The growing use of, and reliance on, information technology, data networks, transmissions and connectivity in daily work within the marine and energy sectors increases exposure to cyber-related risks. Ransomware attacks may result in economic loss or costs of rebuilding lost data. The consequential damage to hull, cargo and third-party liabilities from a cyber-attack on board a vessel or mobile offshore unit poses a different and more costly risk. The limited data on the frequency, severity of loss or probability of physical damage is a challenge to underwriters.
In view of this growing risk, IACS has amplified its work on the reliability and functional effectiveness of onboard, safety-critical, computer-based systems. Taking a holistic approach that includes the perspectives of various maritime stakeholders was a priority; hence IACS set up a Joint Working Group (JWG) on Cyber Systems. The objective was to help identify best practices, appropriate existing standards in risk and cyber security, and a practical risk-based approach.
Previous work included the development of Recommendations as well as efforts at the IMO such as IMO Resolution 428(98), applicable to in-service vessels since 1 January 2021. On this basis and in cooperation with the JWG on Cyber Systems, IACS adopted two new IACS Unified Requirements[1] (URs) on the cyber resilience of ships in April 2022:
UR E26 aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship. This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.
UR E27 aims to ensure system integrity is secured and hardened by third-party equipment suppliers. This UR provides requirements for the cyber resilience of onboard systems and equipment and provides additional requirements relating to the interface between users and computer-based systems onboard, as well as product design and development requirements for new devices before their implementation onboard ships.
These URs are to be uniformly implemented by IACS Societies on ships contracted for construction on or after 1 January 2024 and may be used for other ships as non-mandatory guidance. They help to establish a common set of minimum functional and performance criteria to deliver ships which can be described as cyber resilient.
IUMI has participated in the JWG on Cyber Systems to provide input from the insurance perspective. In light of the growing reliance on digital solutions in the maritime industry, the publication of the URs is a welcome step toward the development of a proper cyber risk management strategy on board today’s vessels.
[1] Unified Requirements are adopted resolutions on matters directly connected to or covered by specific Rule requirements and practices of classification societies and the general philosophy on which the rules and practices of classification societies are established.