Maritime Cybersecurity

As technologies have expanded and automation systems have become more complex and integrated with one another, the probability of cyberattacks increases, along with their potential effects on personnel, data, the safety of people and vessels, and the environment. A robust cybersecurity program has become a critical component of the overall operation of marine assets.

Attackers may target any combination of people and technology to achieve their aim, wherever there is a network connection or any other interface between onboard systems and the external world. Safeguarding ships, and shipping in general, from current and emerging threats involves a range of continually evolving measures.

The regulatory landscape surrounding cybersecurity is rapidly evolving, driven by the shipping industry's increasing reliance on digitalization, which heightens its vulnerability to cyber threats associated with Information Technology (IT) and Operational Technology (OT).

  •     Information Technology (IT) encompasses the hardware and software used to store, process and deliver data while ensuring its confidentiality and integrity. Examples of IT include office computers, phones, routers, electronic certificates and manuals, spare parts lists, the planned maintenance system, crew lists and charter parties. A compromise of IT systems can lead to loss of sensitive data, damage to the company’s reputation and scheduling delays. While these consequences can have a negative financial impact on the company, they may not directly threaten the safety of the crew, vessel or environment.
  •     Operational Technology (OT) refers to the automated systems, hardware and software that monitor and control physical devices, processes and events. OT focuses on the safe physical operation of on-board control systems while ensuring their availability and integrity. Examples of OT include propulsion control, steering control, power management, cargo management, dynamic positioning, data loggers, ECDIS, RADAR, GNSS, PLCs and SCADA. A compromise of OT systems could result in ship delays, regulatory non-compliance, and equipment and cargo damage, and could jeopardize the safety of the crew, ship and environment.

Despite their critical importance, OT systems often exhibit lower levels of cybersecurity maturity compared to IT systems. Integrating IT and OT systems facilitates communication, data sharing and operational efficiency, but this connectivity also introduces additional cyber risks that must be effectively managed.

As the maritime industry continues to evolve, it is imperative for stakeholders to prioritize cybersecurity strategies that address the unique challenges posed by IT and OT environments. Proactive measures, regular assessments and adherence to emerging regulations will be vital in safeguarding maritime operations against the growing threat of cyber incidents.

In June 2017, the International Maritime Organization’s (IMO) Maritime Safety Committee (MSC) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMSs). The resolution affirmed that an approved SMS should incorporate cyber risk management in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code.

The resolution also encouraged flag Administrations to ensure that cyber risks are appropriately addressed in SMSs no later than the first annual verification of the company's Document of Compliance (DOC) after January 1, 2021.

To further support the shipping industry in managing cyber risks, the IMO published the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3). These guidelines lay out high-level recommendations for safeguarding maritime operations from current and emerging cyber threats and vulnerabilities. For more detailed guidance, clients are directed to refer to the requirements of flag Administrations and relevant international and industry standards and best practices. In May 2024, the MSC approved the third revision of these guidelines, designated MSC-FAL.1/Circ.3/Rev.3.


In April 2022, the International Association of Classification Societies (IACS) released two new Unified Requirements (URs) relating to cyber resilience on board marine vessels:

  •      IACS UR E26 – Cyber Resilience of Ships
  •      IACS UR E27 – Cyber Resilience of On-Board Systems and Equipment

In September 2023, IACS announced their plan to issue revisions to URs E26 and E27 and to delay the implementation dates of the original documents.

Both URs were scheduled to have an entry into force date of January 1, 2024, for new construction vessels.

After publishing the original versions, IACS collected industry feedback and continued work to improve these URs. As a result, IACS published the Rev. 1 version of UR E27 in September 2023 and the Rev. 1 version of UR E26 in November 2023. The Rev. 1 versions of the URs indicated an entry into force date of July 1, 2024.

To avoid confusion between the two versions of these URs, IACS decided that the Rev. 1 versions would supersede the original versions. Therefore, the original versions never entered into force. Only the Rev. 1 versions have entered into force, with an entry-into-force date of July 1, 2024.

