Phase: Identify | All vessels
Satisfies: E26, E22 Impact CAT, E27, IMO MSC-FAL.1, BIMCO v5

System Criticality Mapping

This guide explains how to classify each onboard system as Category I, II or III based on its safety impact, and how to justify those classifications to a Class Surveyor.

Method A: IACS UR E22 Impact Levels

High Impact Category III: Essential

Systems whose failure leads to loss of life, ship, or severe environmental damage.

Medium Impact Category II: Important

Systems whose failure could eventually lead to loss of life, ship, or severe environmental damage.

Low Impact Category I: Support

Systems with no safety impact (e.g., Crew Wi-Fi, Entertainment).

Category Decision Matrix (Logic Gate)

Use this logical flow to determine the impact category. Note that per UR E26 4.4.2, local controls must be tested for total independence from remote networks.

| Criteria | CAT I (Support) | CAT II (Important) | CAT III (Essential) |
|---|---|---|---|
| Failure Impact | Inconvenience or loss of administrative data. | Degraded operations; safety systems compromised but stable. | Immediate danger to life, ship, or environment. |
| Response Time | Days/Weeks (Non-urgent). | Minutes/Hours (Can be managed temporarily). | Seconds/Instant (Uncontrolled situation). |
| Mandated Backups | No Class/SOLAS requirement for backup. | Requirement: Local/manual means must compensate for remote loss. | Requirement: Independent, redundant local HMI and automatic failover. |
| Typical Examples (Reference Benchmarks) | Crew PC, Entertainment, CCTV (Non-sec). | Ballast control, Bilge alarm, Fuel pumps. | Steering gear, ECDIS, Main Engine Control. |

Rule of Precedence: Categories are based on Inherent Risk. Per UR E22 and E26, the existence of manual procedures or backups is a mandatory regulatory response to a high-impact function—it is not a justification to lower the category. If a system requires an independent local control (SOLAS II-1 Reg 31), it is inherently a high-tier cyber system.

CBS criticality classification table — Category I support systems, Category II important systems, and Category III essential systems under IACS UR E26 and E22 with example systems including main engine control, ECDIS, steering, PMS, ballast control and fire detection

The classification table answers the question Class surveyors ask first: how did you decide which category each system belongs to, and can you justify it?

The most common mistake in CBS categorisation is assigning categories based on the existence of backups rather than the inherent consequence of failure. A fire detection system with a hardwired backup panel is still a Category III system — the backup is the mandatory regulatory response to a high-consequence function, not evidence that the function is less critical. The rule of precedence box in the diagram states this directly because it is the single most frequent categorisation error found during survey preparation.

Category drives everything downstream — the security controls required, the safe state obligations, the backup requirements, and the evidence package needed for Class submission.
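
An added example, not part of the original guide: a Python check that applies the decision matrix and the rule of precedence to a draft asset register and flags under-rated systems. It assumes the highest-scoring matrix row decides the category; the field names, shorthand labels and sample register are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Cat(IntEnum):
    I = 1    # Support
    II = 2   # Important
    III = 3  # Essential

# One lookup per matrix row; keys are shorthand labels chosen for this example.
FAILURE_IMPACT = {"inconvenience": Cat.I, "degraded": Cat.II, "immediate_danger": Cat.III}
RESPONSE_TIME = {"days_weeks": Cat.I, "minutes_hours": Cat.II, "seconds": Cat.III}
MANDATED_BACKUP = {"none": Cat.I, "local_manual": Cat.II, "independent_redundant": Cat.III}

@dataclass
class CBS:
    name: str
    failure_impact: str
    response_time: str
    mandated_backup: str
    proposed: Cat  # category written in the draft asset register

def inherent_category(s: CBS) -> Cat:
    # Assumption of this example: the highest-scoring row decides the category.
    # A mandated backup raises the floor; it never lowers the result.
    return max(FAILURE_IMPACT[s.failure_impact],
               RESPONSE_TIME[s.response_time],
               MANDATED_BACKUP[s.mandated_backup])

def review(register: list[CBS]) -> list[dict]:
    """Return one finding per system whose proposed category is below its inherent one."""
    findings = []
    for s in register:
        derived = inherent_category(s)
        if s.proposed < derived:
            findings.append({
                "system": s.name,
                "proposed": s.proposed.name,
                "inherent": derived.name,
                # An under-rated system that has a mandated backup is the
                # pattern the rule of precedence warns about.
                "has_mandated_backup": s.mandated_backup != "none",
            })
    return findings

# Constructed sample register (input values are illustrative, not from a real vessel).
REGISTER = [
    CBS("Fire detection", "immediate_danger", "seconds", "independent_redundant", Cat.II),
    CBS("Ballast control", "degraded", "minutes_hours", "local_manual", Cat.II),
    CBS("Crew Wi-Fi", "inconvenience", "days_weeks", "none", Cat.I),
    CBS("Bilge alarm", "degraded", "minutes_hours", "local_manual", Cat.I),
]
```

Running `review(REGISTER)` returns findings for Fire detection and Bilge alarm, the two entries whose proposed category sits below the inherent one.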


Regulatory Mapping: SOLAS Chapter II to IACS UR E22

This table provides the specific SOLAS Functional Requirements and the mandated manual/independent redundancies that dictate the IACS Cyber Category.

| SOLAS Reg. | Functional Requirement | Mandated Backup / Redundancy | Category |
|---|---|---|---|
| II-1 / 31 | Machinery Control: Remote control of propulsion machinery from the navigation bridge. | Must have local/manual control independent of the remote control system (SOLAS II-1/31.2.5). | CAT III |
| II-1 / 29 | Steering Gear: Ability to steer the ship and reach auxiliary steering limits. | Redundant power units and local manual steering at the rudder stock (Steering Gear Room). | CAT III |
| II-1 / 41 | Main Source of Power: Propulsion, steering, and safety systems must remain powered. | Load shedding and automatic start/synchronization of standby generators. | CAT III |
| II-1 / 13 | Watertight Doors: Remote closing of doors from the bridge and local stations. | Local manual mechanical override for each door to operate regardless of control failure. | CAT III |
| II-2 / 7 | Fire Detection: Fixed fire detection and fire alarm systems. | System must remain functional even with a single loop failure; fault-tolerant wiring. | CAT III |
| II-1 / 35-1 | Bilge Pumping: Ability to pump from any compartment under all conditions. | Direct suction and local valve operation independent of the automation system. | CAT II |
| II-1 / 21 | Ballast Systems: Control of pumping for stability and trim. | Manual operation of ballast valves/pumps at the local manifold. | CAT II |
| II-1 / 42 | Emergency Power: Emergency generator and lighting. | Automatic connection within 45 seconds of main power loss; independent starting. | CAT III |
| II-2 / 10 | Fire Pumps: Remote and local start of fire pumps. | Isolation valves and local manual starting capability. | CAT II |

Note: Classification as CAT II or III implies that while manual intervention is required for safety, the primary Computer-Based System (CBS) must meet the specific technical resilience requirements of IACS UR E26 and E22 Rev.3 (2025).

Preferred Option

Method B: DNV Default System under Consideration (SuC)

DNV identifies scope based on Mandatory Functions required for vessel operation.

Efficiency Gain: Minimizes administrative burden by utilizing pre-defined Class benchmarks, bypassing the need for exhaustive manual scoping.

| Vessel Function | Mandatory Systems in Scope |
|---|---|
| Propulsion & Steering | Engine speed, thrusters, rudders, pitch control, and steering gear. |
| Safety & Integrity | Fire detection, ESD, gas detection, watertight doors, and machinery protection. |
| Navigation & Comms | Radar, ECDIS, AIS, GNSS, GMDSS, and Internal Comms (PA/GA). |
| Electrical Power | Generators, switchboards, battery systems, and power management. |

A comprehensive list of all computer-based systems in the default SuC can be found in DNV-CG-0325 (Appendix A).

DNV Negligible Risk Exclusions

To exclude a system from security requirements, a risk assessment must prove negligible cyber risk by meeting these specific criteria.

  • Isolation: No IP-network communication or remote access solutions.
  • Physical Security: Located in restricted and controlled areas.
  • Port Lockdown: No accessible physical interface ports; unused ports logically disabled.
  • No External Media: Hardened against USB/External media mounting.
  • Criticality Check: Not an integrated control system or required for propulsion/steering.
Need to document an exclusion for Class?

Surveyor Tip: DNV requires risk assessments (Document F011/F021) to be submitted if you intend to exclude systems or components based on negligible risk.
