🔒 Cyber Compliance IACS UR E26 · CBS · SFI OT Security · Network Zones Maritime 4.0

PART 4 OF 4 — Maritime AI & Data Foundations

From SFI to Smart Ship — How IACS UR E26 CBS Inventory Works in Practice

What the regulation actually requires, how the SFI code connects to it, and what surveyors check · ~13 min read

Captain Paul

Maritime 4.0 · AI, Data & Cyber Security · linkedin.com/in/shipjobs

In Part 1, we mapped the SFI code hierarchy. In Part 2, we traced how sensor data flows from those systems to shore. In Part 3, we wrote Python to analyze that data. Now we reach the compliance layer that governs all of it.

IACS UR E26 — Cyber Resilience of Ships — requires every vessel covered by its scope to maintain a complete inventory of onboard Computer-Based Systems (CBSs). Understanding what this inventory must contain, how the SFI code connects to it in practice, and what classification society surveyors actually check is the difference between a compliance checkbox and a genuinely useful asset register.

Key Terms

IACS UR E26 — Cyber Resilience of Ships (ship-level requirement)

IACS UR E27 — Cyber Resilience of On-Board Systems and Equipment (equipment-level)

CBS — Computer-Based System: any onboard system using programmable logic, firmware, or software

Vessel Asset Inventory — UR E26 term for the master list of all onboard CBSs

Security Zone — Logical/physical network segment grouping CBSs by function and trust level

OT Network — Operational Technology network (navigation, machinery, safety systems)

IT Network — Information Technology network (admin, crew, cargo office systems)

DMZ — Demilitarized Zone: intermediate network segment between OT and IT zones

IMO MSC-FAL.1/Circ.3 — IMO Guidelines on Maritime Cyber Risk Management

IEC 62443 — International standard for industrial automation and control system security

Section Ⅰ — IACS UR E26 & E27: The Regulatory Foundation

Scope · Effective Date · Ship Level vs. Equipment Level

IACS (International Association of Classification Societies) published two Unified Requirements that together form the framework for maritime cybersecurity in newbuildings. They are distinct but interdependent.

UR E26 Cyber Resilience of Ships

Addresses the ship as a whole — the owner/operator's obligation. Requires a vessel asset inventory of all CBSs, security zone definitions, network segmentation, software update procedures, and incident response capability.

→ Responsibility: Ship Owner / Operator

UR E27 Cyber Resilience of On-Board Systems

Addresses individual equipment and systems — the manufacturer's obligation. Requires equipment to be delivered with documented cyber resilience capabilities (hardening, patching support, documented interfaces).

→ Responsibility: Equipment Manufacturer

📅 Effective Date

Both UR E26 and E27 apply to ships with construction contracts signed on or after 1 July 2024 (revised requirements). Existing vessels are not retroactively required but are encouraged to comply.

🏛 Regulatory Context

UR E26/E27 build on IMO MSC-FAL.1/Circ.3 (Guidelines on Maritime Cyber Risk Management). The IMO guidelines are non-binding; UR E26/E27 are binding for IACS member class society new builds.

🔗 Referenced Standards

UR E26/E27 are aligned with the IEC 62443 series (industrial automation and control system cybersecurity) and the BIMCO Guidelines on Cyber Security Onboard Ships (v5, 2024).

Section Ⅱ — What Is a CBS? Scope of the Inventory

Definition · Categories · What the vessel asset inventory must contain

Under UR E26, a Computer-Based System (CBS) is any system onboard that uses programmable logic, firmware, or software to perform a function. This is a deliberately broad definition — the intent is to capture every system that could be compromised or disrupted through a cyber event.

Section Ⅲ — Why SFI Is Used in Practice (Though Not Mandated)

UR E26 does not require SFI · Practical reasons operators adopt it anyway

IACS UR E26 requires a vessel asset inventory but does not specify SFI as the classification structure. However, most operators and class society surveyors see SFI-based CBS inventories in practice, for a clear reason: SFI is already the standard backbone of CMMS, ISM Code documentation, and planned maintenance systems on commercial vessels.

🔗 Integration with CMMS

CMMS maintenance records are indexed by SFI code. A CBS inventory built on SFI connects directly to maintenance history — the surveyor can trace from the CBS entry to the last patch update in the same system.

📄 ISM Code Alignment

The ISM Code requires documented procedures for critical equipment. SFI-coded CBSs inherit the same equipment ID used in ISM Code Safety Management Systems — no duplicate coding is required.

