[CRSI] IACS UR E26/E27 System Classification Guide — 2. 10 Essential Elements Every Supplier Must Prepare


Required Documents for IACS UR E27 Compliance — 10 Essential Elements Every Supplier Must Prepare

When a Computer-Based System (CBS) is designated as a security target under IACS UR E27, these 10 documents must be submitted to class for approval or information.

Captain Ethan
Maritime 4.0 · AI, Data & Cyber Security  ·  linkedin.com/in/shipjobs

Under IACS Unified Requirement E27, any Computer-Based System (CBS) installed onboard a vessel and designated as a security-relevant system must comply with a structured set of documentation requirements. These 10 documents — ranging from asset inventory and topology diagrams to incident response support and test reports — ensure that each CBS can be independently verified and integrated into the ship's overall cyber resilience framework as defined in UR E26.

Key Terms
CBS — Computer-Based System: onboard digital system subject to E27
IACS — International Association of Classification Societies
UR E27 — Unified Requirement for cyber resilience of onboard systems & equipment
UR E26 — IACS UR on cyber resilience at the ship (vessel) level
SDLC — Secure Development Lifecycle for software and firmware
Security Zone — Network segment with defined access and security boundary
Conduit — Communication channel connecting two or more security zones
Type Approval — Class certification granted for an approved security design
Asset Inventory — Documented list of all CBS hardware, software, and interfaces
Incident Response — Planned procedure for detecting and recovering from cyber incidents

Section Ⅰ — Overview: CBS Designation & Document Framework

IACS UR E27 sec.3.1 — Document submission context
📋 CBS Identified → ⚓ Designated under E27 → 📄 10 Documents Required → ✅ Class Approval
✅ Approve Class
Documents formally reviewed and approved by the classification society. Non-compliance may result in denial of class notation.
ℹ️ Info Class
Documents submitted for information and record only. Class does not formally approve these but they form part of the compliance package.
⚠️ Applicability Notes
Note 1: Required for CBS without type approved security capabilities
Note 2: Required for CBS with type approved security capabilities

Section Ⅱ — Design & Architecture Documents

E27 sec.3.1.1 ~ 3.1.2  ·  Class: Approve ¹⁾²⁾
sec.3.1.1 · Approve ¹⁾²⁾
1. CBS Asset Inventory
A complete inventory of all hardware, software, firmware, and network interfaces within the CBS scope.
→ To be incorporated into the Vessel asset inventory (E26 sec.4.1.1)
sec.3.1.2 · Approve ¹⁾²⁾
2. Topology Diagrams
Network topology showing all connections, interfaces, and data flows of the CBS.
→ Enables System Integrator to design security zones and conduits (E26 sec.4.2.1)

Section Ⅲ — Security Capability Documents

E27 sec.3.1.3 ~ 3.1.5  ·  Class: Approve / Info ¹⁾
sec.3.1.3 · Approve ¹⁾
3. Description of Security Capabilities
Documents required security capabilities (E27 sec.4.1) and any additional capabilities (E27 sec.4.2) implemented in the CBS.
sec.3.1.4 · Approve ¹⁾
4. Test Procedure for Security Capabilities
Detailed test procedures for verifying required security capabilities (sec.4.1) and additional capabilities (sec.4.2) on the CBS.
sec.3.1.5 · Info ¹⁾
5. Security Configuration Guidelines
Describes network and security configuration settings per E27 sec.4.1 item 29. Guides integrators on secure deployment.

Section Ⅳ — Lifecycle & Process Documents

E27 sec.3.1.6 ~ 3.1.9  ·  Class: Approve / Info ¹⁾
sec.3.1.6 · Approve ¹⁾
6. Secure Development Lifecycle (SDLC)
Evidence that the CBS was developed following a secure development process per E27 sec.5 requirements. Covers design, coding, testing, and release practices.
sec.3.1.7 · Info ¹⁾
7. Plans for Maintenance and Verification
Ongoing maintenance plan and verification schedule for security functionality per E27 sec.4.1 item 19. Ensures continued compliance post-delivery.
sec.3.1.8 · Info ¹⁾
8. Information Supporting Incident Response & Recovery
Covers four sub-items required for incident handling:
• Auditable events (item 13)
• Deterministic output (item 20)
• System backup (item 26)
• System recovery & reconstitution (item 27)
sec.3.1.9 · Info ¹⁾
9. Management of Change Plan
Formal process for managing changes to the CBS after delivery. Aligned with IACS UR E22 management of change requirements.

Section Ⅴ — Verification, Test Reports & Supplier Readiness

E27 sec.3.1.10  ·  Class: Info ²⁾
sec.3.1.10 · Info ²⁾
10. Test Reports
Final test reports documenting configuration of security capabilities and hardening of the CBS, referencing E27 sec.3.1.5 (Security Configuration Guidelines) and E27 sec.5.7. Required for CBS with type approved security capabilities (Note 2).
📋 Supplier Readiness — Quick Reference
✅ Asset inventory mapped & linked to E26 vessel inventory
✅ Topology diagram reviewed by System Integrator
✅ Security capabilities documented (required + additional)
✅ Test procedures written & aligned to sec.4.1 / sec.4.2
✅ Security configuration guidelines published
✅ SDLC evidence compiled per sec.5
✅ Maintenance & verification schedule defined
✅ Incident response info (4 sub-items) documented
✅ Change management process aligned to E22
✅ Final test reports completed & archived
⚓ Captain's Take

IACS UR E27 isn't just a checklist — it's a systematic framework that forces suppliers to think about cybersecurity from the design phase through to post-delivery maintenance. For maritime suppliers entering the new-build market, understanding these 10 documents is table stakes for class compliance.

Asset inventory and topology diagrams (Approve ¹⁾²⁾) are the foundation — get these right first, as they feed directly into the ship-level E26 framework and affect how the System Integrator designs security zones.
Security capability descriptions (3.1.3) and test procedures (3.1.4) must be internally consistent — class will cross-check them. Any gap between what is described and what is tested will surface during approval review.
SDLC documentation (3.1.6) is increasingly scrutinized. Suppliers who adopt IEC 62443-4-1 practices will find this section considerably easier to satisfy and demonstrate to class surveyors.
Post-delivery documents (3.1.7–3.1.9) are often deprioritized, but shipowners and operators rely on them for ongoing OT security management throughout the entire vessel lifecycle — neglecting them creates long-term compliance gaps.
#IACS #URE27 #URE26 #CBS #CyberResilience #MaritimeCybersecurity #OTSecurity #SDLC #NewBuild #Maritime4.0
📚 Related Papers & Standards
1. IACS UR E27 — Cyber Resilience of On-board Systems and Equipment. IACS Unified Requirements · 2022 · iacs.org.uk/resolutions/unified-requirements/ur-e/
2. IACS UR E26 — Cyber Resilience of Ships. IACS Unified Requirements · 2022 · iacs.org.uk/resolutions/unified-requirements/ur-e/
5. The Guidelines on Cyber Security Onboard Ships (v4). BIMCO / CLIA / ICS / INTERCARGO / INTERTANKO · 2020 · bimco.org

Captain Ethan · In Sung Lee
Maritime 4.0 · AI, Data & Cyber Security
Collaborator: Lew, Julius, Jin, Morgan, Yeon
shippauljobs.com
