New IACS Cybersecurity Requirements Effective Today: UR E26 and E27

As of July 1, 2024, two new Unified Requirements (URs) developed and adopted by the International Association of Classification Societies (IACS), UR E26 and UR E27, have officially come into effect. These new requirements aim to enhance the cyber resilience of ships and ensure the safety of maritime transportation.

Recognizing that cyber incidents on vessels can have a direct and detrimental impact on life, property, and the environment, IACS has steadily increased its focus on the reliability and functional effectiveness of onboard, safety-critical, computer-based systems. IACS identified early on that for ships to be resilient against cyber incidents, all parts of the industry needed to be actively involved. To this end, a Joint Working Group (JWG) on Cyber Systems was convened to help identify best practices, appropriate existing standards in risk and cybersecurity, and a practical risk-based approach.

Building on this extensive collaboration and utilizing the experience gained from its existing Recommendations, as well as developments at the International Maritime Organization (IMO) including, in particular, IMO Resolution MSC.428(98) applicable to in-service vessels since January 1, 2021, IACS has adopted two new Unified Requirements on the cyber resilience of ships:

UR E26: This requirement aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship. UR E26 targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.

UR E27: This requirement aims to ensure that third-party equipment suppliers secure and harden the integrity of their systems. UR E27 provides requirements for the cyber resilience of onboard systems and equipment and includes additional requirements relating to the interface between users and computer-based systems onboard, as well as product design and development requirements for new devices before their implementation onboard ships.

These new URs will be applied to new ships contracted for construction on and after July 1, 2024, although the information contained therein may be applied in the interim as non-mandatory guidance. With the implementation of these new requirements, it is expected that the cybersecurity of maritime transportation will be significantly enhanced. This step will ensure that the maritime industry is more resilient to the cyber threats encountered in the process of digitalization.