As of this entry into force date, these requirements are mandatory for new construction ships and offshore vessels.

The IACS URs E26 and E27 were developed to establish a common set of minimum functional and performance criteria to deliver a ship that can be described as cyber resilient.

UR E26 Cyber Resilience of Ships

UR E26 aims to provide the minimum set of requirements for cyber resilience of ships. It is intended for the design, construction, commissioning and operational life of the ship. This UR covers five key functional aspects for cybersecurity: Identify, Protect, Detect, Respond and Recover.

Identify

  •     Inventory of hardware and software of the applicable Computer Based Systems (CBSs)
  •     Arrangements of networks connecting these CBSs to each other and to other CBSs on board or ashore

Protect

  •     Security zones and network segmentation
  •     Network protection safeguards
  •     Antivirus, antimalware, antispam and other protections from malicious code
  •     Access control
  •     Wireless communication
  •     Remote access control and communication with untrusted networks
  •     Use of mobile and portable devices

Detect

  •     Network operation monitoring
  •     Verification and diagnostic functions of CBSs and networks

Respond

  •     Incident response plan
  •     Local, independent and/or manual operation
  •     Network isolation
  •     Fallback to minimal risk condition

Recover

  •     Recovery plan
  •     Backup and restore capability
  •     Controlled shutdown, reset, roll-back and restart

Furthermore, the Rev. 1 version of the UR includes information regarding demonstration of compliance (for example, during the construction phase, the commissioning phase and annual surveys).

The UR also requires a Cyber Resilience Test Procedure to be developed for the vessel. The procedure covers testing during the construction and commissioning phases as well as during the annual surveys (i.e. the operational life of the vessel).

UR E27 Cyber Resilience of On-board Systems and Equipment

UR E27 aims to provide the minimum security capabilities for systems and equipment to be cyber resilient. It is intended for third-party equipment suppliers.

The following documents shall be submitted to ABS for review and approval in accordance with the requirements in UR E27. 

  •     CBS asset inventory
  •     Topology diagrams
  •     Description of security capabilities
  •     Test procedure of security capabilities
  •     Security configuration guidelines
  •     Secure Development Lifecycle (SDLC) documents
  •     Plans for maintenance and verification of the CBS
  •     Information supporting the owner’s incident response and recovery plan
  •     Management of change plan
  •     Test reports

The required security capabilities and the secure development lifecycle (SDLC) requirements for CBSs are detailed in UR E27. Additionally, the steps for demonstration of compliance with UR E27 are described.

To streamline the certification process and mitigate cybersecurity vulnerabilities in the supply chain, ABS offers type approval to CBS suppliers. Type approval is voluntary and applies to CBSs that are standardized and routinely manufactured. If a CBS has a type approval certificate covering the requirements of E27, the certification process at the vessel level is significantly expedited. Therefore, it is highly recommended that suppliers pursue type approval, as it saves time and effort when the same CBS is utilized across multiple vessels.

The steps for obtaining a System Certificate of compliance with E27 are detailed in Section 6, Demonstration of Compliance, of the UR-E27 and summarized as follows:

  •     For CBS without type approved E27 security capabilities:
    •     The complete set of documents listed in Appendix 2 of the UR-E27 shall be submitted by the supplier to ABS for plan approval.
    •     The supplier shall also undergo Survey and Factory Acceptance Testing (FAT) at their premises.
  •     For CBS with type approved E27 security capabilities:
    •     A reduced set of vessel-specific documents, as specified in Appendix 2 of the UR-E27, shall be submitted by the supplier to ABS for plan approval. These documents include the CBS asset inventory, topology diagrams and test reports.

