slow down the current and for sure, future pandemics.