Cyberattacks on the High Seas: The Rising Threat to Digital Ships
While digitalization of ships brings many benefits, the influx of new technology also increases the risk of cyberattacks on maritime networks. On January 16, 2023, the DNV Classification Society reported a cyberattack on its fleet management and operation platform, "ShipManager." This attack affected roughly 1,000 vessels and caused a temporary shutdown of IT servers. This targeted ransomware attack against the maritime industry is a wake-up call, highlighting the urgent need to strengthen the cybersecurity of onboard systems.
2024: A Turning Point for Cybersecurity with UR E26 & UR E27
From January 2024, compliance with the UR E26 and UR E27 requirements—which focus on cyber resilience of ships and onboard equipment—will be mandatory. To navigate these changes, a clear understanding of four key points is crucial.
1. Who Does UR E26 and UR E27 Apply To?
The primary focus here is identifying the maritime stakeholders affected by the new cybersecurity norms. UR E26, "Cyber Resilience of Ships," thrusts ship design firms, shipyards, and system designers into the cybersecurity vanguard.
Source: Text excerpted from IACS E26 1.3
The launch of UR E27, "Cyber Resilience of On-Board Systems and Equipment," extends these stipulations to all onboard operational technology systems, implicating all associated personnel. Shipowners need to define their classification societies and security tiers. Suppliers are now charged with producing robust products that meet high-security standards such as IEC 62443-4-1 and IEC 62443-4-2. Classification societies, meanwhile, will audit based on these criteria.
2. What Are the Benefits of Early Adoption of UR E27?
Early adopters conducting a UR E27 compliant gap analysis and validation could gain a competitive edge in 2024.
3. Which Classification Societies Will Release Verification Guidelines?
Each classification society is expected to release their respective guidance documents and related supporting materials this year, all based on UR E26 and UR E27 requirements.
For example:
- DNV has already implemented the "DNV-RU-SHIP-Pt6Ch.5 Section 21 Cyber Security" standards and has brought its compliance with UR E26 and UR E27 up to par.
- CCS's 'Guidelines on Cybersecurity Onboard Ships' officially took effect on May 1, 2023.
Differences across societies should be minimal, and selecting one for both planning and verification could be beneficial.
4. The Heart of UR E26 and UR E27
UR E26 provides principles for creating cyber-resilient ships and sets guiding principles for maritime professionals constructing CBS (Computer Base Systems). It emphasizes five key dimensions of information security: identification, protection, detection, response, and recovery. UR E27 operationalizes these principles, with a particular reference to the IEC 62443-3-3 standard. Understanding IEC 62443 is critical in meeting UR E27's security requirements. IACS UR E27 4.1 “Required security capabilities” specifies 31 requirements that correspond to different objectives, and maps them to IEC-62443-3-3 SR system requirements.
Source: IACS UR E27 4.1
Accelerating Implementation: The Role of IEC 62443
IEC 62443 sets security standards and requirements for systems and components, and is key to assess if shipborne systems comply with UR E27. To achieve a certain security level, robust security capabilities are necessary, along with measures to compensate for system vulnerabilities. Recognized manufacturers and various industries have adopted this cybersecurity standard for Industrial Automation and Control Systems (IACS).
For faster UR E27 compliance, consider IEC 62443-compliant components and service providers like Moxa, an industry pioneer certified by IEC 62443-4-1 and IEC 62443-4-2. Moxa offers solutions that ensure maritime security compliance and stands ready to protect maritime network security.
For more information, visit Moxa's Maritime Microsite.