Cytur publishes ‘Secure-by-Design’ white paper on ship cyber resilience

Can a ship that holds the required compliance documentation safely maintain navigation, propulsion, communications, and cargo operations even when it comes under a real cyberattack? As ships contracted on or after July 1, 2024 and subject to the mandatory IACS Unified Requirements UR E26·E27 enter their delivery period, the industry's question is shifting from "Have we met the requirements?" to exactly this.

The maritime cybersecurity company CYTUR Inc. has published a white paper addressing this issue, Secure-by-Design for Ship Cyber Resilience, pointing out that if UR E26·E27 compliance stops at documentation and manual checks, a gap can open between regulatory compliance and actual resilience. Classification societies describe UR E26·E27 as the "minimum requirements" for the cyber resilience of newbuildings.

According to CYTUR, a ship's network configuration, equipment specifications, software versions, remote-access paths, and supply-chain information change continually throughout design and construction. Tracking this by hand and verifying it only once, just before delivery, makes omissions and inconsistencies likely. Ships in particular are systems in which navigation, propulsion, power, communications, cargo, remote support, and the supply chain are intricately interconnected; checking only some equipment or part of the network makes it difficult to identify the compound attack paths a real adversary could use. Documentary compliance can be demonstrated on paper, the company notes, yet that does not guarantee the ability to withstand an attack during actual operation.

As a solution to this trend, CYTUR proposes Secure-by-Design: identifying threats at the design stage and tracing them all the way through to security requirements, design measures, test items, and verification evidence. This is not an additional security procedure but an engineering approach that raises design quality and verification efficiency, making it possible to quickly trace which requirements and test items are affected when a system changes. As a result, shipyards and shipowners can reduce repetitive manual documentation and last-minute rework before delivery, cutting the cost and man-hours of class response, equipment-maker collaboration, and owner review—while raising resilience in the actual operating environment.

Precedents from the automotive and defence industries are also instructive. The automotive industry, through UN Regulation No. 155 and ISO/SAE 21434, treats cybersecurity as an engineering activity spanning vehicle type approval and the entire development lifecycle, and in defence, design-stage threat modelling is likewise required for weapon systems. The shift to treating cybersecurity as part of design rather than an after-the-fact inspection has already taken place in other industries.

CYTUR CEO Yonghyun Cho said: "IACS UR E26·E27 is the minimum requirement for cyber resilience. Passing class certification means that minimum requirement has been met—it is not a guarantee that a real attack can be repelled." He added: "Documents can be produced once, but a ship's systems change throughout design and construction. Cyber resilience is secured not through a manual check just before delivery, but when threats are identified at the design stage and traced all the way through to requirements and test evidence."

The white paper Secure-by-Design for Ship Cyber Resilience covers clause-by-clause approaches to IACS UR E26·E27, a methodology for ship-systems threat modelling, the direction of international regulations and standards such as IMO, IACS, and the EU CRA, and Secure-by-Design precedents from the automotive and defence industries. It is available via the CYTUR website (cytur.net)