The Reality of Cyber Regulations Facing the Shipbuilding & Maritime Industry – Part 5: E26/E27 Era and the Emergence of a New Role, CRSI

 CRSI (Ship Cyber Resilience Integrator) —A New Player Integrating Shipyards, Suppliers, and Classification Societies — In the UR E26/E27 era, why is a “Cyber Integrator” absolutely essential?



1. A Newly Emerging Role in the E26/E27 Era: CRSI

For decades, the shipbuilding industry has operated with clearly defined roles:

  • Basic design engineers

  • Outfitting design engineers

  • Electrical design engineers

  • SI (System Integrator)

  • Shipyard PMs

But in today’s UR E26/E27 landscape, a new role is quietly appearing.

That role is the CRSI (Ship Cyber Resilience Integrator).

A CRSI is not the same as:

  • an SI (System Integrator),

  • a shipyard design team,

  • or an owner’s ICT department.

The CRSI integrates systems and data across the entire vessel, focusing specifically on cyber resilience—coordinating, harmonizing, and validating how cyber-related elements work together.

It’s a role that no organization has previously taken responsibility for.

And this absence is exactly what has caused confusion around UR E26/E27.


2. Why Do We Need CRSIs? — Ships Have Become Fully Connected Ecosystems

Ships were once just a “collection of independent equipment.”
Today, that era is over.

Modern vessels integrate:

  • Engine

  • IAS (Integrated Automation System)

  • Navigation

  • Cargo Control

  • Power Management

  • Ballast

  • CCTV

  • Cyber-enabled sensors

  • OT/IT Networks

All of these have become one unified Cyber-Physical System (CPS).

This means the security target is no longer a single device—
but the entire connected architecture.

In this environment:

  • The “traditional designers” cannot integrate all cyber elements.

  • The “traditional SI” cannot manage security boundaries or risk structure.

UR E26/E27 points directly at this issue by implying the need for a central integrator role.

That role is the CRSI.

3. Core Responsibilities of the CRSI: Integration, Coordination, Harmonization

The CRSI’s primary duties include:

① Maintaining Zone & Conduit Consistency

Integrating all ZCD documentation from shipyards, suppliers, and network topology into a single model.

② Asset Inventory Modeling

Converting diverse supplier documents into a unified Asset List, including equipment, subsystems, and network hosts.

③ RA/RM Quality Control and Class Engagement

Ensuring boundaries, risk ratings, and impact flows meet class standards.

④ QA of Supplier Documents (E27) & Setting Baselines

Standardizing completeness and structure to support high-quality SCARP development.

⑤ SCARP (E26) Integrated Development

Connecting supplier data → ZCD → RA/RM → SCARP into a consistent deliverable.

⑥ FAT / Onboard Cyber Validation

Verifying that cyber architecture is properly implemented during testing and onboard installation.

⑦ Lifecycle-Based Operational Model Development

Maintaining consistency of the cyber architecture from newbuilding → operation → maintenance.

⑧ Annual Survey for Operating Vessels (운항선 Annual Survey)

CRSI supports shipowners during annual cyber surveys required for in-service vessels, ensuring:

  • SCARP updates

  • RA/RM revisions

  • Asset list maintenance

  • Cyber incident review

  • Compliance with class survey requirements

This closes the loop between newbuild documentation and real-world vessel operation, ensuring cyber resilience remains valid throughout the ship’s life.


In short:
CRSI handles what shipyards cannot, suppliers won’t, and shipowners struggle to perform on their own — including the ongoing Annual Cyber Survey.

4. Why CRSIs Are Not the Same as SIs (System Integrators)

People often confuse SI and CRSI, but their core functions differ significantly.

CategorySI (System Integrator)CRSI (Cyber Resilience Integrator)
PurposeFunctional system integrationSecurity/resilience integration across entire ship
FocusFunctions, interfaces, interoperabilityRisks, boundaries, policies, cyber controls
BoundarySystem-specificWhole-ship cyber boundary
DocumentationFDS, ICDE27, ZCD, RA/RM, SCARP
Class InteractionTechnical performanceCybersecurity audit & compliance
Work StageDesign & installationFull lifecycle: design → operation (Annual Survey)

If the SI is a functional engineer,
the CRSI is a cyber architect + security integrator + policy coordinator.

5. CRSI Ultimately Protects the Shipowner’s Interests Most

When a CRSI is present, shipowners gain:

  • Unified standards across yards & suppliers

  • Consistent document structure & quality

  • Higher RA/RM accuracy

  • Reduced class approval risks

  • Cyber incident response readiness

  • Stronger fleetwide cyber resilience

  • Lower lifecycle operating costs

  • Standardization across entire fleet

  • Smooth and compliant Annual Surveys for operating vessels

For major shipowners, the impact scales across dozens or hundreds of ships.

