System Criticality Mapping
Depending on your Class Society and Cybersecurity Notation, you may follow the IACS UR E22 Impact Categories or the DNV Functional SuC approach. Both aim to identify computer-based systems (CBS) in scope for cyber resilience.
Method A: IACS UR E22 Impact Levels
Systems whose failure leads to loss of life, ship, or severe environmental damage.
Systems whose failure could eventually lead to loss of life, ship, or severe environmental damage.
Systems with no safety impact (e.g., Crew Wi-Fi, Entertainment).
Method B: DNV Default System under Consideration (SuC)
DNV identifies scope based on Mandatory Functions required for vessel operation.
A comprehensive list of all computer-based systems in the default SuC can be found in DNV-CG-0325 (Appendix A).
DNV Negligible Risk Exclusions
To exclude a system from security requirements, a risk assessment must prove negligible cyber risk by meeting these criteria.
- Isolation: No IP-network communication or remote access solutions.
- Physical Security: Located in restricted and controlled areas.
- Port Lockdown: No accessible physical interface ports; unused ports logically disabled.
- No External Media: Impossible to mount external devices.
- Criticality Check: Not an integrated control system and not required for propulsion/steering.
Surveyor Tip: DNV requires risk assessments (Document F011/F021) to be submitted if you intend to exclude systems or components based on negligible risk.
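The five exclusion criteria above, written as a pre-screening check over an asset inventory. This is an added example, not DNV's or this page's own code; the record fields, port kinds, sample systems and the way each criterion is derived from them are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    kind: str        # constructed values: "usb", "serial", "ethernet", ...
    accessible: bool # reachable without opening a locked enclosure
    in_use: bool
    disabled: bool   # logically disabled in OS/firmware

@dataclass
class System:        # hypothetical inventory record, not a DNV schema
    name: str
    ip_networked: bool
    remote_access: bool
    restricted_area: bool
    integrated_control: bool
    propulsion_or_steering: bool
    ports: list = field(default_factory=list)

# Assumption: port kinds that could mount an external device.
REMOVABLE_MEDIA = {"usb", "sd", "optical"}

def failed_criteria(s):
    """Return the names of the exclusion criteria this system does not meet."""
    failed = []
    if s.ip_networked or s.remote_access:
        failed.append("Isolation")
    if not s.restricted_area:
        failed.append("Physical Security")
    if any(p.accessible or (not p.in_use and not p.disabled) for p in s.ports):
        failed.append("Port Lockdown")
    if any(p.kind in REMOVABLE_MEDIA and not p.disabled for p in s.ports):
        failed.append("No External Media")
    if s.integrated_control or s.propulsion_or_steering:
        failed.append("Criticality Check")
    return failed

# Constructed sample inventory.
INVENTORY = [
    System("standalone-gauge", False, False, True, False, False,
           [Port("serial", False, True, False)]),
    System("display-unit", False, False, True, False, False,
           [Port("usb", False, False, False)]),
    System("steering-control", True, False, True, True, True, []),
]

def screen(inventory):
    """Map each system name to the list of criteria it fails."""
    return {s.name: failed_criteria(s) for s in inventory}

if __name__ == "__main__":
    for name, failed in screen(INVENTORY).items():
        print(name, "candidate" if not failed else f"in scope: {failed}")
```

An empty list marks a system as a candidate for the negligible-risk assessment; the failed criteria listed for the others show what keeps them in scope.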
