IACS unified requirements E26 and E27 on cyber resilience 01.03.2024 23:30

International Association of Classification Societies’ (IACS) unified requirements (URs) E26 and E27 aim to minimise the frequency and impact of cyber incidents at sea.

UR E26: Cyber Resilience of Ships

Relating to entire ships, IACS UR E26 aims to help maritime organisations establish and maintain an effective cyber-risk management system comprising five sub-goals corresponding with the five functions of the National Institute of Standards and Technology’s Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

Demonstrating compliance with E26 requires submission of documents relating to three (3) stages of the vessel lifecycle:

1. Design and construction: the systems integrator submits a zones and conduit diagram, a vessel asset inventory, and a cyber-security design description.

2. Commissioning: the systems integrator submits a ship cyber-resilience test procedure.

3. Operation: the ship owner submits a ship cyber-security and resilience programme.

UR E27: Cyber Resilience of Onboard Systems and Equipment

Covering onboard systems and equipment, IACS UR E27 aims to help maritime organisations evaluate and improve cyber resilience. It describes 30 security capabilities required by all computer-based systems (CBSs) and a further 11 capabilities required by CBSs sharing an interface with untrusted networks.

Demonstrating compliance with E27 requires submission of a CBS asset inventory, CBS topology diagrams, a description of security capabilities, a test procedure of security capabilities, and security configuration guidelines.

By providing full visibility of onboard CBSs and networks and ensuring they possess basic cyber-resilience capabilities, URs E26 and E27 will help maritime organisations to develop comprehensive risk-management policies and strengthen their cyber defences.