Navigating the Digital Shoals

Tier 2 and Tier 3 Supplier Adoption of IACS UR E27 in the Southeast Asian Maritime Ecosystem

Executive Summary: The Cyber Resilience Mandate and the Supply Chain Shock

The global maritime industry stands at a precipice of a fundamental structural transformation, precipitated not by a shift in trade routes or propulsion technologies, but by the imposition of a digital mandate: the International Association of Classification Societies (IACS) Unified Requirements (UR) E26 and E27. Effective for new build vessels contracted on or after July 1, 2024, these regulations represent the first globally harmonized, mandatory baseline for cybersecurity in shipping.1 While UR E26 addresses the cyber resilience of the vessel as a collective operational entity, UR E27 ("Cyber Resilience of On-Board Systems and Equipment") targets the granular level of the supply chain, placing an unprecedented burden of compliance on equipment manufacturers.3

For Southeast Asia, a region that functions simultaneously as a global transshipment super-hub, a premier ship repair center, and a burgeoning manufacturing base for marine components, this regulatory shift has triggered a complex industrial reckoning. This report provides an exhaustive analysis of the adoption dynamics of UR E27 among Tier 2 and Tier 3 suppliers across the Association of Southeast Asian Nations (ASEAN). It dissects a landscape characterized by a "compliance capability gap," where high-maturity suppliers in Singapore are rapidly adapting through government-supported innovation ecosystems, while the fragmented, cost-sensitive supplier bases in Indonesia, Vietnam, and the Philippines struggle with significant technical debt, the prohibitive economics of certification, and a critical shortage of specialized operational technology (OT) cyber-engineering talent.

The analysis reveals that the enforcement of these requirements has created an immediate, frantic demand for "cyber-secure by design" components, a demand that the current regional supply chain is ill-equipped to meet. With fewer than 50 systems globally holding full E27 Type Approval as of late 2024, a severe procurement bottleneck has emerged.4 In response, Southeast Asian integrators are increasingly relying on "gateway" architectures—wrapping legacy OT in hardened industrial firewalls—as a primary mechanism of compliance. This strategy, while pragmatic, introduces long-term architectural risks and maintenance burdens that challenge the traditional "fit-and-forget" ethos of maritime engineering. Through a detailed examination of use cases, hurdles, and demand drivers, this report offers a nuanced view of an industry in transition, where the ability to navigate digital certification is rapidly becoming as critical as the ability to weld steel.

1. The Regulatory Architecture: Deconstructing UR E27 for the Component Manufacturer

To understand the magnitude of the challenge facing Southeast Asian suppliers, one must look beyond the high-level intent of the regulation and examine the granular technical demands it places on the "box builder." UR E27 is not merely a requirement for a password or a firewall; it is a mandate for a Secure Development Lifecycle (SDLC) applied to heavy machinery and embedded electronics. It forces a convergence of traditional marine engineering with advanced IT security practices, a merger for which the regional supply chain is historically unprepared.

1.1 The Scope of Applicability: From Propulsion to Crew Welfare

UR E27 applies to "Computer Based Systems" (CBS) categorized under UR E26, which encompasses essential systems such as propulsion, steering, anchoring, and electrical power generation, as well as "important" systems like cargo handling and fire detection.1 The definition of a CBS is expansive, covering any programmable electronic device. This means a Tier 2 supplier in Batam fabricating a main switchboard, or a vendor in Vietnam assembling an alarm monitoring system, must now view their product not just as electrical infrastructure, but as a digital node requiring 30 specific security capabilities.3

A critical differentiator in E27 is the distinction between systems connected to trusted versus untrusted networks. Equipment that interfaces with crew welfare networks, business administrative networks, or the public internet—often for remote maintenance or diagnostics—faces a stricter set of 11 additional security controls.3 This specifically targets the "connected ship" paradigm, effectively forcing suppliers of IoT-enabled devices to prove their equipment will not serve as a lateral vector for cyberattacks.

Table 1: The E27 Capability Matrix and Supplier Implications

 

E27 Requirement Domain

Technical Mandate for Supplier

Implications for SE Asian Tier 2/3 Manufacturers

Asset Identification

Maintain a dynamic Software Bill of Materials (SBOM) listing all firmware, OS, and libraries.

Suppliers often use "white label" generic chips from China without tracking firmware versions or vulnerabilities.3

Authentication & Access

Role-Based Access Control (RBAC), MFA for remote access, removal of default passwords.

Legacy PLCs often have hardcoded "admin/1234" credentials burned into read-only memory, requiring hardware redesign.4

Physical Security

Port blocking (USB locks), tamper detection, cabinet integrity.

