Exploring IACS' new unified requirements for cyber security

Inmarsat Maritime launched the whitepaper in collaboration with Japanese class society ClassNK, exploring the International Association of Classification Societies (IACS) new unified requirements (URs) for cyber security and outlining how to demonstrate compliance with the forthcoming URs.

As of 1 July 2024, updated URs E26 and E27 will require newbuild vessels and their connected systems to meet certain minimum cyber-resilience standards.

UR E27 aims to support manufacturers and OEMs of onboard operational systems and equipment in evaluating and improving their cyber resilience.

Demonstrating compliance with UR E27 requires submission of an asset inventory listing the hardware components used; topology diagrams illustrating the physical architecture of the system and data flows between system components; a description of security capabilities; test procedure of security capabilities describing how to demonstrate, through testing, that the system complies with requirements; and security configuration guidelines describing recommended configuration settings.

The whitepaper highlights while these new standards will provide a comprehensive view of a vessel’s computer assets and network infrastructure, there exists some limitations of the URs, such as a simplistic risk assessment process and insufficient attention to cyber-security policies and associated procedures.

Inmarsat believes that while IACS URs E26 and E27 will play an important role in helping organisations strengthen their cyber defences, it still recommends organisations concentrate their efforts and investments in three critical areas: people and culture, network-connected systems and services, and an incident-response plan.

Inmarsat chief of staff, Laurie Eve said, “Inmarsat Fleet Secure helps shipowners, operators and managers to comply with cyber-security regulations including the new IACS URs while supporting meaningful enhancements across the three key areas: people and culture, network-connected systems and services, and an incident-response plan. Deployed as part of a holistic, risk-based approach, it enables organisations to embed cyber security within their connectivity strategy to keep their assets – and people – safe from online threats.”

ClassNK deputy manager, cyber security, Makiko Tani added, “Best practice in addressing cyber-security requirements is to take a risk-based approach, where cyber-risk controls are implemented following a thorough risk assessment, and consider people, process and technology in a balanced manner.”

“ClassNK continues to collaborate with industry leaders, so it contributes to helping our stakeholders streamline their cyber-risk controls and further integrate their cyber-security policy with the organisation’s governance strategy, ultimately building a cyber-resilient organisation.”

The whitepaper can be downloaded here.