Improving Safety Onboard Ships: IACS Puts Cybersecurity on the Roadmap
With the release of two unified requirements, "UR E26 Cyber resilience of ships"and "UR E27 Cyber resilience of on-board systems and equipment", the International Association of Classification Societies, IACS, solidifies its position on cyber safety onboard ships. The new unified requirements (UR) will be uniformly implemented by IACS member societies on ships contracted for construction on or after 1 January 2024, complementing “UR E22 On Board Use and Application of Computer based systems”.
IACS identified that, for ships to be resilient against cyber incidents, all parts of the industry needed to be actively involved. A Joint Working Group (JWG) on Cyber Systems helped identify best practices, appropriate existing standards in risk and cyber security and a practical risk-based approach.
Cybersecurity and New Construction: A Priority for the Maritime Industry
According to IACS, the industry’s stakeholders play an important role in building maritime cyber resiliency. Shipowners, designers, shipyards, integrators and suppliers should expect new rules or guidelines from classification societies for conducting engineering reviews and surveys onboard vessels built after 1 January 2024.
- Identify: Develop an organizational understanding to manage cybersecurity risk to onboard systems, people, assets, data and capabilities.
- Protect: Develop and implement appropriate safeguards to protect the ship against cyber incidents and maximize continuity of shipping operations.
- Detect: Develop and implement appropriate measures to detect and identify the occurrence of a cyber incident onboard.
- Respond: Develop and implement appropriate measures and activities to take action regarding a detected cyber incident onboard.
- Recover: Develop and implement appropriate measures and activities to restore any capabilities or services necessary for shipping operations that were impaired due to a cyber incident.
These requirements apply to all Computer Based Systems (CBS) on board vessels, including those that are not critical to safety, following the categorization included in the UR E22, as shown in the table below.
UR E26 includes 19 requirements that classification societies need to be aware of from design to operation depending on the stage of the ship’s lifecycle. Each stakeholder is responsible for meeting the predefined tasks per cyber requirement as defined below.
- Approve. The document shall be submitted to Class Society for approval
- Check. The Surveyor shall verify the availability and update status of the document
- Info. The document shall be submitted to Class Society for information
- Maintain. The indicated stakeholder shall keep the document up to date and aligned with the actual implementation of CBSes, networks and risk mitigation measures
- Make available. The indicated stakeholder shall make documentation available to the Surveyor
- Provide. The indicated stakeholder shall provide the documentation
The requirements are primarily met through the delivery of documented evidence and each stakeholder has different responsibilities depending on the ship’s operational lifecycle.
For the maritime industry, these new requirements (UR E26 and UR E27) are a way to implement cyber resiliency uniformly across fleets. Although these requirements are non-mandatory for ships already in operation, shipowners should consider the adoption of these requirements in their existing fleets. The implementation of operational cyber resiliency on today’s fleet will better prepare them for the 1 January 2024 deadline, and better facilitate the process adaptation for new construction, making it easier to maintain across the entire fleet in the long run.
Why SWOT24? We're the Experts.
SWOT24™, Operational Technology (OT) Cybersecurity by ABS Group, is highly skilled in understanding how to manage cyber risk – and address it as an operational safety issue – across the maritime supply chain. From assessing and planning, to developing network protections, to managing your detection and incident response, SWOT24 will work with you to understand and help you reduce your cyber risk. Thanks to our vendor-agnostic approach, we can support all original equipment manufacturers (OEM) and control systems, throughout the ship’s lifecycle, from design to operation.