In June 2017, the International Maritime Organization’s (IMO) Maritime Safety Committee (MSC) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMSs). The resolution affirmed that an approved SMS should incorporate cyber risk management in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code.

The resolution also encouraged flag Administrations to ensure that cyber risks are appropriately addressed in SMSs no later than the first annual verification of the company's Document of Compliance (DOC) after January 1, 2021.

To further support the shipping industry in managing cyber risks, the IMO published the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3). These guidelines lay out high-level recommendations for safeguarding maritime operations from current and emerging cyber threats and vulnerabilities. For more detailed guidance, clients are directed to refer to the requirements of flag Administrations and relevant international and industry standards and best practices. In May 2024, the MSC approved the third revision of these guidelines, designated MSC-FAL.1/Circ.3/Rev.3.

In April 2022, the International Association of Classification Societies (IACS) released two new Unified Requirements (URs) relating to cyber resilience on board marine vessels:

•      IACS UR E26 – Cyber Resilience of Ships
•      IACS UR E27 – Cyber Resilience of On-Board Systems and Equipment

In September 2023, IACS announced their plan to issue revisions to URs E26 and E27 and to delay the implementation dates of the original documents.

Both URs were scheduled to have an entry into force date of January 1, 2024, for new construction vessels.

After publishing the original versions, IACS collected industry feedback and continued work to improve these URs. As a result, IACS published the Rev. 1 version of UR E27 in September 2023 and the Rev. 1 version of UR E26 in November 2023. The Rev. 1 versions of the URs indicated an entry into force date of July 1, 2024.

To avoid confusion between the two versions of these URs, IACS has decided that the Rev. 1 versions will supersede the original versions. Therefore, the original versions did not enter into force. Only the Rev. 1 versions have entered into force and with the entry into force date being July 1, 2024.

As of this entry into force date, these requirements are mandatory for new construction ships and offshore vessels.

The IACS URs E26 and E27 were developed to establish a common set of minimum functional and performance criteria to deliver a ship that can be described as cyber resilient.

UR E26 Cyber Resilience of Ships

UR E26 aims to provide the minimum set of requirements for cyber resilience of ships. It is intended for the design, construction, commissioning and operational life of the ship. This UR covers five key functional aspects for cybersecurity: Identify, Protect, Detect, Respond and Recover.

 Identify

•     Inventory of hardware and software of the applicable Computer Based Systems (CBSs)
•     Arrangements of networks connecting these CBSs to each other and to other CBSs on board or ashore

Protect

•     Security zones and network segmentation
•     Network protection safeguards
•     Antivirus, antimalware, antispam and other protections from malicious code
•     Access control
•     Wireless communication
•     Remote access control and communication with untrusted networks
•     Use of mobile and portable devices

Detect

•     Network operation monitoring
•     Verification and diagnostic functions of CBSs and networks

Respond

•     Incident response plan
•     Local, independent and/or manual operation
•     Network isolation
•     Fallback to minimal risk condition

Recover

•     Recovery plan
•     Backup and restore capability
•     Controlled shutdown, reset, roll-back and restart

Furthermore, the Rev.1 version of the UR includes information regarding demonstration of compliance (for example, during the construction phase, commissioning phase and annual surveys).

The UR also requires the Cyber Resilience Test Procedure to be developed for the vessel. The procedure would cover the testing during the construction phase and commissioning as well as during the annual surveys (i.e. operational life of the vessel).

UR E27 Cyber Resilience of On-board Systems and Equipment

UR E27 aims to provide the minimum-security capabilities for systems and equipment to be cyber resilient. It is intended for third-party equipment suppliers.

The following documents shall be submitted to ABS for review and approval in accordance with the requirements in UR E27. 

•     CBS asset inventory
•     Topology diagrams
•     Description of security capabilities
•     Test procedure of security capabilities
•     Security configuration guidelines
•     Secure Development Lifecycle (SDLC) documents
•     Plans for maintenance and verification of the CBS
•     Information supporting the owner’s incident response and recovery plan
•     Management of change plan
•     Test reports

The required security capabilities and the secure development lifecycle (SDLC) requirements for CBSs are detailed in UR E27. Additionally, the steps for demonstration of compliance with UR E27 are described.

To streamline the certification process and mitigate cybersecurity vulnerabilities in the supply chain, ABS offers type approval to CBS suppliers. Type approval is voluntary and applies to CBS’ that are standardized and routinely manufactured. If a CBS has a type approval certificate covering the requirements of E27, the certification process at the vessel level is significantly expedited. Therefore, it is highly recommended that suppliers pursue type approval, as it saves time and effort when the same CBS is utilized across multiple vessels.

