The Relationship Between CBS Definition and Category Classification for Compliance with IACS UR E26 & E27

The Relationship Between CBS Definition and Category Classification for Compliance with IACS UR E26 & E27


If CBS is not clearly defined, critical vessel systems—such as propulsion, steering, and power management—become vulnerable to cyberattacks and operational failures, posing serious risks to safety and certification.

IACS UR E26 and E27 mandate CBS protection to mitigate these risks, and non-compliance can result in certification delays and operational disruptions.
Beyond regulatory compliance, defining CBS is essential for ensuring the cybersecurity and blackout resilience of IT and OT systems onboard.

Shipowners, shipyards, equipment manufacturers, and classification societies must collaborate to establish clear CBS standards to achieve strong security and seamless system integration.

Rather than facing costly consequences after an incident, now is the time to define and safeguard CBS to enhance vessel safety and competitiveness.

Before engaging in discussions with stakeholders involved in shipbuilding, take a moment to consider 'The Relationship Between CBS Definition and Category Classification for Compliance with IACS UR E26 & E27.'

1. CBS Definition in IACS UR E26 and Its Importance

(1) Definition of CBS (Controlled and Blackout-Survivable System) in IACS UR E26

According to IACS UR E26, Sec.2 Definitions, CBS is defined as follows:

"A programmable electronic device, or interoperable set of programmable electronic devices, organized to achieve one or more specified purposes such as collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
CBSs onboard include IT and OT systems.
A CBS may be a combination of subsystems connected via network.
Onboard CBSs may be connected directly or via public means of communications (e.g. Internet) to ashore CBSs, other vessels’ CBSs and/or other facilities."

(2) Key Aspects of the CBS Definition

  • Includes IT and OT systems: CBS comprises both Information Technology (IT) and Operational Technology (OT) systems.
  • Composed of programmable electronic devices and networks: CBS can be an individual system or a combination of multiple subsystems connected via a network.
  • Potential connection to external networks: Onboard CBSs may connect directly or via public communication channels (e.g., the internet) to shore-based CBSs, other vessels, or facilities.

(3) Importance of CBS Definition

A clear CBS definition is crucial for ensuring cybersecurity and operational continuity onboard vessels:

  • Cybersecurity risks: If CBS systems are compromised, critical functions such as propulsion, steering, and power management could be disabled.
  • Operational safety and continuity: CBS systems must remain functional even in blackout situations or system failures to ensure vessel safety.
  • Compliance with IACS UR E26 & E27: Failure to meet cybersecurity regulations could affect class certification and insurance eligibility for vessels.

2. Key Requirements of IACS UR E26

IACS UR E26 establishes cybersecurity requirements for vessel systems, including:

(1) System and Network Protection

  • Cybersecurity measures must be applied to IT and OT systems, including CBS.
  • Network separation and access control are essential.
  • Regular security updates and patch management are mandatory.

(2) Cyber Risk Assessment and Management

  • Risk assessments and security evaluations must be conducted for CBS systems.
  • Cyber incident response plans and contingency procedures must be in place.

(3) Ensuring Operational Continuity

  • CBS must remain functional during blackout or cyberattack scenarios.
  • Critical systems (propulsion, steering, communication) must have backup mechanisms.

3. Category Classification in IACS UR E26

IACS UR E26 categorizes vessel systems based on their importance and the impact of failure into four categories:

CategoryFailure EffectsTypical System Functionality
Category IFailure does not pose a risk to human safety, vessel safety, or the environment.Monitoring, informational, and administrative functions.
Category IIFailure could eventually lead to dangerous situations for human safety, vessel safety, or the environment.Vessel alarm, monitoring, and control systems necessary for normal operation.
Category IIIFailure could immediately result in dangerous or catastrophic situations for human safety, vessel safety, or the environment.Control functions for maintaining vessel propulsion, steering, and safety.
OthersSystems required by statutory regulations.Vessel navigation, internal/external communication systems.

4. Relationship Between CBS Definition and Category Classification

(1) CBS and Category III & Others

  • CBS is directly related to Category III and Others systems onboard.
  • Category III systems (propulsion, steering, power management) are essential for safe vessel operation, and their failure could cause severe risks.
  • Others systems (navigation and communication) are legally required and must remain operational under all circumstances.

(2) Need for CBS Protection

  • Cybersecurity measures are essential for protecting Category III and Others systems.
    • If a Category III system is hacked, vessel operation could be entirely disrupted.
    • CBS must be secured with network separation, access control, and regular security updates.
  • Category I & II systems require a lower level of security but may still impact CBS if interconnected.

5. IACS UR E27 and CBS Protection

IACS UR E27 categorizes vessel networks based on security requirements and importance:

SystemDescription
Systems directly connected to CBSCritical control systems (propulsion, steering, safety) classified under Category III & Others.
Other systems connected to CBSAny system based on Internet Protocol (IP) connected to CBS.
Passenger and visitor servicesPassenger-facing networks such as onboard internet and entertainment.
Vessel administrative and crew welfare systemsInternal networks used for crew administration and welfare.

(1) CBS Network Security Measures

  • CBS must be isolated from external networks.
  • Passenger and administrative networks must remain separate from CBS.
  • Category III & Others systems require strict access control and security patch management.

