
# What If a Cyber Attack Takes Down Your Ship's Main Control System — Can Your Crew Still Steer?
Under UR E26 §4.4.2, the answer must be an unqualified yes — and you must be able to prove it.
**What UR E26 §4.4.2 Requires**
Any Computer-Based System (CBS) providing local backup control under SOLAS II-1 Regulation 31 must be completely independent of the primary control system — not just functionally separate, but architecturally isolated as its own security zone. This means the local control CBS must be fully self-contained: no network dependencies, its own complete HMI, and zero reliance on communication with any other CBS. A control function without a co-located HMI does not satisfy the requirement.
**Maritime-Specific Implications**
SOLAS II-1 Regulation 31 has long mandated local manual control for propulsion machinery — UR E26 now extends that statutory safety obligation into the cyber domain. The concern is straightforward: a cyber incident compromising a ship's central Integrated Platform Management System (IPMS) must not simultaneously disable the crew's last line of manual control. On a vessel in confined waters or heavy traffic, losing both primary and backup control simultaneously is not a cyber problem — it is a collision and grounding risk. The commissioning test here is unambiguous: physically disconnect all networks from the local control system and verify independent operation before delivery. 🔌
**IEC 62443 Technical Depth**
The technical foundation beneath local operation is IEC 62443-3-3 SR 3.6 (Deterministic Output), which requires that a CBS fail to a pre-defined safe state when integrity is compromised. E26 §4.4.2 builds the human backup layer directly above this technical failsafe. When the primary IPMS fails — whether through cyber attack or technical fault — SR 3.6 ensures the CBS reaches a known, stable state; E26's local operation requirement ensures trained crew can take manual control from that known state. These are not redundant requirements — they are complementary layers of a two-tier defense against loss of propulsion and steering.
**UR E27 Connection**
E27 §4.1 item 20 maps SR 3.6 as a system-level requirement, making it arguably the most safety-critical item in the entire E27 catalogue. If a CBS's failsafe output preserves last-known-good values — one of three accepted SR 3.6 options — the local control station presents crew with a stable, interpretable state to manage from. E26 §4.4.2 is the only E26 requirement grounded in both a cybersecurity mandate (E26) and an explicit statutory safety mandate (SOLAS), which makes this connection between E26 and E27 particularly consequential during class approval.
**Implementation Insight** ⚙️
The most common gap found during commissioning is an HMI that appears local but still pulls display data from a shared network server. Verify that every data source feeding the local HMI — not just control outputs — is physically independent before running the disconnect test.
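An added example (not from the original post or from IACS): one way to screen the local HMI's data-source inventory before the disconnect test, flagging every tag, display-only ones included, that is served from outside the local control zone. The zone subnet, tag names and inventory fields are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the zone subnet and the tag inventory below are
# illustrative only, not taken from any real vessel or vendor export.
LOCAL_ZONE = [ipaddress.ip_network("192.168.50.0/28")]

@dataclass(frozen=True)
class TagSource:
    tag: str        # HMI tag name (hypothetical)
    role: str       # "control" (command output) or "display" (indication only)
    transport: str  # "hardwired" (direct I/O) or "network"
    endpoint: str   # IP of the serving device; empty for hardwired signals

INVENTORY = [
    TagSource("ME_RPM_SETPOINT", "control", "hardwired", ""),
    TagSource("ME_RPM_ACTUAL", "display", "network", "192.168.50.3"),
    TagSource("LO_PRESSURE", "display", "network", "10.10.1.20"),
    TagSource("CPP_PITCH_CMD", "control", "network", "192.168.50.4"),
    TagSource("ALARM_SUMMARY", "display", "network", "10.10.1.20"),
    TagSource("RUDDER_ANGLE", "display", "network", ""),
]

def outside_zone(src, zone=LOCAL_ZONE):
    """Return a reason if the source depends on something outside the zone, else None."""
    if src.transport == "hardwired":
        return None  # direct I/O has no network dependency to check
    if not src.endpoint:
        return "network source with no documented endpoint"
    try:
        addr = ipaddress.ip_address(src.endpoint)
    except ValueError:
        # Hostnames are treated as failures: they imply a resolver dependency.
        return f"unparseable endpoint {src.endpoint!r}"
    if any(addr in net for net in zone):
        return None
    return f"served from {addr}, outside the local control zone"

def audit(inventory, zone=LOCAL_ZONE):
    """Check every tag, not just control outputs; return (tag, role, reason) per failure."""
    findings = []
    for src in inventory:
        reason = outside_zone(src, zone)
        if reason:
            findings.append((src.tag, src.role, reason))
    return findings

if __name__ == "__main__":
    for tag, role, reason in audit(INVENTORY):
        print(f"FAIL [{role}] {tag}: {reason}")
```

In this constructed inventory every control output passes and all three failures are display tags, which is the pattern the disconnect test would otherwise reveal only at commissioning.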
**Engagement Question**
Has your yard or fleet developed a documented network-disconnect commissioning protocol specifically for local control CBS verification — or is this still being handled informally?
📌 Post 12/17 in my IACS UR E26 series — breaking down all 17 requirements across the Identify → Protect → Detect → Respond → Recover framework