Requires redesign of physical enclosures (IP56 cabinets) to prevent unauthorized peripheral connection.1

Network Segmentation

Logical separation of traffic, defined "Zones and Conduits."

Manufacturers of integrated consoles must now include managed switches and firewalls within the console itself.8

Security Logs

Continuous logging of user actions and system anomalies (syslog/SNMP).

Low-cost microcontrollers often lack the storage or processing power to generate and buffer security logs.10

Resilience

Fallback to "Minimal Risk Condition" during a cyber incident.

Engineering failsafes are standard for mechanical failure, but cyber-induced failure modes (e.g., ransomware on a throttle control) are rarely modeled.12

1.2 The "Paperwork Barrier": Documentation as a Barrier to Entry

For many small engineering firms in the region, the physical engineering of security features is less daunting than the associated documentation burden. UR E27 requires a level of bureaucratic rigor typically associated with aerospace or nuclear industries. Suppliers must submit:

  1. CBS Asset Inventory: A granular list of all hardware and software components, including version numbers for third-party libraries.3
  2. Topology Diagrams: Detailed schematics showing logical and physical connections, defining the boundaries of security zones.1
  3. Security Capabilities Description: A mapping document demonstrating exactly how the device meets the required security capabilities.3
  4. Test Procedures: Validated protocols for testing the cyber resilience of the equipment during Factory Acceptance Tests (FAT) and Sea Acceptance Tests (SAT).13
  5. Secure Development Lifecycle (SDLC) Evidence: Proof that security was designed into the product from the concept phase, not retrofitted.14

This documentation requirement disproportionately affects smaller regional suppliers. A global OEM like Wärtsilä or Kongsberg maintains dedicated compliance departments. A medium-sized switchboard manufacturer in Surabaya or a sensor integrator in Manila typically does not, creating a significant barrier to entry for the international newbuild market.16 The cost of producing this documentation, often requiring external consultants, can exceed the profit margin on the hardware itself.

1.3 The Silent Tier: Supply Chain Opacity

A critical structural weakness in the Southeast Asian adoption curve is the prevalence of the "silent tier"—Tier 3 suppliers who provide PCBs, sensors, actuators, or sub-assemblies to Tier 2 integrators.18 In markets like Vietnam and Indonesia, supply chains are often informal, relying on long-standing relationships rather than digital integration. UR E27 requires visibility into this "silent tier" to track vulnerabilities and ensure software integrity.

Many Tier 2 integrators in the region are discovering that they cannot certify their systems because their own Tier 3 suppliers—perhaps a local provider of a specific microcontroller board in Ho Chi Minh City or a cable manufacturer in Johor—cannot provide the necessary evidence of secure development or firmware integrity. This "dependency deadlock" creates a situation where the Tier 2 supplier is held responsible for the cyber hygiene of components they do not fully control or understand.6

2. Regional Analysis: The Two-Speed Adoption Landscape

The adoption of UR E27 in Southeast Asia is not a monolithic phenomenon. A distinct bifurcation exists between the advanced maritime hub of Singapore, which operates at the cutting edge of global compliance, and the emerging manufacturing centers of Indonesia, Vietnam, and the Philippines, which face foundational infrastructure and capability gaps.

2.1 Singapore: The Hub of High-Maturity Integration

Singapore serves as the region's primary node for high-value integration, regulatory compliance, and innovation. The ecosystem here is characterized by strong government support, the presence of major global OEMs, and a highly skilled workforce.

  • Institutional Support and Funding: The Maritime and Port Authority of Singapore (MPA) has aggressively pushed for digitalization and cyber resilience through initiatives like the Maritime Innovation and Technology (MINT) Fund and the Maritime Cluster Fund.19 These grants allow local suppliers to subsidize the high cost of R&D required for E27 compliance. Furthermore, the establishment of the Maritime Cyber Assurance and Operations Centre (MCAOC) provides a centralized mechanism for monitoring and threat intelligence, indirectly supporting suppliers by creating a standardized operating environment.21
  • The Seatrium Effect: As one of the world's largest offshore and marine engineering groups, Seatrium (formed from the merger of Sembcorp Marine and Keppel O&M) acts as a powerful enforcement mechanism for E27. Seatrium’s rigorous Supplier Code of Conduct and vendor qualification processes are increasingly aligning with IACS requirements.23 Tier 2 suppliers in Singapore, such as Jason Electronics or Pantech Marine Engineering, must meet these standards to remain on the Approved Vendor List (AVL) for major projects.25
  • The Role of Integrators: Firms like Jason Electronics and Cyclect (via Applied Automation) serve as vital intermediaries. They do not just distribute hardware; they engineer the "systems of systems" that allow disparate equipment to function securely. Jason Electronics, for example, bridges the gap between global manufacturers (like Cobham or Raytheon) and regional shipyards, ensuring that the "last mile" integration of navigation and communication systems meets Class requirements.27 Their ability to bundle hardware with "managed cyber services" allows them to offer E27 compliance as a value-added service.

