Maritime Cybersecurity: UR E26 vs. NIS2 Directive
Mario Eisenhut
Nordfriesland "Navigating Trust and Commitment: Anchoring Your Success with Responsibility and Reliability"
As the maritime industry embraces advanced technologies, ensuring robust cybersecurity has become paramount. Both the International Association of Classification Societies (IACS) UR E26 and the European Union’s NIS2 Directive set out to enhance cybersecurity standards. Let's compare these frameworks in today's newsletter to understand their impact on maritime cyber resilience.
UR E26 - Cyber Resilience of Ships
UR E26 aims to help maritime organisations establish and maintain a secure onboard environment, addressing cyber resilience comprehensively across the vessel’s lifecycle. This unified requirement sets the foundation for shipbuilders, integrators, and owners to implement robust cybersecurity measures from the initial design phase through construction, commissioning, and operation. By adhering to these standards, maritime stakeholders can protect against the growing cyber threats targeting vessel networks and systems.
Scope:
During the design and construction phase, systems integrators must submit comprehensive documentation to the classification society. This includes a zones and conduit diagram that clearly indicates the security zones, a vessel asset inventory covering all hardware and software components relevant to E26, and a detailed cybersecurity design description. These documents ensure that all cybersecurity aspects are considered and integrated into the vessel's design, providing a robust foundation for cyber resilience.
At the commissioning stage, the systems integrator must provide a ship cyber resilience test procedure. This procedure demonstrates that the security zones on board meet the criteria established in the approved design documents. It involves rigorous testing to ensure that all cybersecurity measures are effectively implemented and functioning as intended.
Once the vessel is operational, the ship owner assumes responsibility for maintaining cybersecurity. They must submit a ship cybersecurity and resilience programme, outlining procedures to manage technical and organisational security countermeasures. This programme ensures that the onboard environment remains secure and capable of adapting to emerging cyber threats throughout the vessel’s operational life.
Framework
UR E26 is structured around the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is divided into five core functions:
Identify: Develop an understanding of cybersecurity risks to facilitate their identification. This involves creating an inventory of all assets, systems, and networks to pinpoint vulnerabilities.
Protect: Establish safeguards to protect the ship from cyber-attacks. These measures include implementing access controls, encryption, and other security technologies to prevent unauthorized access and data breaches.
Detect: Implement measures for detecting cyber incidents on board. This involves deploying monitoring systems and intrusion detection tools to identify potential threats in real time.
Respond: Set up protocols for responding to detected cyber-attacks. This includes creating incident response plans, conducting regular drills, and ensuring that the crew is trained to handle cyber incidents effectively.
Recover: Adopt procedures to recover any capabilities and/or services impaired by a cyber incident. This involves developing contingency plans and backup strategies to restore normal operations quickly.
UR E27 - Cyber Resilience of Onboard Systems and Equipment
UR E27 supports manufacturers and OEMs in evaluating and improving the cyber resilience of onboard operational systems and equipment. This requirement offers comprehensive instructions related to security philosophy, documentation, system requirements, secure development lifecycle requirements, and plan approval. By incorporating elements of the International Electrotechnical Commission (IEC) standard IEC 62443, UR E27 ensures that onboard systems meet stringent cybersecurity standards.
UR E27’s system requirements cover 30 security capabilities required by all Computer-Based Systems (CBSs) and 11 additional security capabilities required by CBSs that interface with untrusted networks. These requirements ensure that all onboard systems and equipment are designed and maintained to withstand cyber threats effectively.
Demonstrating Compliance
Demonstrating compliance with UR E27 requires the submission of several detailed documents to the classification society. These documents provide a comprehensive overview of the onboard systems' cybersecurity measures and their effectiveness.
1. CBS Asset Inventory
This includes a list of hardware components detailing the manufacturer and model, a short description of their functionality, physical interfaces, the name/type of system software with its version and patch level, and supported communication protocols. This inventory ensures that all hardware and software components are accounted for and that their security attributes are well documented.
2. CBS Topology Diagrams
These comprise two diagrams – a physical topology diagram illustrating the physical architecture of the system and a logical topology diagram illustrating the data flow between system components. These diagrams provide a visual representation of the system’s structure and data interactions, facilitating the identification of potential vulnerabilities.
3. Description of Security Capabilities
This document demonstrates how the CBS meets the required security capabilities with its hardware and software components. It provides detailed descriptions of the security features implemented in the system, ensuring that all necessary measures are in place to protect against cyber threats.
4. Test Procedure of Security Capabilities
This describes how to demonstrate, through testing, that the system complies with the security requirements. It includes detailed test plans and procedures to validate the effectiveness of the implemented security measures.
5. Security Configuration Guidelines
This document describes recommended configuration settings of the security capabilities and specifies default values. It provides guidelines for configuring the system securely, ensuring that it operates in a manner that minimizes the risk of cyber-attacks.
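The design-stage documents described above all describe the same vessel: the zones and conduits diagram and asset inventory required under E26, and the CBS asset inventory, topology diagrams and the distinction between CBSs with and without untrusted-network interfaces under E27. A plan reviewer's first job is therefore to check that they agree with each other. The following Python script is an added example written for this newsletter edit; it is not IACS material nor the author's own tooling. The field names, zone model and sample assets are constructed for illustration, and reading "interfaces with an untrusted network" as "exchanges data with an asset in an untrusted zone" is this example's simplification, not the UR E27 definition.

```python
"""Consistency checks across a CBS asset inventory, a zones and conduits
model and a logical topology (data flows).  All data is constructed for
illustration; key names are this example's convention, not an IACS schema."""

from typing import Dict, List, Tuple

# Attributes UR E27 lists for the CBS asset inventory, plus a zone assignment
# so the inventory can be matched against the zones and conduits diagram.
REQUIRED_FIELDS = (
    "manufacturer", "model", "function", "physical_interfaces",
    "software_name", "software_version", "patch_level", "protocols", "zone",
)

# Constructed sample inventory: vendors, models and versions are made up.
INVENTORY: Dict[str, dict] = {
    "ECDIS-1": {"manufacturer": "ExampleNav", "model": "EN-200",
                "function": "Electronic chart display", "physical_interfaces": ["eth0", "usb"],
                "software_name": "ENav OS", "software_version": "4.2", "patch_level": "2024-03",
                "protocols": ["IEC 61162-450"], "zone": "bridge"},
    "SAT-GW": {"manufacturer": "ExampleSat", "model": "SG-10",
               "function": "Satellite communication gateway", "physical_interfaces": ["eth0", "eth1"],
               "software_name": "SG firmware", "software_version": "1.9", "patch_level": "2023-11",
               "protocols": ["IP"], "zone": "external"},
    # Patch level was never recorded: an inventory gap the reviewer should catch.
    "PLC-ENG-1": {"manufacturer": "ExamplePLC", "model": "EP-50",
                  "function": "Engine room automation controller", "physical_interfaces": ["eth0", "rs485"],
                  "software_name": "EP runtime", "software_version": "2.0",
                  "protocols": ["Modbus/TCP"], "zone": "engine"},
    # Assigned to a zone the zones and conduits diagram never declares.
    "HMI-ENG-1": {"manufacturer": "ExamplePLC", "model": "EH-7",
                  "function": "Engine room operator panel", "physical_interfaces": ["eth0"],
                  "software_name": "EH firmware", "software_version": "3.1", "patch_level": "2024-01",
                  "protocols": ["Modbus/TCP"], "zone": "machinery"},
}

# Zones and conduits diagram: zone name -> trusted?, plus declared conduits (zone pairs).
ZONES: Dict[str, bool] = {"bridge": True, "engine": True, "external": False}
CONDUITS = {frozenset(("external", "bridge")), frozenset(("bridge", "engine"))}

# Logical topology diagram: data flows between assets (source, destination, purpose).
FLOWS: List[Tuple[str, str, str]] = [
    ("SAT-GW", "ECDIS-1", "chart updates"),
    ("ECDIS-1", "PLC-ENG-1", "route data"),
    ("SAT-GW", "PLC-ENG-1", "remote diagnostics"),  # no external<->engine conduit declared
]


def missing_fields(inventory: Dict[str, dict]) -> Dict[str, List[str]]:
    """Assets whose inventory entry lacks one or more required attributes."""
    gaps = {aid: [f for f in REQUIRED_FIELDS if f not in entry] for aid, entry in inventory.items()}
    return {aid: fields for aid, fields in gaps.items() if fields}


def undeclared_zones(inventory: Dict[str, dict], zones: Dict[str, bool]) -> List[str]:
    """Assets placed in a zone that the zones and conduits diagram does not declare."""
    return sorted(aid for aid, entry in inventory.items() if entry.get("zone") not in zones)


def flows_without_conduit(inventory, conduits, flows) -> List[Tuple[str, str, str]]:
    """Cross-zone data flows in the logical topology that have no declared conduit."""
    result = []
    for src, dst, purpose in flows:
        zs, zd = inventory[src].get("zone"), inventory[dst].get("zone")
        if zs != zd and frozenset((zs, zd)) not in conduits:
            result.append((src, dst, purpose))
    return result


def untrusted_facing_assets(inventory, zones, flows) -> List[str]:
    """Assets in a trusted zone that exchange data with an asset in an untrusted
    zone.  UR E27 requires 11 additional capabilities of CBSs that interface with
    untrusted networks; equating that with zone adjacency is this example's
    simplification, so treat the list as a review prompt, not a verdict."""
    facing = set()
    for src, dst, _ in flows:
        for a, b in ((src, dst), (dst, src)):
            if zones.get(inventory[a].get("zone"), False) and not zones.get(inventory[b].get("zone"), False):
                facing.add(a)
    return sorted(facing)


def review(inventory=INVENTORY, zones=ZONES, conduits=CONDUITS, flows=FLOWS) -> dict:
    """Run every check and return the findings as one dictionary."""
    return {
        "missing_fields": missing_fields(inventory),
        "undeclared_zones": undeclared_zones(inventory, zones),
        "flows_without_conduit": flows_without_conduit(inventory, conduits, flows),
        "untrusted_facing_assets": untrusted_facing_assets(inventory, zones, flows),
    }


if __name__ == "__main__":
    for check, finding in review().items():
        print(f"{check}: {finding}")
```

Run as-is and the script reports the missing patch level on PLC-ENG-1, the undeclared "machinery" zone, the remote-diagnostics flow from the external zone into the engine zone that the conduit diagram does not declare, and the two trusted-zone assets that talk to the satellite gateway. In a real submission the inventory, zone model and flows would be loaded from the documents themselves rather than constructed inline.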
NIS2 Directive: Network and Information Security
The NIS2 Directive aims to bolster cybersecurity across critical sectors, including maritime, within the European Union by enhancing cybersecurity measures and incident response capabilities. This directive builds on the original NIS Directive, expanding its scope and introducing more stringent requirements to address the evolving cyber threat landscape. By setting high cybersecurity standards, NIS2 seeks to protect the EU’s critical infrastructure and services from cyber-attacks and ensure continuity of operations.
Scope:
The NIS2 Directive applies to a broader range of essential services and digital service providers, including the maritime sector. It mandates that EU member states adopt national cybersecurity strategies and designate competent authorities to oversee the implementation of the directive. This ensures a coordinated approach to cybersecurity across the EU.
Organisations within the scope of NIS2 must implement comprehensive risk management measures to identify and mitigate cybersecurity risks. They are also required to report significant cyber incidents within 24 hours of detection, enabling timely response and mitigation efforts. Additionally, organisations must ensure the continuity of critical services, even during cyber incidents.
NIS2 promotes cooperation between EU member states and with international partners to address cross-border cyber threats. This involves sharing information, best practices, and threat intelligence to enhance collective cybersecurity capabilities and resilience.
NIS2 focuses on a broader approach to cybersecurity, encompassing various critical aspects:
Organisations must systematically assess and manage cybersecurity risks. This involves conducting regular risk assessments, implementing appropriate security measures, and continuously monitoring the threat landscape.
NIS2 mandates the reporting of significant cyber incidents to national authorities within 24 hours. This rapid reporting enables authorities to respond swiftly, mitigate the impact, and prevent further damage.
The directive establishes clear responsibilities for cybersecurity management within organisations. It requires the appointment of designated cybersecurity officers and the creation of governance structures to oversee cybersecurity efforts.
NIS2 encourages information sharing and cooperation among EU member states and international partners. This includes participating in joint exercises, sharing threat intelligence, and collaborating on cybersecurity research and development initiatives.
Key Comparisons
UR E26 is specific to the maritime sector, focusing on the cybersecurity of newbuild vessels and their systems. It provides detailed guidelines for shipbuilders, integrators, and owners to ensure that cybersecurity measures are integrated into the vessel's design, construction, commissioning, and operation phases.
The NIS2 Directive has a broader scope, covering various critical sectors, including maritime, within the EU. It aims to enhance overall cybersecurity resilience by setting high standards for risk management, incident reporting, and international cooperation.
Framework:
Based on the NIST Cybersecurity Framework, UR E26 emphasizes a structured approach to cyber resilience. It provides specific guidelines for identifying, protecting, detecting, responding to, and recovering from cyber incidents on board vessels.
NIS2 focuses on a comprehensive cybersecurity strategy for critical infrastructures. It emphasizes risk management, incident reporting, governance, and international cooperation to enhance cybersecurity resilience across the EU.
Compliance and Enforcement
Compliance with UR E26 is demonstrated through detailed documentation at various stages of the vessel’s lifecycle, with oversight by classification societies. These societies ensure that cybersecurity measures are effectively implemented and maintained.
Compliance with NIS2 involves national authorities, with mandatory incident reporting and penalties for non-compliance. Member states are responsible for overseeing the implementation of the directive and ensuring that organisations adhere to the established cybersecurity standards.
International Impact
UR E26 primarily impacts shipbuilders, integrators, and owners within the jurisdictions of classification societies. It sets specific cybersecurity standards for the maritime sector, enhancing the resilience of newbuild vessels and their systems.
NIS2 affects a wide range of organisations within the EU, promoting a unified cybersecurity stance across member states and fostering international cooperation. It aims to protect critical infrastructure and services from cyber threats, ensuring continuity of operations and enhancing overall cybersecurity resilience.
Both UR E26 and the NIS2 Directive play crucial roles in enhancing cybersecurity within the maritime industry. UR E26 offers a detailed, vessel-specific approach, ensuring cyber resilience from design to operation. By following the NIST Cybersecurity Framework, it provides a structured methodology for identifying, protecting, detecting, responding to, and recovering from cyber incidents. In contrast, NIS2 provides a broader, strategic framework that emphasizes risk management, incident reporting, governance, and international cooperation. It sets high cybersecurity standards for various critical sectors, including maritime, and promotes a coordinated approach to cybersecurity across the EU.
Together, these frameworks contribute to a safer, more resilient maritime industry in an increasingly interconnected world. As cyber threats continue to evolve, it is essential for maritime stakeholders to stay informed about cybersecurity best practices and regulatory requirements. By prioritising cyber resilience and adhering to established standards, shipowners and managers can safeguard their vessels, protect critical services, and ensure the continued success of their operations.
Stay informed about cybersecurity best practices and regulatory requirements to protect your maritime operations. Connect with us on LinkedIn for more insights and updates.
#MaritimeSecurity #CyberResilience #NIS2Directive #UR26 #CyberThreats #MaritimeIndustry
Cyber Security Analyst - Project leader at Bureau Veritas Marine & offshore
4 months
Thank you for sharing your insights. This is a very interesting read for a Monday morning. While it's true that the combination of the two significantly enhances posture within the maritime industry, it is important to explicitly state that only onshore architecture is to be considered in the scope of NIS2 and not the vessel side.
Working to make the internet safe, day by day, piece by piece
4 months
But it is not only shipping that must be protected; the entire maritime sector must receive an adequate protective shield.