Redefining System Suppliers’ IACS UR E26/27 Interpretation Trends in Alignment with Cyber Resilience Principles
Recently, in the course of applying IACS UR E26 and E27, cases continue to be observed in which certain system suppliers refuse to submit required information, even though their systems clearly fall under CBS (Computer-Based Systems) and explicit classification society guidelines exist.
The information in question includes key inputs required for E26 compliance, such as the asset inventory, system configuration diagrams and communication interface information, as well as information required in the foundational cybersecurity domains of Identify and Detect.
We consider this situation a temporary, transitional phenomenon. In the mid to long term, submission of the relevant information and compliance with IACS standards will inevitably become the common direction across the entire market.
The background to this trend includes the following structural changes:
- Continuous clarification of IACS UR E26 / E27 requirements
- Strengthening of Cyber Resilience responsibilities for shipbuilders and shipowners
- Institutionalization of Cyber Resilience as part of vessel delivery conditions
Accordingly, non-compliance with IACS requirements by system suppliers is no longer a matter of “negotiation”, but an issue that is highly likely to translate directly into business risk in the future.
System suppliers’ interpretation and definition of IACS UR E22 / 26 / 27 must align with the principles of IACS Cyber Resilience.
However, in some cases, suppliers interpret IACS requirements based on their own internal perspectives, often centered on individual engineers or specific supplied equipment, with the objective of protecting proprietary technical assets and maintaining security.
Typical examples include:
- Establishing manufacturer-centric independent zones onboard vessels (commonly referred to as “MAN Zones”)
- Defining supplier-specific zones without linking them to the IACS UR E26 Zone & Conduit Diagram (ZCD)
- Requesting the installation of proprietary security solutions onboard the vessel
SHIPJOBS clearly states that such approaches are not, in principle, aligned with the fundamental Cyber Resilience principles defined in IACS UR E26 and E27.
As a representative example, the ZCD clearly illustrates the core principles of zone definition under IACS standards.
- Zones are defined based on system function and criticality, not manufacturer
- A zone is defined as “a group of CBS to which the same security requirements apply” (UR E26)
- System categorization follows UR E22, based on consequence of failure
- The purpose of security controls under UR E27 is the protection of Essential Systems, not the separation of systems by manufacturer
In other words, manufacturer identity is not specified as a criterion for zone definition.
In particular, systems classified as Category III (High Risk) should be integrated and managed within a single core OT zone for the following reasons:
- UR E26 1.3.2 a): Propulsion-related systems are explicitly defined as OT Essential Systems
- UR E27 definition: Primary and Secondary Essential Services required to maintain propulsion
- UR E22: Propulsion-related systems are classified as Category III (High Risk)
If Essential Systems belonging to the same Category III (High Risk) are separated based on manufacturer:
- The objective of Essential System protection under UR E27 is undermined
- The logic of function- and risk-based design, which underpins Cyber Resilience, collapses
Cyber Resilience is not about implementing independent security solutions to protect individual suppliers’ assets, but about establishing a vessel-wide, consistent approach to zone design, risk management, and clear allocation of responsibility.
Recent requests from system suppliers should follow the principle of limited reflection, rather than a shift toward manufacturer-centric structures.
Considering market characteristics and the practical realities of shipbuilding projects, limited reflection of supplier requirements may be acceptable only under the following conditions:
- Supplier requirements are reflected not as dedicated manufacturer zones, but as:
  - Logical sub-zones, or
  - Access control policies
- Communication between OT zones is controlled on a policy basis through security devices
  - Simple connection devices are insufficient; implementations must include:
    - Firewall policies
    - VLAN segmentation
    - Routing and packet filtering that satisfy IACS zone segmentation requirements
- Intra-zone communication (e.g. Layer 2 communication) must be clearly managed and documented within the system design scope
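The zone principles above (function- and category-based zones, a single core OT zone for Category III systems, supplier requirements as sub-zones, policy-based conduits) can be checked mechanically against a ZCD inventory. The following is an added example, not part of the original article or any IACS deliverable format; the CBS/Conduit data model, the rule wording, the accepted control types and the sample assets are the editor's own constructs.

```python
from collections import defaultdict
from dataclasses import dataclass

POLICY_CONTROLS = {"firewall", "vlan", "router_acl"}  # policy-based controls; a bare switch is not

@dataclass(frozen=True)
class CBS:
    name: str
    function: str       # e.g. "propulsion", "cargo"
    category: int       # UR E22 category as 1..3 (3 = Category III, high risk)
    manufacturer: str
    zone: str           # zone id in the ZCD
    sub_zone: str = ""  # logical sub-zone used to reflect a supplier requirement

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    control: str        # "firewall", "vlan", "router_acl" or "switch"

def check_zcd(assets, conduits):
    """Return findings; an empty list means the ZCD follows the zone principles above."""
    findings, by_zone = [], defaultdict(list)
    for a in assets:
        by_zone[a.zone].append(a)
    # Category III (high risk) essential systems belong in one core OT zone.
    cat3_zones = sorted({a.zone for a in assets if a.category == 3})
    if len(cat3_zones) > 1:
        findings.append(f"Category III systems split across zones {cat3_zones}")
    for zone, members in by_zone.items():
        # A zone groups CBS with the same security requirements, i.e. one UR E22 category.
        if len({a.category for a in members}) > 1:
            findings.append(f"zone {zone} mixes UR E22 categories")
        # Manufacturer-centric zone: the same function/category runs elsewhere under another vendor.
        if len({a.manufacturer for a in members}) == 1:
            for a in members:
                if any(b.zone != zone and b.function == a.function and b.category == a.category
                       and b.manufacturer != a.manufacturer for b in assets):
                    findings.append(f"zone {zone} separates {a.function} by manufacturer")
                    break
    # Inter-zone communication must be controlled on a policy basis by a security device.
    for c in conduits:
        if c.control not in POLICY_CONTROLS:
            findings.append(f"conduit {c.src_zone}->{c.dst_zone} uses {c.control}, not a policy-based control")
    return findings

# Constructed sample: the manufacturer-centric pattern above (two vendor zones for propulsion, joined by a switch).
SAMPLE_ASSETS = [CBS("Main engine control", "propulsion", 3, "SupplierA", "ZONE_A"),
                 CBS("Shaft generator control", "propulsion", 3, "SupplierB", "ZONE_B")]
SAMPLE_CONDUITS = [Conduit("ZONE_A", "ZONE_B", "switch")]
```

Running `check_zcd(SAMPLE_ASSETS, SAMPLE_CONDUITS)` reports the split Category III zone, both vendor zones and the unfiltered conduit; moving both controllers into one core OT zone with a `sub_zone` per supplier and a firewall-controlled conduit returns no findings.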
Deliverables under IACS UR E26 / E27 are not one-time documents, but continuously maintained deliverables, including during Annual Surveys.
Therefore, the application of such limited reflection approaches requires prior agreement between the CRSI (Cyber Resilience Single Interface) and the shipbuilder.
The reasons are clear:
- The ZCD is a core UR E26 deliverable that must be continuously maintained
- For future submissions to the classification society, the CRSI bears final responsibility for the UR E26 deliverables
Accordingly, unilateral definition of independent zones by system suppliers, or refusal to submit required information, may result in the transfer of cyber risks arising during vessel delivery and operation to the CRSI, shipbuilder, classification society, and ultimately the shipowner.