From physical security to cyber resilience: Reassessing the ISPS code and port governance in South Africa

  • Insight Article, 24 February 2026
  • Africa
  • Tech & AI evolution
  • Marine

Over the past two decades, the global maritime sector has undergone profound digital transformation.

Ports that once relied on analogue and manually coordinated systems now operate as complex digital ecosystems integrating vessel traffic management, cargo-handling platforms, customs clearance systems, logistics coordination tools, booking interfaces, and enterprise resource infrastructures, amongst others. This transformation reflects the increased convergence of Operational Technology (“OT”), which governs physical processes such as navigation, crane operations, automated stacking systems and fuel infrastructure, with Information Technology (“IT”), which manages data, communications and commercial transactions. While this convergence has enhanced efficiency and global connectivity, it has fundamentally reconfigured the risk architecture of maritime operations. 

As OT and IT environments merge, the maritime attack surface expands correspondingly. A compromise in a corporate network or third-party software provider can cascade into terminal shutdowns, cargo release failures, vessel scheduling disruption and interference with shipboard systems. Unlike conventional IT breaches confined to data loss or reputational harm, cyber intrusions into OT-enabled environments may produce tangible physical consequences - including collision, grounding, environmental damage, systemic supply-chain paralysis and potential risks to human life.

In contemporary port ecosystems, digital systems are not ancillary; they are embedded within operational infrastructure. The infamous 2017 NotPetya attack on Maersk remains the clearest demonstration of this structural vulnerability. Malware introduced through a compromised software update propagated across the company’s global network, disabling thousands of servers and paralysing terminal operations across multiple jurisdictions, with losses exceeding USD 300 million. Subsequent ransomware attacks, navigation system spoofing events, supply-chain infiltrations and cyber disruptions at major international ports and industry stakeholders confirm that cyber compromise can immobilise critical maritime infrastructure. South Africa’s 2021 Transnet cyber-attack similarly exposed the fragility of port operations, forcing terminals into manual processes and disrupting national trade flows. These incidents underscore that maritime cybersecurity is not a speculative threat but an operational and economic reality.

The Allianz Risk Barometer 2026 identifies cyber incidents as the leading global business risk, including within the marine and shipping sector. Similarly, the International Association of Ports and Harbors (“IAPH”) reports that cybersecurity is now regarded as the foremost risk priority among port authorities worldwide. In a recent survey of global ports, 62 per cent identified cybersecurity as their highest risk concern, significantly exceeding other major categories such as natural disasters (44 per cent) and climate change (38 per cent). Cyber risk is therefore systemic, insurable, and financially material. If port security frameworks are to safeguard critical infrastructure and ensure the continuity of maritime trade, cybersecurity can no longer be treated as a technical adjunct. It must be embedded as a core function of maritime governance. This recalibration is increasingly reflected in evolving global risk governance frameworks and regulatory initiatives.

Against this backdrop, a central legal question arises as to whether existing uniform international regulatory frameworks - particularly the International Ship and Port Facility Security (“ISPS”) Code and, from a regional perspective, its domestic implementation in South Africa - are structurally equipped to address a converged operational technology and information technology threat environment. This article accordingly analyses selected provisions of the ISPS Code (with particular focus on certain provisions dealing with the scope of its training obligations, imposed upon contracting states). It further evaluates the Code’s implementation within South Africa, identifying deficiencies in the domestic regulatory framework, and situates this analysis within the broader context of increasing international regulatory attention to cyber-physical vulnerabilities in port environments. In doing so, it underscores the need for more explicit and targeted cybersecurity regulation within maritime security governance.

Binding international regulatory framework: The International Ship and Port Facility Security (ISPS) Code

The ISPS Code was developed in the aftermath of the attacks of 11 September 2001, at a time when the primary concern was the threat of physical terrorist attacks against critical infrastructure - from a maritime perspective, being vessels and port facilities. 

The Code derives binding legal force through Chapter XI-2 of the International Convention for the Safety of Life at Sea (“SOLAS”), which obliges contracting governments/states to implement prescribed security measures in their territories for vessels engaged on international voyages and the port facilities serving them. Although drafted with terrorism (i.e. physical threats) in mind, the Code adopts a risk-based architecture. On a liberal interpretation, the Code’s scope is not textually limited to physical threats. This structural openness provides a potential foundation for the inclusion of cybersecurity within its framework. The Code itself is divided into two parts, Part A and Part B. The former comprises mandatory security-related requirements; the latter comprises recommendatory guidelines on how to satisfy the requirements set out in Part A of the Code.

