Understanding about the IACS Cyber Resilience Classifications UR E26 and E27


In an era increasingly dominated by digitalization, where the maritime industry is rapidly embracing new digital technologies, it is crucial to remain vigilant against cyber threats and attacks that could jeopardize operations, safety, and data integrity.

Recognizing the imperative to bolster the cyber resilience of ships, IACS released UR E26 "Cyber Resilience of Ships" and UR E27 "Cyber Resilience of On-Board Systems and Equipment" in 2022, applicable to new ships from January 1, 2024.

Since the publication of these requirements, and as experience of cyber security oversight in the maritime sector grows, the need for a standardized survey approach has emerged, driven by industry feedback and a desire for continual improvement.

Furthermore, addressing challenges in implementing new cyber requirements for smaller and non-conventional vessels, the applicability of these URs has been categorized as mandatory or non-mandatory depending on vessel types and sizes.


Who are IACS?


The International Association of Classification Societies (IACS) is a global organization that consists of major classification societies. These societies work collaboratively to develop and publish technical standards and guidelines for the design, construction, and survey of marine-related facilities such as ships and offshore structures. Classification societies play a crucial role in ensuring the safety, environmental performance, and reliability of maritime assets.

IACS member societies work together to establish common rules and standards that are recognized and applied internationally. These rules cover various aspects of ship design, construction, and operation, with the goal of promoting safety at sea, preventing marine pollution, and fostering innovation in the maritime industry.

The member societies of IACS include well-known classification societies such as the American Bureau of Shipping (ABS), Bureau Veritas (BV), Lloyd's Register (LR), DNV GL, and others. IACS provides a platform for these societies to collaborate, share expertise, and contribute to the development of industry standards that promote best practices in maritime safety and environmental protection.


What is IACS UR E26 Resolution?


The IACS E26 resolution covers “Cyber resilience of ships” and was to take effect on 1st January 2024, with the aim of establishing minimum requirements for the cyber resilience of ships, providing technical guidance to stakeholders, and making ships more resilient to cyber-attacks. The resolution focuses on the ship as a whole rather than on individual systems or components, and is meant to be used in conjunction with other industry standards and regulations.

NOTE: The requirement was introduced in April 2022. It has since been “withdrawn in September 2023 before coming into force on 1 January 2024, and has been replaced with Revision 1 in Q4 of 2023.”


IACS UR E26

Snapshot of IACS UR E26 Resolution.


This resolution applies to Operational Technology (OT) systems on ships, which are computer-based systems that control or monitor physical processes and can be vulnerable to cyber incidents. If compromised, these systems could lead to dangerous situations for human safety, the safety of the vessel, and/or the environment. The resolution specifically applies to computer-based systems used for the operation of functions and systems such as propulsion, steering, anchoring and mooring, electrical power generation and distribution, cargo handling systems, and other systems needed for compliance with class or international regulations to prevent pollution of the environment.

Additionally, it applies to navigational systems required by statutory regulations, internal and external communication systems required by class rules, and statutory regulations, as well as any IP-based communication interface from these systems to other systems such as passenger-facing networks, administrative networks, crew welfare systems, or any other systems connected to OT systems, either permanently or temporarily.

The revised version of UR E26 is available on the IACS website (https://iacs.org.uk/resolutions/unified-requirements/ur-e).


UR E26 Cyber Resilience of Ships


UR E26 aims to provide the minimum set of requirements for cyber resilience of ships. It is intended for the design, construction, commissioning, and operational life of the ship. This UR covers five key functional aspects for cybersecurity: Identify, Protect, Detect, Respond, and Recover.

  1. Identify (Inventory of Computer Based Systems (CBS))
    • Functional description
    • Block diagram of connections
    • Inventory/register of hardware
    • Features, protocols, data flows
    • Arrangement of networks connecting CBSs
    • Inventory of software
  2. Protect (Security zones)
    • Firewalls
    • Protection from network storms / overloads
    • Antivirus, antimalware, antispam
    • Access control, remote access control
    • Wireless communication
    • Use of mobile and portable devices
  3. Detect
    • Network monitoring
    • Diagnostic functions
  4. Respond
    • Incident response plan
    • Local, independent, and/or manual operation
    • Network isolation
    • Fallback to minimal risk condition
  5. Recover
    • Recovery plan
    • Backup and restore capability
    • Controlled shutdown, reset, roll-back and restart
  6. Test plans
    • Design and construction phase
    • Ship commissioning
    • Operational life
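The Identify, Protect and Detect items above fit together in practice: the CBS inventory and network arrangement define which zone each system belongs to, the security-zone design says which protocols may cross a zone boundary, and network monitoring compares observed traffic against that. The following is an added illustration of that check and is not from the IACS text or from any IACS tool; every hostname, zone name, protocol, conduit rule and observed flow in it is constructed for the example.

```python
"""Constructed example: checking observed network flows against a ship's
CBS inventory (UR E26 'Identify') and declared security-zone conduits
(UR E26 'Protect'), as a network-monitoring function might ('Detect').

Added illustration, not IACS text or tooling. All asset names, zones,
protocols and flows are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CBS:
    """One computer-based system from the inventory."""
    name: str
    zone: str
    function: str  # functional description, as the inventory requires


@dataclass(frozen=True)
class Flow:
    """One network flow between two hosts, observed or declared."""
    src: str
    dst: str
    protocol: str


# Constructed inventory: hostname -> CBS record.
INVENTORY = {c.name: c for c in [
    CBS("ecdis-1", "navigation", "Electronic chart display"),
    CBS("ias-server", "automation", "Integrated automation system server"),
    CBS("plc-propulsion", "automation", "Main engine control PLC"),
    CBS("admin-fileserver", "admin", "Crew administration file server"),
    CBS("crew-wifi-gw", "crew_welfare", "Crew internet gateway"),
]}

# Constructed conduit policy: protocols a zone-boundary firewall permits
# from one zone to another. Traffic inside a zone is allowed by default.
ALLOWED_CONDUITS = {
    ("navigation", "automation"): {"nmea-over-ip"},
    ("automation", "admin"): {"https"},  # one-way reporting uplink
}


def classify_flow(flow, inventory=INVENTORY, conduits=ALLOWED_CONDUITS):
    """Return 'intra-zone', 'permitted', 'unknown-asset' or 'blocked'.

    'unknown-asset' means an endpoint is missing from the inventory, which
    is itself an Identify finding; 'blocked' means a cross-zone flow that
    the declared conduits do not permit.
    """
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        return "unknown-asset"
    if src.zone == dst.zone:
        return "intra-zone"
    if flow.protocol in conduits.get((src.zone, dst.zone), set()):
        return "permitted"
    return "blocked"


def audit_flows(flows, inventory=INVENTORY, conduits=ALLOWED_CONDUITS):
    """Group flows by verdict. Non-empty 'blocked' or 'unknown-asset'
    lists are the findings a monitoring function would raise."""
    report = {"intra-zone": [], "permitted": [], "unknown-asset": [], "blocked": []}
    for f in flows:
        report[classify_flow(f, inventory, conduits)].append(f)
    return report


# Constructed sample of observed flows, as a monitoring tap might record.
OBSERVED = [
    Flow("ecdis-1", "ias-server", "nmea-over-ip"),
    Flow("ias-server", "plc-propulsion", "modbus/tcp"),
    Flow("ias-server", "admin-fileserver", "https"),
    Flow("crew-wifi-gw", "plc-propulsion", "modbus/tcp"),
    Flow("laptop-unknown", "ias-server", "ssh"),
]

if __name__ == "__main__":
    for verdict, flows in audit_flows(OBSERVED).items():
        for f in flows:
            print(f"{verdict:13} {f.src} -> {f.dst} ({f.protocol})")
```

Running the block prints two findings from the constructed data: a cross-zone flow from the crew welfare zone into the automation zone that no conduit permits, and a flow from a host that is not in the inventory at all. Keeping the inventory and the conduit table as data, separate from the check, mirrors how the documentation items in the list above are meant to stay current through the ship's operational life.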


What is IACS UR E27 Resolution?


The IACS E27 resolution covers “Cyber resilience of on-board systems and equipment” and introduces a comprehensive approach to cyber security that spans both Information Technology (IT) and Operational Technology (OT). The resolution provides guidance on the design, installation, operation, and maintenance of computer-based systems on board ships. These standards will be enforced for ships contracted for construction on or after 1st January 2024, but are recommended for ships of all shapes and sizes in the marine industry.

NOTE: The requirement was introduced in April 2022. It has since been “withdrawn in September 2023 before coming into force on 1 January 2024 and Rev.1 will come into force on 1 July 2024.”


IACS UR E27

Snapshot of IACS UR E27 Resolution.


The standard guides ship design and operation to reduce the risk of cyber-attacks and includes measures such as secure design, communications, access control, monitoring, and incident response. By following the standard, ships can become more resilient against cyber threats and ensure the safety of their crew, passengers, and cargo. Organizations can also use compensating countermeasures and a Secure Development Life Cycle (SDLC) to ensure the confidentiality, integrity, and availability of their data and that their systems and equipment are secure and compliant with E27 requirements.

The revised version of UR E27 is available on the IACS website (https://iacs.org.uk/resolutions/unified-requirements/ur-e).


UR E27 Cyber Resilience of On-board Systems and Equipment


UR E27 aims to provide the minimum security capabilities for systems and equipment to be considered cyber resilient. It is intended for third-party equipment suppliers.

  1. System documentation
    • List of equipment
    • Details of hardware
    • List of software
    • Network flows
    • Network security equipment
    • Secure Development Lifecycle document
    • Plans for maintenance
    • Recovery plan
    • System test plan
    • Operations manual, user manual
    • Change management
  2. Hardware inventory
  3. Software inventory



In a recent press release published by IACS, their Secretary General, Robert Ashdown, said:

"Incorporating industry feedback to ensure IACS requirements are clear in their applicability and are capable of being consistently applied in ship surveys, is important in ensuring that measures to enhance cyber resilience have the desired impact. As a result, and given that the original requirements had not yet entered into force, IACS has decided to apply only the revised requirements from 1 July 2024. It is believed that industry will welcome the clarity that this decision brings."


Conclusion


Compensating countermeasures are an important part of security and can be used to reduce the risk of cyber-attacks on such equipment. They provide an additional layer of protection against cyber threats and can include a variety of measures such as physical security, network segmentation, access control, encryption, and authentication. They can also be used in combination with other security measures such as firewalls, intrusion detection systems, and antivirus software.

By using these countermeasures, organizations can ensure that the confidentiality, integrity, and availability of their data is preserved and that their systems and equipment are secure and compliant with E27 requirements.

The guideline outlines several examples of equipment commonly found on ships, such as computers, networking devices, security devices, automation devices, and virtual machines, all of which are vulnerable to potential cyber threats. By following this standard, ships can become more resilient against cyber threats and ensure the safety of their crew, passengers, and cargo.


UPDATE

The content has been updated to cover the revised resolutions for IACS UR E26 and E27, which now come into force on 1st July 2024.



About the Author

Ruben George