The guidelines describe new regulatory requirements for cybersecurity
ClassNK says it has released "Guidelines for Cyber resilience of on-board systems and equipment". The guidelines expound new IACS Unified Requirements (UR) to support the consideration of measures to ensure the cybersecurity of ships.
IACS has established UR E26*1 for ships and UR E27*2 for on-board systems and equipment as minimum requirements for cyber resilience, which is the capability to reduce the occurrence and mitigate the effects of cyber incidents due to cyber-attacks. The URs will be applied to new ships contracted for construction on and after 1 July 2024.
This represents the first instance in which cybersecurity is incorporated into class rules as mandatory requirements. To facilitate industry’s smooth compliance with them, ClassNK has published the guidelines primarily for manufacturers and suppliers of marine systems and equipment, which describe the interpretation of each requirement of UR E27 as well as the approval procedure, including document reviews and surveys.
UR E26 aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship. This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery. The revised version of UR E26 will be published before the end of 2023.
UR E27 aims to ensure system integrity is secured and hardened by third-party equipment suppliers. This UR provides requirements for cyber resilience of on-board systems and equipment and provides additional requirements relating to the interface between users and computer-based systems on-board, as well as product design and development requirements for new devices before their implementation on-board ships.