The steps for obtaining a System Certificate of compliance with E27 are detailed in Section 6, Demonstration of Compliance, of the UR-E27 and summarized as follows:

•     For CBS without type approved E27 security capabilities:
  •     The complete set of documents listed in Appendix 2 of the UR-E27 shall be submitted by the supplier to ABS for     plan approval.
•     The supplier shall also undergo Survey and Factory Acceptance Testing (FAT) at their premises.
•     For CBS with type approved E27 security capabilities:
  •     A reduced set of vessel-specific documents, as specified in Appendix 2 of the UR-E27, shall be submitted by the     supplier to ABS for plan approval. These documents include the CBS asset inventory, topology diagrams and test     reports.

The IACS URs E26 and E27 are applicable to the following vessels:

•     Vessels engaged in international voyages:
  •     Passenger ships
  •     Cargo ships >500 gross tons (gt)
  •     High speed craft >500 gt
•     Mobile offshore drilling units >500 gt
•     Self-propelled mobile offshore units engaged in construction:
  •     Wind turbine installation maintenance and repair
  •     Crane units, drilling tenders and accommodation

The IACS URs E26 and E27 on cyber resilience have been incorporated into the 2024 ABS Marine Vessel Rules (MVR). These requirements are detailed in the following sections:

•     4-9-13 “Cyber Resilience for Vessels”
•     4-9-14 “Cyber Resilience for On-board Systems and Equipment”

Vessels that comply with the cyber resilience requirements outlined in Section 4-9-13 of the 2024 ABS MVR will be assigned the Cyber Resilience (CR) notation. This notation is mandatory for vessels within the scope of applicability, contracted after July 1, 2024. It can also be requested by vessels out of the scope of applicability, provided they meet the requirements.

In addition, ABS offers the CS-System, CS-Ready, CS-1 and CS-2 optional notations to vessels and offshore assets that comply with ABS requirements contained in the Cybersecurity Implementation for the Marine and Offshore Industries (ABS CyberSafety® Volume 2).

1.    CS-System indicates that the original equipment manufacturer (OEM) has developed, embedded, and described cybersecurity capabilities in the critical system and communicated unresolved potential cybersecurity vulnerabilities to the shipbuilder and owner. The OEM is to have a CyberSafety Product Design Assessment (PDA) and is to be recognized as an ABS CyberSafety Service Supplier.

        a.    CyberSafety PDA is for a digitally enabled component or complex system that documents known cybersecurity         vulnerabilities to facilitate an asset owner’s cybersecurity risk analysis and remediation. The OEM’s CBS receives an         ABS CyberSafety PDA Certificate when it meets the requirements set forth in the ABS CyberSafety for Equipment         Manufacturers (ABS CyberSafety® Volume 7).

2.    CS-Ready indicates that a vessel being outfitted with cyber-enabled systems is constructed and documented in accordance with the ABS Guide for Cybersecurity Implementation for the Marine and Offshore Industries. CS-Ready pertains to a vessel under construction and ends when the vessel enters service. CS-Ready is not renewable.

3.    CS-1 indicates that cybersecurity risks have been identified onboard, and the necessary steps have been taken to implement mitigating controls based on industry-recognized cybersecurity guidance.

4.    CS-2 indicates that additional policies and procedures concerning cybersecurity system management have been implemented. The requirements for CS-1 notation must be met before a CS-2 notation can be achieved.

The United States Coast Guard (USCG) has taken significant steps to strengthen cyber defenses and compliance with cybersecurity incident reporting rules for vessels, offshore and port facilities. An executive order signed in February 2024 mandates that cyber threats be addressed through updates to Part 6 of Title 33 of the Code of Federal Regulations (CFR). This new regulation grants the Captain of the Port (COTP) and the Commandant of the USCG expanded authorities to strengthen cybersecurity measures.

Reporting Requirement for Cyber Incidents

The executive order defines "cyber incident" and establishes a reporting requirement for these cyber incidents. According to the updated 33 CFR Part 6, any evidence of sabotage, subversive activity, or an actual or threatened cyber incident endangering vessels, harbors, ports or waterfront facilities must be immediately reported to the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the COTP. This reporting requirement also applies to foreign-flagged vessels operating in U.S. waters and ports.

Final Rule: Cybersecurity in the Marine Transportation System

Given the expanded authority, on January 17, 2025, the USCG published a final rule titled Cybersecurity in the Marine Transportation System in the Federal Register (90 FR 6298). This rule establishes minimum cybersecurity requirements to enhance threat detection, safeguard critical systems, and support recovery from cyber incidents across the Marine Transportation System (MTS).