The IACS URs E26 and E27 are applicable to the following vessels:

  •     Vessels engaged in international voyages:
    •     Passenger ships
    •     Cargo ships >500 gross tons (gt)
    •     High speed craft >500 gt
  •     Mobile offshore drilling units >500 gt
  •     Self-propelled mobile offshore units engaged in construction:
    •     Wind turbine installation maintenance and repair
    •     Crane units, drilling tenders and accommodation

The IACS URs E26 and E27 on cyber resilience have been incorporated into the 2024 ABS Marine Vessel Rules (MVR). These requirements are detailed in the following sections:

  •     4-9-13 “Cyber Resilience for Vessels”
  •     4-9-14 “Cyber Resilience for On-board Systems and Equipment”

Vessels that comply with the cyber resilience requirements outlined in Section 4-9-13 of the 2024 ABS MVR will be assigned the Cyber Resilience (CR) notation. This notation is mandatory for vessels within the scope of applicability, contracted after July 1, 2024. It can also be requested by vessels out of the scope of applicability, provided they meet the requirements.

In addition, ABS offers the CS-System, CS-Ready, CS-1 and CS-2 optional notations to vessels and offshore assets that comply with ABS requirements contained in the Cybersecurity Implementation for the Marine and Offshore Industries (ABS CyberSafety® Volume 2).

1.    CS-System indicates that the original equipment manufacturer (OEM) has developed, embedded, and described cybersecurity capabilities in the critical system and communicated unresolved potential cybersecurity vulnerabilities to the shipbuilder and owner. The OEM is to have a CyberSafety Product Design Assessment (PDA) and is to be recognized as an ABS CyberSafety Service Supplier.

        a.    CyberSafety PDA is for a digitally enabled component or complex system that documents known cybersecurity vulnerabilities to facilitate an asset owner’s cybersecurity risk analysis and remediation. The OEM’s CBS receives an ABS CyberSafety PDA Certificate when it meets the requirements set forth in the ABS CyberSafety for Equipment Manufacturers (ABS CyberSafety® Volume 7).

2.    CS-Ready indicates that a vessel being outfitted with cyber-enabled systems is constructed and documented in accordance with the ABS Guide for Cybersecurity Implementation for the Marine and Offshore Industries. CS-Ready pertains to a vessel under construction and ends when the vessel enters service. CS-Ready is not renewable.

3.    CS-1 indicates that cybersecurity risks have been identified onboard, and the necessary steps have been taken to implement mitigating controls based on industry-recognized cybersecurity guidance.

4.    CS-2 indicates that additional policies and procedures concerning cybersecurity system management have been implemented. The requirements for CS-1 notation must be met before a CS-2 notation can be achieved.

The United States Coast Guard (USCG) has taken significant steps to strengthen cyber defenses and compliance with cybersecurity incident reporting rules for vessels, offshore and port facilities. An executive order signed in February 2024 mandates that cyber threats be addressed through updates to Part 6 of Title 33 of the Code of Federal Regulations (CFR). This new regulation grants the Captain of the Port (COTP) and the Commandant of the USCG expanded authorities to strengthen cybersecurity measures.

The executive order defines "cyber incident" and establishes a reporting requirement for these cyber incidents. According to the updated 33 CFR Part 6, any evidence of sabotage, subversive activity, or an actual or threatened cyber incident endangering vessels, harbors, ports or waterfront facilities must be immediately reported to the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the COTP. This reporting requirement also applies to foreign-flagged vessels operating in U.S. waters and ports.

Given the expanded authority, the USCG has published a Notice of Proposed Rulemaking (NPRM) through the Federal Register to update its maritime security regulations. This proposed rule would introduce several requirements for owners or operators of U.S.-flagged vessels, facilities and Outer Continental Shelf (OCS) facilities. It would also mandate the implementation of cybersecurity measures aimed at identifying risks, detecting threats and vulnerabilities, protecting critical systems and facilitating recovery from cyber incidents. The USCG proposes an implementation period of 12 to 18 months from the effective date of the final rule.

