In January 2024, the International Association of Classification Societies (IACS) introduced two critical Unified Requirements (URs)—E26 and E27—aimed at enhancing cybersecurity in maritime operations. These requirements are pivotal for shipbuilders and system suppliers, ensuring that cybersecurity is integrated into the ship design and construction process from the outset.

Why are these cybersecurity requirements necessary?

As of July 1, 2024, compliance with IACS UR E26 and E27 is mandatory for vessels with design and build contracts signed after this date. This makes it imperative for shipbuilders and operators to understand and implement these requirements to ensure safety, security, and operational integrity.

Building and maintaining a large vessel is inherently complex, and the introduction of additional cybersecurity regulations may not be welcomed by all. However, as with other industries, the maritime sector faces an increasing risk of cyber-attacks, particularly as older technical components and configurations become more vulnerable.

While the new requirements may initially seem complex and daunting, they are rooted in a solid understanding of cyber threats, effective defense techniques, and the necessary measures for detection and response. Although detailed, these requirements are practical and achievable.

What are the real cyber risks to modern vessels?

Assessing risk for most situations is usually answered through a formal evaluation, often calculated as Impact x Likelihood.  While the impact of losing the integrity or control of a vessel’s technical features remains significant, the likelihood of a cyber-attack is increasing dramatically as connectivity and digitalization expand.

Consider this evolving scenario

Fifty years ago, a new ship may have been built with manual valves and a small highly trained and trusted crew to operate them.  Opening a valve required physical access and possibly a supervisor’s key, making malicious interference unlikely.

In the next iteration, valves could be opened with a button on a panel, still requiring a key, but now vulnerable to electrical shorts due to salt contamination from seawater. The likelihood of unexpected behavior increased, but resilient design mitigated some risks.

In further iterations, manufacturers replaced manual controls with reliable computers, allowing for more efficient operations without physical keys—access now required a password. Enhanced connectivity enabled remote monitoring, improving operational efficiency and safety.

However, as technology advances, new vulnerabilities emerge. For example, embedded passwords used for new diagnostics may be discovered and exploited, prompting updates for better security. During refits, integrating valve control with propulsion systems on the same network can simplify design, but also introduce new vulnerabilities.

Over time, ship owners find themselves managing fleets with complex systems connected at remote locations, exposing them to potential cyber threats. Fleet operators are also feeling tremendous pressure to manage and reduce time in port, which can also limit potential onboard upgrades and updates to critical security infrastructure on the vessel.

These scenarios illustrate the growing risk landscape, making compliance with IACS E26 and E27 not just advisable, but essential for the safety and security of modern maritime operations.

What are the new UR E26 and E27 requirements trying to achieve?

E26: Cyber Resilience of Ships

IACS UR E26 outlines the requirements for certifying vessels for cyber resilience during the design, commissioning, and operational phases. This requirement is comprehensive, addressing the entire vessel as a collective entity and emphasizing the importance of cybersecurity throughout its lifecycle.

E26 is now asking ship builders to consider, ensure and demonstrate that these accidental pathways have been carefully considered and avoided, or risk managed, and that they always know what critical systems (and versions) of systems are on each vessel.  This will help quickly identify if a device has become vulnerable to an attack and needs to be updated or replaced.

E27: Requirements for Computerized Systems and Equipment Onboard

IACS UR E27 focuses on the individual Computer Based Systems (CBS) onboard, including IT and Operational Technology (OT) systems. It mandates compliance for all computerized systems, particularly those that manage critical functions such as propulsion, steering, anchoring, and electrical power.

Both E26 and 27 are applicable to commercial and offshore vessels of 500 Gross Tonnage (GT) or more, with certain exemptions for fishing vessels and smaller yachts.

E27 is specifying that individual critical components being used on these vessels have the required security features to ensure that they are not easily compromised or damaged, and that in the event of a cyber incident the intrusion can be detected and the data required to effectively respond is available.  The requirements are comprehensive but not excessive.

How Speedcast SIGMA Addresses IACS E26 and E27

As a leading remote communications provider, Speedcast is committed to supporting these new security requirements. The SIGMA platform provides a robust framework for addressing IACS’s latest mandates, offering several key features:

1. Protecting Against Unauthorized Access: SIGMA ensures robust security by requiring all users to authenticate with provided credentials before accessing the system. With full user account management and role-based access control (RBAC), SIGMA supports granular permissions for users and groups.

2. Ensuring Data Integrity: SIGMA protects the integrity of critical systems with strong encryption protocols, including IPSEC using AES256 for secure communications. The Next Generation Firewall (NGFW) capabilities provide malware detection at the traffic level, while configuration data is securely stored in the cloud, allowing for quick recovery in case of device damage.

3. Preventing Unauthorized Disclosure: All information stored on SIGMA devices is encrypted, safeguarding sensitive data from unauthorized access. Access is restricted to users with appropriate permissions, utilizing industry-standard encryption algorithms and key lengths.

4. Monitoring and Incident Response: SIGMA generates comprehensive audit logs for system, firewall, and user activities, which can be securely sent to external SIEM servers for analysis. This capability enhances incident response and monitoring of system operations.

5. Comprehensive Security Features: Leveraging Secure Access Service Edge (SASE) technology, SIGMA’s advanced firewall protection, data encryption, and Zero Trust role-based access controls ensure that only authorized users can access critical systems.

The introduction of IACS E26 and E27 marks a significant step towards enhancing cybersecurity in the maritime industry. By leveraging Speedcast’s SIGMA platform, shipbuilders and operators can confidently meet these requirements, safeguarding their operations and ensuring a resilient future.

Consult our cyber compliance experts to navigate the complexities of IACS UR E26 and E27 compliance.