The importance of type approval Part II: From Detect to Recover

📋 Compliance IACS UR E26 & E27 Type Approval Series · Part Ⅱ

The Importance of Type Approval — Part Ⅱ: From Detect to Recover

How UR E27 Type Approval Reduces Commissioning-Phase Demonstration for Shipyards and System Suppliers under IACS UR E26

Sheep
Sheep
Senior Maritime Engineering Lead · Concept & Basic Design
Technical Advisor: shippauljobs.com — Crew Behind ShipJobs

In Part Ⅰ, we covered the Identify and Protect functions of UR E26. In this chapter, we'll look at the remaining three: Detect, Respond, and Recover.

📌 A Note from Sheep

From Respond through Recover, please keep in mind that the shipowner's policy is critical — the incident response plan and the recovery plan are both documents that shall be developed by the shipowner, not the shipyard or the equipment supplier.

Ⅰ. Detect

NIST CSF

Refers to the capability of verifying and diagnosing the cybersecurity status of a vessel. It requires system configuration integrity checks, self-diagnostics to identify anomalies, and mandatory logging of results. In other words, the ship's computer-based systems (CBS) must be able to automatically review their security settings, detect issues, and record them for later inspection.


D1 Network Operation Monitoring

  • Networks shall be continuously monitored, and an alarm shall be generated when anomalies occur in the network.
  • A monitoring system that can detect anomalies and supports post-incident analysis provides the ability to respond to and recover from a cyber event.
  • Measures to monitor networks shall have the following capabilities:
    • Monitoring and protection against excessive traffic.
    • Monitoring of network connections.
    • Monitoring and recording of device management activities.
    • Protection against connection of unauthorized devices.
    • Generate an alarm if the network's bandwidth exceeds a threshold.
    • The IDS shall be qualified by the supplier, if applicable.
    • The IDS shall be passive to ensure it does not affect the performance of the CBS.
    • Responsible personnel on board should be trained and qualified to use the IDS.
Demonstration

Design & Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. Test that disconnected network connections activate an alarm and are recorded.
  2. Test that abnormally high network traffic is detected, and an alarm with audit record is generated — this test may be carried out together with the Fallback to a Minimal Risk Condition test.
  3. Demonstrate that the CBS responds in a safe manner to network storm scenarios, considering both unicast and broadcast messages.
  4. Demonstrate generation of audit records (logging of security-related events).
  5. If an IDS is implemented, demonstrate that it is passive and will not activate protection functions that may affect the intended operation of the CBSs.
⚠️ The above tests may be omitted if performed during the certification of CBSs.

Any IDS implemented in the CBS shall be subject to verification by the Society.

D2 Verification and Diagnostic Functions of CBS and Networks

  • CBSs and networks shall be capable of checking performance and security functions.
  • CBSs' and networks' diagnostic functionality shall be available.
Demonstration

Design & Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. The effectiveness of the procedures for verification of security functions provided by the suppliers.
⚠️ The test may be omitted if performed during the certification of CBSs.

Ⅱ. Respond

NIST CSF

Develop and implement appropriate measures and activities to take action regarding a detected cyber incident onboard.

R1 Incident Response Plan

  • An incident response plan shall be developed by the shipowner.
  • The plan shall contain documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of incidents against the CBS.
  • The stakeholders of the ship shall provide information to the shipowner for the preparation of the Plan, to be placed onboard at the 1st Annual Survey and kept up to date during the operational life of the ship.
  • The Plan shall, as a minimum, include the following information:
    • Breakpoints for the isolation of a compromised system.
    • A description of alarms and indicators signaling detected ongoing cyber events or abnormal symptoms caused by cyber events.
    • Response options, prioritizing those which do not rely on either shutdown or transfer to independent or local control.
    • Independent and local control information for operating independently from the system that failed due to the cyber incident, as applicable.
  • The incident response plan shall be kept in hard copy.
Demonstration

Design Phase: The CSDD shall include references to information provided by the suppliers that may be applied by the shipowner to establish incident response plans.

Construction & Commissioning Phase: Nothing required.

R2 Local, Independent and/or Operation

  • Any CBS needed for local backup control as required by SOLAS II-1 Regulation 31 shall be independent of the primary control system, with the necessary HMI.
  • The CBS for local control and monitoring shall be self-contained. If communication to the remote control system is applicable, segmentation and protective safeguards shall be implemented.
  • The local control and monitoring system shall be considered a separate security zone.
Demonstration

Design Phase: The CSDD shall include a description of how the local controls are protected from cyber incidents in any connected remote or automatic control systems.

Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. The required local controls can be operated independently of any remote or automatic control systems — verified by disconnecting all networks from the local control system to others.
⚠️ The test may be omitted if performed during the certification of CBSs.

R3 Network Isolation

  • Where the incident response plan indicates network isolation as an action to be taken, it shall be possible to terminate network-based communication to or from a security zone.
  • Individual systems' data dependencies that may affect function and correct operation, including safety, shall be identified — clearly showing where systems must have compensations for data or functional inputs if isolated during a contingency.
Demonstration

Design Phase: The CSDD shall include:

  • How to isolate each security zone from others, with a description of the effects of such isolation.
  • Demonstration that the CBSs in a security zone do not rely on data transmitted by IP networks from others.

Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. By disconnecting all networks traversing security zone boundaries, demonstrate that the CBSs maintain adequate operational functionality without network communication with others.
⚠️ The test may be omitted if performed during the certification of CBSs.

