Part of the IDENTIFY Playbook
Phase: Identify (all vessels)
Satisfies: E26, E27, IEC 62443, IMO MSC-FAL.1, BIMCO v5

Risk Assessment & Threat Mapping

This guide explains the risk assessment process required to exclude systems from E26 scope, and provides a methodology for mapping functional threats to the vessel’s specific OT topology.

1. The RA Methodology (E26 vs. Best Practice)

For UR E26 compliance, the risk assessment must be “Functional-Based.” For non-mandatory vessels, we recommend a “Vulnerability-Based” approach to prioritize budget and maintenance.

Mandatory Path (UR E26)

Focuses on Category II & III systems. Requires formal documentation of the “Safety Impact” if a system’s Integrity or Availability is lost.

Requirement: Class Approval File

Best Practice Path (Existing Fleet)

Focuses on Cost & Operational Downtime. Prioritizes “Low-Hanging Fruit” like USB lockdowns and network segmentation.

Goal: Resilience & Insurance Alignment

2. Functional Threat Mapping (UR E27 Alignment)

Under UR E27, you must prove that technical controls are in place to mitigate specific threats. Use this matrix to bridge the gap between your inventory and your security controls.

Threat Scenario       | Impact on OT Asset                                                          | Mitigation Reference
Unauthorized Access   | Malicious set-point changes in the Power Management System (PMS).           | Authentication (§4.1)
Malware Infiltration  | Introduction of ransomware via OEM service laptop or infected USB.          | Interface Protection (§4.3)
Network Storm/DoS     | Loss of communication between Bridge and Engine Room due to traffic surge. | Network Isolation (§4.2)
[Figure: Maritime OT risk assessment 5×5 heat map under IACS UR E26 §5.3, showing the likelihood and impact scoring matrix with four risk levels (Low to Extreme), the two RA methodologies (E26 mandatory and existing fleet), and the four treatment strategies: Avoid, Mitigate, Transfer and Accept.]

The 5×5 matrix shown here looks simple but the maritime application has a nuance that generic risk frameworks miss. In a standard IT risk assessment, likelihood is based on threat actor capability and motivation. In a maritime OT context, the most significant likelihood factor is often the operational state of the vessel — an internet-facing ECDIS with default credentials in a busy port is a likelihood-5 exposure, while the same system isolated and offline in a shipyard dry-dock is a likelihood-1 exposure for the same vulnerability.

This means maritime risk scores should be voyage-phase dependent rather than fixed values. A risk register that assigns static likelihood scores without acknowledging operational context will systematically understate risk during high-exposure periods and overstate it during low-exposure periods — neither of which satisfies the functional-based assessment methodology required by E26 §5.3.


3. Defining Risk: Scoring & Visual Matrix

To ensure consistency across the fleet, use the following criteria and the 5×5 Heat Map to determine your risk priority.

                    LIKELIHOOD
IMPACT          1     2     3     4     5
  5             5    10    15    20    25
  4             4     8    12    16    20
  3             3     6     9    12    15
  2             2     4     6     8    10
  1             1     2     3     4     5
(Score = Likelihood × Impact)
Extreme (16-25): Stop operations / Immediate Fix.
High (10-15): Technical controls required within 30 days.
Medium (5-9): Operational monitoring / Scheduled hardening.
Low (1-4): Risk accepted / Regular review.
Likelihood Scale (1-5)
  • 1. Rare: Requires physical access + expert skill.
  • 2. Unlikely: Possible via remote port; no known exploit.
  • 3. Possible: Networked system; standard security.
  • 4. Likely: Legacy OS or known unpatched vulnerability.
  • 5. Almost Certain: Internet-facing OT with default credentials.
Severity Impact (1-5)
  • 1. Insignificant: No operational impact.
  • 2. Minor: Loss of non-essential monitoring.
  • 3. Moderate: Temporary loss; manual bypass possible.
  • 4. Major: Degradation of propulsion/steering.
  • 5. Catastrophic: Total loss of safety-critical control.

4. Risk Response & Treatment

Once a risk is scored, the Technical Manager must select a treatment strategy. This is a mandatory step for UR E26 §5.3 documentation.

  • Avoid: Eliminate the risk (e.g., removing a legacy Wi-Fi bridge).
  • Mitigate: Implement technical controls (e.g., firewalls, MFA).
  • Transfer: Shift the risk to a third party (e.g., cyber insurance).
  • Accept: Document low risks that do not justify the cost of a fix.

5. Strategic Integration: The RA Hub

To avoid duplicating effort, your Risk Assessment must directly reference the data points already established in your other playbook sections:

6. RA Lifecycle: When to Re-Assess

A Risk Assessment is not a one-time project. Under E26 Management of Change (MoC), the RA must be updated during:

  • Annual Fleet Audit
  • Major Network Changes
  • New Satellite HW Installation
  • Post-Cyber Incident Review

Strategic Intelligence: The “Cascading Failure”

The Auditor’s Trap: Many shipowners assess systems in isolation. However, UR E26 requires you to assess “Networked Dependence.” If a Category I (Non-Essential) system like Crew Wi-Fi shares a switch with a Category II system, the risk score of the Category I asset must be elevated due to the potential for lateral movement.

Pro-Tip: Always audit the Physical Layer (Layer 1) before finalising your risk score. A shared cable is a shared risk.
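To make the scoring rules concrete, here is an added Python example (not the playbook's own tool) that implements the 5×5 heat-map bands from section 3, the voyage-phase-dependent likelihood from the ECDIS discussion, and the networked-dependence elevation for a Category I asset sharing a switch with a Category II system. The phase labels, the sample register, and the specific elevation rule (the Category I asset inherits the impact of its Category II/III switch neighbour) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Treatment bands from the playbook's 5x5 heat map (score = likelihood x impact).
BANDS = [(16, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low")]

def band(score: int) -> str:
    """Map a 1-25 heat-map score to its treatment band."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} is outside the 5x5 matrix")
    return next(name for floor, name in BANDS if score >= floor)

@dataclass
class Asset:
    name: str
    category: int               # UR E26 Category I, II or III
    impact: int                 # severity 1-5, fixed by what fails if the asset is lost
    likelihood: Dict[str, int]  # voyage phase -> likelihood 1-5 (phase labels assumed)
    switch: str                 # constructed label for the Layer 1/2 segment it hangs off

def score(asset: Asset, phase: str,
          register: Optional[List[Asset]] = None) -> Tuple[int, str]:
    """Score one asset for a voyage phase; with `register`, apply the
    networked-dependence rule to Category I assets on a shared switch."""
    if phase not in asset.likelihood:
        raise KeyError(f"no likelihood recorded for {asset.name} in phase {phase!r}")
    impact = asset.impact
    if register is not None and asset.category == 1:
        # Assumed elevation rule: the Category I asset inherits the highest
        # impact of any Category II/III neighbour on the same switch, because
        # a compromise there can move laterally onto the essential system.
        neighbours = [a.impact for a in register
                      if a.switch == asset.switch and a.category >= 2]
        impact = max([impact, *neighbours])
    total = asset.likelihood[phase] * impact
    return total, band(total)

# Constructed sample register: the ECDIS example from the text plus a shared switch.
REGISTER = [
    Asset("ECDIS (default creds)", 2, 4, {"port": 5, "drydock": 1}, "sw-bridge"),
    Asset("Crew Wi-Fi", 1, 2, {"port": 3, "drydock": 3}, "sw-engine"),
    Asset("PMS", 2, 5, {"port": 2, "drydock": 1}, "sw-engine"),
]

def register_scores(phase: str) -> Dict[str, Tuple[int, str]]:
    """Score every asset in the register for one voyage phase."""
    return {a.name: score(a, phase, REGISTER) for a in REGISTER}
```

Scoring the same ECDIS entry for "port" and "drydock" shows why a static likelihood column misstates risk, and scoring Crew Wi-Fi with and without the register shows the shared-switch elevation.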

For CBS-specific network risk — particularly where vendor-certified equipment connects to owner-supplied systems — the CBS Risk Assessor complements this guide by assessing zone/conduit architecture and scope boundaries against IACS E26/E27 at the network topology level.
