Aiming to establish minimum requirements for the cyber-resilience of newbuild vessels and their connected systems, IACS unified requirements (URs) E26 and E27 provide a new benchmark for shipping’s response to its growing exposure to cyber-attacks.
Officially in force from 1 July 2024 and broadly welcomed by industry, the new URs represent another step forward in strengthening Maritime's resilience to the evolving cyber threat. However, according to a thought-provoking discussion recently hosted by Edwin Lampert, Executive Editor of Riviera in partnership with Inmarsat Maritime (a Viasat company), shipping companies must still conduct comprehensive risk assessments and implement appropriate mitigation measures.
Vessel’s cyber security
They ensure all stakeholders are responsible for the vessel’s cyber security
Kostas Grivas, Information Security Officer, Angelicoussis Group told the ‘IACS URs E26 & E27: Bridging the gap between regulation and implementation’ session that the URs bring “obvious benefits” such as eliminating “scattered requirements”. They provide “common and crystal-clear ground for auditing and control purposes”, and establish “a solid description of the minimum technical, procedural, and other criteria that govern a vessel’s cyber resilience,” he said. Finally, they ensure “all stakeholders are responsible for the vessel’s cyber security”.
Makiko Tani, Deputy Manager, Cyber Security at classification society ClassNK, also acknowledged that the new requirements will “contribute to the visibility of ever-digitalising shipboard networks and their assets”, however, as there is no one-size-fits all cybersecurity solution to all, she continued, “additional controls beyond those specified in the requirements may be necessary, depending on the vessel’s connectivity”.
Digital transformation strategy
To properly address the cyber risks that a specific vessel is exposed to, she said, “shipowners must conduct a thorough cyber-risk assessment. This relies on a ‘C-level commitment’ to establishing a cyber-security programme that facilitates compliance with URs E26 and E27 and any other future industry requirements while supporting the organisation’s digital transformation strategy”.
The importance of looking beyond the IACS URs was also emphasised by Laurie Eve, Chief of Staff, Inmarsat Maritime, who proposed three key areas where companies should “focus and invest not only to meet new requirements but also to go beyond compliance and build good cyber resilience”.
Quality management system and standards
The firm should focus on training and grasping, managing user rights, investing in a regime system
“The first key area, ‘people and culture’, addresses the notion that people are the weakest link in cyber security. According to a 2023 report from the United States Coast Guard as well as findings from Inmarsat’s security operations centres, phishing is the most common initial access vector in cyber-attacks. Investing in people, therefore, should be an absolute no brainer”, commented Eve.
Specifically, he continued, a company should focus on training and awareness, managing user privileges, investing in a quality management system and standards such as ISO 27001, assessing suppliers’ risk-management practices, and embedding cyber-security in the organisation’s continuous improvement culture.
Risk-management approach
The third and final key area according to Eve is an ‘incident response plan’ (IRP).
The second key area is ‘network-connected systems and services’. Given the number of attack surfaces on board a vessel and the ever-growing volumes of data moving between systems, many companies lack the time and resources to address all possible weaknesses. The solution, Eve said, is a risk-management approach in which the organisation assesses the risks, sets its risk appetite, and implements security measures according to the costs it is willing and able to bear.
The third and final key area according to Eve is an ‘incident response plan’ (IRP). It’s prudent to assume that at some point there will be failures and a breach, an IRP comprises a robust set of contingencies to keep the cost of business disruption to a minimum. It requires investment in backup and data systems as well as regular staff training. “Having a plan is good; training, rehearsing, and improving the plan is better,” explained Eve.
Cyber-security requirements
While these recommendations apply to all ship owners, Eve acknowledged that there are differences from small to large operators in terms of the budget and internal capability invested in cyber resilience. “Inmarsat’s Fleet Secure offers a ‘one-stop shop’ for cyber-security requirements which makes it a particularly good fit for “smaller operators without the in-house capability to put together their own solutions”, he said.
| Inmarsat’s Fleet Secure offers a ‘one-stop shop’ for cyber-security requirements |
Combining three powerful components – Fleet Secure Endpoint, Fleet Secure Unified Threat Management, and Fleet Secure Cyber Awareness Training – the Fleet Secure portfolio provides the tools and facilitates a risk-management approach, supporting “compliance with the new requirements” and, more broadly, “increasing cyber resilience”, Eve added.