🚢 Fleet Consistency

A fleet operator using SFI has the same system ID structure across all vessels. Shore teams comparing CBS inventory across ten vessels can do so using the same code structure.

Section Ⅳ — Building the CBS Inventory: Step by Step

Walkthrough · Data collection · Zone assignment · Documentation

STEP 1 Define Scope — Which CBSs Are In?

Not every electronic device is a CBS under UR E26 scope. Standalone analog instruments and isolated panel indicators typically fall outside. The test is whether the device uses programmable logic, firmware, or software that could be targeted or disrupted. When in doubt, include it — exclusions must be justified to the surveyor.

STEP 2 Walk the Vessel — Systematically by Space and SFI Group

Conduct a physical walkthrough covering bridge, ECR, cargo control room, server room, and communication spaces. Use the SFI group structure to organize the walk: Group 2 (Navigation), Group 4 (Main Machinery), Group 5 (Safety), Group 6 (Automation), Group 7 (Cargo) — this prevents gaps. Document every CBS encountered with make, model, and physical location.

STEP 3 Record All Required Fields (Items ①–⑩ from Section II)

For each CBS, record hardware make/model/version, current software/firmware version, and operating system if applicable. Software version is the most frequently outdated field — many vessels have ECDIS or IAS systems running firmware that is several versions behind. Document the actual installed version, not the target version.

STEP 4 Map Network Connections and Assign Security Zones

For each CBS, document every network it is physically or logically connected to. Then assign a security zone (OT Bridge / OT Machinery / OT Safety / DMZ / IT Admin). This step reveals dual-network CBSs — systems connected to both OT and IT networks — which represent the highest risk and require the most scrutiny.

STEP 5 Classify Criticality and Establish Update Procedures

Assign each CBS a criticality level: Safety-Critical (failure affects SOLAS-mandated functions), Operational (failure affects vessel operations but not immediate safety), or Administrative (failure affects office/cargo administration). UR E26 requires documented procedures for software updates and patch management for each CBS — the criticality level determines the review and approval process for each update.

Section Ⅴ — Network Segmentation: The Technical Core of UR E26

Security zones · Zone boundaries · Dual-network CBS risks

UR E26 requires CBSs to be grouped into security zones with discrete network segments. Only explicitly permitted traffic may cross zone boundaries. This is the technical requirement that makes the CBS inventory operationally meaningful — the inventory must reflect the actual network architecture, not just the intended one.

Zone A — OT Safety Fire detection · Bilge alarms · GMDSS · EPIRB · Flooding sensors

Highest isolation — no external connections permitted · Event-driven only

↕ (no traffic allowed)

Zone B — OT Bridge ECDIS · AIS · GPS/GNSS · Radar (ARPA) · VDR · AMS bridge panel

Controlled — NMEA 0183/2000 data feeds in; no internet access

↕ (strictly controlled)

Zone C — OT Machinery IAS server/workstations · PMS · Main engine control · Generator management

Controlled — Modbus/OPC-UA internal; remote access strictly controlled

↕ (DMZ enforced)

Zone D — DMZ / Gateway VSAT router · Communication gateway · Data aggregation servers · Remote access proxy

Strict firewall rules both sides — inspects all traffic crossing OT ↔ IT boundary

↕ (IT traffic only below)

Zone E — IT Admin CMMS PCs · Cargo management · Crew management · Voyage planning (office) · Crew Wi-Fi

Internet-accessible — contains no OT systems

⚠️ Dual-Network CBSs: The highest-risk configuration is a CBS connected to both an OT zone and the IT/DMZ zone — for example, an IAS workstation with a USB port also used for crew data transfer, or a voyage management system with both NMEA input and internet connectivity. UR E26 requires these to be explicitly documented and their cross-zone traffic justified.

Section Ⅵ — What Classification Society Surveyors Check

Documentary review · Technical verification · Common gaps

IACS member class societies (DNV, Lloyd's Register, Bureau Veritas, ClassNK, ABS, and others) verify UR E26 compliance at new build surveys. Verification covers two layers: documentary completeness and technical alignment.

📄 Documentary Review

✓ Is the vessel asset inventory complete? (all CBSs listed)

✓ Does each CBS record contain the required fields?

✓ Is the network diagram present and does it show zone boundaries?

✓ Are software update and patch management procedures documented?

✓ Is an incident response plan in place?

🔍 Technical Verification

✓ Does the actual network match the network diagram?

✓ Are zone boundaries enforced by hardware (firewall/switch) — not just policy?

✓ Are installed software versions consistent with what is recorded in the CBS inventory?

✓ Are remote access paths documented and controlled?

