System Criticality Mapping
UR E26 §4.1.2 Requirement: Computer-based systems shall be categorized based on the potential impact of a security incident. This classification (Cat I, II, III) directly dictates the level of security capabilities required in the PROTECT phase.
Systems whose failure could lead to loss of life, ship, or severe environmental damage. (e.g., Propulsion, Steering, Navigation).
Systems whose failure could affect safety of the ship but allow for manual intervention. (e.g., Fuel, Cargo, Ballast, Alarms).
Systems with no safety impact. Usually administrative or crew-related. (e.g., Crew Wi-Fi, CCTV, Entertainment).
Decision Matrix: Which Cat is it?
| Assessment Question | Yes | No |
|---|---|---|
| Can compromise lead to immediate loss of maneuverability? | Cat III | Go to next question |
| Is the system required by SOLAS/MARPOL for safety? | Cat II | Go to next question |
| Is there a manual fallback that prevents an immediate hazard? | Cat II | Cat I |
Surveyor Tip: In your Asset Inventory (Excel/Database), you must justify why a system is Category I. If you can’t prove it has no safety impact, Class will default it to Category II or III.
Criticality Defined?
System importance is set. Now, complete your digital inventory by logging the specific software versions and firmware levels for these assets.