Maritime Cybersecurity


Overview

As technologies have expanded and automation systems have become more complex and more tightly integrated with one another, the probability of cyberattacks increases, along with their potential effects on personnel, data, the safety of people and vessels, and the environment. A robust cybersecurity program has become a critical component of the overall operation of marine assets.

Attackers may target any combination of people and technology to achieve their aim, wherever there is a network connection or any other interface between onboard systems and the external world. Safeguarding ships, and shipping in general, from current and emerging threats involves a range of continually evolving measures.

The regulatory landscape surrounding cybersecurity is rapidly evolving, driven by the shipping industry's increasing reliance on digitalization, which heightens its vulnerability to cyber threats associated with Information Technology (IT) and Operational Technology (OT).

  • Information Technology (IT) encompasses the hardware and software used to store, process and deliver data, with a focus on its confidentiality and integrity. Examples of IT include office computers, phones, routers, electronic certificates and manuals, spare parts lists, the planned maintenance system, crew lists and charter parties. A compromise of IT systems can lead to loss of sensitive data, damage to the company’s reputation and scheduling delays. While these consequences can have a negative financial impact on the company, they may not directly threaten the safety of the crew, vessel or environment.

  • Operational Technology (OT) refers to the automated systems, hardware and software that monitor and control physical devices, processes and events. OT focuses on the safe physical operation of on-board control systems, with an emphasis on their availability and integrity. Examples of OT include propulsion control, steering control, power management, cargo management, dynamic positioning, data loggers, ECDIS, RADAR, GNSS, PLCs and SCADA. A compromise of OT systems could result in ship delays, regulatory non-compliance, and equipment and cargo damage, and could jeopardize the safety of the crew, ship and environment.

Despite their critical importance, OT systems often exhibit lower levels of cybersecurity maturity than IT systems. Integrating IT and OT systems facilitates communication, data sharing and operational efficiency, but this connectivity also introduces additional cyber risks that must be effectively managed.

As the maritime industry continues to evolve, it is imperative for stakeholders to prioritize cybersecurity strategies that address the unique challenges posed by IT and OT environments. Proactive measures, regular assessments and adherence to emerging regulations will be vital in safeguarding maritime operations against the growing threat of cyber incidents.

ABS Rules and Notations

The IACS URs E26 and E27 on cyber resilience have been incorporated into the ABS Marine Vessel Rules (MVR). These requirements are detailed in the following sections:

  • 4-9-13 “Cyber Resilience for Vessels”

  • 4-9-14 “Cyber Resilience for On-board Systems and Equipment”

Vessels that comply with the cyber resilience requirements outlined in Section 4-9-13 of Part 4 of the ABS MVR (January 2026) will be assigned the Cyber Resilience (CR) notation. This notation is mandatory for vessels within the scope of applicability that are contracted after July 1, 2024. It can also be requested for vessels outside the scope of applicability, provided they meet the requirements.

In addition, ABS offers the CS-1, CS-2, and CR-Ex optional notations to vessels and offshore assets that comply with ABS requirements contained in the Cybersecurity Implementation for the Marine and Offshore Industries (ABS CyberSafety® Volume 2, June 2025).

  1. CS-1 indicates that cybersecurity risks have been identified onboard, and the necessary steps have been taken to implement mitigating controls based on industry-recognized cybersecurity guidance.

  2. CS-2 indicates that additional policies and procedures concerning cybersecurity system management have been implemented. The requirements for CS-1 notation must be met before a CS-2 notation can be achieved.

  3. CR-Ex indicates compliance with the applicable requirements for existing vessels and provides a method for applying the elements of Cyber Resilience to existing vessels through an established cyber security program.

IMO Requirements

In June 2017, the International Maritime Organization’s (IMO) Maritime Safety Committee (MSC) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMSs). The resolution affirms that an approved SMS should incorporate cyber risk management in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code.

The resolution further encourages Administrations to ensure that cyber risks are appropriately addressed in SMSs no later than the first annual verification of the Company’s Document of Compliance (DOC) after 1 January 2021. 

To further support implementation, IMO issued the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3), which provide high-level, risk-based recommendations for safeguarding shipping from cyber threats and vulnerabilities. These guidelines are intended to be incorporated into existing risk management processes and are complementary to established safety and security management practices.

