SIST EN IEC 63154:2021

SLOVENSKI STANDARD
SIST EN IEC 63154:2021
01-junij-2021
Pomorska navigacijska in radiokomunikacijska oprema in sistemi - Kibernetska
varnost - Splošne zahteve, preskusne metode in pričakovani rezultati preskušanja
(IEC 63154:2021)
Maritime navigation and radiocommunication equipment and systems - Cybersecurity -
General requirements, methods of testing and required test results (IEC 63154:2021)
Navigations- und Funkkommunikationsgeräte und -systeme für die Seeschifffahrt -
Cyber-Security - Allgemeine Anforderungen, Prüfverfahren und geforderte
Prüfergebnisse (IEC 63154:2021)
Matériels et systèmes de navigation et de radiocommunication maritimes - Sécurité
informatique - Exigences générales, méthodes d'essai et résultats d'essais exigés (IEC
63154:2021)
Ta slovenski standard je istoveten z: EN IEC 63154:2021
ICS:
35.030 Informacijska varnost IT Security
47.020.70 Navigacijska in krmilna Navigation and control
oprema equipment
SIST EN IEC 63154:2021 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN IEC 63154:2021

---------------------- Page: 2 ----------------------
SIST EN IEC 63154:2021


EUROPEAN STANDARD EN IEC 63154

NORME EUROPÉENNE

EUROPÄISCHE NORM
April 2021
ICS 35.030; 47.020.70

English Version
Maritime navigation and radiocommunication equipment and
systems - Cybersecurity - General requirements, methods of
testing and required test results
(IEC 63154:2021)
Matériels et systèmes de navigation et de Navigations- und Funkkommunikationsgeräte und -systeme
radiocommunication maritimes - Sécurité informatique - für die Seeschifffahrt - Cyber-Security - Allgemeine
Exigences générales, méthodes d'essai et résultats d'essai Anforderungen, Prüfverfahren und geforderte
exigés Prüfergebnisse
(IEC 63154:2021) (IEC 63154:2021)
This European Standard was approved by CENELEC on 2021-04-13. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.


European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
 Ref. No. EN IEC 63154:2021 E

---------------------- Page: 3 ----------------------
SIST EN IEC 63154:2021
EN IEC 63154:2021 (E)
European foreword
The text of document 80/984/FDIS, future edition 1 of IEC 63154, prepared by IEC/TC 80 "Maritime
navigation and radiocommunication equipment and systems" was submitted to the IEC-CENELEC
parallel vote and approved by CENELEC as EN IEC 63154:2021.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2022-01-13
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2024-04-13
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Endorsement notice
The text of the International Standard IEC 63154:2021 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 61162-1 NOTE Harmonized as EN 61162-1
IEC 61162-2 NOTE Harmonized as EN 61162-2
IEC 61162-3 NOTE Harmonized as EN 61162-3
IEC 61993-2:2018 NOTE Harmonized as EN IEC 61993-2:2018 (not modified)
IEC 62443 (series) NOTE Harmonized as EN IEC 62443 (series)
2

---------------------- Page: 4 ----------------------
SIST EN IEC 63154:2021
EN IEC 63154:2021 (E)
Annex ZA
(normative)

Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is
available here: www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 60945 2002 Maritime navigation and EN 60945 2002
radiocommunication equipment and
systems - General requirements - Methods
of testing and required test results
IEC 61162-450 - Maritime navigation and EN IEC 61162-450 -
radiocommunication equipment and
systems - Digital interfaces - Part 450:
Multiple talkers and multiple listeners -
Ethernet interconnection
IEC 61162-460 2018 Maritime navigation and EN IEC 61162-460 2018
radiocommunication equipment and
systems – Digital interfaces – Part 460:
Multiple talkers and multiple listeners –
Ethernet interconnection –Safety and
security

3

---------------------- Page: 5 ----------------------
SIST EN IEC 63154:2021

---------------------- Page: 6 ----------------------
SIST EN IEC 63154:2021




IEC 63154

®


Edition 1.0 2021-03




INTERNATIONAL



STANDARD




NORME


INTERNATIONALE
colour

inside










Maritime navigation and radiocommunication equipment and systems –

Cybersecurity – General requirements, methods of testing and required test

results



Matériels et systèmes de navigation et de radiocommunication maritimes –

Sécurité informatique – Exigences générales, méthodes d’essai et résultats


d’essai exigés














INTERNATIONAL

ELECTROTECHNICAL

COMMISSION


COMMISSION

ELECTROTECHNIQUE


INTERNATIONALE




ICS 35.030; 47.020.70 ISBN 978-2-8322-9471-0




Warning! Make sure that you obtained this publication from an authorized distributor.