2.2 Indonesia: The Challenge of Retrofitting and Aspirational Standards

Indonesia’s maritime sector is vast, archipelagic, and heavily reliant on a mix of state-owned enterprises (like PT PAL) and a multitude of smaller private yards in Batam. The adoption of E27 here is complicated by the dual nature of the market: export vs. domestic.

  • BKI and the IACS Aspiration: Biro Klasifikasi Indonesia (BKI) is the national class society. While it strives for full IACS membership and aligns its rules with IACS standards to maintain competitiveness, it is not yet a member.29 BKI has issued technical circulars regarding cyber resilience that mirror E26/E27 for new constructions.31 This creates a complex environment where suppliers must meet BKI’s "IACS-aligned" rules for domestic builds (Cabotage trade) while meeting actual IACS certification for international export vessels built in Batam (often classed by ABS, DNV, or BV).
  • Supplier Struggles: Indonesian switchboard and automation manufacturers, often local partners of global brands like Terasaki or Schneider, operate on thin margins.33 The requirement to add "smart" capabilities and security hardening to standard electrical switchboards (as seen in the 440V/690V systems) represents a significant R&D burden.35 Local integrators like Arakan Marine Automation and PT Sinco Automasi provide essential bridging services, retrofitting cyber-secure capabilities onto legacy hardware, but the depth of "secure by design" engineering remains low among indigenous manufacturers.36
  • Procurement Gaps: Procurement processes in Indonesian SOEs (like PT PAL) have historically focused on cost and hardware specifications. Integrating complex cybersecurity criteria (e.g., requiring ISO 27001 or IEC 62443 compliance from vendors) into public procurement is a new and evolving challenge, often leading to delays in tender evaluations as procurement officers struggle to evaluate cyber-compliance.38

2.3 Vietnam: Manufacturing Capability vs. Cyber Maturity

Vietnam has established itself as a shipbuilding powerhouse, particularly for export vessels (tankers, bulk carriers) via joint ventures like Hyundai Vietnam Shipbuilding (HVS). However, the supplier base faces a steep learning curve.

  • The Hyundai Influence: Hyundai Vietnam Shipbuilding, as a subsidiary of HD Hyundai, benefits from the parent company's aggressive cyber strategy. HD Hyundai has already secured Approval in Principle (AiP) for cyber resilience from multiple class societies.40 This creates a "compliance umbrella" for the shipyard but puts immense pressure on local Tier 2/3 vendors to meet Korean-standard vendor registration requirements, which now include strict cyber hygiene protocols.41
  • Legislative Layering: Vietnam’s adoption of UR E27 is complicated by its own stringent domestic cybersecurity laws—specifically the Law on Cybersecurity (2018) and the upcoming 2025/2026 revisions.42 These laws impose data localization and system classification requirements (Level 1 to 5) that overlap with, and sometimes contradict, IACS data handling requirements. Vietnamese suppliers must navigate this dual compliance regime, ensuring their products satisfy both Class surveyors (for the ship’s safety) and the Ministry of Public Security (for national data sovereignty).
  • Supplier Base: Vietnam’s supplier base includes companies like Hai Nam Automation and numerous providers of steel and electrical components.44 While strong in electrical engineering, the transition to cyber-secure engineering is in its infancy. Many rely on distributing global brands (Siemens, Schneider) rather than developing indigenous secure logic controllers, reducing the E27 burden to one of configuration rather than product development. However, firms like Techno-Trade are beginning to introduce automation solutions that bridge this gap.46

2.4 Philippines: The Manning Focus and Software Potential

The Philippines occupies a unique niche. While it is the world's fourth-largest shipbuilding nation (dominated by Hanjin's legacy and Tsuneishi), its indigenous equipment manufacturing base is smaller compared to Vietnam or Indonesia. The focus here is heavily skewed toward the human element.

  • Cyber Hygiene Training: The Philippines is the primary supplier of global maritime labor. Consequently, the adoption of cyber standards here manifests largely in training rather than manufacturing. Institutions like the Maritime Industry Authority (MARINA) focus on integrating cyber hygiene into seafarer curriculum to meet IMO and IACS operational requirements.47
  • Software and Outsourcing: There is a growing sector of software development and IT outsourcing in the Philippines servicing the maritime sector. These firms are increasingly tasked with developing the "crew welfare" apps and "ship management" software that run on the vessel's IT networks. For these Tier 3 software suppliers, E27 compliance means adopting secure coding practices and rigorous vulnerability testing.49

3. Hurdles and Struggles: The Supplier's Dilemma

The transition to UR E27 compliance is creating existential struggles for Tier 2 and 3 suppliers across the region. The hurdles are financial, technical, and human.