On 4 April 2025, IMO published the latest revision, MSC-FAL.1/Circ.3/Rev.3, which supersedes the previous version and reflects the increasing reliance on digitalization, integration and automation within the maritime sector. Compared with Rev.2, Rev.3 enhances the guidance by aligning the functional elements with NIST Cybersecurity Framework (CSF) 2.0, including the addition of the Govern function alongside Identify, Protect, Detect, Respond and Recover, thereby strengthening the governance dimension of effective cyber risk management. Rev.3 also updates the section on standards and best practices for implementation of cyber risk management by adding IACS UR E26 (Cyber resilience of ships) and IACS UR E27 (Cyber resilience of onboard systems and equipment). In addition, the revised guidelines adopt updated terminology, including the broader concept of Computer Based Systems (CBS), and place greater emphasis on embedding cyber resilience throughout the lifecycle of shipboard systems and within the Safety Management System (SMS).

IACS Unified Requirements

In April 2022, the International Association of Classification Societies (IACS) issued Unified Requirements (UR) E26, Cyber Resilience of Ships, and UR E27, Cyber Resilience of On-Board Systems and Equipment.  

Following industry feedback, IACS revised both requirements and delayed their implementation. The revised versions — UR E27 Rev. 1, published in September 2023, and UR E26 Rev. 1, published in November 2023 — superseded the original documents and entered into force on July 1, 2024.  

As of that date, these requirements are mandatory for new construction ships and offshore vessels.  

  • IACS UR E26 – Cyber Resilience of Ships

  • IACS UR E27 – Cyber Resilience of On-Board Systems and Equipment

The IACS URs E26 and E27 were developed to establish a common set of minimum functional and performance criteria to deliver a ship that can be described as cyber resilient. 

In addition to the Unified Requirements, IACS has also issued Recommendations that provide supplementary guidance to support implementation, including: 

  • IACS Recommendation No. 190 – Vessel Asset Inventory for Computer-Based Systems, published in June 2025, provides further guidance on the development and maintenance of asset inventories (hardware and software) of CBSs, required under UR E26 and E27, across design, construction and operation. 
  • IACS Recommendation No. 194 – Cybersecurity Controls for Existing Ships, published in December 2025, provides guidance on identifying a minimum set of technical and procedural controls for existing vessels, with a clear focus on OT environments. Rec. 194 complements the ISM Code and MSC.428(98), addressing the existing fleet where UR E26 does not apply.


UR E26 Cyber Resilience of Ships

UR E26 aims to provide the minimum set of requirements for cyber resilience of ships. It is intended for the design, construction, commissioning and operational life of the ship. This UR covers five key functional aspects of cybersecurity: Identify, Protect, Detect, Respond and Recover.

Identify

  • Inventory of hardware and software of the applicable Computer Based Systems (CBSs) 
  • Arrangements of networks connecting these CBSs to each other and to other CBSs on board or ashore 

Protect

  • Security zones and network segmentation 
  • Network protection safeguards 
  • Antivirus, antimalware, antispam and other protections from malicious code 
  • Access control 
  • Wireless communication 
  • Remote access control and communication with untrusted networks 
  • Use of mobile and portable devices 

Detect

  • Network operation monitoring 
  • Verification and diagnostic functions of CBSs and networks 

Respond

  • Incident response plan 
  • Local, independent and/or manual operation 
  • Network isolation 
  • Fallback to minimal risk condition 

Recover

  • Recovery plan 
  • Backup and restore capability 
  • Controlled shutdown, reset, roll-back and restart 

Furthermore, the Rev.1 version of the UR includes information regarding demonstration of compliance (for example, during the construction phase, commissioning phase and annual surveys). 

The UR also requires the Cyber Resilience Test Procedure to be developed for the vessel. The procedure would cover the testing during the construction phase and commissioning as well as during the annual surveys (i.e. operational life of the vessel). 


UR E27 Cyber Resilience of On-board Systems and Equipment

UR E27 aims to provide the minimum security capabilities for systems and equipment to be cyber resilient. It is intended for third-party equipment suppliers.

The following documents shall be submitted to ABS for review and approval in accordance with the requirements in UR E27.  

  • CBS asset inventory 
  • Topology diagrams 
  • Description of security capabilities 
  • Test procedure of security capabilities 
  • Security configuration guidelines 
  • Secure Development Lifecycle (SDLC) documents 
  • Plans for maintenance and verification of the CBS 
  • Information supporting the owner’s incident response and recovery plan 
  • Management of change plan 
  • Test reports 

The required security capabilities and the secure development lifecycle (SDLC) requirements for CBSs are detailed in UR E27. Additionally, the steps for demonstration of compliance with UR E27 are described. 


