[CRSI] IACS UR E26 Cybersecurity Requirements: Roles of Shipowners, Shipyards and Suppliers
IACS UR E26/E27 Cybersecurity Deliverables: Roles and Responsibilities of Owners, Shipyards, and Suppliers
A Practical Breakdown of 23 Required Deliverables Across the Maritime Stakeholder Value Chain
- LinkedIn : https://www.linkedin.com/in/shipjobs/
Collaborator : Lew, Julius, Jin, Morgan, Yeon
Since the enforcement of IACS UR E26 and UR E27, the maritime industry has faced significant challenges in interpreting and implementing cybersecurity requirements across the shipbuilding value chain. This article provides a structured breakdown of 23 required cybersecurity deliverables — clarifying what shipowners, shipyards, and suppliers are each responsible for, and how these responsibilities interconnect under the IACS framework.
Ⅰ. Why Uncertainty Persists After IACS UR E26/E27
The maritime industry is currently experiencing significant uncertainty due to the implementation of IACS UR E26 and E27. In response, various classification societies have introduced their own guidelines to address these new cybersecurity requirements. However, despite these guidelines outlining the deliverables expected from owners, shipyards, and suppliers, the industry continues to face challenges in interpreting and implementing these requirements in real-world shipbuilding.
The key issues contributing to this confusion include:
- 1️⃣Lack of clarity on the practical application of cybersecurity deliverables beyond regulatory frameworks
- 2️⃣Varying interpretations across classification societies, leading to inconsistent requirements
- 3️⃣Uncertainty regarding the essential deliverables that must be prepared by different stakeholders in the shipbuilding process
To address these concerns, we analyzed the IACS UR framework, referencing NIST-based cybersecurity principles, and conducted interviews with classification societies, shipyards, and suppliers. This research identified and compared the key deliverables required for each entity and their interdependencies.
Ⅱ. 23 Required Cybersecurity Deliverables by Stakeholder
Based on the IACS UR E26/E27 framework and cross-stakeholder interviews, the following table maps each of the 23 cybersecurity deliverables to the responsible party — Owner, Shipyard, or Supplier. A cell entry indicates that the party must produce or provide that deliverable.
| No | Requirement | Owner | Shipyard | Supplier |
|---|---|---|---|---|
| 1 | Owner Policy Cybersecurity policy and operational guidelines | ✓ | — | — |
| 2 | Ship Cybersecurity and Resilience Program Establishment of cybersecurity and resilience program | ✓ | — | — |
| 3 | Management of Change (MoC) Operational change management plan | ✓ | — | Change mgmt plan for equipment |
| 4 | Management of Software Updates Policy for managing software updates in operation | ✓ | — | Software update procedures for equipment |
| 5 | Management of Firewalls Network firewall policy and operational guidelines | ✓ | — | Security configuration guidelines |
| 6 | Management of Malware Protection Malware detection and response plan in operation | ✓ | — | Malware protection function for equipment |
| 7 | Management of Access Control Access control management for shipboard systems | ✓ | — | Access control features for equipment |
| 8 | Management of Remote Access Remote access policy and control | ✓ | — | Security assessment of remote access for equipment |
| 9 | Management of Mobile and Portable Devices Security policy for portable and removable storage | ✓ | — | Secure data transmission for equipment |
| 10 | Detection of Security Anomalies Implementation of security anomaly detection system | ✓ | — | Security anomaly detection for equipment |
| 11 | Verification of Security Functions Continuous evaluation and improvement of security functions | ✓ | — | Security test results for equipment |
| 12 | Incident Response Plans Incident response plan and procedures | ✓ | — | Incident response support information for equipment |
| 13 | Recovery Plans Cyber attack recovery plan | ✓ | — | Recovery and reinstallation procedures for equipment |
| 14 | Cybersecurity Specification Specification of cybersecurity requirements | — | ✓ | — |
| 15 | Ship Asset Inventory IT/OT asset inventory for the ship | — | ✓ | Asset inventory for CBS |
| 16 | Zones and Conduit Diagram Zoning and data flow diagram of ship network | — | ✓ | Network topology diagram for equipment |
| 17 | Cybersecurity Design Description (CSDD) Description of cybersecurity design and policies for the ship | — | ✓ | Security capabilities description for equipment |
| 18 | Risk Assessment for Exclusion of CBS Risk assessment for IT/OT system cybersecurity exclusion | — | ✓ | Security risk assessment for equipment |
| 19 | Description of Compensating Countermeasures Explanation of compensating cybersecurity measures | — | ✓ | Alternative security countermeasures for equipment |
| 20 | Ship Cyber Resilience Test Procedure Cyber resilience test procedure for the ship | — | ✓ | Security function test procedures for equipment |
| 21 | Plans for Maintenance and Verification Long-term security maintenance and verification planning | — | — | Maintenance and security verification plans for equipment |
| 22 | Test Reports Formal security test documentation | — | — | Security test reports for equipment |
| 23 | TA (Type Approval) Certification ClassNK, DNV, ABS, LR type approval documents | — | — | TA certification documents for equipment |
Ⅲ. Summary of Responsibilities for Each Stakeholder
Based on the traditional value chain of the shipbuilding and maritime industry, the following outlines the specific roles of shipowners, shipyards, and suppliers in maritime cybersecurity compliance.
