Understanding IMO MSC-FAL.1/Circ.3/Rev.3
Its Alignment with IACS UR E26/E27 and the Impact on the Maritime Industry
In April 2025, the International Maritime Organization (IMO) released a critical revision to its maritime cybersecurity framework — MSC-FAL.1/Circ.3/Rev.3.
This revision replaces its 2021 predecessor, Rev.2, and marks a significant paradigm shift from basic cyber risk awareness to structured cyber resilience implementation across all digital assets involved in maritime operations.
Why does this matter? Because this new guidance is not just another update — it’s a direct policy foundation for the upcoming IACS Unified Requirements UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of Onboard Equipment), both becoming mandatory for all new vessels contracted from 1 July 2024.
📌 1. What Has Changed? Comparing Rev.2 vs. Rev.3
The previous Rev.2 served primarily as an awareness-raising document — encouraging companies to consider cyber risk within Safety Management Systems (SMS). In contrast, Rev.3 provides actionable, measurable, and documentable requirements, making it more of a technical standard than a guideline.
| Feature | Rev.2 (2021) | Rev.3 (2025) |
|---|---|---|
| Core Purpose | Risk awareness & high-level guidance | Achieving structured, measurable cyber resilience |
| Framework | Based on NIST CSF (v1) | Based on NIST CSF v2.0, includes Minimum Security Controls |
| Scope | Focus on onboard IT/OT systems | Expanded to shore-side links, port interfaces, autonomy, supply chains |
| Training | Recommended only | Mandatory annual training, with OT-specific modules |
| Documentation | Basic risk analysis records | Asset inventories, zone maps, incident response & recovery plans required |
Rev.3 transforms from “what you should consider” to “what you must prepare and prove.”
🧩 2. Why It Matters — Rev.3 and UR E26/E27
Both UR E26 and UR E27 from the International Association of Classification Societies (IACS) define mandatory cybersecurity requirements for ship systems and equipment. They will be enforced from July 2024 onward.
🔐 UR E26: Cyber Resilience of Ships
This standard applies to ship-wide Operational Technology (OT) systems, focusing on critical functions such as propulsion, steering, ballast, fire systems, and navigation.
How Rev.3 aligns:
- Asset Inventory: Rev.3 mandates maintaining a current list of all hardware/software and system interconnections → directly required by UR E26 for cybersecurity zoning.
- Network Segmentation: Rev.3 recommends secure zoning and segmentation of ship networks → UR E26 enforces this technically with physical/logical security zones.
- Incident Response & Recovery: Rev.3 demands documented and tested response strategies → UR E26 requires actionable recovery steps as part of system certification.
- Documentation Governance: Rev.3 sets expectations for maintaining updated diagrams, policies, and logs → these serve as audit artifacts under UR E26’s verification process.
⚙️ UR E27: Cyber Resilience of Onboard Equipment
UR E27 focuses on individual equipment and systems, such as sensors, PLCs, control units, and HMIs.
How Rev.3 aligns:
- Device Security Features: Rev.3 calls for access control, password policies, and firmware integrity → all directly required in UR E27 as embedded equipment capabilities.
- Patch & Update Management: Rev.3 mandates managed updates and vulnerability remediation → E27 requires secure software updates and version control processes.
- Authentication and Logging: Rev.3 defines user identification and access logging as essential → E27 treats these as non-negotiable technical criteria for type approval.
In summary, Rev.3 sets the strategic and documentation expectations, while UR E26/E27 enforce them through classification and certification mechanisms.
🧠 3. Stakeholder Insights
🏗️ For Shipyards
- Security must be embedded into design: Rev.3 encourages cyber zoning and documentation during early-stage engineering.
- Cybersecurity schematics (network topology, data flow maps, system classification) become contractual deliverables.
- Cyber-specific Factory/Site Acceptance Tests (FAT/SAT) will likely become standardized under UR E26 audits.
🚢 For Shipowners
- Integration into ISM and SMS is now non-optional. Cyber risk, incident response, and recovery must be part of safety documentation.
- Crew must undergo annual cybersecurity training, including OT-specific content (e.g., ECR systems, bridge systems).
- Shipowners will need to prove incident response readiness via drills and records, just as with fire or man-overboard scenarios.
⚓ For Classification Societies
- Rev.3 lays the foundation for E26/E27 to be auditable standards, not abstract policies.
- Class societies will play a larger role in approving cyber zoning designs, testing cyber controls, and monitoring compliance during annual surveys.
- There is growing demand for "Cyber Class Notations", especially for digitally integrated or remotely operated vessels.
📍 Final Thoughts: This is the New Normal
MSC-FAL.1/Circ.3/Rev.3 is no longer a suggestive roadmap — it’s a clear blueprint for how ships must be built, operated, and maintained in the digital age.
It provides a strategic policy layer that enables UR E26/E27 to function not only as technical standards but as enforceable measures integrated into class rules, insurance policies, and port security frameworks.
The maritime industry must now treat cybersecurity not just as a technical risk — but as a core part of vessel design, operations, safety, and certification.
📬 ShipJobs is committed to helping maritime professionals, shipbuilders, suppliers, and regulators stay ahead in this era of digital maritime transformation.
If you'd like to receive a downloadable checklist, a compliance self-assessment tool, or training recommendations — just drop us a message.
Rev.3: https://www.traficom.fi/sites/default/files/media/file/MSC-FAL.1-Circ.3-Rev.3%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20%28Secretariat%29.pdf