3.1 The "Type Approval" Bottleneck and Cost

The most immediate hurdle is the scarcity of E27 Type Approved equipment. As of late 2024, reports suggest fewer than 30-50 major systems globally had achieved full certification.4 For a Southeast Asian shipyard, this restricts the Approved Vendor List (AVL) dramatically.

  • Cost Prohibitions: Obtaining Type Approval from a major class society (DNV, ABS, ClassNK) involves rigorous testing, documentation review, and often the hiring of external cyber consultants. For a small manufacturer of bilge alarm systems in Vietnam or Indonesia, this cost is disproportionate to the unit price of their equipment.17
  • Recurring Costs: Unlike a one-off hardware certification, cyber resilience requires ongoing maintenance (patch management, vulnerability monitoring). This shifts the business model from "install and forget" to "lifecycle support," a service model many Tier 3 suppliers are not structured to provide financially or operationally.5

3.2 The Technical Debt of Legacy OT

A significant portion of the maritime supply chain in Southeast Asia involves the retrofit or continued production of legacy designs—pumps, winches, and engine controls that have functioned reliably for decades without connectivity.

  • The Connectivity Paradox: To achieve the "smart ship" status required by modern buyers, these mechanical systems are being fitted with sensors and connected to shipboard networks. However, the underlying controllers (PLCs) often lack the processing power to support encryption, user logging, or modern authentication protocols required by E27.7
  • Protocol Insecurity: Many legacy systems utilize industrial protocols like Modbus RTU or NMEA 0183, which were designed without security in mind (no encryption, no authentication). Securing these protocols to meet E27 standards (which requires protection against unauthorized access and data manipulation) is technically impossible at the protocol level, forcing suppliers to use encapsulation or gateway strategies.50

3.3 The Talent Vacuum

There is a profound shortage of engineering talent in Southeast Asia that possesses dual competency in Marine Engineering and Operational Technology (OT) Cybersecurity.

  • Misaligned Skills: Electrical engineers in regional shipyards are expert in power distribution and heavy machinery but often lack training in network segmentation, firewalls, and secure coding practices demanded by IEC 62443 (the standard underpinning E27).51
  • Training Deficits: While Singapore has launched initiatives like the MariOT testbed and training courses with Singapore Polytechnic 22, such resources are scarce in Indonesia and Vietnam. Suppliers in these countries often rely on generic IT security training which does not address the specific constraints of maritime OT (e.g., safety-critical latency, non-standard protocols).51

4. Use Cases and Technical Adoption Strategies

Despite these hurdles, adoption is occurring, driven by necessity. Suppliers are employing specific technical and architectural strategies to meet E27 requirements.

4.1 Use Case A: The "Secure Gateway" Enclave

The most prevalent use case for UR E27 adoption among Tier 2 suppliers is the deployment of Maritime Cyber Gateways. Since redesigning a windlass control system to support encryption is capital-intensive and time-consuming, suppliers are placing a secure gateway between their equipment and the vessel's OT network.

  • Technology: Companies are utilizing hardened industrial routers from vendors like Moxa (EDR series), Robustel (MG460 series), and Fortinet. These devices are specifically marketed as "IEC 61162-460 / UR E27 aligned".8
  • Implementation: A Vietnamese switchboard manufacturer (Tier 2) uses a standard PLC (Tier 3) for generator control. To meet E27, they install a Moxa EDR-810 firewall in the switchboard cabinet. The firewall handles the E27 requirements for "Network Segmentation" and "Access Control," effectively shielding the "dumb" PLC from the ship's network. It creates a "secure enclave" where the legacy device can operate safely.
  • Regional Relevance: This is particularly popular in the retrofit market in Singapore and Malaysia, where existing vessels are being upgraded to "Cyber Secure" class notations without ripping out functioning machinery. Distributors like Alvasta (Indonesia), ElectGo (Indonesia), and Assured Systems are key enablers of this trend, supplying the hardware that allows legacy mechanical firms to claim compliance.11

4.2 Use Case B: Managed Cyber Services for Connectivity

For navigation and communication suppliers (Tier 2), adoption has moved beyond hardware to managed services. This sector faces the highest scrutiny because it sits at the interface between the ship and the outside world (the "untrusted network").