6. Conclusion: The Relationship Between CBS Definition and Category Classification for Compliance with IACS UR E26 & E27

(1) Compliance with IACS UR E26 through CBS and Category Classification

  • CBS includes IT and OT systems that are crucial for vessel operations.
  • Category III & Others systems are directly linked to CBS and require the highest level of protection.
  • To comply with IACS UR E26, vessels must implement strict cybersecurity measures to protect CBS.

(2) Compliance with IACS UR E27 Through CBS Network Security

  • CBS may be connected to various onboard and external networks, requiring robust security policies.
  • To comply with IACS UR E27, CBS networks must be segregated and protected against cyber threats.

🚢 In conclusion, strengthening CBS protection is essential for compliance with IACS UR E26 & E27 and ensuring vessel safety and operational continuity. 🚢

Comments

Post a Comment

Popular posts from this blog

[MaritimeCyberTrend] Relationship and prospects between U.S. Chinese maritime operations and maritime cybersecurity

Image
U.S. Sanctions on Chinese Ships & Cybersecurity Compliance The U.S. Trade Representative (USTR)’s sanctions on Chinese shipping and shipbuilding are expected to heighten the importance of cybersecurity regulations in vessel operations. In particular, as the U.S. increasingly frames Chinese-built ships and shipping companies as cybersecurity risks, compliance with maritime cybersecurity standards will become a critical issue for global shipping stakeholders. The United States is increasingly likely to classify Chinese-built vessels as national security and cybersecurity threats, using this as a basis for additional regulations and sanctions. In particular, drawing from past sanctions on Huawei and ZTE, the U.S. may argue that ships built in Chinese shipyards and equipped with Chinese IT systems (navigation, communication, and monitoring equipment) pose risks to the digital maritime infrastructure of the U.S. and its allies. As a result, the U.S. Coast Guard (USCG) is expected to s...
Read more

인공지능 서비스 - 챗봇, 사전에 충분한 지식을 전달하고 함께 학습 하기!

Image
우리는 앞선 글을 통해 성공적으로  AI 서비스를  개발하거나 도입하는 것을 목적으로  프로젝트의 공식 착수 이전에  목표로 하는 AI 서비스에 대하여, 소속된 조직 내부는 물론 기업내 협력이 요구되는 조직들  각자가 서로 다른 정의와 기대 효과 그리고 활용 방안을 가지고 있던 상황을 해결할 필요가 있는것을  잘 알고 있습니다. 이를 위해 가장 먼저, 이해 관계자들이 그 추진 방향과 목표를 공감 할 수 있도록 잘  알려진 선행 사례와 수치를 활용하여 필요성 측면에서 사전 논쟁을 유도 하였으며  앞으로의 프로젝트 진행 단계 별 추진 방향에 대한 의사 결정의 매 순간  마다 이해 관계자들에게 정확한  정보를 전달 할 것임을 암시적으로 표현 하기도 하였습니다. 이제 남은 것은 관련 분야에 경험이나 지식이 없는 상황에서 잘못된 의사 결정이나 행동을 미연에 방지하기 위해   "사전에  충분한 지식을 전달하고 함께 학습 " 하는  것이라 생각 합니다. (나던 남이던 알면 얼마나 더 알겠는가.. 인터넷 검색만 해도 다 나오는 한 줌도 되지 않는 지식으로 자존심 세우려 하지 말고, 함께 학습 하며 결과물의 완성도를 높이는 대 힘쓰자~! 그것이 상생이다. 꼰대가 되지 말자~!) 이는 본인의 경험을 바탕으로 작성된 글임을 다시 한번 밝히며, 이러한 사항이 AI 업계에 종사 하시는 분들에게도 도움이 되기를 바라는 마음에  그 사례를 소개 하고자 합니다. (관련 전문 용어나 이미지 등은 하단의 reference 들을 참조 하여 작성 하였습니다.) 챗봇의 작동 원리 그리고 최적 성능 확보를 위한 노력   역은이: In-Sung Lee 모든 챗봇이 인간의 언어를 완벽히 이해하고 자연스럽게 대화하는 것을 목표로 가져야 할까요 ? 아마도 사람처럼 말하고 답변 하지 않는 단순 챗봇이라 하더라도 고객의 문제를 해결해 줄 수 있다면 그 자체로 의미가 있...
Read more

[Curriculum] Sungkyunkwan University - Department of Information Security - Course Sequence by Areas of Interest

Image
The order in which subjects are approached may vary depending on the student's major, interests, and learning goals. However, generally, taking courses in the following sequence allows for efficient learning. (Source: Sungkyunkwan University GSIC ) 1. Basic Courses First, it is essential to understand fundamental theories and basic concepts. The following courses help build foundational knowledge: Introduction to Digital Forensics (FSI5056) : Establishes the basics of digital forensics and teaches various methods for collecting and analyzing digital evidence. Korea University Graduate School of Information Security Introduction to Cryptography (GSIS001) : Covers the fundamental principles and applications of encryption technologies for data protection. Life Coding Database (GSID003) : Introduces key concepts and practical skills for data storage and management. Operating Systems (GSID021) : Helps understand the structure and functions of operating systems, which are the core of com...
Read more