1. Shipowners
As the entity responsible for ship operations, the shipowner must establish cybersecurity policies to ensure compliance with IACS UR E26. Additionally, they must collaborate with shipyards and suppliers to clearly define security requirements and verify cybersecurity measures from an operational perspective after ship delivery.
| Key Role | Details |
|---|---|
| Establish Cybersecurity Policies | Develop a "Ship Owner Policy" to define cybersecurity standards for the vessel |
| Approve Requirements | Review and approve shipyard-provided designs and functional test procedures |
| Collaborate with Classification Societies | Ensure compliance with IACS UR E26/E27 in coordination with classification societies |
2. Shipyards (Ship Builders)
As the system integrator, the shipyard is responsible for managing the documentation and testing of IACS UR E26 (System Functional Tests) throughout the shipbuilding process.
| Key Role | Details |
|---|---|
| Define Requirements | Establish cybersecurity and power system functional test requirements based on UR E26 |
| Coordinate with Suppliers | Ensure that suppliers provide TA (Type Approval) certified equipment |
| System Integration | Verify that all subsystems are securely integrated and comply with UR E26 requirements |
| Testing & Verification | Conduct system functional tests and cybersecurity assessments, resolving identified issues |
| Final Approval | Ensure compliance with classification society inspections and facilitate ship delivery |
3. Suppliers
Suppliers manufacture ship systems and equipment and must provide IACS UR E27-compliant components while obtaining the necessary certifications. Suppliers play a critical role in developing equipment that meets shipyard and classification society requirements, integrating cybersecurity functions, and obtaining certification through performance and functional testing.
| Key Role | Details |
|---|---|
| Obtain TA Certification | Ensure equipment complies with IACS UR E27 by obtaining Type Approval (TA) from classification societies |
| Perform FAT | Conduct Factory Acceptance Tests (FAT) to validate performance and functionality of supplied equipment |
| Integrate Cybersecurity Features | Implement firewalls, malware protection, access control, and remote access security into equipment |
| Provide Security Documentation | Deliver security test procedures and functional test reports per shipyard and classification society requirements |
| Enable Anomaly Detection | Equip systems with network anomaly detection capabilities and security event logging |
| Collaborate with Shipyards & Owners | Ensure supplied equipment meets security requirements; provide ongoing technical support and maintenance plans |
Ⅳ. Stakeholder Role Matrix: Our Recommendations
In the emerging maritime cybersecurity market, ensuring that each stakeholder fulfills well-defined cybersecurity responsibilities is critical. The following matrix summarizes recommended actions for each party:
| Category | Owners | Shipyards | Suppliers |
|---|---|---|---|
| Primary Role | Define cybersecurity requirements | System design, integration, and functional testing | Manufacture equipment and implement cybersecurity features |
| Key Documents | Develop "Owner Policy" and define security requirements | Create "Cybersecurity Specification" and perform system integration | Obtain "TA Certification" and submit security test reports |
| Testing & Validation | Participate in sea trials and final inspections | Conduct FAT/SAT and coordinate with classification societies | Perform FAT and provide functional test documentation |
| Classification Society Collaboration | Define security requirements for certification | Conduct functional and security validation for classification inspections | Provide TA-certified equipment for classification approval |
| Final Goal | Verify and approve IACS UR E26/E27 compliance | Ensure system integration and certification | Supply secure and tested equipment that meets industry standards |
We recommend clear role definitions for shipowners, shipyards, and suppliers to ensure compliance with IACS UR E26 cybersecurity requirements and smooth integration of security measures into ship systems.
Key Takeaways
13 operational-phase deliverables centered on policy, incident response, and lifecycle management
8 design-phase documents covering asset inventory, zones & conduits, CSDD, and test procedures
CBS-level deliverables: TA certification, FAT test reports, CSDD contributions, and maintenance plans
Classification society interpretations vary — the same system may receive different classifications under ClassNK, DNV, or ABS
Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together.
🌐 More Articles ↗
Comments
Post a Comment