  • Cobham/Thrane & Thrane: The SAILOR 900 VSAT series, widely distributed by AMI Marine in Vietnam and Jason Electronics in Singapore, integrates cybersecurity features directly into the terminal's Below Deck Unit (BDU).57
  • The Service Wrap: Suppliers are no longer just selling an antenna; they are selling a "Cyber Secure Connectivity" package. This includes managed firewalls, intrusion detection systems (IDS), and continuous logging—features that satisfy E27's requirement for "Detect" and "Respond" capabilities.59
  • Benefit: This relieves the shipowner of the burden of configuring the device, shifting the compliance risk to the supplier (e.g., Inmarsat Fleet Xpress or KVH Managed Firewall).3 This model is gaining traction among smaller vessel operators (tugs and barges) who lack onboard IT staff.

4.3 Use Case C: Digital Twin and Virtual Commissioning

In advanced shipyards (like Seatrium or HD Hyundai's Vietnam operations), virtual commissioning is emerging as a high-end use case for E27 compliance.

  • Mechanism: Before physical installation, the ship's network topology is modeled digitally. Suppliers must provide digital models or "twins" of their components to verify network segmentation and access controls.
  • Adoption: This is currently limited to top-tier suppliers who can provide such digital assets. It allows the shipyard to validate the "Zones and Conduits" diagram required by Class before steel is cut, reducing the risk of costly rework during the commissioning phase.3 Singapore's MariOT testbed at SUTD is a prime example of infrastructure supporting this sophisticated validation.53

5. Demand Drivers and Procurement Dynamics

Demand for E27 compliance in Southeast Asia is not organic; it is a top-down imposition driven by three distinct and powerful forces.

5.1 The "Class Notation" Cascade

Shipowners, particularly those chartering to energy majors (Shell, ExxonMobil, Petronas), require vessels to have specific Class Notations (e.g., DNV's Cyber Secure (Essential) or ABS's Cyber Safety).

  • Impact: Since July 1, 2024, these notations mandate E26/E27 compliance.2 A supplier in Surabaya cannot sell a main switchboard to a DNV-classed tanker project without providing the E27 evidence dossier (topology, security capabilities, test procedures).13
  • Verification: Classification societies (ClassNK, DNV, ABS) act as the gatekeepers. Their surveyors are now asking for evidence of "hardening" (disabled USB ports, password policies) during Factory Acceptance Tests (FAT), forcing suppliers to upgrade their testing protocols.14

5.2 National Security and Critical Infrastructure Laws

  • Singapore: The Cybersecurity Act designates maritime infrastructure as Critical Information Infrastructure (CII). This compels port operators (PSA) and major maritime firms to enforce strict supply chain cyber hygiene, cascading requirements down to maintenance contractors.22
  • Vietnam: The new Law on Cybersecurity (effective 2025/2026) classifies information systems by security level. Level 3 systems (critical national infrastructure) face strict audit and import license requirements for cyber-products. This forces Vietnamese suppliers to ensure their imported components (e.g., from China or Europe) meet these new national standards alongside IACS rules.43

5.3 Energy Major Vetting (TMSA 3 / SIRE 2.0)

The Tanker Management and Self Assessment (TMSA) and the new SIRE 2.0 inspection regimes heavily weigh cyber resilience. Ship operators know that non-compliant equipment can lead to vetting failures, which means the vessel cannot be chartered. Consequently, procurement departments are rewriting vendor contracts to include indemnification clauses regarding cyber incidents, effectively forcing Tier 2 suppliers to carry cyber liability insurance or prove robust E27 compliance.2

6. Open Questions and Future Outlook

Despite the deadline passing, the industry remains in a state of flux. Several critical questions and trends will define the next 24 months.

6.1 The "Validation Void": Who audits the Tier 3s?

An open question remains regarding the depth of auditing. While Class societies review the Tier 2 integrator, they rarely have the resources to audit the Tier 3 component maker in a remote industrial park in Shenzhen or Cikarang. Will the industry accept self-declarations from these sub-suppliers, or will a new market for "Cyber Verification Agents" emerge? The reliance on paper-based compliance creates a risk of "paper security" without actual technical resilience.6

6.2 The Cost of Obsolescence and the "Grey Market"

What happens to the massive inventory of non-compliant spare parts sitting in warehouses across Singapore and Busan? Can a non-E27 spare part be installed on an E27-certified vessel during a repair? The regulatory guidance on "maintenance of class" suggests no, but operational reality may dictate otherwise. This creates the potential for a "grey market" of non-compliant spares, posing a significant threat to the integrity of certified vessels.14

6.3 Convergence or Divergence?

Will Southeast Asia converge on the IACS standard, or will national interests fracture the market? Vietnam's specific data localization and cyber-product licensing laws suggest a potential divergence, where a "Vietnam-compliant" ship might differ slightly from a "Singapore-compliant" one. This would complicate life for regional suppliers who export to multiple markets, potentially requiring different product SKUs for different jurisdictions.65

Conclusion

The adoption of IACS UR E27 in Southeast Asia is a story of asymmetric progress. Singaporean integrators and global OEMs are racing ahead, leveraging advanced gateways and managed services to monetize compliance. They are turning a regulatory burden into a competitive advantage. In contrast, the broader base of Tier 2 and Tier 3 suppliers in Indonesia and Vietnam faces a steep climb, burdened by the need to digitize and secure mechanical legacies with limited resources and talent.

