
IACS UR E26 and E27 Guidance: Maritime Cybersecurity Framework for Modern Ships

Posted on May 23, 2026

Introduction

The maritime industry is undergoing a major digital transformation. Modern vessels are increasingly dependent on connected Operational Technology (OT), Industrial Control Systems (ICS), satellite communication systems, cloud-based monitoring, remote maintenance platforms, and integrated navigation technologies. While these advancements improve efficiency, automation, and operational visibility, they also introduce significant cybersecurity risks.

Cyberattacks against maritime infrastructure have grown rapidly in recent years. Threat actors now target shipping companies, ports, onboard navigation systems, cargo management systems, and industrial control environments. A successful cyberattack can disrupt vessel operations, impact safety systems, delay cargo delivery, and even create environmental or financial damage.

To address these challenges, the International Association of Classification Societies (IACS) introduced Unified Requirements (UR) E26 and E27. These cybersecurity requirements establish a standardized baseline for cyber resilience across modern vessels and connected onboard systems.

These requirements became mandatory for most newly contracted vessels from July 1, 2024 onward.

What is IACS?

The International Association of Classification Societies (IACS) is a global organization composed of leading ship classification societies such as:

  • DNV
  • ABS
  • Lloyd’s Register
  • Bureau Veritas
  • ClassNK
  • RINA
  • China Classification Society

IACS develops technical standards and safety requirements for ship design, construction, and operational safety.

With the rise of maritime cyber threats, IACS introduced cybersecurity-focused requirements to improve cyber resilience across the shipping industry.

Overview of UR E26 and UR E27

Although both standards focus on maritime cybersecurity, they target different areas.

| Requirement | Primary Focus | Applies To |
|---|---|---|
| UR E26 | Cyber resilience of the vessel | Shipowners, shipyards, integrators |
| UR E27 | Cyber resilience of onboard systems and equipment | Equipment manufacturers and suppliers |

UR E26 focuses on the entire ship environment, while UR E27 focuses specifically on individual systems and components installed onboard.

High-Level Architecture

The challenge is ensuring every layer remains secure while maintaining operational availability and safety.

Detailed Explanation of UR E26

Purpose of UR E26

UR E26 defines cybersecurity requirements for the ship as a whole throughout its operational lifecycle.

The standard ensures vessels are:

  • Designed with cybersecurity in mind
  • Protected against cyber threats
  • Able to detect cyber incidents
  • Capable of responding effectively
  • Able to recover safely after attacks

UR E26 applies during:

  1. Design phase
  2. Construction phase
  3. Integration phase
  4. Commissioning phase
  5. Operational lifecycle
  6. Maintenance activities

Core Cybersecurity Functions in UR E26

UR E26 follows a framework similar to the NIST Cybersecurity Framework.

1. Identify

Organizations must identify:

  • Critical systems
  • Network architecture
  • Data flows
  • Connected assets
  • Communication interfaces
  • External dependencies

Example:

A vessel may contain:

  • Dynamic Positioning (DP) systems
  • Electronic Chart Display and Information Systems (ECDIS)
  • Engine Management Systems
  • Ballast Water Systems
  • Cargo Control Systems
  • Satellite Communication Systems

All these assets must be documented and classified.

Asset Identification Diagram

2. Protect

The protection phase focuses on preventing unauthorized access and reducing attack surfaces.

Common Security Controls

  • Network segmentation
  • Access control
  • Multi-factor authentication
  • Patch management
  • Malware protection
  • Firewall implementation
  • Secure configurations
  • USB control policies

Network Segmentation Example

This segmentation prevents threats from easily spreading between IT and OT environments.

3. Detect

Organizations must implement monitoring capabilities to identify cyber incidents quickly.

Detection Capabilities Include:

  • Security event monitoring
  • Intrusion detection systems
  • Log analysis
  • Network traffic monitoring
  • Behavioral anomaly detection

Detection Workflow

4. Respond

UR E26 requires documented incident response procedures.

Response Activities Include:

  • Incident containment
  • System isolation
  • Communication procedures
  • Recovery coordination
  • Evidence preservation
  • Escalation management

Example Scenario

If ransomware impacts a shipboard workstation:

  1. Isolate affected systems
  2. Prevent lateral movement
  3. Inform vessel operators
  4. Restore from backups
  5. Conduct forensic analysis
  6. Update security controls

5. Recover

Recovery planning ensures operational continuity after cyber incidents.

Recovery Requirements

  • Backup procedures
  • Redundant systems
  • Disaster recovery plans
  • System restoration testing
  • Business continuity procedures

Recovery Architecture

Detailed Explanation of UR E27

Purpose of UR E27

UR E27 focuses specifically on onboard systems and equipment.

It applies primarily to:

  • Equipment manufacturers
  • OEM vendors
  • Software developers
  • System suppliers

Manufacturers must prove that their systems are developed securely and can operate safely in cyber-threat environments.

Key Requirements of UR E27

Secure Development Lifecycle (SDL)

Manufacturers must implement secure software development practices.

Secure Development Includes:

  • Secure coding standards
  • Vulnerability testing
  • Security reviews
  • Patch management processes
  • Threat modeling
  • Penetration testing

Secure Development Lifecycle Diagram

Authentication and Access Control

Systems must support:

  • Role-based access control
  • Password policies
  • Authentication mechanisms
  • User account management
  • Audit logging

Software Integrity Protection

Manufacturers must ensure:

  • Software authenticity
  • Secure firmware updates
  • Protection against tampering
  • Integrity verification

Firmware Update Security Example

Logging and Monitoring

Equipment must generate logs for:

  • User activities
  • Security events
  • Configuration changes
  • System failures

These logs assist during incident investigations.

Relationship Between UR E26 and E27

The two standards complement each other.

| UR E26 | UR E27 |
|---|---|
| Focuses on vessel-wide cybersecurity | Focuses on individual equipment security |
| Managed by shipowners and integrators | Managed by equipment vendors |
| Covers operational lifecycle | Covers product security lifecycle |
| Emphasizes operational resilience | Emphasizes secure system development |

Together, they create a layered cybersecurity model.

Maritime Threat Landscape

Modern vessels face numerous cyber threats.

Common Maritime Cyber Threats

1. Ransomware

Attackers encrypt systems and demand payment.

2. GPS Spoofing

False GPS signals manipulate navigation systems.

3. Malware Infections

Malicious software spreads through removable media or remote connections.

4. Supply Chain Attacks

Compromised vendors introduce malicious components.

5. Insider Threats

Unauthorized internal access causes operational disruption.

Threat Landscape Diagram

Compliance Challenges

Many shipping organizations face challenges implementing UR E26 and E27.

Common Challenges

Legacy Systems

Older OT systems may lack:

  • Security patching
  • Authentication mechanisms
  • Encryption support
  • Logging capabilities

Complex Integrations

Ships often combine systems from multiple vendors.

Limited Downtime

Operational systems cannot easily be shut down for upgrades.

Vendor Coordination

Multiple suppliers must align with compliance requirements.

Remote Operations

Vessels operate globally with limited onsite cybersecurity support.

Best Practices for Compliance

Conduct Asset Discovery

Create a complete inventory of:

  • Hardware
  • Software
  • Communication links
  • Remote access pathways

Implement Network Segmentation

Separate:

  • Corporate IT networks
  • Operational Technology networks
  • Safety-critical systems
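One way to check the asset inventory and the segmentation practice together, as an added example that is not from the original article or from IACS: the script audits observed data flows against an inventory and a zone policy. The asset names, zone assignments, permitted conduits and flows are all constructed assumptions.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    service: str

# Constructed inventory: asset name -> zone (zones follow the article's split).
INVENTORY = {
    "crew-mail-server": "IT",
    "satcom-terminal": "IT",
    "ecdis": "OT",
    "engine-management": "OT",
    "cargo-control": "OT",
    "dp-controller": "SAFETY",
}

# Assumed policy: the only cross-zone conduits permitted, keyed by
# (source zone, destination zone). Anything not listed is denied.
CONDUITS = {
    ("OT", "IT"): {"syslog"},        # OT logs exported to IT monitoring
    ("IT", "OT"): {"chart-update"},  # chart updates pushed from IT to ECDIS
}

def audit_flows(flows, inventory=INVENTORY, conduits=CONDUITS):
    """Return (flow, reason) findings for flows that break the zone model."""
    findings = []
    for flow in flows:
        src_zone = inventory.get(flow.src)
        dst_zone = inventory.get(flow.dst)
        if src_zone is None or dst_zone is None:
            # An endpoint missing from the inventory is a gap in "Identify".
            findings.append((flow, "undocumented asset"))
        elif src_zone != dst_zone:
            allowed = conduits.get((src_zone, dst_zone), set())
            if flow.service not in allowed:
                reason = f"no conduit {src_zone}->{dst_zone} for {flow.service}"
                findings.append((flow, reason))
    return findings

# Constructed observations, e.g. taken from firewall logs or a flow collector.
OBSERVED = [
    Flow("engine-management", "crew-mail-server", "syslog"),  # allowed conduit
    Flow("crew-mail-server", "ecdis", "chart-update"),        # allowed conduit
    Flow("satcom-terminal", "crew-mail-server", "smtp"),      # same zone
    Flow("crew-mail-server", "dp-controller", "rdp"),         # IT -> SAFETY
    Flow("vendor-laptop", "engine-management", "ssh"),        # not in inventory
]

if __name__ == "__main__":
    for flow, reason in audit_flows(OBSERVED):
        print(f"{flow.src} -> {flow.dst} [{flow.service}]: {reason}")
```

Conduits are directional here, so a service permitted from OT to IT is still flagged when it appears from IT to OT.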

Strengthen Remote Access Security

Implement:

  • VPN access
  • Multi-factor authentication
  • Session monitoring
  • Time-based access restrictions

Perform Regular Risk Assessments

Evaluate:

  • Vulnerabilities
  • Attack paths
  • System dependencies
  • Operational risks

Train Personnel

Human error remains one of the biggest cybersecurity risks.

Training should include:

  • Phishing awareness
  • Password security
  • USB usage policies
  • Incident reporting procedures

Example Vessel Cybersecurity Architecture

Role of Classification Societies

Classification societies play a major role in:

  • Reviewing compliance documentation
  • Conducting assessments
  • Verifying cybersecurity controls
  • Supporting certification processes

Organizations may be required to provide:

  • Network diagrams
  • Risk assessments
  • Asset inventories
  • Security procedures
  • Incident response plans
  • Vendor documentation

Benefits of UR E26 and E27

Improved Safety

Cybersecurity incidents can directly impact physical safety onboard.

Reduced Operational Disruption

Strong security controls minimize downtime.

Better Supply Chain Security

Vendor security requirements improve trust.

Standardized Cybersecurity Practices

The industry gains a unified cybersecurity baseline.

Increased Regulatory Readiness

Compliance supports alignment with IMO and other maritime regulations.

Future of Maritime Cybersecurity

The maritime sector is expected to become even more connected through:

  • Autonomous vessels
  • AI-driven monitoring
  • Remote operations
  • Cloud-based fleet management
  • Smart ports
  • IoT-enabled ship systems

As digital adoption increases, cybersecurity requirements will continue evolving.

UR E26 and E27 represent the foundation of a long-term maritime cyber resilience strategy.

Conclusion

IACS UR E26 and UR E27 are major milestones in maritime cybersecurity. They establish a structured framework for protecting vessels, onboard systems, and operational technology environments from evolving cyber threats.

UR E26 focuses on vessel-wide cyber resilience, while UR E27 ensures onboard systems and equipment are securely designed and maintained.

Together, these requirements help shipping companies, shipbuilders, and equipment vendors improve operational safety, reduce cyber risk, and strengthen resilience against modern maritime threats.

As the shipping industry becomes increasingly digitalized, cybersecurity is no longer optional — it is now a critical operational and safety requirement.
