Cyber Regulatory Landscape and Industry Responses in the Shipbuilding and Maritime Sector – Part 3: Why should shipyards accept UR E26 as 'part of the basic design'?

UR E26 Is Not a “Cyber Regulation”

Why Shipyards Must Treat It as Part of Basic Design

Zone & Conduit, System Boundary, RA/RM — Everything Begins at the Earliest Design Stage

1. The Shipbuilding Industry Has Long Believed

“Cybersecurity = Post-Delivery Issue”

For decades, shipyards have followed four traditional priorities:

  • Design according to the contracted specifications

  • Install all systems on time

  • Pass class inspections

  • Complete a safe handover to the shipowner

In other words, the prevailing belief has been:

“Cybersecurity is something the operator handles after delivery.”

However, this mindset is no longer valid in the era of UR E26.
Cybersecurity is now considered part of the shipyard’s responsibility, from the earliest design stages all the way through delivery.



2. UR E26 Is Not a “Security Requirement” — It Is a Design Standard

Many still misunderstand UR E26 as a set of cybersecurity rules.

In reality, E26 is much closer to a ship systems design standard, because it requires a fully defined engineering structure, including:

  • System Boundary definition

  • Zones and Conduits modeling

  • Network topology structuring

  • Asset Inventory component definition

  • Analysis of interconnected interfaces

  • Criticality and cyber impact assessment

  • Evidence and basis for RA/RM execution

All of these elements are determined during the Basic Design stage (L0/L1).

In simple terms:

“If the design is not defined, UR E26 cannot exist.”

3. If E26 Is Not Embedded in Basic Design,

the Entire Industry Pays the Price**

What happens when UR E26 is not considered during the Basic Design phase?

The same issues appear repeatedly across real projects:

Problem 1: Late Zone & Conduit definition leads to large-scale rework

Once layout drawings, piping diagrams, and network structures have already been finalized,
creating the ZCD afterward forces a full rework of:

  • Drawings

  • Documents

  • Interface definitions

  • Network and system structure

This is one of the most common causes of schedule delays,
and a significant burden for both shipyards and suppliers.

Problem 2: RA/RM does not match the design, triggering repeated class findings

If RA/RM identifies a “critical zone connection risk,”
the system architecture must be altered.

In severe cases, class review must restart entirely.

This affects every stakeholder:

  • Shipyards

  • Shipowners

  • Class societies

  • Suppliers

Problem 3: Suppliers must rewrite E27 documentation, causing schedule slips

Supplier E27 documentation must align with the actual design structure.

But when the design changes late:

  • E27 documentation must be rewritten

  • SCARP (E26) must be reintegrated

  • RA/RM must be recalculated

  • Final class submission is delayed

All of this stems from not integrating E26 during the Basic Design phase.

4. UR E26 Is Not a Post-Delivery Paperwork Task

It Is a Design-Based Modeling Process**

Every E26 deliverable required for annual audits and incident response
ultimately depends on accurate system modeling during the design stage.

E26 requires:

  • Defining the complete system boundary of the vessel

  • Mapping system and equipment interfaces

  • Identifying the location and connectivity of risks

  • Determining the placement of defensive controls

  • Designing a structure that supports proper MOC (Management of Change)

This is not simply “security documentation.”
It is an engineering process, which is why E26 fundamentally belongs to Basic Design.

5. Why Shipyards Must Now Declare a “Cyber by Design” Era

In the UR E26 era, shipyards must adopt a new design philosophy:

1) Cyber by Design — Security is embedded from the beginning

Just like structural, electrical, piping, and environmental design,
cybersecurity must be included at the earliest design stages.

2) System Modeling — The entire vessel is one cyber system

A modern ship is no longer a collection of equipment.
It is a network-connected cyber-physical system (CPS).

3) Supplier Integration — Supplier documentation is unified based on a design model

The shipyard must define the standard
so supplier documentation can be consistent and aligned.

4) Collaboration with CRSI — Central coordination becomes mandatory

Given the scale and complexity of interconnected systems,
a dedicated CRSI function is essential to coordinate, validate, and integrate ship-wide cybersecurity requirements.

6. Conclusion — The Shipyard Must Change for the Industry to Survive

UR E26 is not a simple compliance requirement.
It is the starting point of a new design, production, and operational model
that the shipbuilding industry must adopt.

And the starting point is clear:

UR E26 must be embedded into Basic Design.

This is Cyber by Design.

This shift does not add burden to shipyards.
It becomes the foundation that allows shipyards to lead the global market
for the next decade.

The Shipjobs series will continue documenting
this transformation and the real challenges unfolding across the industry.

Comments

Post a Comment

Popular posts from this blog

[MaritimeCyberTrend] Relationship and prospects between U.S. Chinese maritime operations and maritime cybersecurity

Image
U.S. Sanctions on Chinese Ships & Cybersecurity Compliance The U.S. Trade Representative (USTR)’s sanctions on Chinese shipping and shipbuilding are expected to heighten the importance of cybersecurity regulations in vessel operations. In particular, as the U.S. increasingly frames Chinese-built ships and shipping companies as cybersecurity risks, compliance with maritime cybersecurity standards will become a critical issue for global shipping stakeholders. The United States is increasingly likely to classify Chinese-built vessels as national security and cybersecurity threats, using this as a basis for additional regulations and sanctions. In particular, drawing from past sanctions on Huawei and ZTE, the U.S. may argue that ships built in Chinese shipyards and equipped with Chinese IT systems (navigation, communication, and monitoring equipment) pose risks to the digital maritime infrastructure of the U.S. and its allies. As a result, the U.S. Coast Guard (USCG) is expected to s...
Read more

Understanding IMO MSC-FAL.1/Circ.3/Rev.3

Image
  Its Alignment with IACS UR E26/E27 and the Impact on the Maritime Industry In April 2025, the International Maritime Organization (IMO) released a critical revision to its maritime cybersecurity framework — MSC-FAL.1/Circ.3/Rev.3 .  This revision replaces its 2021 predecessor, Rev.2, and marks a significant paradigm shift from basic cyber risk awareness to structured cyber resilience implementation across all digital assets involved in maritime operations. Why does this matter? Because this new guidance is not just another update — it’s a direct policy foundation for the upcoming IACS Unified Requirements UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of Onboard Equipment) , both becoming mandatory for all new vessels contracted from 1 July 2024 . 📌 1. What Has Changed? Comparing Rev.2 vs. Rev.3 The previous Rev.2 served primarily as an awareness-raising document — encouraging companies to consider cyber risk within Safety Management Systems (SMS)....
Read more

Examining the Reality of Cyber Incidents and the Shortfalls in Compliance Frameworks

Image
🌐 When a Ship's GPS Is Hacked: The Gap in Global Maritime Cyber Regulations – Examining the Reality of Cyber Incidents and the Shortfalls in Compliance Frameworks As maritime logistics rapidly digitalizes, the 2025 cyber grounding of MSC Antonia marks a clear turning point—showing that the industry must move beyond technology alone and embrace practical cyber resilience in real-world operations. The maritime cyber market has reached a turning point where it must move beyond mere technical compliance; it now requires the integrated operation of real-time threat response capabilities during vessel operation, organizational-level cyber governance, and the practical cybersecurity competence of crew members to effectively bridge the gap between stagnant global regulations and rapidly evolving threats. 📌 1. The 2025 MSC Antonia Incident – A Ship Hacked Mid-Voyage In May 2025, the MSC Antonia, a container ship operated by one of the world’s largest shipping lines, ran aground near Jedda...
Read more