Professional Documents
Culture Documents
MBU IACS UR E26 E27 Whitepaper June 2024.pdf - GC
MBU IACS UR E26 E27 Whitepaper June 2024.pdf - GC
requirements
E26 and E27
Cyber security
beyond
compliance
Cyber
Security
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
2
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
IACS unified
requirements
E26 and E27
Cyber security
beyond compliance
Contents
Introduction 4
UR E26 – Cyber resilience of vessels 6
Demonstrating compliance 6
Design and construction 6
Commissioning 7
Operation 7
UR E26 – Cyber resilience of onboard systems and equipment 8
Demonstrating compliance 8
The class perspective 10
Inmarsat key recommendations 12
People and culture 12
Network-connected systems and services 13
Incident-response plan 13
Inmarsat solution 14
inmarsat.com 3
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
4
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Introduction
As shipping companies worldwide look to reap the
rewards of advanced shipboard technologies to support
digitalisation, decarbonisation, and crew welfare initiatives,
data usage is soaring. According to the latest Inmarsat
statistics, data consumption by commercial vessels on
Inmarsat’s network rose 37% in 2023 vs 2022, and 13%
on offshore supply vessels during the same period.
inmarsat.com 5
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Cyber resilience
of vessels
The primary objective of UR E26 is to help Demonstrating compliance
maritime organisations to establish and The documentation required for demonstrating
maintain a secure onboard environment. This compliance with UR E26 relates to three stages
is divided into five sub-goals corresponding of the vessel lifecycle: design and construction,
with the five functions of the National Institute commissioning, and operation. Demonstrating
of Standards and Technology’s Cybersecurity compliance with E26 during the first two phases
(NIST) Framework, as summarised below: is the responsibility of the systems integrator
– whether the ship builder or an appointed
NIST framework five functions and sub-goals third party – with responsibility passing to
the ship owner at the operation phase.
Design and construction
INDENTIFY To demonstrate compliance with UR E26 at the design
and construction phase, the systems integrator must
submit the following three documents to the
ER
PR
OTECT
ND E
D ET provided by the suppliers (see below
‘Demonstrating compliance with UR E27’, item 2);
and illustrations of network communication
IDENTIFY Develop an understanding of cyber security risks to between systems within a security zone, between
facilitate their identification. systems in different security zones, and between
PROTECT Establish safeguards to protect the ship from systems in a security zone and untrusted networks.
cyber attacks.
2. Vessel asset inventory covering hardware and
DETECT Implement measures for detecting cyber incidents
on board. software – application programs, any operating
RESPOND Set up a protocol for responding to detected systems, firmware, and other software components
cyber attacks. – of the CBSs relevant to E26; and networks
RECOVER Adopt procedures to recover any capabilities and/or connecting these systems to each other and to
services impaired by a cyber incident. other CBSs on board or ashore.
6
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
inmarsat.com 7
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Cyber resilience of
onboard systems and
equipment
UR E27 aims to support manufacturers and OEMs 2. CBS topology diagrams comprising a physical
of onboard operational systems and equipment in topology diagram illustrating the physical
evaluating and improving their cyber resilience. It architecture of the system and a logical topology
offers comprehensive instructions relating to security diagram illustrating the data flow between system
philosophy, documentation, system requirements, components.
secure development lifecycle requirements, and 3. Description of security capabilities demonstrating
plan approval. Based on and incorporating elements how the CBS meets required security capabilities
of the International Electrotechnical Commission with its hardware and software components.
standard IEC 62443, E27’s system requirements cover
30 security capabilities required by all CBSs and 11 4. Test procedure of security capabilities describing
additional security capabilities required by CBSs how to demonstrate, through testing, that the
that share an interface with untrusted networks. system complies with requirements.
5. Security configuration guidelines describing
Demonstrating compliance recommended configuration settings of the security
Demonstrating compliance with UR E27 requires capabilities and specifying default values.
the submission of the following documents
(The classification society may request the
submission of other documentation):
1. CBS asset inventory including a list of hardware
components detailing the manufacturer and model
and providing a short description of their
functionality; physical interfaces; the name/type of
system software and its version and patch level; and
supported communication protocols.