In short:

The CRSI becomes a long-term operational partner protecting the entire fleet.

**6. What Real Projects Tell Us:

Without a CRSI, E26/E27 Is “Theory.”
With a CRSI, It Becomes “Reality.”**

Across many real-world projects, one conclusion is clear:

  • Shipyards cannot fully manage cyber integration due to schedule pressure.

  • Suppliers cannot unify documentation quality.

  • Class societies review submissions but do not model the system.

  • SIs focus on functional integration, not cyber resilience.

  • Shipowners struggle to maintain cyber documentation during operations—especially for Annual Surveys.

Thus, a third-party integrator is essential.

That role is fulfilled by the CRSI.

7. Conclusion — CRSI Will Become the Standard Role for the Shipbuilding & Maritime Industry

The industry is entering a fully digital, interconnected lifecycle:

design → procurement → construction → operation → maintenance → Annual Survey

In this landscape, the “security integrator” role is not optional—
it is essential.

The CRSI is not a document vendor, but a central hub linking:

  • Design principles

  • Supplier deliverables

  • Class requirements

  • Fleet operations

  • Annual cyber surveys

UR E26/E27 success or failure will ultimately depend on whether a CRSI is present.

Shipjobs will continue documenting how this new industrial structure evolves in future installments.

Comments

Post a Comment

Popular posts from this blog

[MaritimeCyberTrend] Relationship and prospects between U.S. Chinese maritime operations and maritime cybersecurity

Image
U.S. Sanctions on Chinese Ships & Cybersecurity Compliance The U.S. Trade Representative (USTR)’s sanctions on Chinese shipping and shipbuilding are expected to heighten the importance of cybersecurity regulations in vessel operations. In particular, as the U.S. increasingly frames Chinese-built ships and shipping companies as cybersecurity risks, compliance with maritime cybersecurity standards will become a critical issue for global shipping stakeholders. The United States is increasingly likely to classify Chinese-built vessels as national security and cybersecurity threats, using this as a basis for additional regulations and sanctions. In particular, drawing from past sanctions on Huawei and ZTE, the U.S. may argue that ships built in Chinese shipyards and equipped with Chinese IT systems (navigation, communication, and monitoring equipment) pose risks to the digital maritime infrastructure of the U.S. and its allies. As a result, the U.S. Coast Guard (USCG) is expected to s...
Read more

Understanding IMO MSC-FAL.1/Circ.3/Rev.3

Image
  Its Alignment with IACS UR E26/E27 and the Impact on the Maritime Industry In April 2025, the International Maritime Organization (IMO) released a critical revision to its maritime cybersecurity framework — MSC-FAL.1/Circ.3/Rev.3 .  This revision replaces its 2021 predecessor, Rev.2, and marks a significant paradigm shift from basic cyber risk awareness to structured cyber resilience implementation across all digital assets involved in maritime operations. Why does this matter? Because this new guidance is not just another update — it’s a direct policy foundation for the upcoming IACS Unified Requirements UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of Onboard Equipment) , both becoming mandatory for all new vessels contracted from 1 July 2024 . 📌 1. What Has Changed? Comparing Rev.2 vs. Rev.3 The previous Rev.2 served primarily as an awareness-raising document — encouraging companies to consider cyber risk within Safety Management Systems (SMS)....
Read more

Examining the Reality of Cyber Incidents and the Shortfalls in Compliance Frameworks

Image
🌐 When a Ship's GPS Is Hacked: The Gap in Global Maritime Cyber Regulations – Examining the Reality of Cyber Incidents and the Shortfalls in Compliance Frameworks As maritime logistics rapidly digitalizes, the 2025 cyber grounding of MSC Antonia marks a clear turning point—showing that the industry must move beyond technology alone and embrace practical cyber resilience in real-world operations. The maritime cyber market has reached a turning point where it must move beyond mere technical compliance; it now requires the integrated operation of real-time threat response capabilities during vessel operation, organizational-level cyber governance, and the practical cybersecurity competence of crew members to effectively bridge the gap between stagnant global regulations and rapidly evolving threats. 📌 1. The 2025 MSC Antonia Incident – A Ship Hacked Mid-Voyage In May 2025, the MSC Antonia, a container ship operated by one of the world’s largest shipping lines, ran aground near Jedda...
Read more