💡 Insight IACS UR E26 / E27 CRSI Maritime Cybersecurity

CRSI: The Missing Role in IACS UR E26/E27 — Why a Cyber Resilience Integrator Is No Longer Optional

Shipyards can't do it. Suppliers won't do it. Class won't model it for you. The CRSI is the role that bridges them all — from newbuilding through Annual Survey.

Captain Ethan

Maritime 4.0 · AI, Data & Cyber Security
- LinkedIn : https://www.linkedin.com/in/shipjobs/
Collaborator : Lew, Julius, Jin, Morgan, Yeon

Under IACS UR E26 and UR E27, a new role is quietly becoming essential across newbuilding projects: the CRSI — Cyber Resilience System Integrator. This is not a system integrator. It is not a shipyard design team. It is not an owner's ICT department. The CRSI is the organization that coordinates, harmonizes, and validates the entire vessel's cyber architecture — from design through operational Annual Survey. This article explains what a CRSI does, why it is different from a traditional SI, and why its absence is the root cause of most UR E26/E27 project failures.

Ⅰ. A New Role Emerging in UR E26/E27 Projects

For decades, the shipbuilding industry has operated with clearly defined roles: basic design engineers, outfitting design engineers, electrical design engineers, System Integrators (SI), and shipyard project managers. But in today's UR E26/E27 landscape, a new role is quietly appearing.

That role is the CRSI — Cyber Resilience System Integrator. A CRSI is not the same as:

• An SI (System Integrator) — which focuses on functional integration
• A shipyard design team — which manages construction and interfaces
• An owner's ICT department — which manages IT operations, not cyber architecture

The CRSI integrates systems and data across the entire vessel, focusing specifically on cyber resilience — coordinating, harmonizing, and validating how cyber-related elements work together across all stakeholders.

It is a role that no organization has previously taken responsibility for. And this absence is exactly what has caused the most confusion — and the most project delays — around UR E26/E27.

---

Ⅱ. Why Ships Need a CRSI: The Fully Connected Vessel

Ships were once a "collection of independent equipment." Today, that era is over. Modern vessels integrate all of the following into a single unified system:

Engine Control

IAS (Integrated Automation)

Navigation

Cargo Control

Power Management

Ballast / CCTV

Cyber-Enabled Sensors

OT / IT Networks

→ One CPS

All of these have become one unified Cyber-Physical System (CPS). The security target is no longer a single device — it is the entire connected architecture. In this environment:

✗Traditional designers cannot integrate all cyber elements across the vessel

✗Traditional SIs cannot manage security boundaries or risk structure

---

Ⅲ. The Eight Core Responsibilities of a CRSI

The CRSI's work spans the full project lifecycle — from design through newbuilding delivery and into operational Annual Surveys.

①

Zone & Conduit Consistency

Integrates all ZCD documentation from shipyards, suppliers, and network topology into a single coherent model

②

Asset Inventory Modeling

Converts diverse supplier documents into a unified Asset List covering equipment, subsystems, and network hosts

③

RA/RM Quality Control & Class Engagement

Ensures boundaries, risk ratings, and impact flows meet Class standards across all submitted documents

④

QA of Supplier E27 Documents & Baseline Setting

Standardizes completeness and structure across all E27 submissions to support high-quality SCARP development

⑤

SCARP (E26) Integrated Development

Connects supplier data → ZCD → RA/RM → SCARP into a single consistent, Class-approvable deliverable

⑥

FAT / Onboard Cyber Validation

Verifies that the cyber architecture is correctly implemented during Factory Acceptance Testing and onboard installation

⑦

Lifecycle-Based Operational Model

Maintains consistency of the cyber architecture from newbuilding → operation → maintenance throughout the vessel's life

⑧

Annual Survey Support for Operating Vessels

Supports shipowners through annual cyber surveys by managing SCARP updates, RA/RM revisions, asset list maintenance, cyber incident reviews, and Class survey compliance — closing the loop between newbuilding and real-world operation

---

Ⅳ. CRSI vs SI: Why They Are Not the Same

CRSI and SI are frequently confused, but their core functions differ significantly across every dimension of shipbuilding work.

