Relevant for ship owners and managers, design offices, shipyards and suppliers.

The new IACS Unified Requirements (URs) are based on recognized international standards for the cyber security of industrial automation and control systems, such as IEC 62443. In brief, the new IACS URs cover the following main topics:

• Scope of applicability, including OT systems for important vessel functions
• Identification and protection against cyber threats
• Detection of incidents
• Means to respond and recover
• Hardening and security capabilities of systems and components

The URs will be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024. Consequently, the DNV class notation Cyber secure(Essential) will be mandatory from this date.

The technical security requirements of the IACS URs E26 and E27 are fully aligned with DNV’s class notations for cyber security and are covered by the current edition of the DNV class notation Cyber secure(Essential).

For customers who would like, on a voluntary basis, to implement the new IACS cyber security requirements before 1 January 2024, the following items outline how to achieve this in line with the current DNV rules:

• Systems type approval (TA) in accordance with the current edition of DNV rules for the class notation Cyber secure(Essential) / security profile 1 will meet the IACS URs E26 and E27. The TA process will be amended with the audit of the relevant additional development activities in accordance with IACS UR E27 section 5.
• Ships and offshore installations assigned the class notation Cyber secure(Essential, +) as per the current edition of DNV rules, will meet the IACS URs E26 and E27. The additional qualifier (+) is needed to extend the scope of systems in accordance with the scope of applicability in IACS UR E26.

DNV will arrange a webinar on the upcoming IACS URs for cyber security on 23 August 2022. The invitation will follow in mid-August.