Master Project Summary
Vessel Cyber Resilience Dashboard
Target: Ship Operations | Framework: IACS UR E26 & E27 (Rev.1)
1. IACS UR E26 / E27 Audit Readiness Framework
This scorecard serves as the Vessel Benchmark for IACS compliance. It provides a standardized method for the Electro-Technical Officer (ETO) and Technical Managers to track implementation progress across the five functional phases. A 5/5 score is the required target for Class Cyber Secure certification, confirming that both technical shipboard tests (E26) and manufacturer documentation (E27) are verified and complete.
Maturity Framework Criteria
The following criteria define the progression toward full IACS UR E26 / E27 Audit Readiness.
| Score | Level | Required Evidence & Milestones |
|---|---|---|
| 1 / 5 | Initial | No formal cyber resilience measures. Systems are unmapped and unprotected. High risk of vessel detention during Port State Control (PSC) inspection. |
| 2 / 5 | Managed | Cyber security requirements are documented in the Safety Management System (SMS). Responsibilities are assigned to the ETO/Chief Engineer. |
| 3 / 5 | Defined | Technical controls (Segmentation, MFA, Backups) are implemented on all Category II and III systems. E26 Part 4 requirements are physically active. |
| 4 / 5 | Verified | The Ship Cyber Resilience Test Procedure has been executed. Logs prove that detection and response capabilities are functioning as intended. |
| 5 / 5 | Optimized | Audit Ready. All UR E27 Vendor Certificates and technical manuals are filed. Vessel meets Rev.1 Nov 2023 standards for Class Certification. |
2. Regulatory Evidence Mapping
Verification of UR E26 ship-level requirements depends on the UR E27 Computer Based System (CBS) documentation stored in the Ship’s SMS.
| UR E26 Phase | Vessel Requirement (E26) | SMS Evidence (E27 Alignment) |
|---|---|---|
| Identify | §4.1.1: Vessel asset inventory | Topology & Inventory List (E27 §3.1.2) |
| Protect | §4.2.1: Security zones & segmentation | Security Capabilities Description (E27 §3.1.3) |
| Detect | §4.3.1: Network operation monitoring | Capabilities Test Procedure (E27 §3.1.4) |
| Respond | §4.4.1: Incident response plan | Response Support Documentation (E27 §3.1.8) |
| Recover | §4.5.3: Controlled shutdown & reset | Recovery & Reconstitution Plans (E27 §3.1.8) |
3. SMS Integration (ISM Code Alignment Examples)
To ensure operational compliance with the 2021 IMO Cyber Mandate, the framework is typically integrated into the vessel’s Safety Management System (SMS). Below are standard examples of how these requirements align with existing ISM chapters:
Example: Chapter 7 (Operations)
Integration of Cyber SITREP templates for bridge teams and pre-arrival verification of Category III critical system integrity (Ref: E26 §4.1).
Example: Chapter 10 (Maintenance)
Inclusion of Offline Backup Verification and Firmware Integrity Checks within the Planned Maintenance System (Ref: E26 §4.2 & §4.5).
Note: The specific chapter placement may vary depending on the structure of the Company’s SMS and Safety Management Manual (SMM).
Surveyor’s Note (Class Cyber Secure)
For Cruise Vessels, auditors verify the Physical and Logical Segregation between Guest Networks (Category I) and Essential Systems (Category III). Ensure that UR E26 §4.2.2 Network Protection safeguards are testable and that E27 §3.1.5 Security Configuration Guidelines are implemented for all edge routers.