For the supplier, the message is clear: E27 is not just a technical specification; it is a market access license. Those who can wrap their products in verified security—whether through native engineering or smart gateway integration—will dominate the Authorized Vendor Lists of the future. Those who cannot will be relegated to the shrinking market of non-IACS, domestic-only tonnage. As the "silent tier" becomes a source of noisy risk, the maritime industry in Southeast Asia enters a period of rigorous, and painful, maturation.

Table 2: Comparative Adoption Readiness in Southeast Asia

Country

Primary Driver

Supplier Readiness Level

Key Hurdle

Singapore

MPA Policy, Global Hub Status

High (Tier 1/2)

Cost of compliance for SMEs; Talent shortage.

Vietnam

Hyundai JV, National Cyber Law

Medium (Export) / Low (Domestic)

Overlap of IACS & National Law; Reliance on component imports.

Indonesia

BKI Standards, Domestic Cabotage

Low to Medium

Lack of Type Approved domestic products; Funding for R&D.

Malaysia

Oil & Gas (Petronas) Standards

Medium

Transitioning legacy offshore support vessels to new standards.

Philippines

Crewing/Manning focus

Low (Manufacturing)

Focus is on training crew (cyber hygiene) rather than manufacturing equipment.

Sources: 43

  1. IACS UR E27 Rev.1 - Hull Classification Surveys, https://www.classnk.or.jp/hp/pdf/info_service/iacs_ur_and_ui/ur_e27_rev.1_sep_2023_cln.pdf
  2. IACS unified requirements for cyber security mandatory from 1 ..., https://www.dnv.com/news/2022/iacs-unified-requirements-for-cyber-security-mandatory-from-1-january-2024-227429/
  3. IACS unified requirements E26 and E27 Cyber security beyond ..., https://www.inmarsat.com/content/dam/viasat-maritime/perspectives/documents/MBU_IACS_UR_E26_E27_whitepaper_June_2024.pdf
  4. IACS UR E26-E27 Implementation for VLCC Cyber Resilience, https://medium.com/@shipsec.guardian/iacs-ur-e26-e27-implementation-for-vlcc-cyber-resilience-ef386d9d520f
  5. New Mandatory cyber-security requirements coming in July 2024, https://marine-safety-consultant.ch/new-mandatory-cyber-security-requirements-coming-in-july-2024/
  6. Why IACS UR E26 Falls Short of True Maritime Cyber Resilience, https://medium.com/@shipsec.guardian/why-iacs-ur-e26-falls-short-of-true-maritime-cyber-resilience-33389da1ae6b
  7. Cybersecurity IACS E26 and E27 - Speedcast, https://www.speedcast.com/blog-hub/2025/iacs-e26-e27-standards/
  8. Maritime Networking & Cybersecurity | IACS E26/E27 - Robustel, https://robustel.com/products/maritime-networking-cybersecurity/
  9. Maritime IoT and cyber security solutions - Robustel, https://robustel.com/solutions/maritime/
  10. Cybersecurity Challenges in The Maritime Industry | PDF - Scribd, https://www.scribd.com/document/807970657/Cybersecurity-Challenges-in-the-Maritime-Industry
  11. MG360 | Official Robustel Distributor and Integrator - Assured Systems, https://www.assured-systems.com/robustel-mg360-maritime-cyber-security-gateway/
  12. Recommendation on Cyber Resilience No. 166 - Steamship Mutual, https://www.steamshipmutual.com/sites/default/files/downloads/articles/2020/IACS-Recommendation-on-Cyber-resilience-No-166-2020_04.pdf
  13. TYPE APPROVAL CERTIFICATE - Zenitel, https://www.zenitel.com/sites/default/files/2025-10/DNV%20Cyber%20%28SP1%29%20-%20IACS%20UR%20E27%20-%202027-06-24%20-%20TAA00003MY.pdf
  14. IACS UR E27 Cybersecurity Frequently Asked Questions (FAQs), https://ww2.eagle.org/en/Products-and-Services/vendor-certification/abs-cybersafety-for-resilience/faq-cyber-resilience-program.html
  15. TYPE APPROVAL CERTIFICATE - Bachmann.info, https://www.bachmann.info/media/5671/download/Bachmann_DNV_MC_MH_MX_series_en_2024.pdf?v=1
