CBS Network Risk Assessor
Assess the cybersecurity risk of connected onboard systems and identify compliance gaps against IACS UR E26 and E27 — including vendor scope boundaries, zone/conduit architecture, and physical access controls.
How to use this tool
In the Topology tab, add your CBS components — firewalls, managed switches, servers, VMs, HMIs, PLCs, and any OTS or COTS computers. For each component, set the vendor or owner scope, authentication method, patch status, physical location (bridge, ECR, engine room, etc.), and access level. Then add the connections between them, with their protocol, segmentation type, and whether traffic is encrypted.
An engine control system scenario is pre-loaded as a starting example — a vendor-certified system with an owner-supplied OTS computer connected directly to the OT managed switch, a real and common configuration that raises specific E27 §4.1 compliance questions.
The Risk Findings tab runs a built-in rule engine that checks your topology against IACS E26/E27 requirements. Each finding shows its severity, the specific clause reference, the affected components, and concrete mitigation measures.
Physical access controls are factored in automatically per IACS E26 §3.2 — if all affected components are in a restricted space such as the ECR or server room, the finding severity is reduced one level and the mitigation list reflects what is already in place as a compensating control.
The AI Analysis tab sends your topology to a dedicated marine OT cybersecurity AI model and returns a structured expert assessment — including a direct verdict on vendor scope and segmentation claims, the specific E27 compliance gap a classification surveyor will look for, an architecture recommendation, and a prioritised action plan with timeframes.
Analysis takes approximately 60–90 seconds. A progress indicator shows what the model is evaluating. Results can be saved to your account and reloaded at any time.
IACS UR E27 requires vendors to hold a certificate for the Cyber Resilience of their Computer Based Systems (CBS). However, the certificate only covers components within the vendor’s defined scope. Any owner-supplied equipment connected to the certified network — such as an OTS monitoring computer, an ECDIS workstation, or a fleet management terminal — falls outside that scope, making the ship owner fully responsible for its cybersecurity posture and its impact on the certified system.
Classification surveyors increasingly ask for evidence that owners understand this boundary, have documented it in their CSMP, and have assessed the risk of every connection that crosses it. This tool helps you build and evidence that assessment.
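The scope-boundary check and the physical-access adjustment described above can be sketched as follows. This is an added example, not the tool's own rule engine. The severity scale, the segmentation labels, the base severities and all component names are assumptions made for illustration.

```python
from dataclasses import dataclass

SEVERITY = ["low", "medium", "high", "critical"]   # assumed scale
RESTRICTED = {"ECR", "server room"}                # restricted spaces the page names

@dataclass(frozen=True)
class Component:
    name: str
    scope: str         # "vendor" (inside the certified scope) or "owner"
    location: str

@dataclass(frozen=True)
class Connection:
    a: str
    b: str
    segmentation: str  # "none", "vlan" or "firewall" (labels assumed)

def scope_boundary_findings(components, connections):
    """Flag every connection that crosses the vendor/owner scope boundary."""
    by_name = {c.name: c for c in components}
    findings = []
    for conn in connections:
        ends = [by_name[conn.a], by_name[conn.b]]
        if ends[0].scope == ends[1].scope:
            continue                               # same scope, no boundary crossed
        # Assumed base severity: an unsegmented crossing rates one level higher.
        level = SEVERITY.index("high" if conn.segmentation == "none" else "medium")
        compensating = all(e.location in RESTRICTED for e in ends)
        if compensating:
            level = max(level - 1, 0)              # reduce one level, never below "low"
        findings.append({
            "components": (conn.a, conn.b),
            "severity": SEVERITY[level],
            "compensating_control": "restricted space" if compensating else None,
        })
    return findings

# Constructed topology modelled on the pre-loaded scenario: an owner-supplied
# OTS computer connected directly to the vendor's OT managed switch.
def sample(ots_location, segmentation="none"):
    components = [
        Component("engine-plc", "vendor", "engine room"),
        Component("ot-switch", "vendor", "ECR"),
        Component("ots-pc", "owner", ots_location),
    ]
    connections = [
        Connection("engine-plc", "ot-switch", "vlan"),
        Connection("ots-pc", "ot-switch", segmentation),
    ]
    return scope_boundary_findings(components, connections)

if __name__ == "__main__":
    for place in ("bridge", "ECR"):
        print(place, sample(place))
```

With the OTS computer on the bridge the crossing keeps its base severity; moving it into the ECR alongside the switch lowers the finding one level and records the restricted space as the compensating control.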
CBS Risk Assessor — Network Topology Analysis
Map your vessel's Computer Based System (CBS) network topology, run the E26/E27 rule engine against your architecture, and request an AI-powered analysis of zone and conduit compliance — all free with a registered account.