Category	SI (System Integrator)	CRSI (Cyber Resilience Integrator)
Purpose	Functional system integration	Security & resilience integration across entire ship
Focus	Functions, interfaces, interoperability	Risks, boundaries, policies, cyber controls
Boundary	System-specific	Whole-ship cyber boundary
Documentation	FDS, ICD	E27, ZCD, RA/RM, SCARP
Class Interaction	Technical performance	Cybersecurity audit & compliance
Work Stage	Design & installation	Full lifecycle: design → operation → Annual Survey

If the SI is a functional engineer, the CRSI is a cyber architect + security integrator + policy coordinator — responsible for the coherence of the entire vessel's cyber posture from design through operations.

---

Ⅴ. What Shipowners Gain When a CRSI Is Present

For major shipowners operating dozens or hundreds of vessels, the CRSI becomes a long-term operational partner. With a CRSI in place:

✓ Unified standards across all yards & suppliers

✓ Consistent document structure & quality

✓ Higher RA/RM accuracy and impact logic

✓ Reduced Class approval risk and re-submission cycles

✓ Cyber incident response readiness

✓ Fleet-wide standardization and lower lifecycle costs

✓ Smooth and compliant Annual Surveys for all operating vessels — with SCARP updates, RA/RM revisions, and asset list maintenance handled continuously

---

Ⅵ. What Real Projects Tell Us: Without a CRSI, E26/E27 Stays Theory

Across many real-world UR E26/E27 projects, one conclusion is consistent:

✗Shipyards cannot fully manage cyber integration — schedule pressure forces them to prioritize construction

✗Suppliers cannot unify documentation quality across a multi-supplier environment

✗Class reviews submissions — but does not model the system architecture for you

✗SIs focus on functional integration, not cyber resilience or risk architecture

✗Shipowners struggle to maintain cyber documentation during operations — especially for Annual Surveys

A third-party integrator is not a nice-to-have. It is the only structural solution to a gap that no existing shipbuilding role was designed to fill. That role is the CRSI.

---

Conclusion: CRSI Will Become the Standard Role for Maritime Cybersecurity

The industry is entering a fully digital, interconnected lifecycle: design → procurement → construction → operation → maintenance → Annual Survey. In this landscape, the security integrator role is not optional.

The CRSI is not a document vendor. It is a central hub linking design principles, supplier deliverables, Class requirements, fleet operations, and annual cyber surveys into one coherent, maintainable whole.

The Bottom Line

UR E26/E27 success or failure will ultimately depend on whether a CRSI is present.
With a CRSI: consistent documentation, faster Class approval, sustainable operations.
Without a CRSI: fragmented documents, repeated comments, delayed delivery, and annual survey failures.

---

Key Takeaways

🔗 CRSI Role

Not an SI, not a designer, not ICT — the CRSI is the only role responsible for integrating the entire vessel's cyber architecture end-to-end

🚢 Ships Are CPS

Modern vessels are Cyber-Physical Systems — the security target is the entire connected architecture, not individual devices

📋 8 Responsibilities

ZCD consistency, asset modeling, RA/RM QC, E27 baseline, SCARP integration, FAT validation, lifecycle model, Annual Survey support

⚠️ The Gap

Without a CRSI, E26/E27 remains theory — yards, suppliers, Class, and SIs each cover part of the picture, but no one owns the whole

#CRSI #IACSE26 #IACSE27 #MaritimeCybersecurity #CyberResilience #ShipbuildingCyber #SCARP #ClassApproval #Maritime40

Captain Ethan

Maritime 4.0 · AI, Data & Cyber Security

Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together.

🌐 More Articles ↗