Core Obligations under SOLAS Chapter XI-2: 

Under SOLAS, each contracting government (or State Party) must ensure that port facilities within its jurisdiction serving vessels of 500 gross tonnage or more engaged on international voyages comply with four principal obligations imposed by the Code, namely:

  1. Conduct a Port Facility Security Assessment (PFSA) [ISPS Code Part A, section 15, para 15.2];
  2. Develop and maintain a Port Facility Security Plan (PFSP) and appoint a Port Facility Security Officer (PFSO) [ISPS Code Part A, section 16, para 16.1 and Part A, section 17, para 17.1, respectively];
  3. Monitor and update security measures as threats evolve [ISPS Code Part A, section 16, para 16.5]; and
  4. Provide training, drills and exercises [ISPS Code Part A, section 18, paras 18.1 – 18.4].

The Port Facility Security Assessment is essentially a risk analysis to ascertain which components of the port facility are susceptible or vulnerable as a target for a potential attack, and to establish which security measures will be effective in reducing the likelihood of known threats (ISPS Code, Part A, section 15, para 15.5).

It is evident that the drafters of the ISPS Code regarded the disruption of communications within a port facility, or between vessels and port authorities, as a material security risk, particularly in the context of physical attacks. Although Part A of the Code refers in general terms to the identification and evaluation of “important assets and infrastructure,” a purposive interpretation of this language reasonably extends to digital and cyber-related assets.

This interpretation is reinforced by the guidance contained in Part B of the Code. Paragraph 15.3 specifies that a Port Facility Security Assessment should address both physical security considerations - including relevant transportation infrastructure - and “radio and telecommunication systems, including computer systems and networks.” The express inclusion of communication and computer systems within the assessment framework indicates that the security architecture contemplated by the Code is not confined to purely physical installations but encompasses technologically mediated systems integral to port operations.

If the International Ship and Port Facility Security Code is interpreted as encompassing cybersecurity, a number of its existing provisions assume renewed significance. The guidance in Part B, paragraph 15.4 requires that those conducting a Port Facility Security Assessment have access to expertise concerning “current security threats,” “techniques used to circumvent security measures,” and “radio and telecommunications systems, including computer systems and networks.” Read purposively, this language supports the inclusion of cyber expertise within the assessment process. Further, paragraphs 15.6 to 15.8 of Part B require that security measures be prioritised according to the importance of assets to operational continuity and recovery. In a digitised port environment, computing systems and communication networks are integral to continuity of operations, suggesting that they fall squarely within the category of “important assets and infrastructure.” Part A, paragraph 15.5.4 also mandates consideration of “weaknesses, including human factors in the infrastructure, policies and procedures,” while paragraph 15.16.11 requires monitoring of deficiencies identified through training and drills. These provisions underscore that vulnerability assessment extends beyond physical barriers to encompass organisational and systemic weaknesses. The Port Facility Security Plan must likewise ensure the “continuous operation of the organization and its links with others, including ships in port” (Part A, paragraph 16.3.2), a requirement directly relevant to the protection of digital communication systems. In addition, the Port Facility Security Officer is tasked with enhancing personnel “awareness and vigilance” and ensuring “adequate training” (Part A, paragraphs 17.2.6 and 17.2.7). 
Part B, paragraph 18.1 elaborates that such officers should possess knowledge of current threat patterns, techniques used to circumvent security measures, and the operational limitations of security systems, with similar expectations extending to other personnel performing security-related functions (paragraph 18.2). Paragraph 18.3 further promotes an organisation-wide security culture by requiring general familiarity among port personnel with relevant security provisions.

However, paragraph 18.4 stipulates that personnel must be trained to perform “all assigned security duties, at all security levels.” In the absence of explicit recognition of cybersecurity as an assigned duty, a restrictive interpretation could confine training to conventional physical security roles. This ambiguity is significant in the contemporary context, where cyber resilience depends upon organisation-wide awareness rather than the competence of designated security officers alone. Without clearer articulation, the Code risks insufficiently preparing port personnel for digitally mediated threats that require collective vigilance and cross-functional expertise.

Comparative International Developments in Maritime Cybersecurity (in respect of Port Facilities): 

Notwithstanding any liberal interpretation, ultimately, the ISPS Code remains principally oriented toward the physical protection of vessels and port facilities. Although the International Maritime Organization has stated that the Code is sufficiently broad to address vulnerabilities “regardless of their nature,” no binding amendment has yet incorporated explicit cybersecurity obligations. In 2015, proposals to clarify and strengthen the Code’s application to cyber threats were considered by the Maritime Safety Committee, but amendments - particularly to Part B - were not pursued. As a result, cybersecurity has been addressed primarily through non-binding guidance rather than enforceable regulatory reform. This regulatory restraint has led to increasingly divergent national approaches. 