  16. Cyber Security: Supply Chain Risk Management and Defense-in ..., https://library.imarest.org/record/7692/files/INEC_2020_Paper_80.pdf
  17. From zero to hero - IACS UR E26 & E27 mandatory cyber regulations, https://www.port-it.nl/latest-news/from-zero-to-hero/
  18. Why Tier-2 and Tier-3 Suppliers Hold the Future of Supply Chain ..., https://ean-network.com/the-power-of-the-silent-tier-why-tier-2-and-tier-3-suppliers-hold-the-future-of-supply-chain-stability/
  19. MINT Fund | Maritime & Port Authority of Singapore (MPA), https://www.mpa.gov.sg/maritime-singapore/what-maritime-singapore-offers/programmes-to-support-your-maritime-business/mint-fund
  20. Grants and Funding | Maritime & Port Authority of Singapore (MPA), https://www.mpa.gov.sg/maritime-singapore/what-maritime-singapore-offers/programmes-to-support-your-maritime-business
  21. Details - Maritime & Port Authority of Singapore (MPA), https://www.mpa.gov.sg/media-centre/details/driving-growth-and-innovation-to-strengthen-maritime-competitiveness-and-resilence
  22. Singapore's MPA launches Maritime Cybersecurity Operations Centre, https://www.rivieramm.com/news-content-hub/news-content-hub/singapores-mpa-launches-maritime-cybersecurity-operations-centre-54661
  23. Supplier Code of Conduct - Seatrium, https://www.seatrium.com/assets/reports/851.5-FRM1-Supplier_Code_of_Conduct_Seatrium.pdf
  24. Compliance Business Code of Conduct - Seatrium, https://www.seatrium.com/assets/code-of-conduct/Seatrium-Business-Code-of-Conduct.pdf
  25. Brochures | Jason Marine Group, https://www.jason.com.sg/brochures
  26. Contact - Pantech Group, https://pantech-group.com/contact/
  27. jason electronics (pte) ltd - Asia Marine & Offshore Industries Directory, https://www.sgmarineindustries.com/company-details/jason-electronics-pte-ltd/
  28. Jason - ShipServ, https://www.shipserv.com/ShipServ/pages/profiles/53945/documents/Jason-Electronics-Brochure.pdf
  29. Biro Klasifikasi Indonesia - Maritime Directory, https://directory.marinelink.com/companies/company/biro-klasifikasi-indonesia-209442
  30. BKI - Rules For Classification and Construction - Vol.1 2022 | PDF, https://www.scribd.com/document/666528910/BKI-Rules-For-Classification-And-Construction-Part-1-Seagoing-Ships-Vol-1-2022
  31. Latest Trends in Ship Cybersecurity Regulations - ClassNK, https://www.classnk.or.jp/hp/pdf/research/rd/2024/10_e06.pdf
  32. PT. Biro Klasifikasi Indonesia (BKI) - IKA PPNS, https://ika.ppns.ac.id/pt-biro-klasifikasi-indonesia-bki/
  33. Global Network|ABOUT TERASAKI|TERASAKI ELECTRIC CO.,LTD, https://www.terasaki.co.jp/english/about/offices.html
  34. Jual TERASAKI ELECTRIC oleh PT. TOTAL ABADI SOLUSINDO, https://totalabadi.indonetwork.co.id/products/terasaki-electric-546509
  35. 440V/690V Low-Voltage Marine Switchboard | manufacturer & price, https://www.smartelecmfg.com/Switchgear/product/440v-690v-low-voltage-marine-switchboard/
  36. Arakanmarine | Marine Automation, https://arakanmarine.com/
  37. introduction - Sinco Marine, https://www.sincomarine.com/doc/COMPANY-PROFILE_SINCO_MARINE_SOLUTION_compressed.pdf
  38. Cybersecurity Considerations for Procurement Process, https://www.energy.gov/femp/articles/cybersecurity-considerations-procurement-process
  39. Prevention of Corruption in the Procurement of Goods/Services ..., https://www.ajhssr.com/wp-content/uploads/2025/09/M2590999106.pdf
  40. HD Hyundai gets global ship cyber security certifications - KED Global, https://www.kedglobal.com/shipping-shipbuilding/newsView/ked202406250008
  41. HD Hyundai in ship cyber security tie-up - Lloyd's List, https://www.lloydslist.com/LL1148011/HD-Hyundai-in-ship-cyber-security-tie-up
