Inmarsat Maritime has launched a white paper urging maritime organisations to strengthen their cyber defences as the industry continues to adopt connected technologies.
The white paper explores the new unified requirements (URs) for cyber security from the International Association of Classification Societies (IACS). Compiled in collaboration with ClassNK, a leading classification society and IACS member, IACS Unified Requirements E26 And E27 – Beyond Compliance outlines the process of demonstrating compliance with the forthcoming URs.
Coming into force on 1 July 2024, E26 and E27 will establish minimum requirements for the cyber-resilience capabilities of newbuild vessels and their connected systems, respectively. While the paper reports that their implementation will provide “full visibility of a vessel’s computer assets and network infrastructure”, it also acknowledges the URs’ limitations: they leave room for a more in-depth risk-assessment process and for organisations to pay additional attention to cyber-security policy and associated procedures.
Best practice in addressing cyber-security requirements is to take a risk-based approach, where cyber-risk controls are implemented following a thorough risk assessment, and consist of people, process, and technology in a balanced manner. Among these, the human aspect is an important link, fostering cyber hygiene through training, while defining clear roles and responsibilities within an organization.
… said Makiko Tani, Deputy Manager, Cyber Security for maritime classification body ClassNK
UR E27 aims to support manufacturers and OEMs of onboard operational systems and equipment in evaluating and improving their cyber resilience. It offers comprehensive instructions relating to security philosophy, documentation, system requirements, secure development lifecycle requirements, and plan approval.
Based on and incorporating elements of the International Electrotechnical Commission standard IEC 62443, E27’s system requirements cover 30 security capabilities required by all computer-based systems (CBSs) and 11 additional security capabilities required by CBSs that share an interface with untrusted networks.
Demonstrating compliance with UR E27 requires the submission of the following documents (the classification society may request the submission of other documentation):
- CBS asset inventory including a list of hardware components detailing the manufacturer and model and providing a short description of their functionality; physical interfaces; the name/type of system software and its version and patch level; and supported communication protocols.
- CBS topology diagrams comprising a physical topology diagram illustrating the physical architecture of the system and a logical topology diagram illustrating the data flow between system components.
- Description of security capabilities demonstrating how the CBS meets required security capabilities with its hardware and software components.
- Test procedure of security capabilities describing how to demonstrate, through testing, that the system complies with requirements.
- Security configuration guidelines describing recommended configuration settings of the security capabilities and specifying default values.
Inmarsat Fleet Secure helps ship owners, operators, and managers to comply with cyber-security regulations including the new IACS URs while supporting meaningful enhancements across the three key areas: people and culture, network-connected systems and services, and an incident-response plan.
… commented Laurie Eve, Chief of Staff, Inmarsat Maritime