Frequently Asked Questions
1. What cybersecurity framework should an operator follow for existing fleets?
An operator should follow IMO's revised recommendation MSC-FAL.1/Circ.3. Apart from IMO's guidance, there are several publications discussing cybersecurity in industrial control systems, from NIST SP 800-82 and the NIST Cybersecurity Framework 2.0 to BIMCO's Guidelines, which are more focused on maritime cybersecurity. In addition, ABS publishes its own Guide to Cybersecurity for existing vessels.
2. Which vessels are subject to the new IACS Cyber Resilience requirements?
Applicable vessels are those contracted for construction on or after July 1, 2024, that meet the following criteria:
3. How will these new IACS requirements for Cyber Resilience affect our company’s existing Type Approval Certificates (TAC) for computer-based systems (CBS)?
Existing TACs remain valid; however, equipment covered by those TACs cannot be applied to vessels contracted after July 1, 2024, where the new cyber resilience requirements apply.
If the equipment already has an existing Type Approval Certificate (TAC) and it now needs to meet UR E27 cyber requirements, ABS will review it against E27 and, provided it meets the applicable requirements, will amend the existing TAC to show that compliance.
It is important to note that there are still additional items that will need to be submitted after a TAC is issued for the specific vessel review. These items are listed in Appendix 2 of E27, and include the CBS asset inventory, topology drawings, and test reports.
4. What requirements will sub-suppliers need to follow for vessels and systems applicable to the new IACS requirements for Cyber Resilience?
Sub-suppliers are also subject to the cybersecurity requirements of E27. These requirements should be listed in the purchasing specification or agreement with sub-suppliers so that the relevant sections of E27 are complied with.
5. What is the timeline for review of the applicable computer-based systems for the new IACS requirements for Cyber Resilience?
As this is a new process for many manufacturers, we advise an 8-week lead time to cover the engineering review and witness testing. Once the engineering approval certificate and survey/FAT are complete, ABS will issue a system certificate that will accompany the CBS upon delivery to the system integrator.
6. Do Inert Gas Systems and Exhaust Gas Cleaning Systems (EGCS) need to comply with UR E27?
Inert Gas Systems need to comply with UR E27, as their compromise could lead to dangerous situations for human safety and/or safety of the vessel.
Since the majority of EGCS are connected to the ship's network, data and information related to the EGCS can be relayed to various control locations onboard and onshore. However, an EGCS may also be left unconnected, as there is no requirement stating that it must be connected to the ship's network.
If the EGCS is connected to the ship’s network, a cyber incident related to the EGCS can also impact other systems onboard.
As a result, the drawings and documentation for the EGCS should be submitted, so that ABS can review the actual arrangements and properly determine the applicability of the IACS Cyber Resilience URs to the EGCS.
7. How do the ABS cyber notations align with IACS cyber resilience requirements?
ABS offers two types of notations with regard to cyber.
The CR notation fully aligns with the requirements within the cyber resilience URs.
The other ABS cyber notations, such as CS1, CS2, etc., follow a risk-based approach. It is up to the operator to perform a rigorous risk assessment and develop a risk management plan. Based on the risk assessment results, the operator can then select the appropriate controls to mitigate the identified cybersecurity risks. The ABS methodology therefore provides more flexibility and is geared towards both existing fleets and new construction vessels.
IACS, on the other hand, assumes that the baseline risk assessment has already been completed, and it mandates selected controls as a minimum to consider the vessel as cyber resilient.
Also, considering that existing vessels typically lack network segmentation and lack certification of their systems and equipment against the selected system requirements of IEC 62443-3-3, the IACS requirements may be more challenging for them to meet unless they are undergoing a retrofit or a major modification.
8. Who is responsible for ensuring cybersecurity training under the USCG’s final rule?
Under 33 CFR 101.625(d), the Cybersecurity Officer (CySO), who acts on behalf of the owner/operator, has the responsibility to ensure adequate cybersecurity training of personnel.
9. Will the USCG accept and review the submission of a Cybersecurity Plan in accordance with the final rule right now?
10. In accordance with USCG’s final rule, can similar vessels share one Cybersecurity Plan?
11. Based on USCG’s final rule, what is the purpose and expected frequency of mandatory cyber assessments and audits?
Cybersecurity assessments are intended to identify risks and vulnerabilities to inform the development and ongoing maintenance of the Cybersecurity Plan. For this reason, an initial assessment must be conducted no later than 16 July 2027, before developing the Cybersecurity Plan. Assessments must be conducted annually thereafter, or sooner if there is a change of ownership.
Internal cybersecurity audits are intended to identify any issues or changes since the previous audit and to determine whether amendments to the Cybersecurity Plan are necessary. Audits must be carried out at least annually, and more frequently in cases of owner or operator change or modifications to cybersecurity measures (per 33 CFR 101.630(f)).