E26 & E27: Are You Compliant? Understanding The NEW Maritime Cyber-Resilience Regulations Launching 1st July, 2024

June 28, 2024

There has been an increase in maritime attacks in the last few years. A 900% increase in cyber attacks targeting Operational Technology (OT) systems in maritime has been recorded. With this in mind, the International Association of Classification Societies (IACS) has announced a new set of regulations that come into effect on 1st July, 2024. The aim of this set of guidelines is to minimize the chance of a cyber event occurring on a vessel and to ensure that maritime vessels are protected from potential cyber attacks throughout their entire life cycle.

Why Now?

The IACS website states: “Recognising that cyber incidents on vessels can have a direct and detrimental impact on life, property, and the environment, IACS has steadily increased its focus on the reliability and functional effectiveness of onboard, safety-critical, computer-based systems.”

As a result, the IACS has published two new unified rules (UR E26 and E27) on implementing cybersecurity controls to enable cyber resiliency.

UR E26 (aka “Cyber Resilience of Ships”). It provides a minimum set of cybersecurity requirements and treats the ship as a collective entity, covering five key aspects: equipment identification, protection, attack detection, response, and recovery. Its aim is to ensure the secure integration of OT and IT systems in the vessel’s network from the new build phase through the operational life of the ship.

UR E27 (aka “Cyber Resilience of On-Board Systems and Equipment”). UR E27 targets onboard computer-based systems and equipment supplied by third parties. It requires those devices to be hardened and secured at all times, and it requires a minimum level of security to be built into the design of new devices before they are installed on board ships.

Evolution: IACS Transforms Existing International Standards

The new UR E26 and E27 regulations establish a common understanding of the minimum requirements. But they are actually not completely new.

For the cybersecurity aficionado, these standards may look very familiar. In fact, they are the natural evolution of other internationally recognised OT cybersecurity standards, from NIST to IEC 62443 and even IMO 2021, and they adopt a very similar framework: identify, protect, detect, respond, and recover.

However, this framework has been tailored specifically for maritime vessels, ensuring a minimum level of cyber resilience for vessels, systems and equipment, with defenses against cyber incidents built in and with the ability to respond when a cyber incident occurs.

UR E26 has 17 requirements included within the framework. In general, they specify the following requirements:

  • Identify: vessel asset inventory, block diagram of connections, and network arrangement of computer-based systems.
  • Protect: network security zoning and segmentation, prevention (firewalls, antivirus, antimalware, antispam), access controls, remote access controls, and secured wireless communications, especially for mobile and portable devices.
  • Detect: continuous network monitoring, as well as verification and diagnostic functions.
  • Respond: incident response plan, network isolation, independent operation, and default or fallback to minimal risk conditions.
  • Recover: backup and restore capabilities, controlled shutdown / reset / roll-back / restart, and a recovery plan.
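To make the Identify and Protect items above concrete, here is an added example (written for this article, not code from IACS or from MicroSec’s assessor) of the kind of self-check a ship operator or integrator could run against their own asset inventory and connection diagram. It assumes a simple representation in which every listed asset is assigned a security zone and a kind (OT or IT), and every connection records whether it passes through a managed conduit (firewall). The asset names, zones and links below are constructed sample data, not real vessel data. The check reports two things: devices that appear in the connection diagram but are missing from the inventory (an Identify gap), and cross-zone links that bypass a conduit (a Protect gap), rating IT-to-OT crossings as the more serious.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One entry in the vessel asset inventory (UR E26 'Identify')."""
    name: str
    zone: str   # security zone, e.g. "OT-propulsion" or "IT-admin"
    kind: str   # "OT" or "IT"


@dataclass(frozen=True)
class Link:
    """One connection from the block diagram of the vessel network."""
    src: str
    dst: str
    through_conduit: bool  # True if the link crosses zones via a managed firewall/conduit


# Constructed sample inventory and connection list (hypothetical, not real vessel data).
INVENTORY = [
    Asset("main-engine-plc", "OT-propulsion", "OT"),
    Asset("ballast-controller", "OT-ballast", "OT"),
    Asset("bridge-ecdis", "OT-navigation", "OT"),
    Asset("admin-workstation", "IT-admin", "IT"),
    Asset("crew-wifi-ap", "IT-crew", "IT"),
]

LINKS = [
    Link("main-engine-plc", "ballast-controller", through_conduit=False),  # OT-OT, different zones, no conduit
    Link("admin-workstation", "main-engine-plc", through_conduit=False),   # IT -> OT with no conduit
    Link("bridge-ecdis", "admin-workstation", through_conduit=True),       # cross-zone, but through a conduit
    Link("crew-wifi-ap", "unknown-tablet", through_conduit=False),         # peer missing from the inventory
]


def find_unlisted_assets(inventory, links):
    """Return names that appear in the connection diagram but not in the inventory (Identify gap)."""
    known = {a.name for a in inventory}
    referenced = {lk.src for lk in links} | {lk.dst for lk in links}
    return sorted(referenced - known)


def find_zoning_violations(inventory, links):
    """Return (src, dst, severity) for cross-zone links that do not pass through a conduit (Protect gap)."""
    by_name = {a.name: a for a in inventory}
    findings = []
    for link in links:
        a, b = by_name.get(link.src), by_name.get(link.dst)
        if a is None or b is None:
            continue  # unknown peers are reported by find_unlisted_assets
        if a.zone == b.zone or link.through_conduit:
            continue  # same zone, or properly segmented via a conduit
        severity = "high" if a.kind != b.kind else "medium"  # IT/OT crossing is the worst case
        findings.append((link.src, link.dst, severity))
    return findings


def assessment(inventory=INVENTORY, links=LINKS):
    """Summarise both checks; 'compliant' is True only when neither check finds anything."""
    unlisted = find_unlisted_assets(inventory, links)
    violations = find_zoning_violations(inventory, links)
    return {
        "unlisted_assets": unlisted,
        "zoning_violations": violations,
        "compliant": not unlisted and not violations,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assessment(), indent=2))
```

Run as a script, the sample data produces one unlisted asset (the tablet on the crew Wi-Fi) and two zoning violations, the IT-to-OT link being rated high. Real inventories would be loaded from the vessel’s asset register rather than hard-coded, but the two questions the check asks, “is everything on the diagram in the inventory?” and “does every zone crossing go through a conduit?”, are the ones an E26 survey will ask.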

UR E27 is intended for third-party equipment suppliers and aims to define the minimum security capabilities that computer-based systems and equipment need in order to be considered cyber resilient.

What do these regulations mean for you? 

The immediate impact of these new regulations will be most significant for shipowners and ship operators, as well as shipyards or systems integrators with new builds of 500 GT or more being signed after 1st July 2024. This includes passenger ships (capable of carrying more than 12 people) and self-propelled mobile offshore units.

E26 and E27 will cover both operational technology (OT) and information technology (IT). The OT environment includes OT systems, such as propulsion, ballast, lighting, steering, and any digitally connected components that must be listed and safeguarded. For IT, it is important to emphasize that this need applies to all networks, including administrative and crew welfare systems. In essence, if there is a network connection, it should be protected. 

During the design phase, shipbuilders and systems integrators must demonstrate a vessel’s cyber resilience against the standards, and after vessel commissioning, ship operators and ship owners must complete annual surveys and remain compliant throughout the operational phase.

As a response, MicroSec has launched the world’s first Cyber Assessor for UR E26, an automated assessment tool that will check your compliance with these standards and provide recommendations on how to bridge the gap between where you are and where you need to be. 

So if you are a shipowner, shipbuilder or ship operator, get in touch with us today at info@usec.io to find out if you’re compliant with these regulations or what your current cybersecurity readiness looks like. In the end, these new UR E26 and E27 standards will make maritime vessels, ports, and fleets safer from cyber threats overall.