Basics of cybersecurity in shipping and an analysis of the maritime standards IACS UR E26 and E27, including their integration into the EU legal framework.
Legal situation in the European Union
The legal framework for maritime cybersecurity in the EU is based on an interplay of international regulations and EU-specific directives. For ships engaged in international voyages, the requirements of the International Maritime Organization (IMO) apply first and foremost, setting out rules for different ship types and their equipment (https://www.imo.org/).
Within the EU, the Marine Equipment Directive (MED) 2014/90/EU plays a central role. It harmonizes test standards and certification procedures for marine equipment in the EU and integrates IMO standards into the EU legal framework (https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=CELEX%3A32014L0090). Implementation and verification of these regulations fall to flag states, with specialized notified bodies responsible for conformity assessments.
The MED is regularly updated to reflect new technologies and safety standards, including aspects of cybersecurity. In addition, other EU directives such as NIS 2 also play a role in maritime cybersecurity.
This legal framework provides the basis for implementing cybersecurity standards like IACS UR E26 and E27 in the EU. It ensures that ships flying an EU flag and equipment used within the EU comply with both international and EU-specific requirements, contributing to a more resilient and secure maritime infrastructure.
Requirements and objectives of the new regulations
The new IACS Unified Requirements E26 and E27 mark a turning point in maritime cybersecurity. These requirements are not merely technical guidelines; they encompass a holistic approach that spans design, operation and maintenance.
By integrating established industry standards and taking into account maritime-specific challenges, these requirements set new benchmarks for cybersecurity at sea. The essential requirements and objectives of these pioneering regulations are examined in detail below.
IACS UR E26 - Cyber resilience of ships
IACS UR E26 sets requirements for the cyber resilience of ships and applies to new ships contracted for construction on or after 1 July 2024. Within scope are passenger ships, cargo ships of 500 GT and above, high-speed craft of 500 GT and above and mobile offshore drilling units that operate on international voyages.
The core elements of E26 are:
- Identifying: developing a comprehensive understanding of cybersecurity risks on board
- Protecting: implementing proactive protective measures against potential cyber incidents
- Detecting: establishing advanced systems for early detection of cyber incidents
- Responding: developing detailed and effective response plans for various cyber-incident scenarios
- Recovering: preparing comprehensive plans for rapid recovery after cyber incidents
E26 not only defines these areas but also specifies how compliance is demonstrated: through surveys by the classification society, a defined set of documentation (asset inventory, network diagram, security design and test procedures) and crew training.
IACS UR E27 - Cyber resilience of on-board systems and equipment
IACS UR E27 complements E26 and specifies requirements for the cyber resilience of on-board systems and equipment. It applies to computer-based systems installed on the ship types covered by E26. Where E26 looks at the ship as a whole, E27 focuses on the security capabilities of individual on-board systems and devices. Key requirements include:
- Identification and authentication of users
- Access control and authorization management
- Protection against tampering and malware
- Secure communications
- Logging of security-relevant events
- Backup and recovery functions
In addition, requirements are set for the secure development process (secure development lifecycle) of systems. The standard also specifies which documentation manufacturers must provide and how compliance is to be demonstrated.
Relationship between IACS UR E26 and E27
IACS UR E26 and UR E27 complement each other:
- E26 defines overarching requirements for the cyber resilience of the entire ship. It addresses the shipyard and system integrator for design and construction, and the shipowner or operator for operation.
- E27 specifies concrete technical requirements for individual systems and devices and primarily addresses the manufacturers and suppliers of ship systems.
Together they create a holistic framework that covers both organizational and technical aspects of maritime cybersecurity.
Relationship with IEC 62443 and the NIST CSF
IACS UR E26 "Cyber Resilience of Ships" focuses on ship operations and is based on the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST) (https://www.nist.gov/cyberframework). This framework has proven effective across industries as an approach to improving cybersecurity.
NIST CSF and IACS UR E26
E26 adopts the five core functions of the NIST framework - identify, protect, detect, respond and recover - and adapts them to the context of shipping. This risk-based approach allows shipowners and operators to scale their cybersecurity measures in proportion to the risk of each ship and system rather than applying one fixed set of controls.
A central aspect of the NIST framework that E26 embraces is the emphasis on continuous improvement. In the constantly evolving landscape of cyber threats, it is essential that security measures in ship operations are regularly reviewed and adjusted.
IEC 62443 and IACS UR E27
While E26 focuses on the overarching organizational aspects of cybersecurity in ship operations, IACS UR E27 specifically addresses the technical aspects of on-board systems and equipment. Here, E27 is closely aligned with the international IEC 62443 standard series for the security of industrial automation and control systems (note that "IACS" in the IEC title refers to industrial automation and control systems, not to the classification-society association that issues the URs). IEC 62443 is the most widely adopted reference for cybersecurity in industrial control systems and provides a comprehensive framework for securing networked systems.
Specifically, E27 adopts detailed technical requirements for the security capabilities of on-board systems and devices from IEC 62443-3-3. This includes aspects such as access controls, secure communications and event logging for specific on-board components. In addition, E27 integrates concepts from IEC 62443-4-1 on the secure development lifecycle to ensure that cybersecurity is considered not only during operation but already during the development and manufacture of maritime systems and equipment.
Zones and conduits in the IACS URs
A key concept adopted from IEC 62443 by both E26 and E27 is that of zones and conduits. Systems with similar security requirements are grouped into zones, and every communication path between zones is an explicitly defined conduit; traffic between zones that is not covered by a conduit is not permitted. This network segmentation concept is particularly relevant for the complex and interconnected systems of modern ships. It enables granular control of data flows between different on-board systems and thus increases overall security both in ship operations and for individual on-board systems.
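The following is an added example, not code from the original page or from IACS, showing what a zones-and-conduits model looks like when written down in a checkable form. The zone names, address ranges, protocols and ports are assumptions constructed for illustration and do not come from E26, E27 or any real ship; the flows fed to the audit are constructed sample records standing in for lines from a firewall or flow log.

```python
"""Check observed network flows against a documented zones-and-conduits model.

Added illustration for the IEC 62443 zones-and-conduits concept as referenced by
IACS UR E26/E27. All zones, CIDRs, ports and flows below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Zone:
    name: str
    networks: Tuple[str, ...]          # CIDR blocks belonging to the zone (assumed)

@dataclass(frozen=True)
class Conduit:
    src: str                           # source zone name
    dst: str                           # destination zone name (conduits are directional)
    allowed: FrozenSet[Tuple[str, int]]  # (protocol, destination port) pairs permitted

# Hypothetical ship network: four zones with non-overlapping address ranges.
ZONES: List[Zone] = [
    Zone("bridge_navigation", ("10.10.0.0/24",)),
    Zone("engine_automation", ("10.20.0.0/24",)),
    Zone("crew_welfare",      ("10.30.0.0/24",)),
    Zone("shore_link",        ("203.0.113.0/24",)),
]

# Documented conduits. Anything not listed here is denied by default.
CONDUITS: List[Conduit] = [
    # Bridge HMI polls the engine automation PLC (Modbus/TCP, assumed).
    Conduit("bridge_navigation", "engine_automation", frozenset({("tcp", 502)})),
    # Engine automation pushes monitoring data to the shore connection over TLS.
    Conduit("engine_automation", "shore_link", frozenset({("tcp", 443)})),
    # Bridge receives chart updates from shore over TLS.
    Conduit("bridge_navigation", "shore_link", frozenset({("tcp", 443)})),
]

_CONDUIT_INDEX: Dict[Tuple[str, str], Conduit] = {(c.src, c.dst): c for c in CONDUITS}

def zone_of(ip: str) -> Optional[str]:
    """Return the zone name containing ip, or None if the address is not in the model."""
    addr = ipaddress.ip_address(ip)
    for zone in ZONES:
        if any(addr in ipaddress.ip_network(cidr) for cidr in zone.networks):
            return zone.name
    return None

def evaluate_flow(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Classify one observed flow as ALLOW or DENY with a reason.

    Rules applied, in order:
      1. An endpoint outside every zone is an asset-inventory gap: deny and flag it.
      2. Traffic inside a single zone does not cross a conduit: allow.
      3. Cross-zone traffic is allowed only if a conduit exists for that direction
         and lists the protocol/port; everything else is denied (default deny).
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        unknown = src_ip if src_zone is None else dst_ip
        return "DENY", f"{unknown} is not assigned to any zone (inventory gap)"
    if src_zone == dst_zone:
        return "ALLOW", f"intra-zone traffic within {src_zone}"
    conduit = _CONDUIT_INDEX.get((src_zone, dst_zone))
    if conduit is None:
        return "DENY", f"no conduit defined from {src_zone} to {dst_zone}"
    if (proto.lower(), dst_port) not in conduit.allowed:
        return "DENY", f"{proto}/{dst_port} not permitted on conduit {src_zone}->{dst_zone}"
    return "ALLOW", f"permitted by conduit {src_zone}->{dst_zone}"

def audit(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[Tuple[str, str, str, int], str, str]]:
    """Evaluate every flow and return (flow, verdict, reason) triples."""
    return [(f, *evaluate_flow(*f)) for f in flows]

def violations(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str, int]]:
    """Return only the flows that the documented model does not permit."""
    return [f for f, verdict, _ in audit(flows) if verdict == "DENY"]

# Constructed sample flows (src_ip, dst_ip, proto, dst_port), as if read from a flow log.
SAMPLE_FLOWS: List[Tuple[str, str, str, int]] = [
    ("10.10.0.5",    "10.20.0.10", "tcp", 502),   # bridge -> engine Modbus: documented conduit
    ("203.0.113.7",  "10.20.0.10", "tcp", 22),    # shore -> engine SSH: no such conduit
    ("10.30.0.44",   "10.10.0.5",  "tcp", 80),    # crew network -> bridge: no such conduit
    ("10.20.0.10",   "10.20.0.11", "tcp", 102),   # PLC to PLC inside engine zone
    ("10.10.0.5",    "203.0.113.9", "udp", 53),   # bridge -> shore DNS: port not on conduit
    ("192.168.99.1", "10.10.0.5",  "udp", 161),   # unknown device polling the bridge via SNMP
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<4} {reason}")
```

The point of writing the model this way is that the zones-and-conduits diagram E26 asks for becomes something you can test against real traffic: every DENY line is either a firewall rule that is missing or too permissive, or a device that is missing from the asset inventory. Direction matters, which is why the conduits are keyed on (source zone, destination zone); the shore-to-engine SSH flow is refused even though an engine-to-shore conduit exists.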
The combination of the operational approaches from the NIST framework (E26) with the technical specifications from IEC 62443 (reflected in both E26 and E27) creates a comprehensive framework for maritime cybersecurity. This integrated approach addresses both the management level of ship operations and the technical implementation in on-board systems, providing the maritime industry with a robust guide to tackling current and future cybersecurity challenges.
Conclusion
These new regulations signal a paradigm shift in the maritime industry, underscoring the importance of cybersecurity and the need for proactive measures. They represent a forward-looking approach to protecting maritime infrastructure from increasingly complex and potentially damaging cyber threats. With the implementation of IACS UR E26 and E27, ships will be designed, built and operated with cybersecurity as a verified requirement rather than an afterthought.
Overall, IACS UR E26 and E27 are an important step toward a more secure maritime future, but they also pose significant challenges for an industry that must adapt to new digital realities. The regulations make it clear that cybersecurity can no longer be ignored and that proactive measures are required to safeguard the integrity and security of global trade.
Support in implementing IACS UR E26 and E27
The increasing interconnectivity and digitization of modern ships bring new cybersecurity requirements. Operators, shipyards and system suppliers face the task of demonstrating security not only technically but also from a regulatory perspective - particularly with regard to the requirements of classification societies and international regulations.
Secuvi supports maritime stakeholders in developing appropriate security measures for ship systems and integrating them into existing processes. Services include risk analyses, technical protections, organizational measures and the preparation of auditable documentation. The goal is to implement security requirements in a traceable way without unduly hindering operations.
Whether for new builds, retrofit projects or as part of system development, we help you implement cybersecurity in shipping in a practical and standards-compliant manner.
More information: secuvi.com