
CND News and Blog

IACS Mandate Cyber Security For New Builds

UPDATE 13 July 2022

As part of our research into writing this post, we noticed that IACS UR E26 (below) had been released at exactly the same time as the amendment to IACS Rec 166 Recommendation on Cyber Resilience.  

Interestingly, the Rec 166 document was amended to replace mandatory wording such as "requirement" with optional wording such as "consideration", making cyber largely optional for existing ships and, through UR E26, mandatory for new build ships commissioned after 01 January 2024.

Can we assume this is because whilst the IACS understand the importance of Cyber Security onboard vessels, the resistance to implement cyber on existing ships was too great?

At CND we have successfully retrofitted robust cyber security packages onto existing ships with minimal disruption or additional expense.

IACS has adopted 2 new requirements for ships contracted for construction after 01 January 2024, although it is suggesting that they may be applied before this date. These new requirements build upon the IMO Resolution MSC.428(98) which has been in force for in-service vessels since 01 Jan 2021.

Whilst the original IMO resolution fell slightly short of a mandate and consisted of guidelines, it's refreshing to see Flag States and member governments outlining requirements to mandate the enforcement of cyber security.

IACS Unified Requirement E26 - Cyber resilience of ships

UR E26 aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel's network during the design, construction, commissioning, and operational life of the ship. This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.

Identify: Develop an organisational understanding to manage cybersecurity risk to onboard systems, people, assets, data, and capabilities.

Protect: Develop and implement appropriate safeguards to protect the ship against cyber incidents and maximize continuity of shipping operations.

Detect: Develop and implement appropriate measures to detect and identify the occurrence of a cyber incident onboard.

Respond: Develop and implement appropriate measures and activities to take action regarding a detected cyber incident onboard.

Recover: Develop and implement appropriate measures and activities to restore any capabilities or services necessary for shipping operations that were impaired due to a cyber incident.

IACS Unified Requirement E27 - Cyber resilience of on-board systems and equipment

UR E27 aims to ensure system integrity is secured and hardened by third-party equipment suppliers. This UR provides requirements for cyber resilience of onboard systems and equipment and provides additional requirements relating to the interface between users and computer-based systems onboard, as well as product design and development requirements for new devices before their implementation onboard ships.


