Mandating Secure by Design: IACS UR E26
Part 2 of 3: Introduction to E26/E27 Compliance
"We need standards that actually work in space, not just paperwork that looks good in a filing cabinet," declared Captain Vera Rubin, Director of Vessel Operations at Tachyon Heavy Industries, during a heated industry meeting in 2133. She was responding to yet another voluntary cybersecurity guideline that seemed designed more for planetary facilities than for the unique challenges of space mining operations. Her frustration echoed throughout the room - and throughout the industry.
Less than a year later, Captain Rubin was leading her organization's implementation of the most comprehensive space cybersecurity standards ever developed. The Intergalactic Association of Classification Societies (IACS) had listened to industry concerns and delivered something unprecedented: mandatory, enforceable cybersecurity requirements specifically designed for the realities of space operations. IACS UR E26 and E27 weren't just another set of guidelines - they were a fundamental transformation of how the space industry approaches cybersecurity.
Enter E26 and E27: A New Era of Space Cybersecurity
Recognizing the growing cyber threat landscape I discussed in my previous post, IACS introduced two groundbreaking Unified Requirements that fundamentally change how the space industry approaches cybersecurity. IACS UR E26, "Cyber resilience of vessels," and UR E27, "Cyber resilience of on-board systems and equipment," became mandatory for all new vessels contracted for construction on or after July 1, 2134.
These aren't just another set of paperwork requirements. E26 and E27 represent the first unified space vessel cybersecurity standards with actual technical requirements, moving the industry beyond voluntary guidelines to mandatory, enforceable standards. The development process involved extensive consultation with space mining companies, shipbuilders, equipment manufacturers, and cybersecurity experts to ensure the standards address real-world challenges while remaining practical to implement in the harsh environment of space.
E26 focuses on the vessel as an entire system, ensuring cyber resilience is embedded into vessel design and lifecycle management from the earliest conceptual phases through operational deployment in the asteroid belt. E27 complements this by establishing prescriptive cybersecurity requirements for individual onboard computer-based systems and equipment, creating a comprehensive framework that addresses cybersecurity from both system-wide and component-level perspectives. We'll focus on E26 for now and cover E27 in a later post.
Scope and Coverage: What's In, What's Out
The scope of E26 is comprehensive, covering virtually every critical system on modern mining vessels. By focusing on "Computer Based Systems" (CBSs), the standards recognize that in space operations the consequences of a compromise could be dire.
"Operational Technology (OT) systems onboard ships, i.e. those CBSs using data to control or monitor physical processes that can be vulnerable to cyber incidents and, if compromised, could lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment." ~ IACS UR E26
Real World Reference: IACS UR E26 https://iacs.s3.af-south-1.amazonaws.com/wp-content/uploads/2022/02/04140503/UR-E26-Rev.1-Nov-2023-CR.pdf
As an example, propulsion control systems fall under these requirements because a cybersecurity incident affecting propulsion could leave a vessel stranded in space with no means of returning to safety. Life support management systems are included because any disruption to these systems in the vacuum of space could be immediately life-threatening. Navigation and positioning systems are covered because accurate navigation is essential for safe operations in the asteroid belt, where collision avoidance and precise positioning for mining operations are critical.
Communication systems are covered because they provide the vital link between vessels and Earth-based support, enabling everything from routine operational communications to emergency assistance requests. Even crew entertainment networks, administrative systems, and recreational facility controls are included if they connect to operational technology systems, recognizing that any connected system can potentially serve as an entry point for attackers. Of course, crew entertainment should never be interconnected with critical OT systems, but out in the void you never know.
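The scoping rule above can be checked mechanically against a vessel's system inventory. The following is an added example, not part of the original post or of IACS UR E26: the system names and links are constructed, and reading "connect" transitively (any chain of links that reaches an OT system) is an assumption.

```python
from collections import deque

# Constructed inventory: name -> True if the system controls or monitors
# a physical process (OT), False otherwise. All names are hypothetical.
SYSTEMS = {
    "propulsion-control": True,
    "life-support": True,
    "navigation": True,
    "admin-lan": False,
    "crew-entertainment": False,
    "rec-facility-controls": False,
    "galley-kiosk": False,
}

# Constructed network links, treated as undirected.
LINKS = [
    ("propulsion-control", "navigation"),
    ("navigation", "admin-lan"),
    ("admin-lan", "crew-entertainment"),
    ("rec-facility-controls", "galley-kiosk"),  # island with no OT link
]

def in_scope_paths(systems, links):
    """Map each in-scope system to its shortest link path to an OT system.

    Assumption: scope is transitive, so a non-OT system is in scope when
    any chain of links reaches an OT system.
    """
    adj = {name: set() for name in systems}
    for a, b in links:
        # A link to a system missing from the inventory is a documentation
        # gap; fail loudly instead of silently ignoring it.
        if a not in systems or b not in systems:
            raise ValueError(f"link references unknown system: {a} - {b}")
        adj[a].add(b)
        adj[b].add(a)
    # Multi-source breadth-first search starting from every OT system.
    paths = {name: [name] for name, is_ot in systems.items() if is_ot}
    queue = deque(sorted(paths))
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj[cur]):
            if nxt not in paths:
                paths[nxt] = [nxt] + paths[cur]
                queue.append(nxt)
    return paths

def out_of_scope(systems, links):
    """Systems with no link path to any OT system."""
    return sorted(set(systems) - set(in_scope_paths(systems, links)))
```

The returned path for a non-OT system names the links that pull it into scope, which is the segmentation boundary a design review would examine first.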
Implementation Requirements: What This Means for Shipbuilders
For shipbuilders like Tachyon Heavy Industries, the implications of E26 are profound and far-reaching. As one industry expert put it, "Builders now own UR E26 compliance during design, construction, and commissioning." This means cybersecurity can no longer be an afterthought or a checkbox exercise. It must be integrated from the earliest design phases, with evidence required for security zones and conduits, cyber-test procedures, and comprehensive cybersecurity design descriptions.
The design phase requirements under E26 mandate that cybersecurity considerations be integrated into vessel architecture from the beginning. This includes developing comprehensive Cyber Security Design Documents (CSDDs) that describe how cybersecurity requirements will be met throughout the vessel's lifecycle. The CSDD must address network segmentation, security zones, access controls, monitoring capabilities, incident response procedures, and recovery plans specifically adapted for space operations.
Real World Reference: Secure by Design and "Cyber Informed Engineering" go hand in hand https://www.energy.gov/sites/default/files/2022-06/FINAL%20DOE%20National%20CIE%20Strategy%20-%20June%202022_0.pdf
Construction phase requirements ensure that cybersecurity measures are properly implemented during vessel assembly. This includes installation and configuration of security systems, implementation of network segmentation, and integration testing to verify that cybersecurity measures work as designed without interfering with essential vessel operations. The construction phase is often where theoretical cybersecurity designs meet practical implementation challenges, particularly in the zero-gravity environment of orbital shipyards.
Commissioning requirements mandate comprehensive testing and validation of all cybersecurity measures before vessels can be certified for operational deployment. This includes testing of security controls, validation of incident response procedures, verification of backup and recovery capabilities, and demonstration that all systems meet their specified security requirements under realistic operational conditions that simulate the challenges of space operations.
The Practical Impact: What Changes on the Ground
The implementation of E26 is already changing how space vessels are designed, built, and operated throughout the solar system. At Tachyon Heavy Industries' Mars Shipyard, Captain Rubin reports that cybersecurity considerations now influence every major design decision, from the layout of control systems to the selection of communication equipment.
"We used to think about cybersecurity after we'd finished the basic design," Rubin explains. "Now it's one of the first things we consider. We're asking questions like: How will this system be segmented? What happens if it's compromised? How will the crew respond to an incident? These questions are shaping our vessels in fundamental ways."
The changes extend beyond technical considerations to organizational culture and processes. Shipbuilders are hiring cybersecurity integrators, developing new testing procedures, and creating documentation systems that can track cybersecurity requirements throughout the vessel lifecycle. Suppliers are investing in secure development practices and cybersecurity testing capabilities. Vessel operators are developing new crew training programs and operational procedures that integrate cybersecurity considerations into routine space operations.
Looking Forward: The Foundation for Future Innovation
As I watch the space industry adapt to E26 and E27 requirements, I'm struck by how these standards are creating a foundation for future innovation rather than simply imposing constraints. Organizations that embrace these requirements are finding that robust cybersecurity enables them to adopt new technologies more safely and operate more efficiently in the challenging environment of space.
The standards are also driving innovation in cybersecurity technologies specifically designed for space applications. New monitoring systems that can function in the radiation environment of the asteroid belt, communication security protocols optimized for quantum networks, and incident response procedures adapted for the isolation of space operations are all emerging from the industry's response to E26 and E27 requirements.
In my next post, I'll dive deep into the technical framework that makes E26 and E27 work: the five-function approach that provides a systematic method for building cyber resilience in space operations. Understanding this framework is crucial for anyone involved in implementing these standards or working with space vessels that must comply with them.
Next in this series: "The Five Pillars of Void Cyber Resilience: Understanding the Technical Framework"
This is Part 2 of a 15-part series on E26/E27 compliance for space operations.
Until then, and into the void...