Ship OT Cybersecurity: IACS E26/E27 Compliance Guide for Vessel Operators (1/4) - Ship OT Cybersecurity

Compliance · IACS UR E26/E27 · Ship OT Security · 3-Part Series · Part 1

IACS E26/E27 Compliance Guide: What Ship OT/IT Engineers Need to Know

Ship OT Cybersecurity — A Practitioner's Guide for Vessel Operators

Captain Paul
Maritime Cybersecurity Consultant · CRSI Specialist

If your vessel is under construction or due for a major retrofit after July 2024, IACS Unified Requirements E26 and E27 are no longer optional reading — they are contractual obligations tied to your Classification Society certificate. Yet the same question comes up in every conversation with ship OT/IT engineers: "I know E26/E27 exist, but what do they actually require me to do on board?" This post answers that question directly — no vendor pitch, no generic checklist.

Ⅰ. The Two Documents and Why They Are Different

IACS published E26 and E27 together, but they operate at different levels of the vessel hierarchy.

IACS UR E26

Cyber Resilience of Ships

Vessel-level governance layer — defines how a ship as a whole must be organized, protected, monitored, and recovered.

IACS UR E27

Cyber Resilience of On-board Systems

Component-level product standard — defines what individual CBS must be capable of doing before installation.

In practice: E26 governs how you run the ship's cybersecurity program. E27 governs what you are allowed to buy and install.

Ⅱ. The CBS: The Fundamental Unit of E26/E27

Everything revolves around the Computer-Based System (CBS) — any programmable system on board that performs a function relevant to the safety, security, or operation of the vessel.
(CBS are further classified into four types; E26 focuses on managing the Target and Exclusion types. Reference: https://www.shippauljobs.com/p/crsi-iacs-ur-e26e27-system.html )

Typical CBS on board include:

  • Navigation systems (ECDIS, GNSS, Radar, AIS)
  • Propulsion and steering control systems
  • Power management and distribution systems (PMS, EMS)
  • Alarm and monitoring systems (AMS, IAS)
  • Cargo management systems
  • Communication systems (GMDSS, VSAT)
  • Vessel data recorders (VDR, S-VDR)
The first practical step in E26 compliance: build and maintain a complete CBS inventory. Every CBS must be identified, documented, and assigned to a Zone.

Ⅲ. Zone and Conduit: How E26 Structures the Ship Network

E26 requires the vessel's network to be organized into Zones and connected by Conduits — drawn directly from IEC 62443.

  • OT Zone (L0–1): Sensors, actuators, PLCs, DCS — field devices directly controlling physical processes
  • Control Zone (L2): SCADA, HMI, Historian, AMS — the supervisory layer
  • IT / Admin Zone (L3): Crew network, business systems, shore connectivity

A Conduit is the controlled pathway between two Zones (firewall, data diode, DMZ). No uncontrolled paths between zones are permitted — every connection must be documented, justified, and enforced.

Ⅳ. The Five Functions of E26

E26 organizes the vessel's cybersecurity obligations around five functions — directly mapped from the NIST Cybersecurity Framework:

IDENTIFY
Maintain a complete and current inventory of all CBS — software versions, configurations, and interconnections. This is the foundation.
PROTECT
Implement access controls, network segmentation (Zones and Conduits), software hardening, and secure configuration across all CBS.
DETECT
Establish capability to detect cyber incidents in a timely manner. OT monitoring is now a compliance requirement — detect anomalies, unauthorized changes, and intrusion attempts.
RESPOND
Define incident classification, escalation procedures, isolation of affected systems, and communication to flag state and Classification Society.
RECOVER
Define and implement procedures for restoring affected CBS. Recovery priorities must align with vessel safety criticality — propulsion and navigation before administrative systems.

Ⅴ. Security Levels: The E27 Targeting System

E27 introduces Security Levels (SL) to define how much protection a CBS must provide:

Level | Definition                                                         | Typical Application
SL 0  | No specific security requirements                                  | Non-critical, isolated systems
SL 1  | Protection against unintentional violation                         | Basic operational systems
SL 2  | Protection against intentional violation using simple means        | Most navigation and control systems
SL 3  | Protection against intentional violation using sophisticated means | Safety-critical systems, remote access gateways

For each CBS: define a Target Security Level (SL-T) via risk assessment, then verify the CBS meets a Capability Security Level (SL-C) through Type Approval. When procuring, you must specify required SL-C and demand a valid Type Approval certificate.

Ⅵ. Type Approval: The E27 Procurement Gate

Type Approval under E27 is the mechanism by which individual CBS demonstrate compliance before installation:

  1. Manufacturer submits the CBS for evaluation by a Classification Society
  2. Society assesses the CBS against E27 requirements at the claimed SL-C
  3. If approved, a Type Approval certificate is issued, valid for a defined period
  4. Shipyard or operator verifies that installed CBS hold valid TA certificates at the required SL-C

Common gap found during assessments: the CBS inventory exists, but SL-T assignments are either missing or not verified against supplier Type Approval status.

Ⅶ. The SBOM Requirement: Often Overlooked

Both E26 and E27 reference the need for software transparency. E26 requires CBS software configurations to be documented and maintained. E27 expects manufacturers to provide information about software components within their systems — effectively a Software Bill of Materials (SBOM) requirement.

Most manufacturers are not yet delivering formal SBOMs. However, Classification Societies are increasingly asking for software component transparency during Annual Surveys. Establishing an SBOM tracking process now puts you significantly ahead of the compliance curve.

Ⅷ. What Applies to Your Vessel: Applicability Rules

If your vessel falls within scope, both E26 and E27 apply simultaneously — you cannot comply with one without the other, since E26 requires CBS that meet E27 standards.

Ⅸ. The Practical Starting Point

The sequence that works in practice — and what a Classification Society surveyor will work through during your Annual Survey:

  1. Build the CBS inventory — every programmable system, its location, function, software version, and network connections
  2. Define Zones and Conduits — map the network topology and formalize the zone boundaries
  3. Assign SL-T to each CBS — based on safety criticality and risk assessment
  4. Verify Type Approval status — for each CBS against the required SL-C
  5. Implement E26 controls — access control, monitoring, incident response, recovery procedures
  6. Document everything — the Cybersecurity Management Plan is a survey deliverable, not an internal document
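As an added example (not from the original post or from IACS), the following Python sketch turns steps 1 to 4 above, and the SL-T/SL-C and Type Approval checks from sections V and VI, into an automated review of a CBS inventory: every CBS sits in a defined Zone, every inter-zone link crosses a documented Conduit, SL-C is never below SL-T, and a Type Approval certificate is on file and in date. The zone names, SL labels, sample systems and dates are constructed assumptions, not values taken from E26/E27.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model for an E26-style CBS inventory check; not a real vessel's data.
SL_RANK = {"SL0": 0, "SL1": 1, "SL2": 2, "SL3": 3}
ZONES = {"OT", "Control", "IT"}
# Documented conduits as unordered zone pairs (e.g. a firewall between OT and Control).
CONDUITS = {frozenset({"OT", "Control"}), frozenset({"Control", "IT"})}

@dataclass
class CBS:
    name: str
    zone: str
    sl_t: Optional[str]        # Target SL from the risk assessment (None = never assigned)
    sl_c: Optional[str]        # Capability SL stated on the Type Approval certificate
    ta_expiry: Optional[date]  # Type Approval validity end (None = no certificate on file)

def check_inventory(cbs_list, links, today):
    """Return a list of findings; an empty list means no gaps were found."""
    findings = []
    for c in cbs_list:
        if c.zone not in ZONES:
            findings.append(f"{c.name}: not assigned to a defined zone")
        if c.sl_t is None:
            findings.append(f"{c.name}: no SL-T assigned")
            continue
        if c.sl_c is None or c.ta_expiry is None:
            findings.append(f"{c.name}: SL-T {c.sl_t} not verified, no Type Approval on file")
            continue
        if SL_RANK[c.sl_c] < SL_RANK[c.sl_t]:
            findings.append(f"{c.name}: SL-C {c.sl_c} below SL-T {c.sl_t}")
        if c.ta_expiry < today:
            findings.append(f"{c.name}: Type Approval expired {c.ta_expiry}")
    zone_of = {c.name: c.zone for c in cbs_list}
    for a, b in links:  # each link is a documented network connection between two CBS
        pair = frozenset({zone_of[a], zone_of[b]})
        if len(pair) == 2 and pair not in CONDUITS:
            findings.append(f"{a} <-> {b}: inter-zone link without a documented conduit")
    return findings

# Constructed sample inventory: one compliant CBS and three typical assessment gaps.
ASSESSMENT_DATE = date(2025, 1, 1)
SAMPLE_CBS = [
    CBS("ECDIS", "Control", "SL2", "SL2", date(2026, 12, 31)),
    CBS("Steering PLC", "OT", "SL3", "SL2", date(2027, 6, 30)),
    CBS("Crew Wi-Fi gateway", "IT", None, None, None),
    CBS("VSAT terminal", "IT", "SL1", "SL1", date(2024, 1, 1)),
]
SAMPLE_LINKS = [("ECDIS", "Steering PLC"), ("Steering PLC", "VSAT terminal")]
```

Running `check_inventory(SAMPLE_CBS, SAMPLE_LINKS, ASSESSMENT_DATE)` on the constructed data reports the SL-C shortfall on the steering PLC, the missing SL-T on the crew gateway, the expired VSAT certificate, and the undocumented OT-to-IT link.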

#IACS_E26 #IACS_E27 #ShipCybersecurity #OTSecurity #TypeApproval #IEC62443 #CBS #SBOM #Maritime40
Captain Paul

Captain Paul is the editorial voice of ShipPaulJobs — an independent Maritime Industry 4.0 platform for shipbuilding and maritime professionals. Views expressed are based on independent consulting practice and do not represent any Classification Society or vendor position.
