In our previous article on maritime cyber security, we discussed the importance of robust practices in safeguarding shipping from cyber threats and vulnerabilities. The maritime industry is a complex ecosystem, and the sector is an attractive target for hackers. Any vulnerabilities, if exploited, could massively disrupt the trade routes so important to our global economy.
In an increasingly digitized and interconnected world, it is no surprise that governing bodies like the International Maritime Organization (IMO) and the International Association of Classification Societies (IACS) are striving to develop regulations and keep up with the new technologies continuously being adopted in the maritime industry - and all the novel risks they bring with them.
Among the latest have been the IACS’s UR E26, which covers the “Cyber Resilience of Ships”, and UR E27 for “Cyber Resilience of On-Board Systems and Equipment”, which applied to new ships from 1 January 2024. New improvements to these requirements, along with further enhancements resulting from industry feedback, are set to come into force on 1 July 2024. Here’s what you need to know about the expected updates.
What are UR E26 and UR E27?
According to the IACS, their Unified Requirements (URs) E26 and E27 are a result of “recognizing that cyber incidents on vessels can have a direct and detrimental impact on life, property, and the environment”. Relevant for ship owners and managers, design offices, shipyards and suppliers, they focus on the reliability and functional effectiveness of onboard computer-based systems (CBS) in the maritime industry. UR E26 targets the ship as a collective entity for cyber resilience, while UR E27 provides requirements for cyber resilience of onboard systems and equipment and aims to ensure system integrity is secured and hardened by third-party suppliers.
To summarize, the URs cover the following main topics: the scope of applicability of systems for important vessel functions; the identification of, and protection against, cyber threats; incident detection, response and recovery; and the improvement of security capabilities of systems and components. The URs have been applicable to in-service vessels since January 2024; additional improvements, which will supersede the previous URs, will be applied to new ships contracted for construction on and after 1 July of this year.
What do the updates mean?
The revised URs coming into force in July can be expected to have profound implications, and to pose challenges, for the maritime industry. They are mandatory requirements for the CBSs on the following types of vessels engaged in international voyages:
In addition, they act as non-mandatory guidance to smaller vessels and ships not engaged in trade, such as pleasure yachts, fishing vessels and ships of war.
The documents emphasize the importance of a comprehensive security management program, from risk assessment to incident response and recovery planning. They provide specific requirements for manufacturers of on-board systems and equipment. Compliance with UR E26 demands thorough documentation of all three stages of a ship’s life cycle - design and construction, commissioning, and operation - and the submission of these documents to relevant authorities. UR E27 requires the submission of documents relating to onboard systems and equipment, from CBS asset inventories and topology diagrams to descriptions and test procedures of security capabilities. It details a total of 30 security capability requirements for all CBSs, along with 11 more capabilities required from CBSs that share an interface with untrusted networks.
What should you do to prepare, and why?
The IMO highlights the importance of supporting safe and secure shipping that is resilient to cyber risks. A breach of a vessel's onboard systems can cause reputational and financial impacts as well as jeopardize the safety of the vessel, crew, and passengers.
Knowledge and understanding of the scope of these requirements is imperative in order to ensure compliance - therefore, the documents in question should be read and understood in full. With all the requirements for ship design, construction and operations, it is crucial for people in the industry to keep their documentation up to date and make sure companies have a holistic view of their operations at sea as well as their onshore infrastructure. Regular risk assessments, safety testing, and staff training are important, and seeking out experts in cyber security is essential.
These days, every vessel sailing the seas is a floating data platform, and the varying connections, systems, and crew and passenger behaviours create a shifting vulnerability profile. These weaknesses can only be fully revealed and remediated through detailed, bespoke design reviews and in-depth scanning, pentesting, and monitoring. This is what Firesand’s cyber security maritime services are designed for. To find out more, visit the Maritime Cyber Security Services page on our website.