In April 2022, the International Association of Classification Societies (IACS) released two new Unified Requirements relating to cyber resilience on board marine vessels:
IACS UR E26 – Cyber Resilience of Ships
IACS UR E27 – Cyber Resilience of On-Board Systems and Equipment
Both of these requirements have an entry into force date for new construction vessels that have a contract signing on or after January 1, 2024. Upon this entry into force date, these requirements will be mandatory for new construction ships and offshore vessels.
As technologies have expanded and automation systems have become complex and integrated between systems, the probabilities for cyber-attacks increase affecting personnel, data, safety of people and vessels and the environment. The need for robust cybersecurity programs has become a critical component to the overall operations of marine assets.
Attackers may target any combination of people and technology to achieve their aim, wherever there is a network connection or any other interface between onboard systems and the external world. Safeguarding ships, and shipping in general, from current and emerging threats involves a range of measures that are continually evolving.
The recently released IACS URs, E26 and E27, were developed to establish a common set of minimum functional and performance criteria to deliver a ship that can be described as cyber resilient.
UR E26 Cyber Resilience of Ships
UR E26 aims to provide the minimum set of requirements for cyber resilience of ships. It is intended for the design, construction, commissioning and operational life of the ship. This UR covers five key functional aspects for cybersecurity: Identify, Protect, Detect, Respond, and Recover.
Identify (Inventory of Computer Based Systems (CBS))
- Functional description
- Block diagram of connections
- Inventory/register of hardware
- Feature, protocols, data flows
- Arrangements of networks connecting CBSs
- Inventory of software
Protect (Security zones)
- Firewalls
- Protection from network storm / overloads
- Antivirus, antimalware, antispam
- Access control, remote access control
- Wireless communication
- Use of mobile and portable devices
Detect
- Network monitoring
- Diagnostic functions
Respond
- Incident response plan
- Local, independent, and/or manual operation
- Network isolation
- Fallback to minimal risk condition
Recover
- Recovery plan
- Backup and restore capability
- Controlled shutdown, reset, roll-back and restart
Test plans
- Design and construction phase
- Ship commissioning
- Operational life
UR E27 Cyber Resilience of On-board Systems and Equipment
UR E27 aims to provide the minimum-security capabilities for systems and equipment to be considered cyber resilient. It is intended for third party equipment suppliers.
System documentation
- List of equipment
- Details of hardware
- List of software
- Network flows
- Network security equipment
- Secure Development Lifecycle Document
- Plans for maintenance
- Recovery plan
- System test plan
- Ops manuals, User manual
- Change management
Hardware inventory
Software inventory
Early adopters (suppliers, integrators and owners) can benefit from ABS services by getting certified early. By acting early your organization will be ready to provide services in line with upcoming requirements before the January 1, 2024 entry into force date.
ABS recommends that your organization familiarize yourself with these new requirements. If you have any questions or comments regarding the application of these requirements, please contact your local ABS office or send a message to RSD@eagle.org