Ship Security: Scope, Schedule, Penalties, etc. for IACS UR E26 and E27 and other regulations

-

 


Let's talk about IACS UR E26 and E27 and others in detail including the scope, timeline, penalties etc.

The International Association of Classification Societies (IACS) has introduced Unified Requirements (UR) E26 and E27 to enhance the cyber resilience of ships and their onboard systems. Below is a detailed overview of their scope, implementation timeline, and compliance considerations.​

Scope of UR E26 and E27

  • UR E26: Cyber Resilience of Ships

    • Objective: Establishes minimum requirements for the cyber resilience of ships throughout their design, construction, commissioning, and operational life.

    • Key Functional Aspects:

      • Identify: Maintain an inventory of hardware and software for applicable Computer-Based Systems (CBSs) and document network arrangements.

      • Protect: Implement security zones, network segmentation, access controls, and protections against malicious code.

      • Detect: Monitor network operations and perform verification and diagnostics of CBSs and networks.

      • Respond: Develop incident response plans, enable local or manual operations, and establish network isolation protocols.

      • Recover: Create recovery plans, ensure backup and restore capabilities, and facilitate controlled system restarts.

    • Applicable Systems: Includes propulsion, steering, anchoring, electrical power, fire detection, bilge and ballast systems, watertight integrity, lighting, navigational systems, and communication systems, among others.

  • UR E27: Cyber Resilience of On-Board Systems and Equipment

    • Objective: Provides requirements to ensure the integrity and security of onboard systems and equipment supplied by third parties.

    • Focus Areas: Addresses user interfaces with computer-based systems, product design, and development requirements for new devices before their implementation onboard ships.

    • Applicability: Mandatory for certain vessel types, including passenger ships on international voyages, cargo ships of 500 gross tonnage (GT) and upwards on international voyages, high-speed craft of 500 GT and upwards on international voyages, mobile offshore drilling units of 500 GT and upwards, and self-propelled mobile offshore units engaged in construction activities. For other vessel types, compliance serves as non-mandatory guidance.

Implementation Timeline

  • Original Schedule: Both UR E26 and E27 were initially set to enter into force on January 1, 2024.

  • Revised Schedule: Following industry feedback and further enhancements, IACS revised the implementation date to July 1, 2024. Consequently, the original versions were withdrawn before taking effect, and only the revised versions will be applied from the new implementation date.

Compliance and Penalties

  • Compliance Requirements: As of July 1, 2024, compliance with UR E26 and E27 is mandatory for new construction ships and offshore vessels as specified. Shipowners, system integrators, and equipment suppliers must ensure that new vessels and onboard systems meet these cyber resilience standards.

  • Penalties: While IACS URs themselves do not specify penalties, non-compliance can lead to significant consequences, including:

    • Classification Impact: Failure to comply may result in the vessel not receiving classification or having its classification withdrawn, affecting its operational legitimacy.

    • Regulatory Detention: Non-compliant vessels may face detention by port state control authorities, leading to operational delays and financial losses.

    • Safety Risks: Inadequate cyber resilience increases the risk of cyber incidents that can compromise the safety of the vessel, crew, and cargo.


Also, the maritime industry is governed by strict security regulations to protect vessels, ports, and maritime infrastructure from cyber threats, piracy, and other security risks. These regulations are enforced by international bodies such as the International Maritime Organization (IMO), regional authorities like the European Maritime Safety Agency (EMSA), and national governments.

1. Key Security Regulations for Ship Manufacturers and Owners

1.1 International Ship and Port Facility Security (ISPS) Code

  • Issued by: IMO under SOLAS (Safety of Life at Sea) Convention

  • Applies to: All ships above 500 GT (Gross Tonnage) in international voyages and port facilities serving them.

  • Requirements:

    • Conduct security assessments and develop a Ship Security Plan (SSP).

    • Appoint a Ship Security Officer (SSO) and a Company Security Officer (CSO).

    • Implement access control and restricted areas on ships.

    • Maintain security records and report security incidents.

  • Penalties:

    • Detainment of vessel, fines, or banning from port entry.

1.2 IMO Cyber Risk Management – IMO Resolution MSC.428(98)

  • Effective Date: January 1, 2021

  • Applies to: All vessels covered by ISPS Code.

  • Requirements:

    • Cyber risk management must be incorporated into the Ship’s Safety Management System (SMS) by the first annual verification after 2021.

    • Identify and mitigate risks related to onboard IT and OT systems (e.g., GPS, AIS, ECDIS, engine monitoring systems).

    • Conduct periodic cyber risk assessments and crew training.

  • Penalties:

    • Failure to implement cyber risk management can lead to flag state penalties, increased insurance costs, and potential port detentions.

1.3 Ballast Water Management (BWM) Convention

  • Issued by: IMO

  • Applies to: Ships designed to carry ballast water.

  • Requirements:

    • Install Ballast Water Treatment Systems (BWTS).

    • Obtain an International Ballast Water Management Certificate.

