Skip to content

Cyber security approval of components and systems

Certify your components or systems and secure digital services with DNV’s Cyber secure type approval and show compliance with IACS UR E27.

It is recognised that today’s software-based maritime and offshore control systems are increasingly being integrated, connected to Internet, remotely accessed and implemented by use of commercially available software and communication protocols. The drivers are e.g. optimization of performance, improved operations, reduced costs and regulatory compliance.

However, this comes with an increased cyber risk, as such technologies are more often susceptible to malicious codes and attacks.

IACS updated Unified Requirements (UR E26 and UR E27) for cyber security will be mandatory from 1 st of July 2024. This will require systems in scope of the UR to be product certified (PC) according to the IASC UR E27 and DNV Cyber secure rules, Security profile 1, for each vessel delivery, including design approval and survey. As an option, system suppliers may opt for Cyber security Type approval (TA) of their systems according to the same requirements. The Type approval will cause the reduce the vessel specific design approval and omit the manufacturer survey.

What is cyber security type approval and why do it?

The “DNV-CP-0231 Cyber security capabilities of systems and components” type approval programme is a flexible certification regime that demonstrates the cyber security capabilities of on-board control and bridge systems.

DNV has rules in place and already offer Type approval (TA) in accordance with the upcoming mandatory requirement.

Systems type approved in accordance with DNV rules edition July 2023 for class notation Cyber secure(Essential) and Security Profile 1 will meet IACS UR E26 and E27. The TA-process includes both verification of technical measures and a secure development process will be amended with audit of relevant additional development activities in accordance with IACS UR E27 sections 4 and 5.

By choosing this type approval class programme, manufacturers can demonstrate compliance with recognized security requirements. DNV type approval is based on the IEC 62443 standard for industrial automation and control systems as well as the IEC 61162-460 for navigation and communication systems. Securing control and bridge systems is especially important in today’s trends of Information Technology (IT) and Operational Technology (OT) connectivity and complexity, as well as the need for live updates on an asset’s status and the increase in cyber-criminal activities.

The type approval process follows the normal type approval process as given in DNV-CP-0231:

  1. Manufacturer raises a TA request to DNV via the local office or DNV customer portal with the following information:
    1. List of Hardware and Software devices
    2. System topology drawing
    3. Brief system description
    4. Desired security profile
  2. Verification of security capabilities performed via document assessment
  3. Test witnessing of security functions
  4. Audit of the software change handling and the secure development processes
  5. On successful completion, a certificate is issued

Your Benefits

With DNV’s Cyber security type approval, your products are certified to be cyber secure, and the foundation for digital value adding services is established:

  • Compliance with IACS UR E27, mandatory for new vessels contracted after 1st of July 2024
  • Reduced scope of document verification as well as omitting the manufacturer survey for cyber security approval in each project
  • Reduced risk of down-time, negative publicity and cyber security incidents
  • Positive marketing by having an independent cyber security certification
  • Type approval of systems are pre-qualified installation on board vessels with DNV Cyber Secure Class Notation
  • Type approved systems facilitates more digital and additional value adding services such as e.g. condition-based maintenance and remote support
  • Increased security and quality of your products due to 3rd party verification based on recognised IEC standards