Disruptions in the Shipping Industry and Deliverables Based on IACS UR and Classification Society Guidelines for Owners, Shipyards, and Suppliers
Following the announcement of IACS UR E26/E27, uncertainty among stakeholders remains in the maritime cybersecurity market.
Although these guidelines outline the deliverables expected from owners, shipyards, and suppliers, the industry continues to face challenges in interpreting and implementing these requirements in real-world shipbuilding.
The key issues contributing to this confusion include:
1️⃣ Lack of clarity on the practical application of cybersecurity deliverables beyond regulatory frameworks.
2️⃣ Varying interpretations across classification societies, leading to inconsistent requirements.
3️⃣ Uncertainty regarding the essential deliverables that must be prepared by different stakeholders in the shipbuilding process.
To address these concerns, EY MCH has analyzed the IACS UR framework, referencing NIST-based cybersecurity principles, and conducted interviews with classification societies, shipyards, and suppliers. This research has enabled us to identify and compare the key deliverables required for each entity and their interdependencies.
📌 Required Deliverables for Owners, Shipyards, and Suppliers
No | Requirement | Owner | Shipyard | Supplier |
---|---|---|---|---|
1 | Owner Policy | Cybersecurity policy and operational guidelines | - | - |
2 | Ship Cybersecurity and Resilience Program | Establishment of cybersecurity and resilience program | - | - |
3 | Management of Change (MoC) | Operational change management plan | - | Change management plan for equipment |
4 | Management of Software Updates | Policy for managing software updates in operation | - | Software update procedures for equipment |
5 | Management of Firewalls | Network firewall policy and operational guidelines | - | Security configuration guidelines |
6 | Management of Malware Protection | Malware detection and response plan in operation | - | Malware protection function for equipment |
7 | Management of Access Control | Access control management for shipboard systems | - | Access control features for equipment |
8 | Management of Remote Access | Remote access policy and control | - | Security assessment of remote access for equipment |
9 | Management of Mobile and Portable Devices | Security policy for portable and removable storage devices | - | Secure data transmission for equipment |
10 | Detection of Security Anomalies | Implementation of security anomaly detection system | - | Security anomaly detection for equipment |
11 | Verification of Security Functions | Continuous evaluation and improvement of security functions | - | Security test results for equipment |
12 | Incident Response Plans | Incident response plan and procedures | - | Incident response support information for equipment |
13 | Recovery Plans | Cyber attack recovery plan | - | Recovery and reinstallation procedures for equipment |
14 | Cybersecurity Specification | - | Specification of cybersecurity requirements | - |
15 | Ship Asset Inventory | - | IT/OT asset inventory for the ship | Asset inventory for computer-based systems (CBS) |
16 | Zones and Conduit Diagram | - | Zoning and data flow diagram of ship network | Network topology diagram for equipment |
17 | Cybersecurity Design Description | - | Description of cybersecurity design and policies for the ship | Security capabilities description for equipment |
18 | Risk Assessment for Exclusion of Computer-Based Systems | - | Risk assessment for IT/OT system cybersecurity exclusion | Security risk assessment for equipment |
19 | Description of Compensating Countermeasures | - | Explanation of compensating cybersecurity measures | Alternative security countermeasures for equipment |
20 | Ship Cyber Resilience Test Procedure | - | Cyber resilience test procedure for the ship | Security function test procedures for equipment |
21 | Plans for Maintenance and Verification | - | - | Maintenance and security verification plans for equipment |
22 | Test Reports | - | - | Security test reports for equipment |
23 | TA (Type Approval) Certification | - | - | Type Approval (TA) certification documents (e.g., ClassNK, DNV, ABS) |
Summary of Responsibilities for Each Stakeholder
1. Shipowners
- Key Responsibilities of Shipowners
Key Role | Details |
---|---|
Establish Cybersecurity Policies | Develop a "Ship Owner Policy" to define cybersecurity standards for the vessel. |
Approve Requirements | Review and approve shipyard-provided designs and functional test procedures. |
Collaborate with Classification Societies | Ensure compliance with IACS UR E26/E27 in coordination with classification societies. |
2. Shipyards (Ship Builders)
- Key Responsibilities of Shipyards
Key Role | Details |
---|---|
Define | Establish cybersecurity and power system functional test requirements based on UR E26. |
Coordinate | Ensure that suppliers provide TA (Type Approval) certified equipment. |
System | Verify that all subsystems are securely integrated and comply with UR E26 requirements. |
Testing | system functional tests and cybersecurity assessments, resolving any identified issues. |
Final | Ensure compliance with classification society inspections and facilitate ship delivery. |
3. Suppliers
Suppliers play a critical role in developing equipment that meets shipyard and classification society requirements, integrating cybersecurity functions, and obtaining certification through performance and functional testing.
- Key Responsibilities of Suppliers
Key Role | Details |
---|---|
Obtain TA (Type Approval) Certification | Ensure that equipment complies with IACS UR E26 by obtaining Type Approval (TA) certification from classification societies. |
Perform Power System Functional Tests | Conduct Factory Acceptance Tests (FAT) to validate the performance and functionality of supplied equipment. |
Integrate Cybersecurity Features | Implement cybersecurity functions such as firewalls, malware protection, access control, and remote access security into equipment. |
Provide Testing Procedures & Security Documentation | Deliver security test procedures and functional test reports in accordance with shipyard and classification society requirements. |
Enable Security Anomaly Detection | Equip systems with network anomaly detection capabilities and security event logging. |
Collaborate with Shipyards & Owners | Support shipyards and owners by ensuring that supplied equipment meets security requirements, and provide ongoing technical support and maintenance plans. |
Security Certification & Documentation | Submit security test results and certification documents proving compliance with IACS UR E26 and classification society standards. |
4. EY MCH’s Role in the Emerging Maritime Cybersecurity Market
🚢 EY MCH’s Recommendations (Stakeholder Roles)
Category | Shipowners (Owner) | Shipyards (Shipbuilder) | Suppliers (Equipment Manufacturer) |
---|---|---|---|
Primary Role | Define cybersecurity requirements | System design, integration, and functional testing | Manufacture equipment and implement cybersecurity features |
Key Documents | Develop the "Owner Policy" and define security requirements | Create the "Cybersecurity Specification" and perform system integration | Obtain "TA Certification" and submit security test reports |
Testing & Validation | Participate in sea trials and final inspections | Conduct FAT/SAT and coordinate with classification societies | Perform FAT and provide functional test documentation |
Collaboration with Classification Societies | Define security requirements for certification | Conduct functional and security validation for classification inspections | Provide TA-certified equipment for classification approval |
Final Goal | Verify and approve IACS UR E26/E27 compliance | Ensure system integration and certification | Supply secure and tested equipment that meets industry standards |
📌 Conclusion: EY MCH recommends clear role definitions for shipowners, shipyards, and suppliers to ensure compliance with IACS UR E26 cybersecurity requirements and smooth integration of security measures into ship systems.