The International Association of Classification Societies (IACS) introduced unified requirements (URs) E26 and E27 on July 1, 2024, establishing new benchmarks for shipping’s response to cyber threats. These URs set minimum requirements for the cyber resilience of newly built vessels and their connected systems, a move broadly welcomed by the industry. During the Riviera and Inmarsat Maritime webinar on June 19, 2024, experts emphasized the need for comprehensive risk assessments and appropriate mitigation measures.
Benefits and Challenges of UR E26 and E27
Kostas Grivas, Information Security Officer at Angelicoussis Group, highlighted the benefits of these URs, including the elimination of scattered requirements and the provision of a clear framework for auditing and control. They establish minimum technical and procedural criteria for a vessel’s cyber resilience, ensuring all stakeholders are responsible for cyber security. Makiko Tani, Deputy Manager for Cyber Security at ClassNK, noted that while the URs enhance the visibility of shipboard networks, additional controls may be necessary based on a vessel’s specific connectivity. This underscores the need for a thorough cyber-risk assessment and C-level commitment to a comprehensive cyber-security program.
Key Areas for Investment in Cyber Resilience
Laurie Eve, Chief of Staff at Viasat subsidiary Inmarsat Maritime, proposed three key areas for companies to focus on to meet and exceed the new requirements:
- People and Culture: Emphasizing that people are the weakest link in cyber security, Eve stressed the importance of training, managing user privileges, and investing in quality management systems like ISO 27001. This includes assessing suppliers’ risk management and embedding cyber security in the organization’s culture.
- Network-Connected Systems and Services: With numerous attack surfaces on vessels, a risk-management approach is essential. Companies should assess risks, set risk appetites, and implement security measures based on their capacity and willingness to bear costs.
- Incident Response Plan (IRP): Recognizing the inevitability of security breaches, Eve advocated for a robust IRP with contingencies to minimize business disruption. This includes investing in backup systems and regular staff training. He emphasized that having a plan is good, but training, rehearsing, and improving the plan are better.
Support for Smaller Operators
Eve noted the differences in cyber resilience investments between small and large operators. Inmarsat’s Fleet Secure offers a comprehensive solution for smaller operators lacking in-house capabilities. Combining Fleet Secure Endpoint, Fleet Secure Unified Threat Management, and Fleet Secure Cyber Awareness Training, the Fleet Secure portfolio supports compliance with new requirements and enhances overall cyber resilience.
Source: rivieramm.com