28 Feb 2024

At a time when rapid advancements in maritime connectivity and shipboard technology are leaving vessel networks increasingly vulnerable to attack, the International Association of Classification Societies’ (IACS) unified requirements (URs) E26 and E27 aim to minimise the frequency and impact of cyber incidents at sea. 

Revised E26 and E27

Initially adopted in April 2022, the URs were withdrawn ahead of their planned implementation on 1 January 2024. However, revised versions of E26 and E27 adopted in September 2023 and November 2023, respectively are set to enter into force on 1 July 2024.  

Below is an overview of the URs and the documentation maritime organisations will need to submit to their classification society to demonstrate compliance. 

UR E26: Cyber resilience of ships 

Relating to entire ships, IACS UR E26 aims to help maritime organisations establish and maintain an effective cyber-risk management system comprising five sub-goals corresponding with the five functions of the National Institute of Standards and Technology’s Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. 

Demonstrating compliance with E26 requires the submission of documents relating to three stages of the vessel lifecycle:  

  • Design and construction: The systems integrator submits a zones and conduit diagram, a vessel asset inventory, and a cyber-security design description. 
  • Commissioning: The systems integrator submits a ship cyber-resilience test procedure. 
  • Operation: The ship owner submits a ship cyber-security and resilience programme. 

UR E27: Cyber resilience of onboard systems and equipment 

IACS UR E27 describes 30 security capabilities required by all computer-based systems (CBSs)

Covering onboard systems and equipment, IACS UR E27 aims to help maritime organisations evaluate and improve cyber resilience. It describes 30 security capabilities required by all computer-based systems (CBSs) and a further 11 capabilities required by CBSs sharing an interface with untrusted networks. 

Demonstrating compliance with E27 requires the submission of a CBS asset inventory, CBS topology diagrams, a description of security capabilities, a test procedure of security capabilities, and security configuration guidelines. 

Outlook 

By providing full visibility of onboard CBSs and networks and ensuring they possess basic cyber-resilience capabilities, URs E26 and E27 will help maritime organisations to develop comprehensive risk-management policies and strengthen their cyber defences. 

However, to address the constantly evolving threat of cyber-attacks, specialist network security solutions are also needed. GTMaritime’s cyber-security offering combines next-generation anti-virus technology with end-point detection and response capabilities. This, combined with the enhanced security features included in all GTMaritime solutions, enables a holistic approach to vessel security.