New IACS Cyber Requirements

The International Association of Classification Societies (IACS) recently released two new Unified Requirements relating to cyber resilience.

These guidance documents set out the IACS’ latest views on maintaining cybersecurity for vessels (UR E26 - Cyber Resilience of Ships) and for third-party equipment suppliers with regard to systems and equipment (UR E27 - Cyber Resilience of On-Board Systems and Equipment). 

UR E26 aims to provide the minimum set of requirements for the cyber resilience of ships. It is intended for the design, construction, commissioning, and operational life of the ship. Specifically, it applies to computer-based systems that use data to control or monitor physical processes that can be vulnerable to cyber incidents and, if compromised, could lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment.  This includes the following systems:

• Propulsion

• Steering

• Anchoring and mooring

• Electrical power generation and distribution

• Fire detection and extinguishing systems

• Cargo handling system (limited to safety-related elements)

• Bilge and ballast systems, loading/unloading control systems, loading computer

• Boiler control system

• Scrubber control system and other systems needed for compliance with class or international regulations to prevent pollution to the environment

• Watertight integrity and flooding detection

• Lighting (e.g. emergency lighting, low locations, navigation lights, etc.)

• Any other OT system whose disruption or functional impairing may pose risks to ship operations (e.g. LNG monitoring and control system, relevant gas detection system etc.)

• Navigational systems required by statutory regulations

• Internal and external communication systems required by class rules and statutory regulations

The second guidance document, UR E27 Cyber Resilience of On-Board Systems and Equipment, aims to provide the minimum-security capabilities for systems and equipment to be considered cyber resilient and is intended for third party equipment suppliers.  It includes an extensive table of required security capabilities for all computer-based systems.

These two guidance documents build on the classification society guidance for cybersecurity promulgated over the last couple of years, including, for example, the ABS Guide for Cybersecurity Implementation for the Marine and Offshore Industries published in February 2021, and IACS UR E22 – On Board Use and Application of Computer based systems.

These new requirements enter into force for new construction vessels with a contract signing that is on or after January 1, 2024.

ABS is currently working on incorporating these requirements into their rules and identifying any gaps or overlap between ABS’ publications and these new requirements.