To streamline the certification process and mitigate cybersecurity vulnerabilities in the supply chain, ABS offers type approval to CBS suppliers. Type approval is voluntary and applies to CBSs that are standardized and routinely manufactured. If a CBS has a type approval certificate covering the requirements of UR E27, the certification process at the vessel level is significantly expedited. Therefore, it is highly recommended that suppliers pursue type approval, as it saves time and effort when the same CBS is utilized across multiple vessels.

The steps for obtaining a System Certificate of compliance with UR E27 are detailed in Section 6, Demonstration of Compliance, of the UR E27 and summarized as follows: 

  • For CBS without type approved UR E27 security capabilities:
    • The complete set of documents listed in Appendix 2 of UR E27 shall be submitted by the supplier to ABS for plan approval.
    • The supplier shall also undergo Survey and Factory Acceptance Testing (FAT) at their premises.
  • For CBS with type approved UR E27 security capabilities:
    • A reduced set of vessel-specific documents, as specified in Appendix 2 of UR E27, shall be submitted by the supplier to ABS for plan approval. These documents include the CBS asset inventory, topology diagrams and test reports.


The IACS URs E26 and E27 are applicable to the following vessels:

  • Vessels engaged in international voyages:
    • Passenger ships
    • Cargo ships >500 gross tons (gt)
    • High speed craft >500 gt
  • Mobile offshore drilling units >500 gt
  • Self-propelled mobile offshore units engaged in construction:
    • Wind turbine installation, maintenance and repair
    • Crane units, drilling tenders and accommodation

EU Framework

The European Union’s cybersecurity framework is becoming increasingly relevant to the maritime sector as digitalization expands across ships, ports, ship-shore interfaces and supporting supply chains. Two key instruments are the NIS2 Directive and the Cyber Resilience Act (CRA). While these are horizontal EU measures rather than maritime-specific regulations, they may apply directly to maritime stakeholders depending on their role, activities and products.


NIS2 Directive

The NIS2 Directive, applicable since 18 October 2024, addresses cybersecurity at the entity/operator level. In the maritime sector, it may apply to shipping companies, operators and other organizations that fall within scope as essential or important entities under EU law.

  • Focuses on cyber risk management and incident reporting

  • Strengthens expectations for governance, accountability and oversight

  • Relevant to maritime organizations where in scope under EU law


Cyber Resilience Act (CRA)

The CRA establishes cybersecurity requirements for products with digital elements, including hardware, software and related remote data processing solutions placed on the EU market. For the maritime sector, it is particularly relevant to shipboard products and equipment that may fall within scope.

  • Applies from 11 December 2027

  • Certain reporting obligations apply from September 2026

  • Relevant to manufacturers, importers and distributors

  • May affect onboard IT and OT products placed on the EU market

Frequently Asked Questions

1. What cybersecurity framework should an operator follow for existing fleets?

An operator should follow IMO’s revised guidelines, MSC-FAL.1/Circ.3. Apart from IMO’s guidance, there are several publications discussing cybersecurity in industrial control systems, from NIST SP 800-82 and the NIST Cybersecurity Framework 2.0 to BIMCO’s Guidelines, which are more focused on maritime cybersecurity. In addition, ABS has its own Guide to cybersecurity for existing vessels, which is available here.

2. Which vessels are subject to the new IACS Cyber Resilience requirements? 

The requirements apply to vessels contracted for construction on or after July 1, 2024, that meet the following criteria:

  • Passenger ships (including passenger high-speed craft) engaged in international voyages

  • Cargo ships of 500 gt and upwards engaged in international voyages

  • High-speed craft of 500 gt and upwards engaged in international voyages

  • Mobile offshore drilling units of 500 gt and upwards

  • Self-propelled mobile offshore units engaged in construction

3. How will these new IACS requirements for Cyber Resilience affect our company’s existing Type Approval Certificates (TAC) for computer-based systems (CBS)? 

Existing TACs remain valid; however, equipment covered by those TACs cannot be applied to vessels contracted after July 1, 2024, where the new cyber resilience requirements apply.

If the equipment already has an existing Type Approval Certificate (TAC) and it now needs to meet UR E27 cyber requirements, ABS will review it for E27 and, provided it meets the applicable requirements, will amend the existing TAC to show that compliance.

