IACS unified requirements for cyber security mandatory from 1 January 2024
The International Association of Classification Societies (IACS) has recently published new Unified Requirements for cyber security: E26 and E27. These will be be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024. Find out more about the Unified Requirements in this statutory news.
Relevant for ship owners and managers, design offices, shipyards and suppliers.
The new IACS Unified Requirements (URs) are based on recognized international standards for the cyber security of industrial automation and control systems, such as IEC 62443. In brief, the new IACS URs cover the following main topics:
- Scope of applicability, including OT systems for important vessel functions
- Identification and protection against cyber threats
- Detection of incidents
- Means to respond and recover
- Hardening and security capabilities of systems and components
The URs will be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024. Consequently, the DNV class notation Cyber secure(Essential) will be mandatory from this date.
The technical security requirements of the IACS URs E26 and E27 are fully aligned with DNV’s class notations for cyber security and are covered by the current edition of the DNV class notation Cyber secure(Essential).
For customers who would like, on a voluntary basis, to implement the new IACS cyber security requirements before 1 January 2024, the following items outline how to achieve this in line with the current DNV rules:
- Systems type approval (TA) in accordance with the current edition of DNV rules for the class notation Cyber secure(Essential) / security profile 1 will meet the IACS URs E26 and E27. The TA process will be amended with the audit of the relevant additional development activities in accordance with IACS UR E27 section 5.
- Ships and offshore installations assigned the class notation Cyber secure(Essential, +) as per the current edition of DNV rules, will meet the IACS URs E26 and E27. The additional qualifier (+) is needed to extend the scope of systems in accordance with the scope of applicability in IACS UR E26.
Recommendations
Until the new URs are in force, DNV encourages product suppliers, shipyards, and ship owners to implement cyber security into control systems, ship design and relevant management systems on board. Special attention is recommended for product suppliers of systems within the scope of the URs, as these systems may need further development and design changes to comply with the URs.
References
- IACS news on new requirements on cyber security
- IACS UR E (electrical and electronic installations)
- DNV cyber secure class notation
- DNV cyber security approval of components and systems
Contact
- For customers:
DATE - Direct Access to Technical Experts via My Services on Veracity. - Otherwise:
Use our office locator to find the nearest DNV office.