8
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
UR E27 aims to
support maritime
organisations in
evaluating and
improving their
cyber resilience.
inmarsat.com 9
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
The class
perspective
According to ClassNK, an IACS member, the Capturing the cyber security challenges with
implementation of URs E26 and E27 will provide regard to the growing connected ships, ClassNK
full visibility of a newbuild vessel’s computer will work proactively with the technology enablers
assets and network infrastructure throughout and adopters of the technologies to develop
its life. It will also ensure that IACS-classed ships and provide services to ensure cyber resilient
have been delivered with a required minimum digital transformation of the industry. ClassNK
level of cyber resilience capabilities regardless of will also update its existing ClassNK Guidelines
the vessel’s type or technical specifications. on Cyber Security Management to help cyber
security champions streamline risk-based cyber
However, ClassNK also acknowledges several security controls effectively by people, process
limitations of the new URs. From the society’s and technology and further integrate them with
perspective, best practice in addressing cyber the organisation’s strategy and operations.
security requirements is to take a risk-based
approach, with cyber-risk controls to be decided and The other aspect to be noted in this paper, ClassNK
deployed following a thorough risk assessment on continues, is requirements in the “Detect” and
the asset onboard, considering risk factors such as “Respond” elements of the cyber resilience goals
the safety criticality and connectivity of the asset, included in UR E26 are quite limited and heavily
the awareness and capabilities of the crew and dependent on human operation. As higher-speed
shore-personnel, voyage patterns, cargo carried and lower-latency connectivity becomes more
and other factors that may be found necessary widespread, digital technologies to support or
by the owner. Yet since the URs are intended to automate vigilance over the ship’s networks
achieve uniform application, applicable systems and CBSs can be applied and effective.
and corresponding requirements have been
predetermined to form only a risk-assessment on In the immediate term, vessels using LEO services are
the safety criticality. As a result, additional cyber- also likely to be more attractive targets for malicious
risk controls may be necessary – particularly for attacks. Inmarsat emphasises that this makes it all the
vessels with a high degree of systems integration more imperative that they are protected and properly
and interconnectivity. ClassNK also underlines that secure in their onboard network and IT infrastructure,
it is also essential that the onboard operation is for example by using solutions like Fleet Secure UTM.
governed by established policy and procedures.
Human factors should be carefully considered. With To be better prepared for the future, ClassNK’s
humans having the potential to become either the approach is to collaborate continuously with
weakest or the strongest link in the chain, fostering industry leaders in order to establish the
cyber hygiene through training, while establishing capabilities required of the technology and
clear roles and responsibilities, plays a pivotal role processes that effectively monitor the security
in creating a cyber resilient organisation capable of of a vessel's OT network from onshore.
responding to the growing threat of network attacks.
10
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Class surveys
E26
Ship's lifecycle Design & construction
› Commissioning
› Operational
Zones and
conduit diagram
Documents and Vessel asset Ship cyber resilience Ship cyber security
demonstration inventory test procedure and resilience program
E27
System document
System topology System configuration
to support incident
diagrams guidelines
response and recovery
inmarsat.com 11
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Inmarsat key
recommendations
Inmarsat believes that while IACS URs E26 and E27 People and culture
will play an important role in helping maritime Feedback from Inmarsat security operations
organisations to strengthen their cyber defences centres (SOCs) reveals that phishing attacks
and develop comprehensive risk-management are the most frequent type of cyber incident.
policies, companies should look beyond compliance Companies should therefore pay close attention
with the URs and take a more holistic approach to their people and organisational culture,
to onboard cyber security. The connectivity investing, for example, in training and awareness
solutions provider recommends that organisations programmes and implementing standards
focus on, and invest in, three key areas: people such as ISO/IEC 27001. They should also closely
and culture, network-connected systems and assess suppliers’ risk-management practices and
services, and an incident-response plan. ensure user privileges are correctly assigned.