It is important to note that there are still additional items that will need to be submitted after a TAC is issued for the specific vessel review. These items are listed in Appendix 2 of E27, and include the CBS asset inventory, topology drawings, and test reports.


4. What requirements will sub-suppliers need to follow for vessels and systems applicable to the new IACS requirements for Cyber Resilience?

Sub-suppliers are also subject to the cybersecurity requirements of UR E27. These requirements should be listed in the purchasing specification or agreement with sub-suppliers so that the relevant sections of UR E27 are complied with.

5. What is the timeline for review of the applicable computer-based systems for the new IACS requirements for Cyber Resilience? 

As this is a new process for many manufacturers, we advise an 8-week lead time to cover the engineering review and witness testing. Once the engineering approval certificate and survey/FAT are complete, ABS will issue a system certificate that will accompany the CBS upon delivery to the system integrator.

6. Do Inert Gas Systems and Exhaust Gas Cleaning Systems (EGCS) need to comply with UR E27?

Inert Gas Systems need to comply with UR E27, as their compromise could lead to dangerous situations for human safety and/or safety of the vessel. 

Given that the majority of EGCS are connected to the ship’s network, data and information related to the EGCS can be relayed to various control locations onboard and onshore. However, an EGCS may not be connected to the ship’s network, as there is no requirement mandating such a connection.

If the EGCS is connected to the ship’s network, a cyber incident related to the EGCS can also impact other systems onboard.

As a result, the drawings and documentation for the EGCS should be submitted, so that ABS can review the actual arrangements and properly determine the applicability of the IACS Cyber Resilience URs to the EGCS.


7. How do the ABS cyber notations align with IACS cyber resilience requirements?

ABS offers two types of cyber notations.

The CR notation fully aligns with the requirements within the cyber resilience URs.

The other ABS cyber notations, such as CS-1, CS-2, etc., follow a risk-based approach. It is up to the operator to perform a rigorous risk assessment and develop a risk management plan. Based on the risk assessment results, they can then select the appropriate controls to mitigate the identified cybersecurity risks. Thus, the ABS methodology provides more flexibility and is geared towards both existing fleets and new construction vessels.

IACS, on the other hand, assumes that the baseline risk assessment has already been completed, and it mandates selected controls as a minimum to consider the vessel as cyber resilient. 

Also, considering that existing vessels typically lack network segmentation and certification of their systems and equipment against the selected system requirements in IEC 62443-3-3, the IACS requirements might be more challenging for them to meet, unless they are going through a retrofit or a major modification.

8. Who is responsible for ensuring cybersecurity training under the USCG’s final rule? 

  • The owner or operator of an MTSA-regulated facility or vessel is ultimately responsible for ensuring that all required personnel receive cybersecurity training relevant to the Cybersecurity Plan and procedures of that regulated facility or vessel, in accordance with 33 CFR 101.650(d).

  • Under 33 CFR 101.625(d), the Cybersecurity Officer (CySO), who acts on behalf of the owner/operator, has the responsibility to ensure adequate cybersecurity training of personnel.

9. Will the USCG accept and review the submission of a Cybersecurity Plan in accordance with the final rule right now? 

  • Plans are not being approved yet: The Coast Guard is not currently approving Plans for these regulations. Review and approval procedures are being developed to ensure consistent application of standards for the maritime industry.

  • Previously Submitted Plans: If a Plan has already been submitted, it will be securely retained until the review and approval process is finalized.

10. In accordance with USCG’s final rule, can similar vessels share one Cybersecurity Plan? 

  • Yes, owners/operators may submit one Cybersecurity Plan for two or more U.S.-flagged vessels with similar operations.

  • The Plan must address any specific cybersecurity risk differences between individual vessels.

11. Based on USCG’s final rule, what is the purpose and expected frequency of mandatory cyber assessments and audits? 

Cybersecurity assessments are intended to identify risks and vulnerabilities to inform the development and ongoing maintenance of the Cybersecurity Plan. For this reason, an initial assessment must be conducted no later than 16 July 2027, before developing the Cybersecurity Plan. Assessments must be conducted annually thereafter, or sooner if there is a change of ownership.

Internal cybersecurity audits are intended to identify any issues or changes since the previous audit and determine whether amendments to the Cybersecurity Plan are necessary. Audits must be carried out at least annually, and more frequently in cases of owner or operator change or modifications to cybersecurity measures [per 33 CFR 101.630(f)].