Cyber Resilience
Risk Management

E26: More Than Just a Maritime Cybersecurity Regulation—It's a Fundamental Shift

Ron Fabela / Jun 20, 2025

IACS’ UR E26 “Cyber Resilience of Ships” is a non-negotiable reality, fundamentally changing how cyber resilience is integrated into shipbuilding and operations. It mandates that cybersecurity is embedded into ship design, moving beyond voluntary guidelines to enforceable requirements. This standard secures the "ship as an entire system," ensuring a holistic approach to maritime cybersecurity. The requirements align with well-known frameworks such as IEC 62443 (zones and conduits are the requirement for network design), and the regulation follows the Identify/Protect/Detect/Respond/Recover methodology laid out in the NIST Cybersecurity Framework (CSF).

Central Role: Shipyard Responsibility

As shipbuilders or system integrators, the onus of UR E26 compliance rests significantly with you: you now own E26 compliance during the design, build, and commissioning phases. Evidence is required for aspects such as zones and conduits, cyber-test procedures, and cybersecurity design descriptions. You must also consider the supply-chain link, as UR E27 obligations extend to equipment suppliers, ensuring cybersecurity at the system and subsystem level.

Navigating the E26 Journey: Key Phases for Shipyards

The E26 process, while comprehensive, can be broken down into manageable phases, each crucial for achieving full cyber resilience:

1. Program Design: Laying the Secure Foundation

This initial phase is about establishing robust project governance, conducting thorough risk identification and scoping, and creating a detailed asset inventory and classification. Understanding the critical operational technology (OT) systems and their potential threats is paramount. A strong project start is key to any engineering process, and make no mistake, IACS UR E26 cyber resilience implementation is an engineering process.

2. Cyber Design: Engineering Resilience into the Blueprint

Here, the focus shifts to translating requirements into actionable technical specifications. This includes designing secure network segmentation and security zones, creating "watertight compartments" for digital systems, and developing a comprehensive Cybersecurity Requirements & Design Description (CSDD) that covers access controls, malware protection, and incident response. The design is crafted and approved by stakeholders, and detailed implementation plans are created in preparation for phase 3.

3. Implementation: Building the Digital Bulkheads

This phase brings the design to life. It involves working closely with equipment suppliers to ensure their components conform to UR E27, establishing rigorous change and configuration management processes, and ensuring secure installation practices during the construction phase. Preventing unauthorized access and applying initial security configurations are key.

4. Acceptance: Proving Seaworthiness in the Cyber Realm

The final stage is about validating the implemented security and preparing for operational life. This includes developing and executing comprehensive cyber resilience test programs, finalizing all compliance documentation, and liaising with classification societies for necessary approvals. Crucially, it also involves providing essential cybersecurity training to the crew and shipyard personnel, ensuring a smooth handover and equipping the shipowner for ongoing security management.

Beyond Compliance: Competitive Advantage, Future-Proofing

Proactive and thorough UR E26 adoption offers more than just compliance; it provides a significant competitive advantage. Vessels designed and built with inherent cyber resilience will attract global owners in a market increasingly prioritizing security. It prevents costly retrofits and delays, ensuring your new builds are not only compliant but truly resilient against the evolving threats of the digital age.

While the complexity is real, it is manageable. By embracing a strategic approach, shipyards can navigate the significant documentation, system integration (with UR E27), and lifecycle management challenges. The goal is to ensure compliance and strengthen your business, delivering vessels that are ready for the digital future.

As someone who has been in the industry for quite a while (re: old), I cannot express how excited I am for a real "secure by design" opportunity that can have an appreciable and positive impact for an industry. Yes, it's regulatory in nature, it's new, and like all things new, it will encounter storms along the journey. But what an opportunity to build in cyber resilience while supporting our mariners and sailors now and in the future. Keep in touch as we in maritime design, implement, test and operate this in real-time, on real assets, in real environments!

Ron Fabela

With over 25 years of cybersecurity experience, Ron Fabela has a deep technical understanding of Industrial Control Systems (ICS) and Operational Technology (OT) security. His hands-on experience at power generation facilities, offshore oil rigs, and other critical infrastructure has honed his ability to navigate unique challenges and effectively communicate both technical and business concepts. Residing in Chattanooga, TN, Ron enjoys life at the farm with his family and their horses, potbelly pigs, chickens, ducks, and goats.