  42. Vietnam's Law on Cybersecurity 2025: What's New and What ..., https://www.frasersvn.com/legal-updates-and-publications/vietnam-s-law-on-cybersecurity-2025-what-s-new-and-what-businesses-need-to-know
  43. Vietnam's New Cybersecurity Law to Take Effect January 2026 - DFDL, https://www.dfdl.com/insights/legal-and-tax-updates/vietnams-new-cybersecurity-law-to-take-effect-january-2026/
  44. Hai Nam Automation Technology JSC.: Home, https://www.hainamsi.com/
  45. Round Steel Pipe (galvanized, non galvanized), https://investvietnam.vn/round-steel-pipe-galvanized-non-galvanized2
  46. Technotrade LLC, https://www.technotrade.ua/
  47. The Philippine Maritime Industry, https://marina.gov.ph/wp-content/uploads/2019/07/OSS-Newsletter-Volume-2-July-2019.pdf
  48. MIDP 2028 - MARITIME INDUSTRY AUTHORITY, https://marina.gov.ph/wp-content/uploads/2024/04/MIDP-2028-as-of-29-April-2024.pdf
  49. Improving Maritime Cybersecurity in Southeast Asia: Suggestions for ..., https://brill.com/view/journals/apoc/8/2/article-p329_008.xml
  50. Secure Remote Access to Legacy Equipment on Closed Networks, https://www.remote.it/resources/remote-access-legacy-equipment-closed-networks
  51. Challenges in Maritime Cybersecurity Training and Compliance, https://www.mdpi.com/2077-1312/12/10/1844
  52. The impact of IACS UR E26, UR E27 - Theseus, https://www.theseus.fi/bitstream/10024/895631/2/Ungureanu_Alexandra.pdf
  53. Collective Efforts to Strengthen Maritime Cybersecurity, https://www.mpa.gov.sg/media-centre/details/collective-efforts-to-strengthen-maritime-cybersecurity
  54. Holistic Smart Maritime Solutions for Cyber-resilience - Moxa, https://www.moxa.com/en/spotlight/integrated-solutions/marine/maritime-solutions-for-cyber-resilience/index
  55. Moxa Distributor di Indonesia - Electgo, https://electgo.id/brands/moxa
  56. Moxa Solusi Jaringan Industri 4.0 - alvasta-tech.com, https://www.alvasta-tech.com/moxa
  57. Cobham SAILOR 900 VSAT Ka Maritime Satellite Internet System ..., https://www.asiasatellite.co/Cobham-SAILOR-900-Ka-VSAT-System-p/Cobham-SAILOR-900-Ka-VSAT-System.htm
  58. Cobham Satcom - AMI Marine Vietnam, https://www.amisales.com.vn/cobham-satcom?___store=vietnam
  59. Cybersecurity & Managed Firewall - KVH Integrated Hardware, https://www.kvh.com/managed-services/fleet-services/managed-firewall/
  60. Cyber Overview - GTMaritime, https://www.gtmaritime.com/services/cyber-overview/
  61. Inmarsat Fleet One Plans | Maritime Voice & Data Costs, https://satellitephonestore.com/service-plans/fleet-one-service-plans
  62. Cyber security approval of components and systems - DNV, https://www.dnv.com/services/cyber-security-approval-of-components-and-systems-124196/
  63. Cyber-Attacks as an Evolving Threat to Southeast Asia's Maritime ..., https://amti.csis.org/cyber-attacks-as-an-evolving-threat-to-southeast-asias-maritime-security/
  64. Cyber Secure class notation - DNV, https://www.dnv.com/services/cyber-secure-class-notation-124600/
  65. Vietnam's Draft Cybersecurity Law 2025 – Key Changes Businesses ..., https://rouse.com/insights/news/2025/vietnam-s-draft-cybersecurity-law-2025-key-changes-businesses-need-to-know
  66. Cyber Security and Cyber Information Safety Regulations in Vietnam, https://vci-legal.com/wp-content/uploads/2021/04/Cyber-Security-Law-in-Vietnam.pdf
  67. Regional freight transport infrastructure and policy in Southeast Asia, https://www.itf-oecd.org/sites/default/files/regional_freight_transport_infrastructure_and_policy_in_southeast_asia.pdf
  68. About Us | IPERINDO - WordPress.com, https://dppiperindo.wordpress.com/about/
  69. Singapore Norway Maritime Cyber Forum - NBAS, https://nbas.org.sg/news/singapore-norway-maritime-cyber-forum/
  70. IACS PROCEDURES, https://www.ccs.org.cn/ccswz/file/download?fileid=201900004000000903

Featured