The International Association of Classification Societies (IACS) has published two new unified rules (UR E26 and E27) on implementing cybersecurity controls. Their focus is ensuring cyber-resilience and functional integrity of the onboard, safety-critical, computer-based systems.
UR E26 only applies to new builds from 1 July 2024.
Should you only adopt the rules for your new builds?
If you’re not planning new builds, should you ignore these rules completely?
We’ve been complaining about the lack of clarity. Behold: clarity!
To date, regulation in maritime cyber security has been a mess. This is putting it lightly.
There is a resolution (IMO Resolution MSC.428(98)) with no specification; a loose reference to guidance (the BIMCO Guidelines); a further assortment of guidance documents; specific Class notations and type approval processes; and specific advisories from port states (e.g. the US Coast Guard). To make matters worse, enforcement has been rather variable, with each audit team putting their own “spin” on the important questions to ask and observations to make.
You’re a shipping operator with global presence, vessels registered with different flag states, certified by different classification societies and calling different port states. How do you keep up?
The IACS rules provide a harmonised standard:
- It provides a common understanding of minimum requirements. It is not easy to keep up with, let alone stay ahead of, ever-evolving cyber threats. The IACS rules define the minimum security control requirements that will help you defend against cyber threats and improve the overall cyber-resilience of your ship-critical and mission-critical systems.
- It provides a uniform methodology for inspection. This gives you assurance that your cybersecurity programme leads to a recognised standard of minimum security. It ensures predictability of audit and compliance processes, avoiding the anxiety of unexpected observations.
- It provides a recognised benchmark for customers. UR E26 compliance sends a clear message to customers, partners, and investors. It demonstrates that your shipping company takes cybersecurity seriously, fostering trust and confidence in its operations. It gives you the ability to apply a recognised stamp of quality on your vessels and fleet operations across the asset lifecycle, and it is a differentiator against your competitors.
- It provides a minimum security standard for the supply chain. Supply chain compromises take 12.8% longer to identify and contain. This is one of the findings in a report we developed with HFW and Thetius – “Shifting tides, rising ransoms and critical decisions”. UR E26 and E27 place minimum security requirements on various stakeholders across the supply chain, from original equipment manufacturers to system integrators to the shipowner. This gives shipowners assurance of better practice across the supply chain.
The IACS cybersecurity rules are for newbuilds only. Why should I apply them across the fleet?
If you unpack UR E26, there are requirements across the lifecycle of the vessel, from Design, Requirements & Specification, Construction and Commissioning through Operations to Maintenance. Nearly 50% of the requirements call for global policies rather than local ones that could be implemented on just one vessel. This means that to achieve UR E26 compliance for even a single vessel, you need to define, implement and continuously maintain resources, security processes and tooling that affect your whole fleet operations.
This makes applying E26 to only some vessels more expensive in the long run than applying it across the whole fleet. It would mean:
- Separate processes for separate vessels
- Ensuring the shore teams and crew know the differences
- Ensuring visitors and suppliers know the differences
- Tracking the cyber-hygiene of some vessels differently from the rest of the fleet
Setting UR E26 compliance as your north star also simplifies planning. It becomes the compass through which you can set clear targets of minimum cyber-hygiene. Compliance becomes a ‘gateway’ to building a uniform, robust, continuous fleet-wide security program that makes it manageable for both new and existing fleets. It provides a clear business case for budget discussions.
How do I prepare for UR E26?
Here are some practical next steps you can take that will help you prepare:
- Map your existing Cyber Security Management System (CSMS) manual that you developed and implemented to comply with IMO Resolution MSC.428(98) and BIMCO guidance to the new UR E26 requirements.
- Identify the gaps in security controls (e.g. your network monitoring capabilities, physical, logical and remote access control, incident response and recovery plans, crew training, etc.).
- For the new builds, create a cybersecurity requirements template to streamline the process.
- For the existing fleet, it isn’t necessary to do it all at once. Develop a roadmap for the existing fleet that will eventually bring it up to the UR E26 requirements. If you have some newbuilds scheduled, you will need to implement some global policies for those new vessels anyway. Start with those global policies as quick wins.
- Build a business case and communication plan to your management to bring them along the journey of achieving UR E26 compliance across the whole fleet over time. It may help to include UR E26 compliance as a key mitigation in the risk register.
- Measure and report progress towards compliance and repeatedly demonstrate how this has reduced cyber risks across the fleet.
If you need some help, CyberOwl has experts who may be able to support you with your UR E26 journey. Initial support may involve a private briefing on UR E26 or a gap analysis of your current cyber risk management against UR E26 compliance. Get in touch here to find out how far you are from complying with UR E26.