R4 Fallback to a Minimal Risk Condition

  • In the event of a cyber incident, the affected system or network shall fall back to a minimal risk condition.
  • As soon as a cyber incident affecting the CBS or network is detected, the system shall fall back to a condition in which a reasonably safe state can be achieved.
  • Fall-back actions may include: bringing the system to a complete stop or other safe state; disengaging the system; transferring control to another system or human operator; or other compensating actions.
  • Fall-back to a minimum risk condition shall occur within a time frame adequate to keep the ship in a safe condition.
  • The ability of a system to fall back to a minimal risk condition shall be considered from the design phase.
Demonstration

Design Phase: The CSDD shall include a specification of the safe state for the control functions.

Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. The CBSs respond to cyber incidents in a safe manner, e.g. by maintaining outputs to essential services and allowing operators to carry out control and monitoring functions by alternative means. The test shall at least include DoS attacks, and may be combined with the related test in Network Operation Monitoring.
⚠️ The test may be omitted if performed during the certification of CBSs.

Ⅲ. Recover

NIST CSF

Develop and implement appropriate measures and activities to restore any capabilities or services necessary for shipping operations that were impaired due to a cyber incident.

RC1 Recovery Plan

  • A recovery plan shall be made by the shipowner to support restoring CBSs to an operational state after disruption or failure caused by a cyber incident.
  • The stakeholders of the ship shall provide information to the shipowner for the preparation of the Plan, to be placed onboard at the 1st Annual Survey and kept up to date during the operational life of the ship.
  • The plan shall be easily understandable by the crew and external personnel.
  • The plan shall include essential instructions and procedures to ensure the recovery of a failed system, and how to obtain external assistance if support from ashore is necessary.
  • Software recovery medium or tools onboard shall be available.
  • The systems and subsystems involved shall be specified with the following recovery objectives:
    • System recovery: methods and procedures to recover communication capabilities shall be specified in terms of Recovery Time Objective (RTO) — the time required to recover.
    • Data recovery: methods and procedures to recover data necessary to restore a safe state of OT systems and ship operation shall be specified in terms of Recovery Point Objective (RPO) — the longest period of time for which an absence of data can be tolerated.
  • Once the recovery objectives are defined, a list of potential cyber incidents shall be created, and the recovery procedure developed and described.
  • The plan shall include the following information:
    • Instructions and procedures for restoring the failed system without disrupting the operation of redundant, independent, or local operation.
    • Processes and procedures for the backup and secure storage of information.
    • Complete and up-to-date logical network diagram.
    • The list of personnel responsible for restoring the failed system.
    • Communication procedure and list of personnel to contact for external technical support, including system support vendors, network administrators, etc.
    • Current configuration information for all components.
    • The operation and navigation of the ship shall be prioritized in the plan, in order to help ensure the safety of onboard personnel.
    • Recovery plans in hard copy shall be available both onboard and ashore.
Demonstration

Design Phase: The CSDD shall include a reference to information provided by the suppliers that may be applied by the shipowner to establish plans to recover from cyber incidents.

Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. The effectiveness of the procedures and instructions provided by the suppliers to respond to cyber incidents.
⚠️ The test may be omitted if performed during the certification of CBSs.

RC2 Backup and Restore Capability

  • CBSs and networks shall have the capability to support backup and restore in a timely, complete, and safe manner, regularly maintained and tested.
  • Data shall be restorable from a secure copy or image.
  • Information and backup facilities shall be sufficient to recover from a cyber incident.
  • Offline backups shall be considered to improve tolerance against ransomware and worms affecting online backup appliances.
  • Backup plans shall be developed, including scope, mode and frequency, storage medium, and retention period.
Demonstration

Design & Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. The procedure and instructions for backup and restore provided by the suppliers.
⚠️ The test may be omitted if performed during the certification of CBSs.

RC3 Controlled Shutdown, Reset, Roll-Back and Restart

  • CBSs and networks shall be capable of controlled shutdown, reset to an initial state, roll-back to a safe state, and restart from a power-off condition, in order to allow fast and safe recovery from a cyber incident.
  • Suitable documentation on how to execute the operation shall be available onboard.
Demonstration

Design Phase: The CSDD shall include a reference to product manuals or procedures describing how to safely shut down, reset, restore, and restart the CBSs.

Construction Phase: Nothing required.

Commissioning Phase: The ship cyber resilience test procedure shall be submitted for the following demonstration:

✅ E27 Type Approval — Commissioning Demonstration
  1. Manuals or procedures are established for shutdown, reset, and restore of the CBSs.
⚠️ The test may be omitted if performed during the certification of CBSs.

This is Part Ⅱ of the Type Approval series, covering Detect, Respond, and Recover — completing the review of UR E26's five NIST CSF functions. Next time, I would like to write about which of these UR E26 demonstration tests may instead be conducted during the FAT (Factory Acceptance Test) stage.

About the Author

Sheep is a maritime engineering professional with deep expertise in conceptual and basic design across diverse vessel types. Sheep brings comprehensive knowledge of global mechanical, electrical & electronics, and cybersecurity system specifications — combined with proven design and project management capability for large-scale maritime and offshore platform construction, and a track record of steering complex programmes with market stability. Technical domains include naval architecture & concept design, mechanical systems engineering, electrical & electronics systems, cybersecurity system spec analysis, offshore & large platform construction, maritime project management, and global system integration.

⚓ Join the ShipPaulJobs Community

Join →
Share

Comments