New mandatory cyber-security requirements coming in July 2024


New requirements will be implemented in two months to ensure the cyber resilience of newly built ships and integrated systems.

The efficiency of the maritime industry is being streamlined by the combination of new technology, increasing automation, and digitalization. But along with the increasing number of integrated vessels featuring multiple interconnected systems comes the threat of remote attacks that can potentially gain access to or impact critical onboard control systems. Optimal cybersecurity needs to be in place to ensure vessels remain in operation and to safeguard the safety of crew, passengers, assets, and the environment.

Implementing optimal preventative measures against cyber attacks is crucial.

Shipping serves as the backbone of global trade, and the potential disruptions from attacks, along with the risks to life and property, present a significant temptation for cyber-criminals and state-sponsored hackers. It is crucial to safeguard both corporate infrastructure and individual vessels in the face of growing connectivity.

Corporate IT systems, often deemed “mature,” present numerous attack surfaces, yet cyber attacks tend to financially impact companies more than vessel operations, which are seen as having low consequences. Nevertheless, the growing connectivity between operational technology (OT) on ships and shore-based IT systems opens a potential “back door” for cyber threats. It is imperative to safeguard this high-risk, low-maturity digital infrastructure to ensure the safety and operational continuity of maritime vessels under cyber attack.

New IACS unified requirements focus on cyber risks of on-board systems

Regulations such as the 2021 IMO cyber resolution have mandated that owners, operators, and managers assess overall cyber risks. Yet, until recently, specific system-level requirements remained undefined. This gap is being addressed by the International Association of Classification Societies (IACS), which has introduced new Unified Requirements (URs). These URs will require shipyards and system vendors to incorporate cyber security measures within their systems and vessels.

The Unified Requirements (URs) will apply to all computer-based systems onboard, including main-engine control systems, steering mechanisms, cooling systems, fire detection, communication systems (including public address systems), and navigation systems. Essentially, they will cover any system that is crucial for the safe movement, navigation, and operation of the ship.

The Unified Requirements will apply to all newbuildings contracted after January 1, 2024, and will also provide non-mandatory guidance for existing ships, as well as for new vessels contracted before that date.

New URs ensure holistic cyber security of on-board equipment

Firstly, UR E26 aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship.

This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.

Secondly, UR E27 aims to ensure that system integrity is secured and hardened by third-party equipment suppliers. This UR provides requirements for the cyber resilience of onboard systems and equipment, plus additional requirements relating to the interface between users and computer-based systems onboard, as well as the product design and development of new devices before their implementation onboard.

System delivery across different industries

The new Unified Requirements (URs) are a significant advancement, grounded in the concrete requirements of the globally recognized IEC 62443 standards for control-system cybersecurity.

This alignment will be highly beneficial for suppliers distributing their control systems across various industries. Additionally, the complementary nature of UR E27 and UR E26 is advantageous. UR E27 enables suppliers to concentrate on creating cybersecurity barriers, such as through system type approval, providing shipyards and owners with a selection of pre-approved systems. This facilitates the integration of UR E26’s requirements into their vessel designs and operations.

To ensure compliance with the coming IACS unified requirements (URs) E26 and E27 and protect critical control systems, yards and system vendors should take action now.

Steps vendors should take given the time pressure

The requirement for yards and vendors to validate critical systems to comply with standards marks a significant shift in the industry, considering the extended lifespan of control systems and the lengthy development cycles. Smaller vendors, in particular, may encounter resource constraints in adhering to these requirements within the stringent deadlines.

With less than two years remaining, it is crucial for vendors and yards to use this time to ensure their control systems comply with regulations.

We urge all vendors to first review their portfolios and systematically determine which products/systems can be made cyber-secure for continued use beyond January 1st, 2024.

This is particularly important for vendors providing digital services in the cloud, to prevent the leakage of sensitive information, such as key environmental data.

Vendors must conduct a thorough analysis to determine necessary actions, carry out these actions, and then proceed with testing and obtaining type approval. To ensure system security, they need to assess attack surfaces, strengthen login security, and safeguard configuration settings. Protection of USB removable device interfaces and network connections, particularly those linking to shore, is also crucial. Additionally, regular patching is essential to keep software consistently updated. Organizations must ensure that backup and recovery procedures are established to restore the system to a secure state. In the event of a system failure, it should be possible to recover it adequately to maintain critical operations and preserve essential technical functions.

Maritime Cyber Security Manual

Marine Surveyor Consultants have developed a Maritime Cyber Security manual, offering a comprehensive risk management solution for shipping companies and their vessels to protect against a range of cyber incidents. This manual serves as a crucial resource in bolstering maritime cyber defenses and ensuring operational resilience.

Marine Surveyor Consultant Sagl
