
IACS UR E26 & E27 Marine Cyber Compliance: What ETOs Actually Check


The IACS Unified Requirements E26 (cyber resilience of ships) and E27 (cyber resilience of on-board systems) apply to vessels contracted after 1 January 2024 — and to most retrofits. This is the compliance checklist a working ETO runs on the engine-room network, IAS, BWTS controller and the navigation suite before the delivery surveyor boards.

What E26 and E27 actually require — short version for working ETOs

IACS Unified Requirement E26 sets the cyber resilience requirements for the vessel as a system. E27 sets the cyber resilience requirements for each on-board system and equipment item. Both apply mandatorily to vessels for which the building contract was signed on or after 1 January 2024, and increasingly to retrofits as flag states adopt the framework into their inspection regimes. The practical impact for working ETOs is that the engine-room IAS, the BWTS controller, the bridge navigation suite and any networked auxiliary system now have to demonstrate baseline cyber hygiene at survey — and the documentation has to be aboard, not in the office.

The good news: the E26/E27 baseline is largely things experienced ETOs already do, formalised. The bad news: vessels that have run for years on shared service accounts, flat networks and no audit log will need a remediation sprint before the delivery surveyor accepts the vessel. This article walks the compliance checklist as a pre-survey pass — what to fix, what to document, what to defer with an accepted exception.

The asset inventory — every networked device, including the ones nobody documented

E26 starts with a complete asset inventory of every networked device aboard. Every device. The IAS PLCs and HMIs are obvious; the BWTS HMI, the fire panel network card, the bridge ECDIS, the VDR, the engine maker's remote-service modem — all of these are in scope. So is the maker's service laptop the third engineer leaves plugged into the K-Chief network 'in case it is needed'.

Build the inventory from a port scan of every accessible network segment, cross-checked against the cabinet wiring diagrams and the maker's commissioning documentation. Devices that respond to a scan but are not on any drawing are typically the highest-risk finding — they are unknown to the chief and to the surveyor. We run the scan with a hardened laptop on each engine-room and bridge segment; the output is a CSV with IP, MAC, hostname, maker, firmware version and the cabinet location. That CSV becomes the master asset inventory for E26/E27 audits.
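The reconciliation step described above, as an added example that is not Levent Marine's own tooling: it joins a scan export (IP, MAC, hostname) against the devices listed on the cabinet drawings and marks each address as documented, undocumented (answers on the wire but on no drawing) or missing (on a drawing but silent). Both CSVs, the addresses and the cabinet names are constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass

# Constructed scan output for one engineering segment (not a real vessel).
SCAN_CSV = """ip,mac,hostname
10.10.1.10,00:11:22:aa:bb:01,ias-hmi-1
10.10.1.11,00:11:22:aa:bb:02,ias-plc-1
10.10.1.50,00:11:22:aa:bb:50,
10.10.1.200,00:11:22:aa:bb:c8,maker-laptop
"""

# Constructed list of what the cabinet drawings / commissioning docs declare.
DRAWINGS_CSV = """ip,maker,firmware,cabinet
10.10.1.10,Kongsberg,4.2.1,ECR-C01
10.10.1.11,Kongsberg,4.2.1,ECR-C02
10.10.1.12,Kongsberg,4.2.1,ECR-C03
"""

@dataclass
class Asset:
    ip: str
    mac: str
    hostname: str
    maker: str
    firmware: str
    cabinet: str
    status: str  # "documented", "undocumented" (scan only) or "missing" (drawing only)

def reconcile(scan_csv: str, drawings_csv: str) -> list:
    """Merge scan and drawing data into one master inventory, one row per IP."""
    scanned = {r["ip"]: r for r in csv.DictReader(io.StringIO(scan_csv))}
    drawn = {r["ip"]: r for r in csv.DictReader(io.StringIO(drawings_csv))}
    assets = []
    # Sort numerically by octet so 10.10.1.50 comes before 10.10.1.200.
    for ip in sorted(set(scanned) | set(drawn), key=lambda s: tuple(map(int, s.split(".")))):
        s, d = scanned.get(ip, {}), drawn.get(ip, {})
        if s and d:
            status = "documented"
        elif s:
            status = "undocumented"  # highest-risk finding: unknown to chief and surveyor
        else:
            status = "missing"       # declared but silent: removed, moved or powered off
        assets.append(Asset(ip, s.get("mac", ""), s.get("hostname", ""),
                            d.get("maker", ""), d.get("firmware", ""),
                            d.get("cabinet", ""), status))
    return assets

def with_status(assets, status: str) -> list:
    """IPs in the inventory carrying the given status."""
    return [a.ip for a in assets if a.status == status]
```

The undocumented list is the one to walk the engine room with; the missing list usually turns out to be equipment that was moved in a yard period without the drawing being updated.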

Network segmentation — engineering network vs entertainment network

E26 mandates segmentation between safety-critical OT networks (engine control, navigation, BWTS, fire detection) and the crew-welfare or commercial networks (Wi-Fi, satellite Internet, cargo manifest systems). The simplest test: from the crew Wi-Fi VLAN, can a laptop reach the IAS HMI by IP? If the answer is yes, there is no segmentation. The remedy is a managed switch with VLANs and an explicit ACL between them.

Most modern vessels already have a managed switch in the bridge equipment rack; the segmentation is often half-done because the original commissioning engineer documented the design but the second yard period plugged a cable across the boundary. Audit the actual flows with a port mirror and a network analyser; if traffic is crossing the boundary, find the cable and fix the configuration.
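The port-mirror audit above, as an added example that is not the page's own code: it takes flow summaries from the analyser, assigns each endpoint to a segment, and reports every flow that crosses the OT boundary without being on the explicit ACL. The segment plan, the ACL entry and the flow records are constructed assumptions, not a real vessel's design.

```python
import ipaddress

# Constructed segment plan: subnet -> zone name (illustrative, not a real design).
SEGMENTS = {
    "ot-ias": ipaddress.ip_network("10.10.1.0/24"),
    "ot-nav": ipaddress.ip_network("10.10.2.0/24"),
    "crew-wifi": ipaddress.ip_network("192.168.50.0/24"),
    "satcom": ipaddress.ip_network("192.168.60.0/24"),
}
OT_ZONES = {"ot-ias", "ot-nav"}

# Constructed explicit ACL: the only boundary crossings the design permits,
# as (src zone, dst zone, protocol, dst port).
ACL_ALLOW = {
    ("ot-ias", "satcom", "tcp", 443),  # documented maker remote-service channel
}

# Constructed flow records as a port mirror plus analyser would summarise them:
# (src ip, dst ip, protocol, dst port).
FLOWS = [
    ("10.10.1.10", "10.10.1.11", "tcp", 502),
    ("192.168.50.23", "10.10.1.10", "tcp", 3389),
    ("10.10.1.10", "192.168.60.5", "tcp", 443),
    ("192.168.50.23", "192.168.60.1", "udp", 53),
    ("192.168.60.1", "10.10.2.5", "tcp", 22),
]

def zone_of(ip: str) -> str:
    """Name of the segment an address belongs to, or 'unknown' if on no plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows, acl_allow=ACL_ALLOW) -> list:
    """Flows that cross the OT boundary and are not on the explicit ACL."""
    violations = []
    for src, dst, proto, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        # A flow crosses the boundary when exactly one end is in an OT zone;
        # an 'unknown' endpoint talking to OT counts as a crossing too.
        crosses = (sz in OT_ZONES) != (dz in OT_ZONES)
        if crosses and (sz, dz, proto, dport) not in acl_allow:
            violations.append({"src": src, "src_zone": sz, "dst": dst,
                               "dst_zone": dz, "proto": proto, "dport": dport})
    return violations
```

Every line in the violations list is either a cable across the boundary or a switch port on the wrong VLAN; the surveyor wants to see the list empty and the ACL matching the documented design.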

Patch management on PLC and HMI without breaking the maker's warranty

E27 requires that on-board systems be maintained against the maker's published cyber bulletins. The risk most ETOs raise is that applying a firmware update to a PLC mid-cycle can void the maker's warranty or destabilise a tuned application. The IACS framework accommodates this through a documented exception: an unpatched system is acceptable if the exception is logged, the compensating controls are documented, and the maker's bulletin reference is on file.

In practice: maintain a patch register listing every cyber bulletin received from Kongsberg, Praxis, ABB, Siemens, Schneider, Yokogawa, Honeywell and the navigation makers. For each bulletin, record the decision (apply, defer with exception, not applicable) and the compensating control if deferred. Apply patches during planned port calls, not at sea; verify the maker's warranty is maintained by recording the maker's confirmation in the patch register entry.
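A register check for the rules just listed, as an added example and not a Levent Marine tool: each entry carries the bulletin reference, the decision and, where relevant, the compensating control, the maker's warranty confirmation and the port call in which the patch went on. The entry fields and the sample entries are constructed; the bulletin identifiers are placeholders, not real maker bulletins.

```python
from dataclasses import dataclass

VALID_DECISIONS = {"apply", "defer", "not_applicable"}

@dataclass
class PatchEntry:
    system: str                     # e.g. "IAS PLC, ECR-C02" (constructed)
    maker: str
    bulletin_ref: str               # maker's bulletin identifier as received
    decision: str                   # apply | defer | not_applicable
    compensating_control: str = ""  # required when deferred
    maker_confirmation: str = ""    # maker's confirmation that warranty is maintained
    applied_in_port: str = ""       # port call during which the patch was applied

def check_entry(e: PatchEntry) -> list:
    """Surveyor-visible gaps in one register entry; an empty list means clean."""
    gaps = []
    if not e.bulletin_ref:
        gaps.append("no maker bulletin reference on file")
    if e.decision not in VALID_DECISIONS:
        gaps.append(f"unknown decision '{e.decision}'")
    if e.decision == "defer" and not e.compensating_control:
        gaps.append("deferred without documented compensating control")
    if e.decision == "apply":
        if not e.maker_confirmation:
            gaps.append("applied without maker's warranty confirmation")
        if not e.applied_in_port:
            gaps.append("no port call recorded for the application")
    return gaps

def audit_register(entries) -> dict:
    """Map each entry that has gaps to its findings; clean entries are omitted."""
    findings = {}
    for e in entries:
        gaps = check_entry(e)
        if gaps:
            findings[f"{e.maker} {e.bulletin_ref or '<no ref>'} / {e.system}"] = gaps
    return findings

# Constructed sample register (placeholder bulletin ids, not real bulletins).
REGISTER = [
    PatchEntry("IAS PLC, ECR-C02", "Kongsberg", "BULLETIN-PLACEHOLDER-01", "apply",
               maker_confirmation="maker email on file", applied_in_port="Houston"),
    PatchEntry("BWTS HMI", "Siemens", "BULLETIN-PLACEHOLDER-02", "defer"),
    PatchEntry("ECDIS", "Furuno", "", "not_applicable"),
]
```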

Account management — the shared root password problem

The single most common E26 finding we see during pre-delivery audits is shared service accounts. The K-Chief commissioning password is the one in the second engineer's notebook, which is the one written on the cabinet door. E26 requires per-user accounts where the platform supports them; for platforms that do not (older HMIs with a single service account), the requirement is documented physical access control instead.

Audit the account list on every platform. Where per-user accounts are possible, create them and revoke shared accounts. Where they are not, document the physical access control (cabinet locks, key custody log) and the routine for changing the shared password after personnel changes. The latter is acceptable to surveyors as a compensating control if it is consistently followed.

Logging and audit trail — what the surveyor checks

E26 requires an audit trail for safety-critical OT actions. The IAS already logs alarm acknowledgements with the user account that acknowledged; the BWTS logs cycle starts with the user account that initiated; the fire panel logs alarm tests with the user. The surveyor checks that these logs are retained for at least the maker-recommended period (typically 6 months on the device, longer if extracted to an off-device archive) and that the user identities are real per-user accounts where possible.

Configure log extraction to a hardened storage point — typically a dedicated NAS on the engineering segment with WORM (write-once, read-many) retention. Extract weekly. The surveyor wants to see the extraction routine and the storage configuration, not necessarily the log contents themselves.
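A check over a weekly extract that covers both the account-management section and the audit-trail section above, as an added example and not a maker's or Levent Marine's tool: it counts safety-critical actions attributed to shared accounts rather than named users, and tests whether the extract reaches back the 6-month retention period. The record format, the account names and the log lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed weekly extract of IAS / BWTS / fire-panel actions:
# timestamp,action,detail,user. Not a real maker's export format.
EXTRACT = """2024-01-05T02:14:00Z,ALARM_ACK,ME1 LO PRESS LOW,service
2024-03-12T11:02:30Z,ALARM_ACK,SW COOLING TEMP HIGH,j.smith
2024-06-20T04:45:10Z,CYCLE_START,BWTS UV DOSE LOW,admin
2024-07-01T09:00:00Z,ALARM_TEST,FIRE PANEL ZONE 3,m.ozturk
"""

# Constructed list of shared / generic accounts the audit should not see acting.
SHARED_ACCOUNTS = {"service", "admin", "operator", "engineer"}
MIN_RETENTION = timedelta(days=182)  # roughly the 6-month on-device minimum

def parse_extract(text: str) -> list:
    """Parse the constructed CSV extract into records with real datetimes."""
    records = []
    for line in text.strip().splitlines():
        ts, action, detail, user = line.split(",", 3)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "action": action, "detail": detail, "user": user})
    return records

def shared_account_actions(records) -> list:
    """Actions attributed to a shared account instead of a named person."""
    return [r for r in records if r["user"] in SHARED_ACCOUNTS]

def retention_ok(records, now: datetime) -> bool:
    """True if the oldest retained record is at least MIN_RETENTION before 'now'."""
    if not records:
        return False
    oldest = min(r["ts"] for r in records)
    return now - oldest >= MIN_RETENTION
```

Where a platform cannot support per-user accounts, the shared-account hits are the actions that the physical access control and key custody log have to account for.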

Incident response — playbook the bridge can actually execute

E26 requires an incident response procedure that the duty officer on the bridge can execute without specialist support. The procedure has to cover the most likely scenarios: loss of bridge navigation network, suspected unauthorised access to the IAS, ransomware indication on a crew laptop, satellite link compromise. The procedure is a one-page flowchart that the duty officer can follow at 03:00 with a 4-hour-old alarm.

Test the procedure at least quarterly with a tabletop exercise. The surveyor will not run the exercise; they will check the exercise log and the after-action notes. Vessels that have a real-looking procedure with no exercise log are flagged; vessels that have a simple procedure with documented quarterly exercises pass without dispute.

Practical: getting a non-compliant vessel through delivery survey

Most vessels in the next 18 months will undergo their first E26/E27 surveyor visit either at delivery (newbuilds), at intermediate survey (retrofits), or at the next port-state-control inspection. The remediation effort scales with the network complexity. A small bulker with one IAS and a Furuno bridge can typically clear the audit in two days; a container vessel with three networked IAS sub-systems and an extensive deck monitoring network needs four to seven days.

Schedule the pre-audit attendance during a planned port call no later than 30 days before the survey. The findings drive the remediation plan; the remediation plan drives the schedule of the next attendance. We attend pre-audit work at all major US ports under the standard wizard flow.

FAQ

Which vessels does IACS UR E26/E27 actually affect right now?
Mandatorily, vessels contracted after 1 January 2024. In practice, flag states are extending the framework to retrofit-classed vessels at intermediate survey, and port-state control regimes are starting to ask for the documentation on any vessel calling. Treat it as the new baseline rather than a future requirement.
Can we retrofit an older vessel for E26 compliance?
Yes — most older vessels can reach E26 baseline within a single planned port-call window. The biggest variable is the state of the OT network: vessels with a flat unmanaged network need a managed switch retrofit, which is the longest single line item. Audit first, then plan.
Which class societies are strict on E26/E27 enforcement?
DNV and Lloyd's Register are running the most assertive interpretation today; ABS is close behind; BV and ClassNK are aligned to the IACS baseline. Türk Loydu and IRS accept the IACS baseline and add their own implementation notes. Format the documentation to the class society that will witness the survey.

Published by Levent Marine — Florida-based, Wyoming LLC — 24/7 worldwide