In the United States, maritime cybersecurity has been expressly integrated into the Maritime Transportation Security Act framework. Guidance under Navigation and Vessel Inspection Circular 01-20 recommends the inclusion of a dedicated Cyber Annex in Facility Security Plans and alignment with the National Institute of Standards and Technology Cybersecurity Framework. Subsequent developments, including Executive Order 14116 (2024) and the United States Coast Guard’s 2025 Final Rule on “Cybersecurity in the Marine Transportation System,” have introduced mandatory cybersecurity plans, formal risk assessments, designation of a Cyber Security Officer, compulsory training, and reporting obligations, with an implementation deadline by July 2027. The United States has therefore moved beyond interpretive inclusion toward explicit statutory regulation. Within the European Union, the revised Network and Information Security Directive (NIS2) and Regulation (European Union) 2019/881 (Cybersecurity Act) classify ports as essential or highly critical entities subject to governance-level cybersecurity risk management, incident reporting, and supervisory oversight. The European Union Agency for Cybersecurity has issued sector-specific guidance for ports, and certain Member States have adopted even more prescriptive measures. 
As reflected in the Italian Ministry of Transport’s Circular MIT 177/2025, national implementation now requires structured cyber risk management, integration of cybersecurity into safety management systems under the International Safety Management Code, and incorporation into ship and port facility security plans under the ISPS Code. The Italian approach explicitly recognises Computer-Based Systems as encompassing both information technology and operational technology systems relevant to navigation safety and port operations, and places emphasis on structured risk management, incident response planning, and the training and familiarisation of onboard and shore-based personnel. Similarly, Malta requires coordination with national Computer Security Incident Response Teams and the appointment of liaison officers responsible for cybersecurity governance and business continuity. In the United Kingdom, cybersecurity guidance for ports has been developed collaboratively with the Department for Transport, and the Cyber Security and Resilience Bill is expected to further strengthen incident reporting requirements and regulatory oversight, particularly in relation to supply-chain risk.

At the multilateral level, the International Maritime Organization has progressively embedded cyber resilience within its broader safety and digitalization agenda. Broadly speaking, Resolution MSC.428(98) [“Maritime Cyber Risk Management in Safety Management Systems”] requires cyber risk management to be incorporated into ship safety management systems, while the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3/Rev.3) emphasise senior management engagement, risk-based assessment, defined responsibilities, and continuous improvement. However, these instruments remain recommendatory and largely ship-centred. Recognising the acceleration of digital transformation, the International Maritime Organization is currently developing a cross-cutting Strategy on Maritime Digitalization (which is set to be adopted by the IMO assembly by the end of 2027) to support a “fully interconnected” maritime transport chain, that: “harnesses emerging technologies to turbo-charge efficiency, safety and sustainability”. This initiative builds on the implementation of the Maritime Single Window regime and includes dedicated workstreams addressing cybersecurity risks associated with digital facilitation systems. It reflects growing institutional acknowledgment that digital integration simultaneously enhances efficiency and expands systemic exposure to cyber threats. Parallel to these developments, the IAPH has taken a leadership role in port-focused cyber governance. Its 2020 report on Port Community Cybersecurity represented the first comprehensive industry-led examination of cyber risk specifically within port ecosystems, responding to the urgent call to accelerate digitalization across the maritime transport chain. 
The 2021 IAPH Cyber Security Guidelines for Ports and Port Facilities shifted the focus decisively to executive-level governance, advising chief executives on assessing vulnerabilities, structuring cybersecurity programmes, and embedding risk management at board level. These guidelines were developed in alignment with the International Maritime Organization’s cyber risk guidance and were formally recognised within the Organization’s framework following the Facilitation Committee’s forty-sixth session in 2022. The IAPH Cyber Resilience Guidelines for Emerging Technologies further reinforce this trajectory. As emphasised in the Preface, cybersecurity is now rated by 62 per cent of surveyed global ports as their highest risk priority, surpassing even natural disasters and climate change. The guidelines characterise digital integration as a “stress test” for global supply chains and underscore that cybersecurity is not merely an information technology function but a top-level governance responsibility. They advocate a “cybersecurity by design” approach to emerging technologies, including automation, artificial intelligence, and integrated port community systems, and highlight the need for stronger collaboration across maritime supply-chain actors, noting that less than half of surveyed ports fully participate in broader cybersecurity networks.

