Shipbuilding Cybersecurity: Aligning Newbuilding Milestones with IACS UR E26 & E27 Deliverables (Standard)
Aligning Shipbuilding Schedules with Cybersecurity Deliverables
From Contract Signing to Delivery — What Owners, Shipyards, and Suppliers Must Prepare at Each Milestone
With the enforcement of IACS Unified Requirements E26 and E27 — mandatory for newbuildings contracted from 1 July 2024 — cybersecurity has become an integral part of the shipbuilding process. Classification societies now require cybersecurity certification, and shipyards must integrate security measures from the earliest design stage. This article maps every key shipbuilding milestone to the cybersecurity deliverables required by classification society guidelines, clarifying who must prepare what, and when.
Ⅰ. The Intersection of Shipbuilding and Cybersecurity
Shipbuilding follows a structured process of five phases after contract signing:
At each stage, cybersecurity requirements outlined by classification societies must be integrated. This requires close collaboration between shipowners, shipyards, and equipment suppliers — with clear accountability for who prepares each deliverable.
Ⅱ. Shipbuilding Milestones × Cybersecurity Deliverables (Standard)
The table below maps each major shipbuilding event to the cybersecurity deliverables required from owners, shipyards, and suppliers under classification society guidelines (IACS UR E26/E27).
Ⅲ. Cybersecurity Deliverables — What Each Document Contains
Management framework for IT/OT system protection. Compliance baseline with IMO MSC-FAL.1/Circ.3.
Security risk assessment and approval process for all IT/OT system modifications.
Managing OS, firmware, and security patch updates for CBS and IT/OT systems throughout the vessel lifecycle.
Firewall configuration, maintenance policies, and log monitoring procedures between network zones.
Malware detection and defense measures for IT/OT systems, including update policies for AV/EDR tools.
User access rights definition, RBAC policy, and unauthorized access prevention measures.
Secure remote access management using VPN (Virtual Private Network), MFA (Multi-Factor Authentication), and session logging.
Security policies covering USB storage devices, laptops, and other removable media brought onboard.
Network segmentation design and data flow analysis for cybersecurity zoning, aligned with IEC 62443.
Security requirements, secure coding practices (aligned with IEC 62443-4-1), and verification processes for IT/OT system development.
Recording all Computer-Based System (CBS) inventory items, their security interfaces, and network connections onboard.
Visual representation of CBS interconnections, data flows, and external network interfaces across IT/OT systems.
Documentation of security features: encryption, IDS (Intrusion Detection System), and access control mechanisms.
Detection, response, and recovery procedures for cybersecurity incidents including ransomware and data breaches.
With IACS UR E26 and E27 now in effect for newbuildings contracted from July 2024, cybersecurity is no longer a post-delivery concern — it must be embedded from the moment the contract is signed. Shipowners, shipyards, and suppliers each carry distinct obligations, and misalignment between them is the most common cause of certification delays.
The deliverable matrix above is a practical starting point for project managers, compliance officers, and class surveyors to align expectations early — and avoid last-minute document scrambles before delivery. 🚢🔐
A market-moving innovation leader connecting data, AI, and cybersecurity with the maritime industry. Expertise spans maritime cyber compliance, business design, investment, project management, AI-based RAG systems, and software development.