[OT Sec] UR E26 Rev.1 (2023): Analysis of IACS Unified Requirements for Enhancing Cyber Resilience in Ships
Table of Contents
1. Overview
The International Association of Classification Societies (IACS) has published UR E26 Rev.1 (2023), a unified requirement aimed at ensuring cyber resilience in ships. This document defines the minimum requirements to protect ships and the marine environment from cyber threats, as Operational Technology (OT) and IT systems onboard vessels become increasingly digitalized.
Modern ships are integrated with both IT and OT systems, and the use of Commercial-Off-The-Shelf (COTS) products is increasing, thereby expanding the cyber threat landscape. Threat actors may exploit network connections, external system interfaces, and human factors to compromise ship safety. In response, IACS has emphasized the need to define consistent minimum functionality and performance requirements across the entire threat surface of a ship.
2. Scope of Application
1) Target Vessels
UR E26 applies to the following vessels:
- Passenger ships and high-speed passenger craft engaged in international voyages
- Cargo ships and high-speed craft of 500 GT and above on international voyages
- Mobile offshore drilling units (MODUs) and self-propelled offshore construction units of 500 GT and above
It also serves as non-mandatory guidance for the following:
- Cargo ships under 500 GT
- Naval ships and military transport vessels
- Primitive wooden ships and non-mechanically propelled vessels
- Yachts carrying 12 or fewer passengers
- Fishing vessels and certain offshore platforms (FPSO, FSU, etc.)
2) Target Systems
The requirement focuses on Cyber-Based Systems (CBS) performing OT functions onboard ships, including:
- Propulsion, steering, anchoring, and mooring systems
- Power generation and distribution systems
- Fire detection and extinguishing systems
- Ballast and cargo loading systems
- Watertight integrity and flooding detection systems
- Lighting and navigation light systems
- Emergency shutdown systems
Other applicable systems include navigation and communication systems, IP-based administrative and passenger service systems, and crew welfare systems.
3. Objectives and Functional Framework
UR E26 organizes its requirements around five core cyber resilience functions:
- Identify: Understand and document ship assets, networks, and critical systems
- Protect: Implement protective measures to prevent security breaches
- Detect: Establish capabilities to detect anomalies and cyberattacks
- Respond: Define procedures to respond swiftly to incidents
- Recover: Ensure system recovery and continuity of operations
These functions must operate as part of an integrated risk management framework, not in isolation.
4. Key Requirements
1) Identify
- Maintain a current inventory of CBS assets onboard
- Record software and hardware changes and reflect them in the asset list
- Document network connections, security zones, and inter-system interactions
2) Protect
- Security Zones and Network Segmentation:
- Segregate OT systems into distinct zones using firewalls and data diodes
- Do not place navigation/communication systems in the same zone as machinery/cargo systems
- Network Protection and Access Control:
- Implement DoS protection, monitor for abnormal traffic
- Apply least privilege access principles
- Enforce multi-factor authentication (MFA) for administrator accounts
- Wireless Communication Security:
- Operate wireless systems in separate zones
- Limit access to authorized users and devices, enforce encryption
- Remote Access Control:
- Enable remote access only with crew approval
- Perform pre-tested software updates with rollback options
3) Detect
- Network Monitoring:
- Continuously monitor network status and generate alerts on anomalies
- Use Intrusion Detection Systems (IDS) in passive mode
4) Respond
- Cyber Incident Response Plan:
- Document clear procedures for handling incidents
- Isolate compromised systems via zone separation
5) Recover
- Backup and Restoration Plan:
- Establish backup strategies for system recovery
- Maintain documented security update and maintenance policies
- Conduct regular cyber resilience tests
5. Verification and Maintenance
Cybersecurity compliance must be verified across the ship’s lifecycle:
- Design & Construction Phase: Submit security architecture and asset inventory
- Operational Phase: Operate a cybersecurity management program and conduct regular audits
6. Conclusion
UR E26 Rev.1 (2023) aims to enhance the cyber resilience of ships, preventing cyber incidents and ensuring operational continuity in the increasingly digitalized maritime industry. The document defines clear security management criteria for both IT and OT systems, providing essential requirements that ship operators and system integrators must comply with.
![[OT Sec] Understanding SIL and SL – Essential Foundations for OT System Design](https://ota2z.com/wp-content/uploads/2025/04/ChatGPT_Image_2025년_3월_29일_오후_02_19_10-768x768.webp)
![[Physical Sec] Physical Security Risk Management Master Guide: Systematic Approach for PSP Professionals](https://ota2z.com/wp-content/uploads/2025/07/ChatGPT-Image-2025년-7월-27일-오후-10_36_26-768x768.webp)
![[OT Sec] UR E27 Rev.1 (2023): Cyber Resilience of Shipboard Systems and Equipment – Security Requirements and Implementation Guidelines](https://ota2z.com/wp-content/uploads/2025/03/DALL·E_2025-02-14_16.24.04_-_A_futuristic_ship_with_a_holographic_security_d-768x439.webp)
![[OT 보안] “ISA/IEC 62443 Module 3: 산업제어시스템 보안의 핵심 프레임워크”](https://ota2z.com/wp-content/uploads/2025/08/ChatGPT-Image-2025년-8월-13일-오후-04_36_35-768x768.webp)