NEWS
In an increasingly digitalised and interconnected world, where the maritime industry continues to adopt, at pace, new digital technologies, it remains imperative to focus on cyber threats and attacks that could compromise operations, safety and data integrity.
To address the need to enhance the cyber resilience of ships, last year IACS published UR E26 “Cyber Resilience of Ships”, and UR E27, “Cyber Resilience of On-Board Systems and Equipment”, which applied to new ships contracted for construction on or after 01 July 2024.
Additionally, to address the challenges of implementing new cyber requirements on smaller and non-conventional vessels, the scope of applicability of these URs has been categorised into mandatory and non-mandatory compliance depending on vessel type and size.
IACS Secretary General, Robert Ashdown, said ‘Incorporating industry feedback to ensure IACS requirements are clear in their applicability and are capable of being consistently applied in ship surveys, is important in ensuring that measures to enhance cyber resilience have the desired impact. As a result, and given that the original requirements had not yet entered into force, IACS has decided to apply only the revised requirements from 1 July 2024. It is believed that industry will welcome the clarity that this decision brings.’
UR E26 - Cyber Resilience of Ships
UR E26 is structured around the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is divided into five core functions:
- Identify: Develop an understanding of cybersecurity risks to facilitate their identification. This involves creating an inventory of all assets, systems, and networks to pinpoint vulnerabilities.
- Protect: Establish safeguards to protect the ship from cyber-attacks. These measures include implementing access controls, encryption, and other security technologies to prevent unauthorized access and data breaches.
- Detect: Implement measures for detecting cyber incidents on board. This involves deploying monitoring systems and intrusion detection tools to identify potential threats in real time.
- Respond: Set up protocols for responding to detected cyber-attacks. This includes creating incident response plans, conducting regular drills, and ensuring that the crew is trained to handle cyber incidents effectively.
- Recover: Adopt procedures to recover any capabilities and/or services impaired by a cyber incident. This involves developing contingency plans and backup strategies to restore normal operations quickly.
UR E27 - Cyber Resilience of Onboard Systems and Equipment
UR E27 supports manufacturers and OEMs in evaluating and improving the cyber resilience of onboard operational systems and equipment. This requirement offers comprehensive instructions related to security philosophy, documentation, system requirements, secure development lifecycle requirements, and plan approval. By incorporating elements of the International Electrotechnical Commission (IEC) standard IEC 62443, UR E27 ensures that onboard systems meet stringent cybersecurity standards.
UR E27’s system requirements cover 30 security capabilities required of all Computer-Based Systems (CBSs) and 11 additional security capabilities required of CBSs that interface with untrusted networks. These requirements ensure that all onboard systems and equipment are designed and maintained to withstand cyber threats effectively.
Demonstrating Compliance
Demonstrating compliance with UR E27 requires the submission of several detailed documents to the classification society. These documents provide a comprehensive overview of the onboard systems' cybersecurity measures and their effectiveness.
- CBS Asset Inventory: This includes a list of hardware components detailing the manufacturer and model, a short description of their functionality, physical interfaces, the name/type of system software with its version and patch level, and supported communication protocols. This inventory ensures that all hardware and software components are accounted for and that their security attributes are well documented.
- CBS Topology Diagrams: These comprise two diagrams, a physical topology diagram illustrating the physical architecture of the system and a logical topology diagram illustrating the data flow between system components. These diagrams provide a visual representation of the system’s structure and data interactions, facilitating the identification of potential vulnerabilities.
- Description of Security Capabilities: This document demonstrates how the CBS meets the required security capabilities with its hardware and software components. It provides detailed descriptions of the security features implemented in the system, ensuring that all necessary measures are in place to protect against cyber threats.
- Test Procedure of Security Capabilities: This describes how to demonstrate, through testing, that the system complies with the security requirements. It includes detailed test plans and procedures to validate the effectiveness of the implemented security measures.
- Security Configuration Guidelines: This document describes recommended configuration settings of the security capabilities and specifies default values. It provides guidelines for configuring the system securely, ensuring that it operates in a manner that minimizes the risk of cyber-attacks.
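The asset inventory and logical topology described above can be checked mechanically before submission. The following is an added example, not code from the article or from IACS: it validates a constructed inventory against the fields the article lists and walks a constructed logical topology to find which CBSs interface with an untrusted network (and so fall under the 11 additional capabilities). All system names, field names and data flows are assumptions of this example, and the transitive reachability function goes beyond the direct-interface rule in the text.

```python
# Added example (not from the article or IACS): checks a constructed CBS asset
# inventory for the fields the article lists, and uses a constructed logical
# topology (directed data flows) to find CBSs that interface with untrusted networks.
from collections import deque

REQUIRED = ("manufacturer", "model", "function", "physical_interfaces",
            "software", "version", "patch_level", "protocols")

# Constructed inventory; "Firewall-1" deliberately lacks version and patch_level.
INVENTORY = {
    "Firewall-1": {"manufacturer": "ExampleCo", "model": "FW-10", "function": "Ship/shore gateway",
                   "physical_interfaces": ["wan0", "lan0"], "software": "ExampleOS", "protocols": ["IPsec"]},
    "ECDIS-1": {"manufacturer": "ExampleCo", "model": "E-100", "function": "Chart display",
                "physical_interfaces": ["eth0", "ser0"], "software": "ExampleNav", "version": "4.2",
                "patch_level": "2024-03", "protocols": ["TCP/IP", "NMEA 0183"]},
    "Radar-1": {"manufacturer": "ExampleCo", "model": "R-7", "function": "Radar", "physical_interfaces": ["eth0"],
                "software": "ExampleRadar", "version": "2.0", "patch_level": "2023-11", "protocols": ["NMEA 0183"]},
}
UNTRUSTED = {"Shore-VSAT", "Crew-WiFi"}  # network nodes of the topology, not CBSs
# Constructed logical topology: (source, destination) data flows.
FLOWS = [("Shore-VSAT", "Firewall-1"), ("Crew-WiFi", "Firewall-1"),
         ("Firewall-1", "ECDIS-1"), ("Radar-1", "ECDIS-1"), ("ECDIS-1", "Radar-1")]


def missing_fields(inventory=INVENTORY):
    """Map each CBS to the required inventory fields it lacks (empty list if complete)."""
    return {name: [f for f in REQUIRED if f not in entry] for name, entry in inventory.items()}


def interfaces_untrusted(flows=FLOWS, untrusted=UNTRUSTED):
    """CBSs with a direct flow to or from an untrusted network (need the additional capabilities)."""
    exposed = set()
    for src, dst in flows:
        if (src in untrusted) != (dst in untrusted):  # exactly one end is an untrusted network
            exposed.add(dst if src in untrusted else src)
    return exposed


def reachable_from_untrusted(flows=FLOWS, untrusted=UNTRUSTED):
    """Beyond the direct rule: every CBS that can receive data originating from an
    untrusted network, following flows transitively (breadth-first search)."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
    seen, queue = set(), deque(untrusted)
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen and nxt not in untrusted:
                seen.add(nxt)
                queue.append(nxt)
    return seen
```

Entries with a non-empty list from missing_fields() are incomplete for submission; the difference between reachable_from_untrusted() and interfaces_untrusted() shows which systems depend on the gateway's controls rather than their own.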
Reference: https://www.linkedin.com/in/mario-eisenhut-77041726/?originalSubdomain=de