ClassNK has released ‘Guidelines for Cyber resilience of ships’, based on the new IACS Unified Requirements (UR) to support the consideration of measures to ensure the cybersecurity of ships.
As explained by ClassNK, IACS has established UR E26 for ships and UR E27 for on-board systems and equipment as URs setting minimum requirements for cyber resilience, which is the capability to reduce the occurrence and mitigate the effects of cyber incidents due to cyber-attacks or other threats. The URs have been applied to new ships contracted for construction on or after 1 July 2024.
The newly issued guidelines provide guidance mainly for shipbuilders, shipowners, and ship management companies. They cover the application scope of the rules, the approval process, required documents, and surveys.
UR E26: Cyber resilience of ships
UR E26 aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship. This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.
Chapter 5, Part X (UR E26) outlines the requirements for cyber resilience of ships. Cyber resilience refers to the capability to reduce the occurrence of and mitigate the effects of operational technology (OT) disruptions on ships caused by cyber attacks or other threats, thereby safeguarding human and ship safety as well as the environment. Additionally, it includes the ability to quickly recover from such disruptions when they occur. The aim of Chapter 5, Part X (UR E26) is to equip ships with these capabilities, making them resistant to cyber attacks or other threats.
To ensure cyber resilience on ships, Chapter 5, Part X (UR E26) is divided into five functional elements: Identify, Protect, Detect, Respond, and Recover, each with its specific requirements. ClassNK explains these requirements as follows:

Identify
The main purpose of “Identify” is to make the assets owned by the ship, such as systems and network devices, “visible.” Specifically, this involves creating an inventory of the ship’s assets. This inventory is called the vessel asset inventory and clarifies what computer-based systems (CBSs) and equipment are currently onboard.
Protect
The main purpose of “Protect” is to minimize the scale and frequency of potential cyber incidents. The requirements related to implementing necessary safeguards are specified. A particularly important aspect is “segmenting” the networks connected to the ship’s assets. Segmentation means partitioning computer systems based on their purpose and criticality in network design.
Detect
The main purpose of “Detect” is to find attacks. Specifically, it involves network operation monitoring and ensuring the effectiveness of onboard security functions. During normal operations, periodic functional verification is carried out, and in the event of anomalies, alarms are triggered to enable early recognition of cyber attacks or other threats that the ship has experienced.
Respond
The main purpose of “Respond” is to examine and implement means to minimize the impact of detected cyber incidents. Specifically, it requires creating an incident response plan that specifies how to respond to incidents, and acting according to that plan.
The plan must include the following information:
- Local, independent and/or manual operation: Detailed procedures on who will implement local or manual control over main engines, controllable pitch propellers, and other propulsion equipment as required in the event of a cyber incident.
- Network isolation: Detailed procedures on who will implement network isolation and how it will be done in the event of a cyber incident.
- Fallback to a minimal risk condition: “Fallback to minimal risk condition” means a stable, stopped condition that reduces safety risks in the event of a cyber incident. The plan should create specific procedures for how to achieve a stable, stopped condition for each computer system provided by the systems integrator, referring to information on each system.
Recover
The main purpose of “Recover” is to return to an operational state after a disruption or failure caused by a cyber incident. By planning and implementing a recovery plan according to these requirements, CBSs and networks can be quickly restored.