Cyber Regulatory Landscape and Industry Responses in the Shipbuilding and Maritime Sector – Part 2: The Hidden Reality of Supplier-Driven Risk Shaking the Shipbuilding Industry

1. Most Suppliers Still Do Not Truly Understand UR E27

Although UR E27 has been around for several years, conversations with system suppliers still reveal the same questions:

  • “How much do we actually need to produce?”

  • “Who is responsible for writing this—us or the shipyard?”

  • “What exactly does the class society expect?”

This is not because suppliers are unprepared or unwilling.

👉 The real problem is the lack of practical, unified guidance.

  • The items exist, but the criteria do not.

  • The criteria exist, but the interpretations differ.

  • The interpretations differ, so documentation quality varies dramatically.

And because SCARP (E26) is built on supplier documentation,
this inconsistency is now creating a growing structural risk across the entire shipbuilding and maritime sector.



2. Why Supplier Documentation Quality Directly Determines the Ship’s Cyber Resilience

SCARP—the centerpiece of UR E26—is constructed on top of supplier E27 documentation.

That means:

  • Weak E27 → Weak SCARP

  • Weak SCARP → Inaccurate RA/RM

  • Inaccurate RA/RM → Failed cyber response during operation

Two truths stand out:

  1. E27 may appear to concern individual equipment,
     but it actually influences the entire ship architecture.

  2. High-quality E27 documentation cannot be produced by suppliers alone—
     it requires a coordinated, industry-wide structure.


3. What Suppliers Are Actually Asking — The Real Pain Points

Across dozens of suppliers supported by EY MCH, we repeatedly encounter these questions:

  • “What exactly is CIS Control?”

  • “To what depth should we define Zone & Conduit?”

  • “Is our system Target or Non-Target?”

  • “Who validates our E27 document?”

  • “What typically fails during class reviews?”

  • “We only have PLCs, no servers—do we still need E27?”

  • “How do we support security patching during operation?”

Surprisingly, these questions come not only from small vendors—but also from global Tier-1 suppliers.

👉 This is not a supplier capability problem.
👉 This is a structural problem rooted in the absence of clear industry standards.


4. The Core Issue: Shipyards, Owners, and Suppliers Are Still Working in Isolation

Today’s industry reality looks like this:

  • Shipowners interpret the rules.

  • Shipyards calculate schedule and design impact.

  • Suppliers try to create documents.

  • Class societies review based on their own interpretations.

  • SI companies focus only on connectivity and integration.

In short: everyone is working separately, based on different assumptions.

This leads to:

  • Different Zone & Conduit models per vessel

  • Different RA/RM methodologies

  • Highly inconsistent supplier documentation

  • Completely different SCARP quality between shipyards

This is not a “difference” —
it is a compounding structural risk that undermines long-term fleet resilience.


5. The Solution: Owner Policy + CRSI + Industry Standardization

Field experience shows that three actions are essential:

1) Establish a unified Owner Cybersecurity Policy

Without it, every project defaults to either the shipyard’s interpretation or the supplier’s interpretation.

2) Introduce a CRSI (Ship Cyber Resilience Integrator)

A CRSI harmonizes:

  • Documentation quality

  • System architecture

  • Zone & Conduit

  • RA/RM methodology

  • Class feedback

  • SCARP completeness

  • FAT and onboard results

Without this integrator role, fragmentation is guaranteed.

3) Create global-level supplier guidance and standardization

This is the only practical solution to the biggest pain point in the market.


6. Final Message — The Next 10 Years Will Depend on Standardization

Suppliers are confused.
Shipyards are pressured by schedules.
Shipowners often lack a clear baseline.

In this environment, UR E26/E27 will not merely be “requirements”—
they will become major sources of cost, delays, and inconsistent risk management.

But there is a positive perspective:

👉 Right now is the best opportunity the industry has ever had to build true standardization.
👉 What we choose today will define the cyber resilience of smart ships for the next decade.

The Shipjobs series will continue to share:

  • Real field insights

  • Industry pain points

  • Practical frameworks and solutions

as the shipbuilding ecosystem undergoes the most important structural transformation in its history.