    • Keep records of ballast water operations in the Ballast Water Record Book.

  • Penalties:

    • Heavy fines, detention of ships, and revocation of operational permits.

1.4 Ship Recycling Regulations – Hong Kong Convention & EU SRR

  • Applies to: Ship manufacturers and owners planning to scrap vessels.

  • Requirements:

    • Maintain an Inventory of Hazardous Materials (IHM) onboard.

    • Ensure recycling is done in approved facilities.

  • Penalties:

    • Ships without an IHM may be detained in EU ports or face financial penalties.

2. Timelines and Compliance Deadlines

RegulationEnforcement DateKey Deadline
ISPS Code2004Ongoing, ships must maintain compliance
IMO Cyber Risk Management (MSC.428(98))2021First SMS verification after Jan 1, 2021
Ballast Water Management (BWM) Convention2017Ships built before 2017 must retrofit BWTS by 2024
EU Ship Recycling Regulation (EU SRR)2020IHM compliance for all EU-flagged ships and non-EU ships visiting EU ports
MARPOL Annex VI (IMO 2023 GHG Reduction)2023CII ratings and EEXI compliance required by 2024

3. Enforcement and Penalties

Port State Control (PSC) authorities such as:

  • US Coast Guard (USCG)

  • European Maritime Safety Agency (EMSA)

  • Tokyo MOU and Paris MOU authorities

can inspect and detain non-compliant ships. Penalties include:

  • Detention of ships until compliance is achieved.
  • Heavy fines (varies by country, often exceeding $1M).
  • Revocation of certifications (e.g., ISM Code, ISPS Code).
  • Blacklisting of non-compliant ships, restricting global trade.

RecapIACS UR E26 and E27 represent significant steps toward enhancing maritime cybersecurity. Stakeholders in the maritime industry should proactively prepare for these requirements to ensure compliance and safeguard against cyber threats. 

Also ship manufacturers and owners must continuously comply with international maritime security regulations to avoid penalties, detentions, and reputational damage. Regular audits, cybersecurity assessments, and crew training are key strategies to ensure compliance.


#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity #CPS보안 #OT보안 #IoT보안

Comments

Post a Comment

Popular posts from this blog

Don't confuse DCS, PLC and SCADA in front of OT specialists

-
Image
DCS, PLC and SCADA are not the same. If you keep talking only about PLC security in front of the Oil&Gas industry executives where DCS is the main focus, they will not recognize you as a proper expert. We need to understand the characteristics of OT systems such as DCS, PLC, and SCADA accurately, also respect each OT culture uniquely and finally approach the sites in the right way. Don't be confused, here’s a clear and accurate explanation of DCS, PLC, and SCADA . 1. Distributed Control System (DCS) Concept A DCS (Distributed Control System) is an automated control system used for large-scale industrial processes that require continuous operation and high reliability. It consists of multiple controllers distributed throughout the system, which communicate with each other to manage complex processes. Key Features Used in large-scale, continuous processes (e.g., oil refineries, power plants). Decentralized control architecture with multiple controllers working together. Pr...
Read more

Top 20 Threat Scenarios & Playbooks for OT Security

-
Image
A comprehensive list of 20 threat scenarios in OT security along with detailed descriptions and detection rules that can help identify and respond to these threats. This playbook-style table covers different types of attacks—from unauthorized access to insider abuse—with corresponding rules and indicators to alert security teams. # Threat Scenario Detailed Description Detection Rules & Indicators 1 Unauthorized Remote Access Attempt An attacker uses stolen or weak credentials to access OT networks remotely. - Log Analysis: Monitor VPN/RDP logs for unusual login times, geolocation mismatches, and failed/successful login bursts. - User Behavior Analytics (UBA): Alert on deviations from normal remote access patterns. - Anomaly Detection: Trigger an alert when a remote session is initiated from an unusual IP or geographic region. 2 Malware/Ransomware Infiltration in OT Network Malicious code is introduced into the OT network via compromised endpoints or phishing, potentially encr...
Read more

Let's create our own ICS Labs in the VMs!

-
Image
Let's create our own ICS Labs in the VMs: A Step-by-Step Guide Building an Industrial Control System (ICS) lab in a virtualized environment allows security researchers, engineers, and penetration testers to safely simulate industrial networks, study threats, and test security defenses. Below is a detailed step-by-step guide to creating an ICS lab , including HMI, EWS, PLC, and other critical components. 1. Lab Architecture Overview Key Components in an ICS Lab: HMI: Graphical interface for controlling industrial processes. Engineering Workstation (EWS): Used to configure PLCs and SCADA systems. PLC: Controls physical processes (e.g., motors, valves). SCADA System: Supervisory control and monitoring of ICS networks. Historian: Logs and stores process data for analysis. Networking Components: Virtualized switches, routers, and firewalls to segment ICS networks. Attacker Machine: Kali Linux or Metasploit for penetration testing. 2. Choosing the Virtualization ...
Read more