[IACS UR E26/E27] CBS (Computer Based System) and Category Classification - The Core Framework for IACS UR E26 & E27 Compliance

🔬 R&D · IACS UR E26 · IACS UR E27 · CBS Definition · Maritime Cybersecurity

CBS and Category Classification: The Core of IACS UR E26 & E27 Compliance

Understanding how Computer Based Systems are defined, classified, and protected under the IACS Unified Requirements

Captain Ethan
Maritime 4.0 · AI, Data & Cyber Security
LinkedIn: https://www.linkedin.com/in/shipjobs/

If CBS is not clearly defined, critical vessel systems — propulsion, steering, power management — become vulnerable to cyberattacks and operational failures. IACS UR E26 and E27 mandate CBS protection to mitigate these risks, and non-compliance can result in certification delays and operational disruptions.

Beyond regulatory compliance, defining CBS is essential for ensuring the cybersecurity and operational resilience of IT and OT systems onboard. Shipowners, shipyards, equipment manufacturers, and classification societies must collaborate to establish clear CBS standards.

Before engaging in discussions with the stakeholders involved in shipbuilding, it is worth understanding the relationship between the CBS definition and Category Classification for compliance with IACS UR E26 & E27, which is the subject of this article.

TL;DR
  1. CBS = Computer Based System — all programmable IT and OT systems onboard, per IACS UR E26 Sec.2. The acronym is often misunderstood; the correct definition is foundational to compliance.
  2. UR E26 classifies every CBS into four categories (I, II, III, Others) based on the consequence of failure — from no safety risk to immediate catastrophic risk.
  3. Category III systems (propulsion, steering, power) and Others (ECDIS, GMDSS) require the highest level of cybersecurity protection.
  4. UR E27 maps these categories to network architecture — four network types must be kept separate to prevent lower-risk networks from becoming attack vectors into safety-critical CBS.
  5. Mandatory for new builds: keel-laying on/after 1 Jan 2024. Existing vessels: first class renewal survey on/after 1 Jul 2024.

Ⅰ. CBS Definition in IACS UR E26

CBS — Computer Based System — is the foundational term in IACS UR E26. Every cybersecurity requirement flows from this definition. Misunderstanding what a CBS is leads to gaps in scope, incomplete risk assessments, and failed class surveys.

📖 Official Definition — IACS UR E26, Sec.2

"A programmable electronic device, or interoperable set of programmable electronic devices, organized to achieve one or more specified purposes such as collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

CBSs onboard include IT and OT systems. A CBS may be a combination of subsystems connected via network. Onboard CBSs may be connected directly or via public means of communications (e.g. Internet) to ashore CBSs, other vessels' CBSs and/or other facilities."

Source: IACS UR E26 (Rev.3, 2024), Section 2 — Definitions

💻 IT & OT Both Included: Information Technology and Operational Technology systems are both CBS — the framework covers the full spectrum.
🔗 Single or Multi-System: A CBS may be one device or multiple subsystems interconnected via a network — scope is intentionally broad.
🌐 External Connectivity: Onboard CBS may connect via internet to shore, other vessels, or facilities — introducing external attack surfaces.
Why It Matters: Importance of a Clear CBS Definition

  • Cybersecurity scope: Undefined CBS means critical systems may be excluded from protection — creating life-threatening vulnerabilities.
  • Operational continuity: CBS must remain functional during blackout conditions; undefined systems cannot be hardened against failure.
  • Class certification & insurance: Non-compliance affects class certificate issuance and may void P&I cover for cyber incidents.

Ⅱ. Key Requirements of IACS UR E26

UR E26 translates the CBS definition into enforceable engineering requirements. Understanding these is essential for shipyards designing systems, equipment makers seeking type approval, and owners managing cyber risk.

Req 01 · 🛡️ System and Network Protection

  • Cybersecurity measures must be applied to all IT and OT systems within the CBS definition.
  • Network segmentation and access control are mandatory — CBS networks must be isolated from passenger, crew welfare, and untrusted IP networks.
  • Regular security updates and patch management are required; a documented patch policy must be maintained.

Req 02 · 📋 Cyber Risk Assessment and Management

  • A formal cyber risk assessment must be conducted for all CBS during design, installation, and commissioning phases.
  • A cyber incident response plan and contingency procedures must be documented, drilled, and available to the crew.
  • System inventories (hardware, software, firmware versions) must be maintained and reviewed at each survey.

Req 03 · ⚙️ Ensuring Operational Continuity

  • CBSs must be designed and configured to remain functional — or fail safely — during blackout conditions and cyberattack scenarios.
  • Critical systems (propulsion, steering, fire detection) must have documented backup or manual override mechanisms.
  • Restoration procedures after a cyber incident must be tested and incorporated into the vessel's Safety Management System (SMS).

Ⅲ. Category Classification in IACS UR E26

Not all CBSs carry the same risk. UR E26 classifies every onboard system into four categories based on the consequence of failure — correctly classifying each system is a prerequisite for a compliant cyber risk assessment.

| Category | Failure Effect | Typical Systems | Security Level |
|---|---|---|---|
| Category I | Failure does not pose a risk to human safety, vessel safety, or the environment. | Monitoring, informational, administrative functions (e.g., voyage reporting, crew management). | Baseline — standard IT security practices |
| Category II | Failure could eventually lead to dangerous situations for human safety, vessel safety, or the environment. | Alarm systems, monitoring, and control systems necessary for normal operation (e.g., engine monitoring, ballast control). | Enhanced — access control + audit logging |
| Category III | Failure could immediately result in dangerous or catastrophic situations for human safety, vessel safety, or the environment. | Propulsion, steering, power management, fire detection, bilge systems. | Highest — network isolation + redundancy + incident response |
| Others | Systems required by statutory regulations whose loss may trigger port-state deficiencies. | ECDIS, AIS, GMDSS, LRIT, navigation and communication systems. | Statutory — must meet flag-state and IMO requirements |

Ⅳ. CBS Definition ↔ Category Classification — The Link

The CBS definition sets what must be protected; the Category Classification sets how much protection is required. Misalignment between CBS scope and category assignment is the most common gap found during class surveys.

⚠ Category III Risk: Compromised propulsion or steering CBS causes immediate loss of manoeuvrability — direct threat to life and vessel.

⚠ Category II Risk: Compromised alarm or monitoring CBS delays crew response — eventual escalation to critical failure.

ℹ Interconnection Risk: Cat I/II CBSs networked with Cat III systems create lateral movement paths for attackers to reach safety-critical systems.

✓ Mitigation: Network segmentation between category tiers prevents a Cat I breach from propagating to Cat III systems.

🛠️ Practical Compliance Actions by Category

  • Cat I: Inventory all administrative CBSs; apply OS patching and user access controls; log access events.
  • Cat II: Enhanced access control; segment from Cat III networks; include in cyber risk assessment; document alarm system backup procedures.
  • Cat III: Full network isolation from IT networks; hardware-level access restrictions; redundant manual override; include in SMS drills and incident response plan.
  • Others (Statutory): Ensure ECDIS, AIS, GMDSS, LRIT meet IMO MSC-FAL.1/Circ.3/Rev.3; verify at each port-state inspection.
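The interconnection risk and the per-category actions above can be checked against a CBS inventory before a survey. The following is an added example, not part of the original article or of the IACS texts: it takes a constructed inventory of systems (category and network segment) and a constructed list of segment links, then reports every routing path from a lower-tier or non-CBS segment into a Cat III segment, and every flat (non-firewalled) link across the Cat III boundary. Segment names, link kinds and the inventory are assumptions for the sake of the example.

```python
from collections import deque
# Constructed sample inventory (assumed, not from the article): each onboard CBS
# with its UR E26 category and the network segment it is attached to.
INVENTORY = {
    "propulsion_control": ("III", "ot_control"),
    "engine_monitoring":  ("II",  "ot_monitoring"),
    "voyage_reporting":   ("I",   "admin_it"),
    "crew_hr_terminal":   (None,  "crew_welfare"),   # not a CBS
}
# Constructed bidirectional segment links: "direct" = flat L2/L3 path, "filtered" = firewall/DMZ.
LINKS = [
    ("ot_monitoring", "ot_control", "direct"),
    ("admin_it", "ot_monitoring", "filtered"),
    ("crew_welfare", "admin_it", "direct"),
]

def paths_from(start, links):
    """Breadth-first search over segment links: {segment: path from start}."""
    adj = {}
    for a, b, _ in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    paths, queue = {start: [start]}, deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in adj.get(seg, []):
            if nxt not in paths:
                paths[nxt] = paths[seg] + [nxt]
                queue.append(nxt)
    return paths

def segregation_findings(inventory, links):
    """Flag routes into Cat III segments (which must be fully isolated) and flat links across that boundary."""
    cat3 = {seg for cat, seg in inventory.values() if cat == "III"}
    # Highest category hosted on each non-Cat III segment, used only for the finding text.
    rank = {None: 0, "I": 1, "II": 2}
    lower = {}
    for cat, seg in inventory.values():
        if seg not in cat3 and rank[cat] >= rank[lower.get(seg)]:
            lower[seg] = cat
    findings = []
    for seg, cat in lower.items():
        for target, path in paths_from(seg, links).items():
            if target in cat3:
                findings.append(f"{seg} ({'Cat ' + cat if cat else 'non-CBS'}) reaches {target} via {' > '.join(path)}")
    for a, b, kind in links:
        if kind == "direct" and (a in cat3) != (b in cat3):
            findings.append(f"flat link {a} <-> {b} crosses the Cat III boundary with no firewall/DMZ")
    return sorted(findings)
```

With the sample data the check reports four findings: the crew welfare, admin IT and Cat II monitoring segments all reach the Cat III segment, and the monitoring-to-control link is flat. Replacing those links with a single firewalled admin-to-monitoring link yields no findings.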

Ⅴ. IACS UR E27 — CBS Network Classification

UR E27 complements E26 by specifying how onboard networks must be structured and protected based on what they carry and who uses them. It translates the CBS category classification into concrete network architecture requirements.

| Network Type | Typical Systems | Key Requirement |
|---|---|---|
| Systems directly connected to CBS | Propulsion control, steering, power management, ECDIS, GMDSS | Strict isolation; no direct internet access; hardware-enforced segmentation |
| Other IP-connected systems | Condition monitoring, cargo management, planned maintenance systems | Controlled interface via firewall/DMZ; access logging; regular vulnerability scanning |
| Passenger and visitor networks | Passenger Wi-Fi, IPTV, guest portals | Complete physical or logical separation from CBS networks; no routing path to OT |
| Crew admin & welfare networks | Crew internet access, HR systems, payroll terminals | Isolated from CBS; internet via dedicated VSAT channel; user awareness training |

🔒 CBS Network Security Measures

  • Physical/logical isolation: CBS networks must have no direct internet path to Cat III or Others systems.
  • Passenger/crew separation: Guest and crew welfare networks must have no routing path to CBS — enforced at both L3 and L2 levels.
  • Monitoring and anomaly detection: Anomalous behaviour on CBS segments (unexpected connections, port scans) must trigger the vessel's cyber incident response procedure.
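The monitoring requirement above can be made concrete as detection logic over the firewall logs of the interface in front of the CBS network. This is an added example, not the article's or IACS's own code: it assumes a constructed address plan for the four UR E27 network types and constructed log lines in a simple key=value format, flags any passenger or crew host crossing into the CBS zone (allowed or blocked) and any outside host touching many distinct CBS ports, and returns the alerts that should feed the incident response procedure.

```python
import ipaddress
import re
from collections import defaultdict
# Assumed address plan for the four UR E27 network types (constructed, not from the article).
ZONES = {
    "cbs":       ipaddress.ip_network("10.10.0.0/24"),       # systems directly connected to CBS
    "other_ip":  ipaddress.ip_network("10.20.0.0/24"),       # condition monitoring, PMS, cargo
    "passenger": ipaddress.ip_network("192.168.100.0/24"),
    "crew":      ipaddress.ip_network("192.168.200.0/24"),
}
NO_PATH_TO_CBS = {"passenger", "crew"}   # these must have no routing path to CBS
SCAN_PORT_THRESHOLD = 5                   # distinct CBS ports touched by one outside source
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")
# Constructed firewall log lines in a simple key=value format (not real vessel data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=192.168.200.14 dst=10.10.0.5 dport=502 action=ALLOW
2024-05-01T10:00:02Z src=192.168.100.23 dst=10.10.0.5 dport=22 action=DENY
2024-05-01T10:00:03Z src=10.20.0.8 dst=10.10.0.7 dport=21 action=DENY
2024-05-01T10:00:03Z src=10.20.0.8 dst=10.10.0.7 dport=22 action=DENY
2024-05-01T10:00:03Z src=10.20.0.8 dst=10.10.0.7 dport=23 action=DENY
2024-05-01T10:00:04Z src=10.20.0.8 dst=10.10.0.7 dport=80 action=DENY
2024-05-01T10:00:04Z src=10.20.0.8 dst=10.10.0.7 dport=502 action=ALLOW
2024-05-01T10:00:05Z src=10.20.0.9 dst=10.10.0.7 dport=502 action=ALLOW
2024-05-01T10:00:06Z src=10.10.0.5 dst=10.10.0.7 dport=502 action=ALLOW
""".splitlines()

def zone_of(ip):
    """Name of the UR E27 network type an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def analyse(lines):
    """Alerts for traffic into the CBS zone that should trigger the incident response procedure."""
    alerts, ports_seen = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or zone_of(m.group(2)) != "cbs":
            continue                      # only traffic towards the CBS zone matters here
        src, dst, dport, action = m.groups()
        src_zone = zone_of(src)
        if src_zone in NO_PATH_TO_CBS:   # any crossing violates the segregation rule
            kind = "segregation breach" if action == "ALLOW" else "blocked crossing attempt"
            alerts.append(f"{kind}: {src_zone} host {src} -> CBS {dst}:{dport}")
        if src_zone != "cbs":             # many distinct ports from one outside host
            ports_seen[src].add(dport)
    for src, ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(f"possible port scan of CBS segment from {src} ({len(ports)} ports)")
    return alerts
```

The sample log yields three alerts: an allowed crew-to-CBS flow (a live segregation breach), a denied passenger-to-CBS attempt, and one host in the other-IP zone sweeping five CBS ports; ordinary intra-CBS traffic and a single Modbus/TCP flow from a monitoring host raise nothing.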

Key Takeaways

🖥️ CBS = Computer Based System: Both IT and OT are CBS. A single programmable device or an entire networked system — all fall under the same UR E26 cybersecurity framework.
🎯 Category III Is the Highest Risk: Propulsion, steering, and power management CBSs require full network isolation, redundancy, and documented incident response — no exceptions.
🔒 E27 Enforces Network Segregation: Four separate network types prevent passenger and crew welfare networks from becoming stepping-stones into safety-critical CBS.
📅 Compliance Timeline Is Now: New builds: keel-laying ≥ 1 Jan 2024. Existing vessels: first class renewal ≥ 1 Jul 2024. The compliance window is already open.

Conclusion — CBS, Categories, and Compliance

IACS UR E26 and E27 form an interlocking framework — definition, classification, and network architecture.

The CBS definition establishes what must be protected; Category Classification determines how much protection is required; UR E27's network classification specifies how those systems must be architecturally separated. Together they represent the most comprehensive mandatory cybersecurity standard the maritime industry has ever implemented.

"Strengthening CBS protection is not just a compliance checkbox — it is the foundation of vessel safety and operational continuity."

Shipyards, equipment manufacturers, owners, and class societies must align on CBS scope and category assignment from the earliest design stage to avoid costly rework at survey — and to ensure that the ships of tomorrow are protected from the threats of today.

#IACS_UR_E26 #IACS_UR_E27 #CBS #ComputerBasedSystem #MaritimeCybersecurity #CategoryClassification #OTSecurity #Maritime4_0 #ClassCertification #SCARP
Collaborators: Lew · Julius · Jin · Morgan · Yeon  |  References: IACS UR E26 (Rev.3, 2024) · IACS UR E27 (Rev.2, 2024) · IMO MSC-FAL.1/Circ.3/Rev.3