⚠️ Common Gaps Found in Practice

①Undocumented CBSs: Systems added or upgraded after the original inventory was compiled — ECDIS updates, new crew welfare Wi-Fi access points, chartlet printers — that were never added to the CBS list.

②Software version mismatch: The inventory records the version installed at the time of commissioning. By survey time, patches may have been applied without updating the CBS record — or patches may not have been applied at all.

③Network diagram vs. reality: The submitted diagram shows intended segmentation, but the actual switch configuration has exceptions — a maintenance cable left plugged in, a port not tagged to the correct VLAN.

④Missing connectivity mapping: CBSs are listed but their interfaces to other systems are not documented — so the surveyor cannot verify that zone boundary rules are complete.

⚓ Captain Ethan's Take

"The most common failure mode I see is treating the CBS inventory as a one-time compliance deliverable rather than a living document. A ship is commissioned in 2025. By 2027, the ECDIS has had two software updates, a new VSAT router was installed, and the IAS was upgraded. None of it made it back into the CBS record. The inventory is now a snapshot of 2025 — and the surveyor knows it. The SFI structure helps because it anchors the CBS identity to the same code used in the maintenance system — so a planned maintenance record of the ECDIS update is visible alongside the CBS entry."

⚓ Series Conclusion — Key Takeaways

The four articles in this series form a complete chain: SFI addresses every onboard system → those systems generate data that travels from sensor to shore → Python gives engineers tools to work with that data → IACS UR E26 defines the compliance framework that governs those systems. Understanding all four layers is what defines a maritime data or cyber professional in 2024 and beyond.

✅ IACS UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of On-Board Systems and Equipment) apply to ships with contracts signed on or after 1 July 2024.

✅ UR E26 requires a vessel asset inventory of all Computer-Based Systems (CBSs) covering hardware/software versions, physical location, network connections, security zone, and criticality.

✅ SFI is not mandated by UR E26 but is widely adopted as the CBS identifier because it integrates with existing CMMS, ISM Code documentation, and planned maintenance systems.

✅ UR E26 requires network segmentation into security zones (OT Safety / OT Bridge / OT Machinery / DMZ / IT Admin) with only explicitly permitted traffic allowed to cross zone boundaries.

✅ The most common compliance gaps are: undocumented CBSs added post-commissioning, software version mismatches, network diagram/reality divergence, and incomplete connectivity mapping between CBSs.

📌 Series Complete — Maritime AI & Data Foundations

✅ Part 1: What Is the SFI Code — And Why Every Maritime AI & Data Career Starts Here

✅ Part 2: How Ship Sensor Data Flows — From Onboard to Shore

✅ Part 3: Python for Maritime Engineers — 5 Real Use Cases with Ship Data

▶ Part 4 (this article): From SFI to Smart Ship — How IACS UR E26 CBS Inventory Works in Practice

#IACSURe26 #CBSInventory #SFICode #MaritimeCyber #OTSecurity #NetworkSegmentation #SmartShip #CyberResilience #MaritimeCompliance #Maritime4.0

📚 Related Standards & References

IACS UR E26 — Cyber Resilience of Ships
IACS · Applies to ships contracted on or after 1 July 2024 · Requires vessel CBS asset inventory, security zones, and patch management procedures · iacs.org.uk

IACS UR E27 — Cyber Resilience of On-Board Systems and Equipment
IACS · Equipment-level requirements for manufacturers · Same effective date as UR E26 · iacs.org.uk

IMO MSC-FAL.1/Circ.3 — Guidelines on Maritime Cyber Risk Management
IMO · Non-binding guidance that UR E26/E27 build upon · Rev.3 is the current version · imo.org

BIMCO — The Guidelines on Cyber Security Onboard Ships (Version 5)
BIMCO · Version 5 published November 2024 · Industry guidance aligned with UR E26 and IMO MSC-FAL.1/Circ.3 · bimco.org

ShipPaulJobs — IACS UR E26/E27 Resource Library
ShipPaulJobs · Download IACS, BIMCO, NIST, IEC 62443 compliance PDFs · shippauljobs.com

Captain Ethan · In Sung Lee

Maritime 4.0 · AI, Data & Cyber Security

linkedin.com/in/shipjobs

Maritime Intelligence Platform · Cyber · AI · Data

shippauljobs.com

Search This Blog

ShipPaulJobs
Maritime AI & Cybersecurity

Maritime AI & Data Foundations Series : Part 4/4. From SFI to Smart Ship — How IACS UR E26 CBS Inventory Works in Practice