Shipowners, builders, operators, and managers will face new cybersecurity regulations starting on July 1, 2024. The International Association of Classification Societies (IACS) developed these requirements to provide guidance for new ships and targets for existing vessels. The rules, known as IACS unified requirements (UR) E26 and UR E27, are designed to future-proof the shipping industry as older analogue devices are replaced with digital systems. IACS UR E26 will mandate cybersecurity measures during the design and construction of new vessels, while UR E27 will give guidelines for equivalent safeguards for onboard equipment.
These regulations are intended to create common standards for cybersecurity in the maritime industry and are linked to the International Shipmanagement (ISM) Code, which outlines cybersecurity risk management requirements. The new rules will be implemented by IACS societies for ships contracted for construction on or after July 1, 2024. Compliance is mandatory, but the regulations can be applied voluntarily beforehand. The main focus of the URs is on technical requirements and demonstrating compliance through risk assessment and other documentation. The rules are intended to secure the development of lifecycle requirements for software on ships and improve cybersecurity measures during ship construction.
Industry experts agree that these URs will be difficult to implement on existing vessels. However, they suggest that owners, operators, and managers can utilize the ISM Code requirements to enhance cybersecurity on their current vessels and fleets. Owners should perform risk assessments, implement firewalls, update antivirus software, and use unified threat management tools. The use of these safeguards, along with continuous improvement by assessing the latest information on cybersecurity and making informed decisions, will help increase cyber resilience on current ships.
Shipowners warned that cybersecurity measures should go hand-in-hand with communications strategies. As ships become more advanced and interconnected, the growing number of network-connected systems increases the attack surface on these vessels and makes them more vulnerable to hacking. Owners and managers should conduct frequent cybersecurity audits, assess risks, and invest in 24/7 cybersecurity services. They should implement multi-layered security and physical network separation, and have robust response plans in place for cyber attacks. The experts also recommended crew and onshore staff training and the implementation of a strong incident response plan.