Cyber security approval of components and systems
Certify your components or systems and secure digital services with DNV’s Cyber secure type approval and show compliance with IACS UR E27.
It is recognized that today’s software-based maritime and offshore control systems are increasingly being integrated, connected to Internet, remotely accessed and implemented by use of commercially available software and communication protocols. The drivers are e.g. optimization of performance, improved operations, reduced costs and regulatory compliance.
However, this comes with an increased cyber risk, as such technologies are more often susceptible to malicious codes and attacks.
IACS updated Unified Requirements (UR E26 and UR E27) for cyber security will be mandatory from 1st of July 2024. This will require systems in scope of the UR to be product certified (PC) according to the IASC UR E27 and DNV Cyber secure rules, Security profile 1, for each vessel delivery, including design approval and survey.
System suppliers may opt for Cyber security Type approval (TA) of their systems according to the same requirements. The Type approval will cause significant reduction of vessel specific design approval, as well as omit the manufacturer survey for Cyber security.
All Essential and Important systems onboard will require a product certificate. This applies to both equipment typically under class scheme such as control systems, as well as systems under statutory scheme such as navigation, communication, and fire mitigation systems. The full list is given in IACS UR E26 [1.3.2] and DNV rules, as well as below:
- Propulsion
- Steering
- Anchoring and mooring
- Electrical power generation and distribution
- Fire detection and extinguishing systems
- Bilge and ballast systems, loading computer
- Watertight integrity and flooding detection
- Lighting (e.g. emergency lighting, low locations, navigation lights, etc.)
- Any required safety system whose disruption or functional impairing may pose risks to ship operations (e.g. emergency shutdown system, cargo safety system, pressure vessel safety system, gas detection system, etc.)
- Navigational systems required by statutory regulations
- Internal and external communication systems required by class rules and statutory regulations
What is cyber security type approval and why do it?
The “DNV-CP-0231 Cyber security capabilities of systems and components” type approval programme is a flexible certification regime that demonstrates the cyber security capabilities of on-board control and bridge systems.
DNV has rules in place and already offer Type approval (TA) in accordance with the upcoming mandatory requirement.
Systems type approved in accordance with DNV rules edition July 2023 for class notation Cyber secure (Essential) and Security Profile 1 will meet IACS UR E26 and E27. The TA-process includes both verification of technical measures and a secure development process will be amended with audit of relevant additional development activities in accordance with IACS UR E27 sections 4 and 5.
By choosing this type approval class programme, manufacturers can demonstrate compliance with recognized security requirements. DNV type approval is based on the IEC 62443 standard for industrial automation and control systems as well as the IEC 61162-460 for navigation and communication systems. Securing control and bridge systems is especially important in today’s trends of Information Technology (IT) and Operational Technology (OT) connectivity and complexity, as well as the need for live updates on an asset’s status and the increase in cyber-criminal activities.
The type approval process follows the normal type approval process as given in DNV-CP-0231:
- Manufacturer raises a TA request to DNV via the local office or DNV customer portal with the following information:
- List of Hardware and Software devices
- System topology drawing
- Brief system description
- Desired security profile
- Verification of security capabilities performed via document assessment
- Test witnessing of security functions
- Audit of the software change handling and the secure development processes
- On successful completion, a certificate is issued
Your Benefits
With DNV’s Cyber security type approval, your products are certified to be cyber secure, and the foundation for digital value adding services is established:
- Compliance with IACS UR E27, mandatory for new vessels contracted after 1st of July 2024
- Reduced scope of document verification as well as omitting the manufacturer survey for cyber security approval in each project
- Reduced risk of down-time, negative publicity and cyber security incidents
- Positive marketing by having an independent cyber security certification
- Type approved systems are pre-qualified for installation on board vessels with DNV Cyber Secure Class Notation, and facilitates more digital and additional value adding services such as e.g. condition-based maintenance and remote support
- Increased security and quality of your products due to 3rd party verification based on recognized IEC standards