IACS UR E26 & E27 mandatory cyber regulations
From zero to hero!
By: Youri Hart
In July 2024, the new IACS unified requirements on cyber resilience for classed vessels come into effect. These regulations, known as E26 & E27, are set to propel new build vessels from zero to hero in terms of cyber and IT management. One crucial aspect not to be underestimated is the cost for shipowners of achieving and maintaining compliance with these regulations. The costs of compliance will be recurring rather than one-time expenses.
For whom?
These regulations apply to anyone signing a contract on or after July 1st, 2024, to build a new vessel equal to or larger than 500GT. This includes passenger vessels (capable of carrying more than 12 passengers) and self-propelled mobile offshore units. Essentially, almost every new build vessel should comply with these regulations. For vessels built before this date, the regulation can serve as a non-mandatory guideline.
What's the impact?
The impact of these new regulations on shipowners / managers will be significant. Unlike in the past, when many vessels operated computer networks that received little to no regular maintenance and lacked protection against modern malware, these regulations will bring a change. E26 and E27 cover both Operational Technology (OT) and Information Technology (IT). OT systems include propulsion, steering, ballast, lighting, and any digitally connected components, all of which must be inventoried and protected. As for IT, it’s crucial to note that all networks, including administrative and crew welfare systems, fall under this requirement. Even temporary networks should be included in the scope for predictive maintenance. In essence, if there’s a network connection, it should be protected. However, the impact extends beyond protection alone; the regulations also address change management, predictive maintenance monitoring, and control. Notably, the regulation follows the same NIST framework functions as the IMO 2021 guidelines: Identify, Protect, Detect, Respond and Recover.
The regulations stipulate that all actions / systems necessary for compliance, or aiding compliance, must remain in place for the entire lifespan of the vessel. This doesn’t mean you can’t switch IT or security providers, but it does mean you can’t cancel subscriptions or maintenance tasks. During the design phase, systems must demonstrate their secured status, and after commissioning, annual surveys and the ongoing operational phase must ensure continued compliance.
Therefore, the complete IT and Cyber Security plan must be implemented from start to finish with ongoing efforts to minimize the risk of cyber incidents.
What is needed?
While E26 outlines what needs protection, E27 details how, and with which tools, this can be achieved, albeit somewhat cryptically. One clear requirement from E26 is Vulnerability Management, which can be done via software or manually. However, manual tracking isn’t feasible given the multitude of systems on a vessel, which makes a Vulnerability Management tool the essential first tool needed. Since logging of user actions is mandatory as well, tooling for this, or an Active Directory domain, is needed so that every user has an individual account.
What does it cost?
As with any new regulation or action, costs are involved, and compliance with these regulations is no exception. The rough costs of the services needed or listed in these regulations can give a ballpark figure for compliance. It’s worth noting that costs may sometimes be lower if multiple services are obtained from one company. Here are some estimated costs sourced from the internet:
Vulnerability Management: Roughly $5 per endpoint per month.
Asset Management: Approximately $100 per month.
User identification for computer login + MFA: Around $10 per user per month.
Unified Threat Management: Roughly $350 per month.
General IT Hardening setup: Initial setup and maintenance at $350 per month.
Endpoint Security Software: Around $100 per month (depending on the number of endpoints).
Data Loss Prevention: Roughly $10 per user per month.
Network Detection and Response: Programs such as Darktrace, Vectra AI, Cisco Stealthwatch start with a license price of $2000 a month, excluding hardware and monitoring.
Additionally, the manual administration of record-keeping required by these regulations can result in higher costs. These prices only cover monthly costs; the creation of test procedures and setups for each product and service will require hundreds of hours of consultancy work.
Summing up the tools needed for compliance with these new class regulations, the monthly costs are extremely high compared to today’s IT budgets on a ship. However, when compared to shore-based companies such as small factories that have been dealing with these costs for years, it’s understandable. The rough calculation for vessels can amount to an average of $4500 USD in IT and security costs alone every month.
Although this may seem significant, it’s less than 1% of the vessel’s monthly fuel costs. Just as fuel is essential for a vessel to sail, IT and OT are now equally indispensable.
If you want to save costs and talk further about these UR regulations, please contact us!
Visit us:
33 Space, Building 55, Room 508 Soi Pradipat, Pradipat 17 Phayathai Bangkok 10400 Thailand
Contact us:
EMEA: +31 (0)10 260 00 41
APAC: +66 (0)2-023-0112
APAC: +65 31 58 16 17