Domestic implementation of the ISPS code:

South Africa is a member state of the IMO and a signatory to the International Convention for the Safety of Life at Sea, 1974 (SOLAS). Chapter XI-2 of SOLAS gives legal force to the International Ship and Port Facility Security (ISPS) Code, which South Africa has implemented domestically through the Merchant Shipping (Maritime Security) Regulations, 2004 (“the Merchant Shipping (Maritime Security) Regulations” or “the Regulations”), promulgated under section 356 of the Merchant Shipping Act 57 of 1951.

The Regulations apply to the country’s eight major commercial ports (including Cape Town, Durban, Richards Bay, Saldanha Bay, Gqeberha and Ngqura, among others) and incorporate the structural architecture of the ISPS Code, requiring:

  • Port Facility Security Assessments (regulation 18);
  • Port Facility Security Plans and training, drills and exercises (regulations 19–21);
  • Appointment of Port Facility Security Officers and Port Service Provider Security Officers (regulations 2–4; 33–34; 46–47);
  • Contracting Government responsibilities (i.e. approval and oversight of security plans by the Director-General of Transport (regulations 47–56 and regulation 101)).

Institutionally, maritime security governance within the South African port sector is distributed across multiple actors. The South African Maritime Safety Authority Act 5 of 1998 establishes the South African Maritime Safety Authority (“SAMSA”) as the national regulator responsible for maritime safety and security compliance, including enforcement of the ISPS Code. The National Ports Act 12 of 2005 establishes the Transnet National Ports Authority (“TNPA”) as the landlord and regulator of port infrastructure within port limits. In addition, the South African Revenue Service (“SARS”) exercises customs control functions, while private terminal operators, port service providers, shipping lines, transport companies, port users, information technology service providers, and private security firms form part of the broader operational ecosystem. While this bifurcated governance model functions adequately in relation to traditional physical security threats, it does not clearly allocate responsibility for cybersecurity oversight.

A High-Level Overview of Certain Structural Deficiencies in South Africa’s Maritime Cybersecurity Framework: 

At the policy level, the National Cybersecurity Policy Framework (“NCPF”), 2015 prioritises the protection of “National Critical Information Infrastructure” (NCII), defined broadly to include: “all ICT systems, databases, networks (including people, buildings, facilities and processes that are fundamental to the effective operation of the Republic”. Given that the overwhelming majority of South Africa’s trade by volume transits through its commercial ports, the digital systems underpinning port operations - including terminal operating systems, vessel traffic services, customs clearance platforms, and logistics coordination networks - logically fall within this category. Notwithstanding this recognition, no maritime-sector-specific cybersecurity implementation plan has been adopted, nor has the broader cybersecurity implementation plan referenced in the NCPF yet been developed. National structures such as the Cybersecurity Hub and the State Security Agency’s Computer Security Incident Response Team (CSIRT) operate at a general level and do not provide tailored maritime coordination. This gap becomes particularly pronounced when considered against the binding maritime security regime applicable to ports. Without being exhaustive, certain of these gaps are dealt with broadly below.

Although the Merchant Shipping (Maritime Security) Regulations incorporate the ISPS framework, they do not expressly recognise digital infrastructure as protected security assets. Regulation 18 requires Port Facility Security Assessments to identify “strategically important assets,” threats and vulnerabilities, yet unlike Part B of the ISPS Code, the Regulations do not specifically refer to radio and telecommunication systems, computer networks or digital control systems. Nor do they mandate that assessments draw upon specialised cybersecurity expertise. This omission produces interpretive ambiguity. While digital systems may fall within the ordinary meaning of “assets”, the absence of explicit reference creates uncertainty as to whether cybersecurity must be addressed in risk assessments, training programmes and drills. Consequently, Port Facility Security Plans may remain confined to conventional physical-security paradigms. Moreover, the non-binding guidance in Part B of the ISPS Code has been neither endorsed nor published by SAMSA.

Enforcement mechanisms further illustrate this uncertainty. Although the Director-General may approve, revise or cancel security plans, the Regulations do not explicitly empower authorities to require cybersecurity provisions. Regulation 101 grants SAMSA authorised officers broad inspection powers, yet it is unclear whether these extend to the conduct of technical cyber audits, raising potential concerns regarding mandate and institutional capacity. Moreover, those officers lack the specialised technical expertise, institutional resources and explicit statutory mandate needed to apply these powers to cybersecurity oversight without raising concerns of acting ultra vires.

Information-sharing obligations are similarly underdeveloped. The Regulations provide for coordination between operators and authorities, but do not establish compulsory cyber-incident reporting or structured threat-intelligence exchange. In a landlord port model, TNPA lacks a clear statutory basis to compel disclosure of cyber-risk assessments from facility operators and service providers. The July 2021 Transnet cyber-attack, which disrupted terminal operations and led to force majeure declarations, illustrates the practical consequences of this regulatory lacuna. The incident demonstrated the interdependence of corporate IT systems and port operational continuity, underscoring that cyber risk in ports is neither theoretical nor peripheral but systemic and economically material.