1.    What cybersecurity framework should an operator follow for existing fleets?

An operator should follow IMO’s revised recommendation MSC-FAL.1/Circ.3. Apart from IMO’s guidance, there are several publications discussing cybersecurity in industrial control systems, from NIST 800-82 and the NIST Cybersecurity Framework 2.0 to BIMCO’s Guidelines, which are more focused on maritime cybersecurity. In addition, ABS has its own Guide on cybersecurity for existing vessels.

2.    Which vessels are subject to the new IACS Cyber Resilience requirements?

The requirements apply to vessels contracted for construction on or after July 1, 2024, that meet the following criteria:

  •     Passenger ships (including passenger high-speed craft) engaged in international voyages
  •     Cargo ships of 500 gt and upwards engaged in international voyages
  •     High-speed craft of 500 gt and upwards engaged in international voyages
  •     Mobile offshore drilling units of 500 gt and upwards
  •     Self-propelled mobile offshore units engaged in construction

3.    How will these new IACS requirements for Cyber Resilience affect our company’s valid Type Approval Certificates (TAC) for computer-based systems?

These requirements will not affect the validity of any current TAC. However, these CBSs cannot be used on vessels contracted for construction after July 1, 2024, to which these requirements apply.

For type approved equipment that will be subject to E27 requirements, upon submission and completion of reviews against UR E27, we will modify the existing TAC, adding compliance with E27 with a validity of 5 years.

It is important to note that additional items will still need to be submitted after a TAC is issued, for the vessel-specific review. These items are listed in Appendix 2 of E27 and include the CBS asset inventory, topology drawings and test reports.

4.    What requirements will sub-suppliers need to follow for vessels and systems applicable to the new IACS requirements for Cyber Resilience?

Sub-suppliers are also subject to the cybersecurity requirements of E27. These requirements should be listed in the purchasing specification or agreement with sub-suppliers to ensure that the relevant sections of E27 are complied with.

5.    What is the timeline for review of the applicable computer-based systems for the new IACS requirements for Cyber Resilience?

ABS has a 4-week engineering turnaround time for a review once a complete set of documents has been submitted. As this is a new process for many manufacturers, we advise an 8-week lead time for this project, as there are typically a few rounds of comments between ABS and the client. Upon approval of the CBS, the client may then contact the local ABS survey office to arrange witnessing of the FAT. Once the engineering approval certificate and survey/FAT are complete, ABS will issue a system certificate that will accompany the CBS upon delivery to the system integrator.

6.    Do Inert Gas Systems and Exhaust Gas Cleaning Systems (EGCS) need to comply with UR E27?

Inert Gas Systems need to comply with UR E27, as their compromise could lead to dangerous situations for human safety and/or safety of the vessel.

Given that the majority of EGCS are connected to the ship’s network, data and information related to the EGCS can be relayed to various control locations onboard and onshore. However, it is possible that an EGCS will not be connected to the ship’s network, as there are no requirements stating that it must be.

If the EGCS is connected to the ship’s network, a cyber incident related to the EGCS can also impact other systems onboard.

As a result, the drawings and documentation for the EGCS should be submitted so that ABS can review the actual arrangements and properly determine the applicability of the IACS Cyber Resilience URs to the EGCS.

7.     How do the ABS cyber notations align with IACS cyber resilience requirements?

ABS offers two types of notations with regard to cyber.

The CR notation fully aligns with the requirements within the cyber resilience URs.

The other ABS cyber notations, such as CS-1, CS-2, etc., follow a risk-based approach. It is up to the operator to perform a rigorous risk assessment and develop a risk management plan. Based on the risk assessment results, they can then select the appropriate controls to mitigate the identified cybersecurity risks. Thus, the ABS methodology provides more flexibility and is geared towards both existing fleets and new construction vessels.

IACS, on the other hand, assumes that the baseline risk assessment has already been completed and mandates selected controls as a minimum for the vessel to be considered cyber resilient.

Also, considering that existing vessels typically lack network segmentation and certification of their systems and equipment against the selected system requirements in IEC 62443-3-3, the IACS requirements might be more challenging for them to meet unless they undergo a retrofit or a major modification.

 
