IACS UR E26/E27 is the core maritime cybersecurity regulation applying to newbuilds contracted from July 2024. This matrix maps 25 capability areas across the five NIST Cybersecurity Framework phases (Identify · Protect · Detect · Respond · Recover) to corresponding solution categories.
📌 Captain Paul's Note
Obtaining class society certificates will get you through an audit. But to defend against real cyber threats — and to continuously meet the procedures and documentation required throughout vessel construction and operation — the right tools, i.e. solutions, are essential.
Limiting the budget to switches and a firewall is understandable. But when it comes to sustaining Zone Segmentation · Recovery Procedures · Annual Surveys — and the fundamental objective of maintaining best-in-class cyber threat detection, response, and management over the vessel's operational life — solutions become indispensable.
We hope this guide provides practical value to shipowners, shipyards, system suppliers, and everyone involved in delivering or evaluating maritime cybersecurity solutions.
🔗 Series Context — How Parts 1–3 Connect to This Matrix
Part 1: OT Network Architecture & E26/E27 Applicability — CBS inventory, Zone/Conduit design, and security levels. E26/E27 applies to vessels with contracts signed on or after 1 July 2024. Every IDENTIFY capability and most PROTECT capabilities in this matrix are the technical implementation of that architecture.
Part 2: IT/OT Monitoring & Annual Survey Automation — NMS and TA/RM tools automate up to 60% of Annual Survey evidence. The specific capabilities driving that are IDs 0, 3, 8, 10, 14, and 22 in this matrix. Starlink-equipped vessels use the same capability set but with a centralised shore-side analysis layer enabled by near-continuous broadband uplink.
Part 3: Incident Response, Forensics & Recovery — CSIRP, digital evidence collection, shore SOC escalation, and flag state/class reporting. All 7 capabilities in the RESPOND and RECOVER phases of this matrix are the technical execution layer for those procedures.
Part 4: This matrix is your procurement and deployment checklist — for every E26/E27 requirement identified in Parts 1–3, what do you actually need to buy, deploy, and continuously operate?
IACS UR E26/E27 is more than a regulation checklist. It is a technical framework defining how a vessel — a moving OT (Operational Technology) network — must be designed, operated, and continuously managed. Certification is only the starting point; compliance demands sustained operation across the full vessel lifecycle.
✅ NMS (Network Monitoring System) — Core infrastructure for network asset visibility, traffic baseline learning, and SSLS (Ship Security Log System) log collection. Supports passive anomaly detection, though detection depth is limited compared to dedicated IDS (Intrusion Detection System) / NDR (Network Detection and Response). Full asset inventory requires concurrent operation with TA/RM scanning.
✅ TA/RM (Threat Assessment / Risk Management w/Scanning) — Scan-based automated collection of software, hardware, and network assets. A vessel's CBS (Computer-Based Systems) can number in the hundreds — manual inventory is operationally impractical. Collected data drives CVE (Common Vulnerabilities and Exposures) matching, SBOM (Software Bill of Materials) management, risk prioritisation, and recovery procedure validation. The technical backbone of Annual Survey and PSC (Port State Control) documentation.
✅ Firewall — NGFW (Next-Generation Firewall) / IPS (Intrusion Prevention System) — The security policy enforcement layer at L4 (Layer 4)–L7 (Layer 7). Performs deep OT protocol inspection at the zone boundaries established by switches and routers. IPS-based Virtual Patching is a practical compensating control in vessel environments where immediate software updates are not feasible. Stateful session tracking and application-layer awareness are functions that L2 (Layer 2)/L3 (Layer 3) devices do not provide.
✅ TI/TM (Threat Intelligence / Threat Management) — Ingests and analyses threat feeds from ICS-CERT, Dragos, Claroty and others to support detection and response decision-making in NMS, SIEM (Security Information and Event Management), and Firewall. TI/TM does not directly block attacks — it operates as an intelligence layer that strengthens detection rules and enables priority-driven response.
✅ Switch / Router (Managed L2 (Layer 2) / L3 (Layer 3)) — The foundational network infrastructure that creates physical and logical zone boundaries via VLAN (Virtual Local Area Network) (802.1Q), VRF (Virtual Routing and Forwarding), and ACL (Access Control List). This is the equipment that actually defines the zone structure within which the Firewall enforces security policy. Also responsible for port security, 802.1X-based NAC (Network Access Control), and SPAN (Switched Port Analyzer) traffic mirroring.
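The NMS entry above describes "traffic baseline learning" and "passive anomaly detection" without showing what that amounts to. The following is an added example, not code from the original article or from any vendor product: it learns the set of zone-to-zone protocol/port tuples seen during a learning window from constructed flow records (the kind an NMS would take from a SPAN port) and then flags flows that fall outside that set. Host addresses, zone names, port numbers and the log format are all constructed for the example.

```python
"""Passive traffic-baseline learning in the style of a vessel NMS (illustrative).

All flow records, addresses and zone assignments below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Zone membership of CBS hosts, as it would come from the Part 1 zone/conduit design.
# Addresses are constructed; any host not listed is treated as an unknown talker.
ZONE_OF = {
    "10.10.1.10": "bridge",    # ECDIS workstation
    "10.10.1.11": "bridge",    # radar display
    "10.20.1.20": "engine",    # alarm & monitoring server
    "10.20.1.21": "engine",    # PLC
    "10.30.1.30": "business",  # crew LAN host
}

# Constructed flow log: timestamp, src, dst, proto, dst port (one flow per line).
LEARNING_LOG = """\
2024-07-01T00:00:01Z 10.10.1.10 10.20.1.20 tcp 502
2024-07-01T00:00:02Z 10.10.1.11 10.10.1.10 udp 10110
2024-07-01T00:00:03Z 10.20.1.20 10.20.1.21 tcp 44818
2024-07-01T00:00:04Z 10.10.1.10 10.20.1.20 tcp 502
"""

MONITOR_LOG = """\
2024-07-02T08:00:01Z 10.10.1.10 10.20.1.20 tcp 502
2024-07-02T08:00:02Z 10.30.1.30 10.20.1.21 tcp 502
2024-07-02T08:00:03Z 10.30.1.99 10.20.1.20 tcp 22
2024-07-02T08:00:04Z 10.20.1.20 10.20.1.21 tcp 44818
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def flow_key(f):
    """Reduce a flow to the tuple the baseline is learned over: zones, proto, port."""
    return (ZONE_OF.get(f.src, "unknown"), ZONE_OF.get(f.dst, "unknown"), f.proto, f.dport)


def learn_baseline(flows):
    """Count each (src_zone, dst_zone, proto, dport) tuple seen in the learning window.

    Everything observed during learning is treated as legitimate. That is the
    inherent limitation of passive baselining: traffic already present when
    learning starts becomes 'normal', so the window must be reviewed by someone
    who knows the intended conduit list before the baseline is frozen.
    """
    return Counter(flow_key(f) for f in flows)


def detect_anomalies(baseline, flows):
    """Return (flow, key) pairs whose zone/proto/port tuple was never seen in the baseline."""
    return [(f, flow_key(f)) for f in flows if flow_key(f) not in baseline]


if __name__ == "__main__":
    base = learn_baseline(parse_flows(LEARNING_LOG))
    for f, key in detect_anomalies(base, parse_flows(MONITOR_LOG)):
        print(f"{f.ts} unexpected conduit {key[0]}->{key[1]} {key[2]}/{key[3]} ({f.src} -> {f.dst})")
```

Note what this catches and what it does not: the crew-LAN host talking Modbus to the PLC and the unknown host reaching the alarm server are flagged because their zone tuple was never learned, but a compromised bridge workstation sending malformed Modbus to the same PLC over the already-learned tuple would pass, which is the "detection depth" gap the entry reserves for a dedicated IDS/NDR with protocol inspection.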
📋 Annual Survey Traceability — Part 2 Cross-Reference
Part 2 established that 60% of Annual Survey evidence is automatable via IT/OT monitoring solutions. The following capabilities in this matrix are the direct evidence sources:
ID 0 & 3 · OT Asset Inventory + SBOM Management: HW/SW/firmware register with CVE mapping → class society CBS inventory submission
ID 8 · Vulnerability Management & Virtual Patching: CVE scan report + IPS virtual patch log + remediation plan → DNV / LR / BV survey checklist
ID 10 · Configuration Hardening & Baseline: Configuration drift report → evidence that approved baseline has been maintained since last survey
Restoration drill record → E26 §4.5 recovery procedure documentation required at Annual Survey
The remaining 40% — security policy review, crew training records, and management sign-off — requires human input and remains non-automatable regardless of solution maturity.
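The ID 0 & 3 and ID 8 rows above both rest on the same step: taking the HW/SW/firmware register the TA/RM scan produces and matching it against vulnerability advisories, then ranking what to fix and where an IPS virtual patch is the interim control. The block below is an added example written for this article, not the TA/RM tooling of any vendor. The inventory, vendors, products, versions and advisories are constructed, and the advisory identifiers are placeholders rather than real CVE numbers; a real run would take the advisory list from ICS-CERT or a commercial feed.

```python
"""Inventory-to-advisory matching and remediation ranking (illustrative).

Inventory entries and advisories are constructed; advisory IDs are placeholders.
"""
from dataclasses import dataclass


def parse_version(v):
    """'3.10.2' -> (3, 10, 2) so versions compare numerically (as strings '3.9' > '3.10')."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:
    cbs_id: str     # identifier in the vessel's CBS register
    zone: str
    vendor: str
    product: str
    version: str
    category: str   # E26 CBS classification used for ranking: essential / important / other


@dataclass(frozen=True)
class Advisory:
    adv_id: str         # PLACEHOLDER identifiers, not real CVE numbers
    vendor: str
    product: str
    fixed_in: str       # first non-vulnerable version; everything below it is affected
    cvss: float
    ips_signature: bool  # an IPS signature exists, so virtual patching is available


# Constructed CBS register as a TA/RM scan would populate it.
INVENTORY = [
    Asset("CBS-001", "bridge", "AcmeNav", "ECDIS Suite", "3.2.1", "essential"),
    Asset("CBS-002", "bridge", "AcmeNav", "Radar HMI", "5.0.0", "essential"),
    Asset("CBS-003", "engine", "EngCo", "AMS Server", "2.8.4", "important"),
    Asset("CBS-004", "engine", "EngCo", "PLC Firmware", "1.4.0", "essential"),
    Asset("CBS-005", "business", "OfficeSoft", "Crew Portal", "7.1.0", "other"),
]

# Constructed advisory feed.
ADVISORIES = [
    Advisory("PLACEHOLDER-ADV-0001", "AcmeNav", "ECDIS Suite", "3.3.0", 8.1, True),
    Advisory("PLACEHOLDER-ADV-0002", "EngCo", "PLC Firmware", "1.4.0", 9.8, False),
    Advisory("PLACEHOLDER-ADV-0003", "EngCo", "AMS Server", "3.0.0", 6.5, False),
    Advisory("PLACEHOLDER-ADV-0004", "OfficeSoft", "Crew Portal", "7.2.0", 7.5, True),
]


def match_vulnerabilities(inventory, advisories):
    """Pair every asset with each advisory for the same vendor/product whose fixed
    version is above the installed one. An asset already at fixed_in is not affected."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset.vendor, asset.product) == (adv.vendor, adv.product)
            if same_product and parse_version(asset.version) < parse_version(adv.fixed_in):
                findings.append((asset, adv))
    return findings


def remediation_plan(findings):
    """Rank findings by CBS category, then CVSS, and state the control for each.

    Where an IPS signature exists the interim control is a virtual patch at the zone
    boundary with the software update deferred to a maintenance window; otherwise
    the update itself is the only remediation and is scheduled accordingly.
    """
    rank = {"essential": 0, "important": 1, "other": 2}
    rows = []
    for asset, adv in findings:
        control = ("IPS virtual patch now; software update at next maintenance window"
                   if adv.ips_signature else "software update at next maintenance window")
        rows.append({"cbs_id": asset.cbs_id, "zone": asset.zone, "category": asset.category,
                     "advisory": adv.adv_id, "installed": asset.version,
                     "fixed_in": adv.fixed_in, "cvss": adv.cvss, "control": control})
    rows.sort(key=lambda r: (rank[r["category"]], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for row in remediation_plan(match_vulnerabilities(INVENTORY, ADVISORIES)):
        print(row)
```

The boundary case is deliberate: CBS-004 runs exactly the version the advisory names as fixed and therefore does not appear in the plan, which is the comparison a hand-maintained spreadsheet most often gets wrong. The ranked rows are the CVE scan report and remediation plan the ID 8 row refers to; the IPS log that confirms the virtual patch was actually applied is a separate evidence source.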
🚢 Implementation Priority — Where to Start
1. Foundation — Design & Commissioning
Newbuild: integrate during shipyard phase · Retrofit: first scheduled dry-dock / port call
CBS Asset Inventory (ID 0) · Network Topology (1) · CBS Classification (2) · Conduit Mapping (4) · Zone Segmentation (5) · Configuration Hardening (10) · Firewall Policy Baseline (7) · Managed Switch/Router deployment
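Configuration Hardening (ID 10) appears in this foundation step and, in the traceability section above, its survey evidence is a configuration drift report showing the approved baseline has been maintained. The block below is an added example of how such a report is produced, written for this article and not taken from any NMS or TA/RM product: it hashes each device configuration frozen at commissioning, compares the current pull against it, classifies every item as unchanged, modified, missing or unapproved, and shows the changed lines for the modified ones. Device names, file names and configuration contents are constructed.

```python
"""Configuration-baseline drift report for Annual Survey evidence (illustrative).

Device names and configuration contents are constructed sample data.
"""
import difflib
import hashlib

# Approved baseline: configurations as frozen at commissioning or the last survey.
APPROVED = {
    "sw-bridge-01/running-config": (
        "hostname sw-bridge-01\nvlan 10 name BRIDGE\nvlan 20 name ENGINE\n"
        "interface Gi1/0/5\n switchport access vlan 10\n switchport port-security\n"
    ),
    "fw-core-01/policy": "rule 10 allow bridge->engine tcp/502\nrule 20 deny any->engine\nrule 30 deny any\n",
    "ams-server/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "rtr-sat-01/running-config": "hostname rtr-sat-01\ninterface Gi0/0\n ip access-group SAT-IN in\n",
}

# Current pull: port-security dropped on the bridge switch, password login re-enabled on
# the AMS server, the satellite router not reachable, and a device nobody approved.
CURRENT = {
    "sw-bridge-01/running-config": (
        "hostname sw-bridge-01\nvlan 10 name BRIDGE\nvlan 20 name ENGINE\n"
        "interface Gi1/0/5\n switchport access vlan 10\n"
    ),
    "fw-core-01/policy": "rule 10 allow bridge->engine tcp/502\nrule 20 deny any->engine\nrule 30 deny any\n",
    "ams-server/sshd_config": "PermitRootLogin no\nPasswordAuthentication yes\n",
    "crew-lan-sw/running-config": "hostname crew-lan-sw\nvlan 30 name CREW\n",
}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(configs):
    """Map 'device/file' -> SHA-256 of its approved content. Only hashes need to be
    stored for the comparison; the full approved text is kept for the line diff."""
    return {key: sha256_hex(content) for key, content in configs.items()}


def drift_report(baseline, current):
    """Classify every item as unchanged, modified, missing (approved but not pulled)
    or unapproved (pulled but never approved)."""
    report = {"unchanged": [], "modified": [], "missing": [], "unapproved": []}
    for key, approved_hash in baseline.items():
        if key not in current:
            report["missing"].append(key)
        elif sha256_hex(current[key]) == approved_hash:
            report["unchanged"].append(key)
        else:
            report["modified"].append(key)
    report["unapproved"] = sorted(k for k in current if k not in baseline)
    return report


def changed_lines(approved_text, current_text):
    """Line-level diff of a modified item so the surveyor sees exactly what changed."""
    diff = difflib.unified_diff(approved_text.splitlines(), current_text.splitlines(),
                                "approved", "current", lineterm="", n=0)
    return [line for line in diff
            if line[:1] in "+-" and not line.startswith(("+++", "---"))]


def baseline_maintained(report):
    """The survey statement 'approved baseline maintained since last survey' holds only
    if nothing is modified, missing or unapproved."""
    return not (report["modified"] or report["missing"] or report["unapproved"])


if __name__ == "__main__":
    report = drift_report(build_baseline(APPROVED), CURRENT)
    for status, items in report.items():
        print(status, items)
    for key in report["modified"]:
        print(key, changed_lines(APPROVED[key], CURRENT[key]))
    print("baseline maintained:", baseline_maintained(report))
```

Two design points carry the evidentiary weight: the report is computed from the frozen baseline rather than from the previous pull, so a change does not become "normal" just because it survived one survey cycle; and the "missing" class is reported rather than ignored, since an unreachable device cannot be certified as compliant.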