Cyber incident response within South Africa is governed by overlapping statutory regimes. The Cybercrimes Act 19 of 2020 criminalises unlawful access to and interference with computer systems. The Protection of Personal Information Act 4 of 2013 (“POPIA”) requires breach notification to the Information Regulator (section 22). National CSIRT functions are housed within the State Security Agency. However, no maritime-specific reporting or coordination mechanism exists. A significant cyber incident affecting port operational technology may require engagement with multiple institutions - including SAPS, SAMSA, TNPA, the Information Regulator and national cybersecurity structures - without a dedicated maritime coordination framework. This fragmentation risks delayed containment and inconsistent response in environments where cyber compromise may produce physical consequences.

Lastly, both the ISPS Code (Part A section 18) and the Regulations require training, drills and exercises. Yet the Regulations do not prescribe cyber-specific training content, frequency, or scope. Training obligations remain largely confined to designated security officers and reflect a traditional physical-security orientation. In digitised port environments characterised by converged IT and OT systems, this narrow conception is inadequate. Cyber-resilience depends upon organisation-wide awareness, encompassing operational staff, contractors and executive leadership. The absence of mandatory cybersecurity training standards or integration of cyber scenarios into drills represents a structural weakness within the current framework.

Conclusion: Advancing a Coherent Maritime Cybersecurity Architecture both Nationally and Abroad 

South Africa’s maritime port security regime remains predominantly oriented toward physical threats. The absence of explicit cybersecurity provisions, combined with fragmented institutional mandates and limited cyber-specific training obligations, generates systemic vulnerability within port infrastructure that is central to national economic stability. This regulatory deficit is increasingly untenable in light of South Africa’s accelerating port modernisation agenda. Transnet’s recent Memorandum of Understanding with the Port of Antwerp-Bruges International and the Antwerp/Flanders Port Training Center - aimed at advancing operational excellence, digitalisation, sustainability and infrastructure development - reflects a strategic commitment to deeper technological integration and automation across the port system. As digital interdependence intensifies, so too does exposure to cyber-physical risk.

Closing this gap requires deliberate regulatory reform aligned with the National Cybersecurity Policy Framework. Digital infrastructure must be expressly recognised as critical security assets; cyber-risk assessment obligations must be clearly articulated; enforcement authority must be strengthened; and institutional coordination mechanisms must be formalised. Without such measures, digitisation risks outpacing security governance. By modernising its regulatory architecture in tandem with its digital transformation strategy, South Africa can enhance port resilience, safeguard trade continuity, and position itself as a regional leader in maritime cyber governance. Addressing this regulatory deficit therefore requires reform at three interrelated levels.

i) First, the Merchant Shipping (Maritime Security) Regulations should be amended to expressly recognise digital and information systems as protected security assets, require cyber-risk assessments within Port Facility Security Assessments, prescribe minimum cybersecurity training standards, and clarify enforcement powers;

ii) Second, institutional coordination must be strengthened through the establishment of a maritime-sector cybersecurity coordination mechanism or dedicated maritime Computer Security Incident Response Team (CSIRT) to centralise reporting, facilitate structured threat-intelligence exchange, and coordinate multi-agency response;

iii) Third, cybersecurity governance must be embedded within the executive structures of port authorities and operators. Board-level oversight, dedicated resource allocation, and the integration of cyber scenarios into security drills and exercises are necessary to align regulatory compliance with operational resilience.

At the international level, recent regulatory developments reflect an emerging consensus: cyber resilience must be embedded across vessels, ports, logistics platforms, and digital service providers, underpinned by executive accountability and structured risk management. Yet regulatory fragmentation persists. While the ISPS Code is sufficiently adaptable to permit a purposive interpretation, it remains silent on explicit cybersecurity obligations. In response, national administrations and industry bodies have adopted increasingly varied - and in some instances more prescriptive - frameworks.

In the absence of harmonised binding standards, states are confronted with a fundamental question: whether reliance on interpretive extensions of existing security instruments is adequate, or whether explicit regulatory reform is required to ensure coherent and enforceable maritime cybersecurity governance. As port ecosystems become progressively digitised and cyber-physical interdependencies deepen, interpretive flexibility alone is no longer sufficient. Clear regulatory obligations, strengthened oversight, structured training requirements, and coordinated incident-response mechanisms are indispensable to achieving a consistent and enforceable global approach to maritime cybersecurity.

Stay up to date with Clyde & Co