IACS
REGULATION NIST FUNCTION REQUIREMENTS FS UTM FUNCTION DESCRIPTION
Firewall and Fleet Secure UTM monitors and controls
Ships must have the Intrusion Prevention network traffic to prevent unauthorized
capability to identify Systems (IPS) access and detect malicious activity
Identify & Protect
and protect against Regular scanning and real-time protection
potential cyber threats Gateway AV against viruses and malware ensure
the ship’s systems are secure
Continuous monitoring of network activities
E26 Cyber Real-time Network
helps in the early detection of suspicious
Resilience Ships must be able to Monitoring / SOC
activities or potential cyber threats
of Ships Detect detect cyber incidents
in a timely manner Intrusion Detection This function alerts operators about unauthorized
Systems (IDS) access attempts or unusual network behaviour
By integrating these features, the Fleet Secure Portfolio can contribute significantly to meeting IMO cyber security regulations, which are designed to enhance the
resilience of maritime systems against cyber threats. The portfolio provides a centralized and effective approach to cyber security, helping shipping companies
comply with regulatory requirements and protect critical maritime infrastructure.
12
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Network-connected Companies
systems and services
Vessels have numerous potential attack should look
surfaces, and maintaining cyber resilience
across all of them may not be feasible from
a cost and/or time perspective. Inmarsat
beyond
therefore recommends a risk-management
approach that involves identifying onboard
compliance with
assets, assessing risks, deciding which areas
require investment, and implementing
the URs and take
security measures accordingly.
a more holistic
Incident-response plan
While following cyber security regulations
approach to
and best practices is critical to reducing
the risk of breaches, it is prudent to assume
onboard cyber
that the threat cannot be controlled
through compliance alone. Maritime
security.
organisations should therefore have a
robust response plan in place to ensure
swift recovery from network attacks and
to keep financial losses to a minimum.
Makiko Tani,
Deputy Manager, Cyber Security, ClassNK
Laurie Eve,
Chief of Staff, Inmarsat Maritime
inmarsat.com 13
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Inmarsat
solution
Fleet Secure Meanwhile, Fleet Secure Unified Threat
Inmarsat’s Fleet Secure portfolio helps maritime Management (UTM) comprises a suite of
organisations to comply with cyber security network security tools consolidated on a single
regulations including the new IACS URs while device, designed to continuously inspect, detect
supporting meaningful enhancements across and protect all the data traffic going to and
the key three areas described above. from a vessel and backed by a dedicated SOC.
Intelligently scanning all connected systems for
For instance, Fleet Secure Endpoint allows users to
malicious traffic, UTM facilitates the continuous
protect network-connected onboard systems and
inspection of the entire vessel network as well
evaluate risks using the Risk Assessment Report
as the detection and monitoring of threats.
feature. The endpoint-security solution includes
access to the Fleet Secure Cyber Awareness training Deployed as part of a holistic, risk-based approach,
programme, which helps companies to minimise Inmarsat Fleet Secure enables organisations to
risk by ensuring crew are aware of vulnerabilities integrate cyber security into their connectivity
and suspicious online behaviour. The crew training strategy to support regulatory compliance and keep
completion rate can be tracked by companies, their assets – and people – safe from online threats.
and the course material is updated frequently.
14
IACS UNIFIED REQUIREMENTS
E26 AND E27
CYBER SECURITY BEYOND COMPLIANCE
Inmarsat’s Fleet
Secure portfolio
helps maritime
organisations to
comply with cyber
security regulations
including the
new IACS URs
while supporting
meaningful
enhancements
across the key
three areas
described above.
inmarsat.com 15
Contact
For further information and questions,
please contact the Inmarsat Maritime
team: maritime@inmarsat.com
inmarsat.com
While the information in this document has been prepared in good faith, no representation, warranty, assurance or undertaking (express or implied) is or will be made,
and no responsibility or liability (howsoever arising) is or will be accepted by Inmarsat, or any of its affiliates, officers, employees or agents in relation to the adequacy,
accuracy, completeness, reasonableness or fitness for purpose of the information in this document. All and any such responsibility and liability is expressly disclaimed
and excluded to the maximum extent permitted by applicable law. Coverage as shown on maps is an approximation and subject to change at any time.
Copyright © 2024 Inmarsat Global Limited. All rights reserved. The INMARSAT trademark is owned by the International Mobile Satellite Organisation licensed to
Inmarsat Global Limited. The Inmarsat LOGO is owned by Inmarsat Global Limited. All other product or company names mentioned are used for identification
purposes only and may be trademarks of their respective owners. IACS Unified Requirements E26 and E27 Cyber Security Beyond Compliance. JUNE 2024.