The rule applies to the owners and operators of U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to the Maritime Transportation Security Act (MTSA) that are required to have security plans under 33 CFR parts 104, 105, and 106. It does not apply to foreign-flagged vessels subject to 33 CFR part 104. However, such vessels should anticipate increased Port State Control scrutiny regarding cybersecurity under the International Safety Management (ISM) Code.

Key Requirements

1.    Cybersecurity Officer (CySO) (33 CFR 101.625)

Owners or operators must designate a Cybersecurity Officer (CySO) responsible for:

• Ensuring the Cybersecurity Plan is developed, implemented, and exercised.
• Conducting annual audits and updating the Cybersecurity Plan as needed.
• Executing and exercising the Cyber Incident Response Plan.
• Arranging cybersecurity inspections.
• Correcting deficiencies identified through exercises, audits, or inspections.
• Ensuring personnel receive adequate cybersecurity training.
• Recording and reporting all reportable cyber incidents to the owner or operator and taking steps to mitigate them.
• Maintaining required records and submitting reports.
• Submitting the Cybersecurity Plan and amendments for approval to the appropriate authority (COTP, OCMI, or MSC).

The CySO may hold other roles within the organization and may serve multiple U.S.-flagged vessel or facilities. CySO requirements may be satisfied either directly by the organization or through third‑party service providers.

2.    Cybersecurity Plan (33 CFR 101.630)

Owners or operators must ensure the development and maintenance of a Cybersecurity Plan that addresses preparation, prevention, and response to cybersecurity threats and vulnerabilities. The plan must include the following sections:

1.    Cybersecurity organization and identity of the Cybersecurity Officer (CySO)

2.    Personnel training

3.    Drills and exercises

4.    Records and documentation

5.    Communications

6.    Cybersecurity systems and equipment with associated maintenance

7.    Cybersecurity measures for access control, including computer, IT, and OT areas

8.    Physical security controls for IT and OT systems

9.    Cybersecurity measures for monitoring

10.  Audits and amendments to the Cybersecurity Plan

11.  Cybersecurity audit and inspection reports to include documentation of resolution or mitigation of all identified vulnerabilities

12.  Documentation of all identified unresolved vulnerabilities to include those that are intentionally unresolved due to risk acceptance by the owner or operator

13.  Cyber incident reporting procedures in accordance with part 101 of subchapter 101

14.  Cybersecurity Assessment

Each owner or operator must submit one copy of their Cybersecurity Plan for review and approval to the cognizant COTP or the Officer in Charge, Marine Inspections (OCMI) for a facility or OCS facility, or to the Marine Safety Center (MSC) for a U.S.-flagged vessel. A Plan that is approved by the COTP, OCMI, or MSC is valid for 5 years from the date of its approval.

An audit of the Cybersecurity Plan and its implementation must be conducted annually, beginning no later than 1 year from the initial date of approval. A report must be attached to the Plan certifying that the Plan meets the applicable requirements of subpart F. In addition to the annual audit, an audit of the Cybersecurity Plan must occur if there is a change in the owner or operator of the U.S.-flagged vessel, facility, or OCS facility, or if there have been modifications to the cybersecurity measures. The audits are intended to identify any issues or changes since the previous audit and prompt necessary amendments to the Cybersecurity Plan.

3.    Drills and exercises (33 CFR 101.635)

Drills and exercises must be conducted to test the personnel proficiency in assigned cybersecurity duties and the effective implementation of the Security and Cybersecurity Plans. An owner or operator may conduct a drill that involves multiple facilities or vessels simultaneously, provided that all requirements of 33 CFR 101.635 are met for each facility or vessel. These activities will assist the CySO in identifying and addressing cybersecurity deficiencies.

• Drills:
  • Must be conducted at least twice per calendar year.
  • May be held in conjunction with other security or non-security drills.
  • Must test individual elements of the Cybersecurity Plan, including responses to threats and incidents.
• Exercises:
  • Must be conducted at least once per calendar year, with no more than 18 months between exercises.
  • May be full-scale/live, tabletop simulations, or combined with other exercises.
  • Must test communication and notification procedures, coordination, resource availability, and response.
  • Must fully test the cybersecurity program and include substantial and active participation of the CySO(s).

