
[IACS UR E27] FR3 System Integrity - Deterministic Output

by 하늘이데아 2026. 5. 15.

IACS UR E27 - Deterministic Output


# What happens to your ship when a cyberattack hits mid-maneuver and the control system can no longer function normally?


The answer should never be "unpredictable." Yet for too many vessels, it still is.


---


**IACS UR E27 requires every Computer-Based System (CBS) aboard a vessel to have a pre-defined, documented failsafe state** — a deterministic output that takes effect when the system can no longer maintain normal operation under attack or compromise.


Three options are permitted:

→ Power-off to a known de-energized state

→ Hold the last known good value

→ Revert to a fixed, pre-engineered safe output


The system must "fail safely." Full stop.


---


For ships, this is where cybersecurity becomes inseparable from physical safety. A compromised propulsion control system that outputs random or uncontrolled thrust is not just a cyber incident — it is a collision or grounding waiting to happen. A navigation safety alarm that goes silent under attack violates SOLAS requirements for continuous alarm monitoring. A rudder that freezes in an unknown position during port approach puts lives and infrastructure at risk.


Deterministic output means that even in the worst-case cyber scenario, the vessel's physical behavior remains within engineered safety bounds. The ship may lose capability — but it will not lose control in an unpredictable way.


---


IEC 62443-3-3 SR 3.6 is the technical backbone here, and it is genuinely unique. Unlike almost every other requirement in the IEC 62443 series, SR 3.6 has no meaningful equivalent in enterprise IT security. There is no IT analogy for "the server must fail to a safe physical state."


SR 3.6 scales across all four Security Levels, but the rigor of the failsafe design increases with criticality. At SL 1, documented failsafe states are required. At SL 3–4, those states must be actively enforced by independent logic, not just described in documentation. This directly mirrors functional safety concepts from IEC 61508 — and that crossover is intentional. 🔗
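As an added illustration (not code from this post, from IACS, or from any vendor), here is a Python reference model of the output stage described above: each CBS output carries one of the three permitted failsafe modes, and a trip signal from logic outside the control application forces every output into its documented state. All names, the three sample outputs and the signal values are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple
class FailsafeMode(Enum):
    POWER_OFF = "power_off"    # drive the output to a known de-energised state
    HOLD_LAST = "hold_last"    # freeze the last value accepted in normal operation
    FIXED_SAFE = "fixed_safe"  # revert to a pre-engineered safe value

@dataclass
class OutputChannel:
    name: str
    mode: FailsafeMode
    safe_value: Optional[float] = None  # engineered value, FIXED_SAFE only
    last_good: Optional[float] = None   # start value; updated during normal operation
    def __post_init__(self) -> None:
        # Reject channels whose failsafe state is not actually defined (an approval gap).
        if self.mode is FailsafeMode.FIXED_SAFE and self.safe_value is None:
            raise ValueError(f"{self.name}: FIXED_SAFE needs a safe_value")
        if self.mode is FailsafeMode.HOLD_LAST and self.last_good is None:
            raise ValueError(f"{self.name}: HOLD_LAST needs an initial value")

class OutputStage:
    def __init__(self, channels):
        self.channels: Dict[str, OutputChannel] = {c.name: c for c in channels}
        self.degraded = False  # set only by logic independent of the control application
    def command(self, name: str, value: float) -> Tuple[bool, Optional[float]]:
        if not self.degraded:  # new set-points are accepted only in normal operation
            self.channels[name].last_good = value
        return self.state(name)
    def trip(self) -> Dict[str, Tuple[bool, Optional[float]]]:
        # Integrity monitor (watchdog, heartbeat loss, failed check) reports compromise.
        self.degraded = True
        return {n: self.state(n) for n in self.channels}
    def state(self, name: str) -> Tuple[bool, Optional[float]]:
        ch = self.channels[name]  # returns (energised, value)
        if not self.degraded or ch.mode is FailsafeMode.HOLD_LAST:
            return (True, ch.last_good)
        if ch.mode is FailsafeMode.POWER_OFF:
            return (False, None)
        return (True, ch.safe_value)

def demo() -> Dict[str, Tuple[bool, Optional[float]]]:
    # Constructed sample: three CBS outputs, each with a documented failsafe state.
    stage = OutputStage([
        OutputChannel("thruster_cmd", FailsafeMode.POWER_OFF),
        OutputChannel("rudder_angle", FailsafeMode.HOLD_LAST, last_good=0.0),
        OutputChannel("nav_alarm", FailsafeMode.FIXED_SAFE, safe_value=1.0),  # 1.0 = asserted
    ])
    for name, value in (("thruster_cmd", 0.6), ("rudder_angle", 12.5), ("nav_alarm", 0.0)):
        stage.command(name, value)
    return stage.trip()  # normal operation lost: every output goes to its failsafe state
```

The constructor checks are the documentation step the post describes: a channel whose failsafe state cannot be stated is rejected before it ever reaches the output stage.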


---


The implementation challenge most teams underestimate: **every output of every CBS must have a defined failsafe state documented before class approval.** For a modern vessel with dozens of integrated systems, this is a significant design and documentation exercise — and it often reveals gaps in legacy system design that vendors never anticipated having to answer for.


---


Has your organization mapped deterministic failsafe states for all CBS outputs, or is this still an open item in your UR E27 compliance roadmap? I'd value hearing where teams are finding the hardest gaps. ⚓


---


📌 Post 20/41 in my IACS UR E27 series — breaking down all 41 requirements

#DeterministicOutput #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #FunctionalSafety #SOLAS
