Redefining System Suppliers’ IACS UR E26/27 Interpretation Trends in Alignment with Cyber Resilience Principles
Recently, during the application of IACS UR E26 and E27, cases continue to be observed in which certain system suppliers refuse to submit required information, even though their systems clearly fall under CBS (Computer-Based Systems) and explicit classification society guidelines exist. The information in question includes key inputs such as the asset inventory, system configuration diagrams and communication interface information, as well as the foundational cybersecurity domains of Identify and Detect.
A Transitional Phenomenon — With Structural Change Underway
This situation is considered a temporary transitional phenomenon. In the mid- to long-term, the submission of relevant information and compliance with IACS standards will inevitably become a common direction across the entire market. The background to this trend includes the following structural changes:
- Continuous clarification of IACS UR E26 / E27 requirements by classification societies
- Strengthening of Cyber Resilience responsibilities for shipbuilders and shipowners
- Institutionalization of Cyber Resilience as part of vessel delivery conditions
Accordingly, non-compliance with IACS requirements by system suppliers is no longer a matter of "negotiation", but an issue that is highly likely to translate directly into business risk in the future.
Zone & Conduit Design Concept — IACS Cyber Resilience Principles
System Suppliers' Interpretation Must Align with IACS Cyber Resilience Principles
In some cases, suppliers interpret IACS requirements based on their own internal perspectives — often centered on individual engineers or specific supplied equipment — with the objective of protecting proprietary technical assets. Typical examples include:
- ❌ Establishing manufacturer-centric independent zones onboard vessels (commonly referred to as "XXX Company Zones")
- ❌ Defining supplier-specific zones without linking them to the IACS UR E26 Zone & Conduit Diagram (ZCD)
- ❌ Requesting the installation of proprietary security solutions onboard the vessel
Such approaches are not, in principle, aligned with the fundamental Cyber Resilience principles defined in IACS UR E26 and E27.
The ZCD (Zone & Conduit Diagram) clearly illustrates the core principles of zone definition under IACS standards:
- ✓ Zones are defined based on system function and criticality, not manufacturer
- ✓ A zone is defined as "a group of CBS to which the same security requirements apply" (UR E26)
- ✓ System categorization follows UR E22, based on consequence of failure
- ✓ The purpose of security controls under UR E27 is the protection of Essential Systems, not the separation of systems by manufacturer
Category III (High Risk) Systems Must Be Managed Within a Single Core OT Zone
Systems classified as Category III (High Risk) should be integrated and managed within a single core OT zone for the following reasons:
- Propulsion-related systems are explicitly defined as OT Essential Systems
- Primary and Secondary Essential Services are required to maintain propulsion
- Propulsion systems are classified as Category III (High Risk)
If Essential Systems belonging to the same Category III (High Risk) are separated based on manufacturer:
- ⚠ The objective of Essential System protection under UR E27 is undermined
- ⚠ The logic of function- and risk-based design, which underpins Cyber Resilience, collapses
Supplier Requests: Principle of Limited Reflection — Not Manufacturer-Centric Structures
Considering market characteristics and the practical realities of shipbuilding projects, limited reflection of supplier requirements may be acceptable only under the following conditions:
1. Supplier requirements are reflected not as dedicated manufacturer zones, but as logical sub-zones or access control policies
2. Communication between OT zones is controlled on a policy basis through security devices
3. Simple connection devices are insufficient — implementations must include:
   - Firewall policies
   - VLAN segmentation
   - Routing and packet filtering satisfying IACS zone segmentation requirements
4. Intra-zone communication (e.g. Layer 2) is clearly managed and documented within the system design scope
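As an added illustration of the zone principles, the single core OT zone for Category III systems, and the controlled-conduit conditions above, the following Python check (example code, not from the article or any classification society) runs over a constructed asset inventory and conduit list and reports where a ZCD departs from them. The zone and supplier names are constructed, and modelling a zone's "same security requirements" simply as its UR E22 category is an assumption.

```python
from collections import defaultdict
# Constructed sample asset inventory: (CBS, supplier, UR E22 category, zone).
# Zone/supplier names are assumptions; "SupplierB-Zone" models a manufacturer-centric zone.
ASSETS = [
    ("Main engine control",       "SupplierA", 3, "Core-OT"),
    ("Propulsion remote control", "SupplierB", 3, "SupplierB-Zone"),
    ("Steering gear control",     "SupplierC", 3, "Core-OT"),
    ("Power management",          "SupplierA", 2, "Aux-OT"),
    ("Cargo monitoring",          "SupplierD", 1, "Monitoring"),
]
# Constructed conduits: (zone_a, zone_b, control); None means a bare connection device.
CONDUITS = [
    ("Core-OT", "Aux-OT", "firewall:policy-OT-AUX"),
    ("Core-OT", "SupplierB-Zone", None),
    ("Aux-OT", "Monitoring", "firewall:policy-AUX-MON"),
]

def check_zcd(assets, conduits):
    """Return a list of findings; an empty list means the ZCD passes these checks."""
    findings = []
    zones = defaultdict(list)
    for cbs, supplier, cat, zone in assets:
        zones[zone].append((cbs, supplier, cat))
    cats_of = {z: {c for _, _, c in m} for z, m in zones.items()}
    # 1. A zone groups CBS with the same security requirements (UR E26);
    #    here that requirement is modelled as the UR E22 category (assumption).
    for zone, cats in cats_of.items():
        if len(cats) > 1:
            findings.append(f"{zone}: mixed categories {sorted(cats)}")
    # 2. Category III systems belong in one core OT zone, not split by supplier.
    cat3_zones = sorted(z for z, cats in cats_of.items() if 3 in cats)
    if len(cat3_zones) > 1:
        findings.append(f"Category III split across zones {cat3_zones}")
    # 3. A single-supplier zone whose category also exists in another zone is
    #    explained by manufacturer rather than by function or risk.
    for zone, members in zones.items():
        suppliers = {s for _, s, _ in members}
        twins = [z for z in zones if z != zone and cats_of[z] & cats_of[zone]]
        if len(suppliers) == 1 and twins:
            findings.append(f"{zone}: manufacturer-centric, same category as {twins}")
    # 4. Inter-zone conduits must pass through a policy-controlled security device.
    for a, b, control in conduits:
        if not control:
            findings.append(f"conduit {a}<->{b}: no firewall/VLAN/filtering policy")
    return findings

if __name__ == "__main__":
    for f in check_zcd(ASSETS, CONDUITS):
        print("FINDING:", f)
```

On the constructed data the check reports three findings: the Category III split, the single-supplier zone duplicating the core OT zone's category, and the uncontrolled conduit into it.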
UR E26/E27 Deliverables Are Continuously Maintained — Including at Annual Surveys
The application of limited reflection approaches requires prior agreement between the CRSI (Cyber Resilience Single Interface) and the shipbuilder. The reasons are clear:
- The ZCD is a core UR E26 deliverable that must be continuously maintained
- For future submissions to the classification society, the CRSI bears final responsibility for the UR E26 deliverables
Unilateral definition of independent zones by system suppliers, or refusal to submit required information, may result in the transfer of cyber risks arising during vessel delivery and operation to the CRSI, shipbuilder, classification society, and ultimately the shipowner.
Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together.