Cyber-security services for mega yachts

IACS UR-26 and UR-27 will be mandatory for classed superyachts from 1st January 2024: how to be compliant

What is IACS UR-26?

IACS Unified Requirement (UR) 26 aims to provide a minimum set of requirements for the cyber resilience of ships. Safe and secure shipping can be achieved through an effective cyber risk management system.

UR 26 lists all the requirements that shall be fulfilled by: 

Starting from 1st January 2024, UR 26 will be a legal requirement for all classed luxury super yachts.

What is IACS UR-27?

IACS UR-27 specifies the unified requirements for cyber resilience of on-board systems and equipment and establishes a common set of minimum requirements to deliver systems and equipment that can be described as cyber resilient.

Starting from 1st January 2024, UR 27 will be a legal requirement for all classed luxury super yachts: our experts can help you be compliant.  

Besides legal requirements for classed mega yachts, why does my superyacht need to be cyber-secured? 

In today’s world of yacht design, technology is one of the key components of luxury mega yachts, and electronic and software-dependent devices are now the essential heart of these jewels of the seas, characterized by:

Superyachts face remarkably similar cyber-security threats to any other modern business; however, additional vulnerabilities can come from the way systems communicate on-board and how this technology is often insecurely configured.  

In fact, today's mega yachts and superyachts are increasingly designed to be managed by a single central management system that controls navigation, engine management, power generation and distribution, entertainment system, lighting, air conditioning, etc. 
Integrated systems are increasingly present and vulnerable to failures arising from a single common element: the software.

On board the latest generation of superyachts and mega yachts, the “coexistence” between OT (Operational Technology) assets and IT assets is so high that this set-up can open the superyacht to a multitude of internal and external cyber-security threats.

Where there have historically been separate networks for navigation and entertainment systems (IT & OT systems), they are now frequently combined with some level of access between the two: if there is access for a level of functionality, there is also access for an attacker to attempt to reach both networks.

The impact of unauthorized, and even more so authorized, access to ships’ systems can be catastrophic, potentially resulting in reputational, financial, and environmental damage, piracy, data leaks or simply malicious interference. Software, hardware, and people are all attack vectors on board vessels and yachts; a foundational understanding of how to address them is essential to maintaining the security and privacy of owners, guests, and crew members.

Benefits and advantages of RINA cyber-security services 

The RINA cyber-security team is able to validate tailored mitigation methods and measures, face cyber-security threats, protect individuals from cyber exploits and attacks, and offer the correct posture of security advice and services to protect OT and IT assets, paying attention to the applicable regulatory framework.

Our experts can help you be compliant with IACS UR-26 and UR-27: contact us.  

Frequently asked questions 

Cyber-security and cyber resilience are topics of major relevance for a shipping company, and both are essential to address cyber threats on board. 

- Cyber-security refers to the methods and processes of protecting electronic data. This includes identifying data and where it resides and implementing technology and business practices to protect it. 

We can assist clients in preventing data breaches and reducing the risk of malicious activity.

- Cyber resilience is defined as an organization’s ability to withstand or quickly recover from cyber events that disrupt usual operational and business activities. 

We can assist clients by helping them identify adequate procedures and solutions able to mitigate the impact of cyber attacks.

There is no unique solution: 

- Customized technology
- Operational actions
- Digital tools
- Tailored solutions are essential instruments to face the specific client’s needs. 

Cyber-security and cyber resilience cannot exist independently of each other; to protect a fleet composed of a mix of IT and OT assets, both must be in place for the entire operational lifecycle.

On board existing vessels, where different technology levels coexist, only a complete and continuous view of the priorities, the identification of the critical assets, and the evaluation of the “magnitude effect” that a specific applicable cyber threat could have on the entire vessel/company are the key to correctly verifying the adequate actions and solutions to be adopted.

As cyber threats are constantly evolving, regular engagement and attention are crucial to protect the organization's digital assets from critical events. Our goal is to maintain and preserve compliance with SOLAS and applicable regulatory frameworks.  

IT/OT systems today are completely based on electrical/electronic and software dependencies; with their connective features, such as remote maintenance and monitoring, they are extremely vulnerable to cyber threats.  

The effects of cyber threats, on systems and more generally at the ship/yacht level, can directly impact essential primary and secondary systems on board, compromising Class and SOLAS minimum requirements.

Cyber visibility, vulnerability, and risk management, along with procedure assessments and activities review/monitoring, must be adopted to maintain and periodically verify the correct cyber posture for the entire lifecycle of all CBS (IT/OT) assets on board.  

- OT/IT Asset Inventory 
- Risk Assessment
- Gap analysis & Ship Assessment
- Design of secure products, services and processes from the requirements specification to the certification
- Technical advisory for the development and deployment of secure systems, as well as process establishment
- Security-related services to monitor and improve cyber-security aspects
- Improve IT/OT resilience to cyber incidents by means of properly designed processes and procedures
- Requirement definition, verification & validation, security evaluation process according to international schemes, security technology scouting and procurement
- Vulnerability assessments, penetration tests, awareness and training campaigns, periodic audits to verify the correct "Cyber Posture"
- Risk Management, Change management, cyber threat intelligence, supply chain audits.
- Vulnerability Management 
- Offensive Security activities aimed at identifying vulnerabilities in networks for IT/OT application infrastructure 
- Implementation of technical security measures. 

We also perform periodic OT/IT Vulnerability Assessment activities, providing real value for the owner throughout the asset's whole life cycle management.

Luca Carrà Marine Senior Engineer