4.    Cybersecurity measures (33 CFR 101.650)

Each owner or operator of a U.S.-flagged vessel, facility, or OCS facility must implement the following measures:

• Account Security Measures:
  • Automatic account lockout after repeated failed login attempts.
  • Replacement of default passwords or implementation of compensating controls.
  • Enforcement of minimum password strength.
  • Multifactor authentication for IT and remotely accessible OT systems, or compensating controls.
  • Least privilege principle for administrative accounts.
  • Use of separate credentials for critical systems.
  • Revocation of credentials upon personnel departure.
• Device Security Measures:
  • Inventory of approved hardware, firmware, and software.
  • Default disabling of executable code applications on critical systems.
  • Accurate inventory of network-connected systems.
  • Documentation of network map and OT device configuration.
• Data Security Measures:
  • Secure logs accessible only to privileged users.
  • Deployment of encryption to maintain confidentiality of sensitive data and integrity of IT and OT traffic, where technically feasible.
• Cybersecurity Training for Personnel:
  • Annual training covers roles, responsibilities, and incident response procedures.
• Risk Management:
  • Cybersecurity assessments.
  • Penetration testing.
  • Routine system maintenance.
• Supply Chain Security:
  • Evaluation of cybersecurity capabilities during procurement of systems and services.
  • Vendor notification of vulnerabilities or reportable incidents.
  • Monitoring and documentation of third-party connections.
• Resilience:
  • Reporting of cyber incidents to the National Response Center (NRC).
  • Development, implementation, and maintenance of the Cyber Incident Response Plan.
  • Annual validation of the Cybersecurity Plan through exercises or post-incident reviews.
  • Backup of critical systems with adequate protection and testing.
• Network Segmentation:
  • Segmentation between IT and OT networks.
  • Logging and monitoring of all IT/OT connections for suspicious activity or incidents.
• Physical Security:
  • Restricted physical access to OT and related IT equipment.
  • Securing, monitoring, and logging access to human machine interfaces (HMIs) and other hardware.
  • Blocking or disabling unused physical ports and establishing exception-based access procedures.

5.    Cyber Incident Response Plan (33 CFR 101.615)

Owners or operators must prepare and document a Cyber Incident Response Plan that outlines instructions for responding to a cyber incident and identifies key roles, responsibilities, and decision-makers amongst personnel. Depending on operational conditions and cybersecurity risks, the Cyber Incident Response Plan may be developed as a standalone document or incorporated into the Cybersecurity Plan. Vessels with identical IT/OT systems can share a single Cybersecurity Plan or Assessment, provided any deviations are addressed individually.

Training Verification Job Aid

The USCG Office of Maritime Cybersecurity Policy (MCP) has published a Cyber Training Verification Job Aid that equips Coast Guard Vessel and Facility inspectors with key questions and answers to verify cybersecurity training requirements. It provides a foundational framework for addressing common cybersecurity concerns and includes targeted queries for effective inspection procedures. This training compliance checklist is to be incorporated into a cybersecurity inspection job aid to be promulgated for use after July 16, 2027.

The questions are intended to verify the following information:

• Establishment and content of the required cybersecurity training program
• Maintenance and accessibility of the required training documentation
• Safety measures for personnel who have not yet completed the required training

Implementation Timeline:

• As of the effective date, July 16, 2025, all reportable cyber incidents must be reported to the NRC.
• Starting January 12, 2026, and annually thereafter, all personnel must complete the cybersecurity training.
• By July 16, 2027:
  • Designate the CySO.
  • Conduct a Cybersecurity Assessment, repeated annually.
  • Submit the Cybersecurity Plan to USCG for review and approval.

1.    What cybersecurity framework should an operator follow for existing fleets?

An operator should follow IMO’s revised recommendation MSC-FAL.1/Circ.3; Apart from IMO’s guidance, there are several publications discussing cybersecurity in industrial controls systems, from NIST 800-82 and the NIST Cybersecurity Framework 2.0 to BIMCO’s Guidelines which are more focused on maritime cybersecurity. In addition, ABS has its own Guide on cybersecurity for existing vessels that is available here.

2.    Which vessels are subject to the new IACS Cyber Resilience requirements?

The scope of applicable vessels are vessels contracted for construction on or after July 1, 2024, that meet the following criteria:

•     Passenger ships (including passenger high-speed craft) engaged in international voyages
•     Cargo ships of 500 gt and upwards engaged in international voyages
•     High-speed craft of 500 gt and upwards engaged in international voyages
•     Mobile offshore drilling units of 500 gt and upwards
•     Self-propelled mobile offshore units engaged in construction

3.    How will these new IACS requirements for Cyber Resilience affect our company’s valid Type Approval Certificates (TAC) for computer-based systems?

These requirements will not affect the validity of any current TAC. However, these CBS will not be able to be used for vessels contracted for construction after July 1, 2024, that these requirements apply to.

For type approved equipment that will be subject to E27 requirements, upon submission and completion of reviews against URE27, we will modify the existing TAC, adding compliance to E27 with a validity date of 5 years.

It is important to note that there are still additional items that will need to be submitted after a TAC is issued for the specific vessel review. These items are listed in Appendix 2 of E27, and include the CBS asset inventory, topology drawings and test reports.

4.    What requirements will sub-suppliers need to follow for vessels and systems applicable to the new IACS requirements for Cyber Resilience?

Sub-suppliers are also subject to the cybersecurity requirements of E27. These items should be listed in purchasing spec, or agreement with sub-suppliers to ensure the relevant sections of E27 are complied with.

5.    What is the timeline for review of the applicable computer-based systems for the new IACS requirements for Cyber Resilience?

ABS has a 4-week engineering turnaround time for a review that has a complete set of documents submitted. As this is a new process for many manufacturers, we advise an 8-week lead time for this project, as there are typically a few rounds of comments that are issued between ABS and the client. Upon approval of the CBS, the client then may reach out to the local ABS survey office to set up the witnessing of the FAT. Once the engineering approval certificate and survey/FAT are complete, ABS will issue a system certificate that will accompany the CBS upon delivery to the system integrator.

6.    Do Inert Gas Systems and Exhaust Gas Cleaning Systems (EGCS) need to comply with UR E27?

Inert Gas Systems need to comply with UR E27, as their compromise could lead to dangerous situations for human safety and/or safety of the vessel.

Given that the majority of EGCS are connected to the ship’s network, data and information related to the EGCS can be relayed to various control locations onboard and onshore. However, it is possible that the EGCS will not be connected to the ship’s network, as there are no requirements stating that the EGCS must be connected to the ship’s network. 

If the EGCS is connected to the ship’s network, a cyber incident related to the EGCS can also impact other systems onboard.

As a result, the drawings and documentation for the EGCS should be submitted, so that ABS can review the actual arrangements and properly determine the applicability of the IACS Cyber Resilience URs to the EGCS.

7.     How do the ABS cyber notations align with IACS cyber resilience requirements?

ABS offers two types of notations with regards to cyber.

The CR notation fully aligns with the requirements within the cyber resilience URs.

The other ABS cyber notations, such as CS1, CS2, etc., follow a risk-based approach. It is up to the operator to perform a vigorous risk assessment and develop a risk management plan. Based on the risk assessment results, they can then select the appropriate controls to mitigate the identified cybersecurity risks. Thus, the ABS methodology provides more flexibility and is geared towards existing fleets and new construction vessels.

IACS, on the other hand, assumes that the baseline risk assessment has already been completed and it mandates selected controls as a minimum to consider the vessel as cyber resilient. 

Also, considering that existing vessels typically lack network segmentation, and certification of their systems and equipment against the select system requirements in IEC 62443-3-3, IACS requirements might be more challenging for them to meet, unless they are going through a retrofit or a major modification.

8.    Who is responsible for ensuring cybersecurity training under the USCG’s final rule?

• The owner or operator of an MTSA regulated facility or vessel is ultimately responsible for ensuring that all required personnel receive cybersecurity training relevant to the Cybersecurity Plan and procedures of that regulated facility or vessel and in accordance with 33 CFR 101.650(d).
• Under 33 CFR 101.625(d), the Cybersecurity Officer (CySO), who acts on behalf of the owner/operator, has the responsibility to ensure adequate cybersecurity training of personnel.

9.    Will the Coast Guard accept and review the submission of a Cybersecurity Plan in accordance with the final rule right now?

• Plans are not being approved yet: The Coast Guard is not currently approving Plans for these regulations. Review and approval procedures are being developed to ensure consistent application of standards for the maritime industry.
• Previously submitted Plans: If a Plan has already been submitted, it will be securely retained until the review and approval process is finalized.

10.    In accordance with USCG’s final rule, can similar vessels share one Cybersecurity Plan?

• Yes, owners/operators may submit one Cybersecurity Plan for two or more U.S.-flagged vessels with similar operations.
• The Plan must address any specific cybersecurity risk differences between individual vessels

11.     Based on USCG’s final rule, what is the purpose and expected frequency of mandatory cyber assessments and audits?

Cybersecurity assessments are intended to identify risks and vulnerabilities in order to inform the development and ongoing maintenance of the Cybersecurity Plan. For this reason, an initial assessment must be conducted no later than 16 July 2027, before developing the Cybersecurity Plan. Assessments must be conducted annually thereafter, or sooner if there is a change of ownership.

Internal cybersecurity audits are intended to identify any issues or changes since the previous audit and determine whether amendments to the Cybersecurity Plan are necessary. Audits must be carried out at least annually, and more frequently in cases of owner or operator change or modifications to cybersecurity measures (per 33 CFR 101.630(f)).