Attention! Veuillez vous assurer que vous avez obtenu cette publication via un distributeur agréé.

® Registered trademark of the International Electrotechnical Commission
Marque déposée de la Commission Electrotechnique Internationale

---------------------- Page: 7 ----------------------
SIST EN IEC 63154:2021
– 2 – IEC 63154:2021 © IEC 2021
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 9
2 Normative references . 9
3 Terms, definitions and abbreviated terms . 10
3.1 Terms and definitions . 10
3.2 Abbreviated terms . 13
4 Module A: Data files . 14
4.1 General . 14
4.2 Requirements . 14
4.2.1 Transport integrity . 14
4.2.2 Source authentication . 14
4.3 Methods of testing and required test results . 15
5 Module B: Execution of executables . 16
5.1 General . 16
5.2 Requirements . 16
5.3 Methods of testing and required test results . 17
6 Module C: User authentication . 17
6.1 General . 17
6.2 Requirements . 17
6.3 Methods of testing and required test results . 19
7 Module D: System defence . 20
7.1 General . 20
7.2 Malware protection. 20
7.2.1 Requirements . 20
7.2.2 Methods of testing and required test results. 23
7.3 Denial of service protection . 25
7.3.1 Requirements . 25
7.3.2 Methods of testing and required test results. 27
8 Module E: Network access. 29
8.1 General . 29
8.2 Equipment which connects to a network . 29
8.2.1 Requirements . 29
8.2.2 Methods of testing and required test results. 29
8.3 Equipment providing network access between controlled networks . 30
8.3.1 Requirements . 30
8.3.2 Methods of testing and required test results. 30
8.4 Equipment providing network access between controlled and uncontrolled
networks . 31
8.4.1 Requirements . 31
8.4.2 Methods of testing and required test results. 31
9 Module F: Access to operating system . 32
9.1 General . 32
9.2 Requirements . 32
9.3 Methods of testing and required test results . 32
10 Module G: Booting environment . 32

---------------------- Page: 8 ----------------------
SIST EN IEC 63154:2021
IEC 63154:2021 © IEC 2021 – 3 –
10.1 General . 32
10.2 Requirements . 32
10.3 Methods of testing and required test results . 33
11 Module H: Maintenance mode . 33
11.1 General . 33
11.2 Requirements . 33
11.3 Methods of testing and required test results . 34
12 Module I: Protection against unintentional crash caused by user input . 35
12.1 General . 35
12.2 Requirements . 35
12.3 Methods of testing and required test results . 36
13 Module J: Interfaces for removable devices including USB . 36
13.1 General . 36
13.2 Requirements . 36
13.2.1 Physical protection . 36
13.2.2 Operational protection . 37
13.3 Methods of testing and required test results . 37
13.3.1 Physical protection . 37
13.3.2 Operational protection . 37
14 Module K: IEC 61162-1 or IEC 61162-2 as interface . 38
15 Module L: IEC 61162-450 as interface . 38
15.1 General . 38
15.2 IEC 61162-1 sentences . 38
15.3 IEC 61162-450 used for file transfer. 38
16 Module M: Other interfaces . 39
17 Module N: Software maintenance . 39
17.1 General . 39
17.2 Software maintenance in maintenance mode . 40
17.2.1 Requirements . 40
17.2.2 Methods of testing and required test results. 40
17.3 Semi-automatic software maintenance by the crew onboard the vessel . 40
17.3.1 General . 40
17.3.2 Requirements . 40
17.3.3 Methods of testing and required test results. 41
18 Module O: Remote maintenance . 42
18.1 General . 42
18.2 Requirements . 42
18.3 Methods of testing and required test results . 42
19 Module P: Documentation . 43
19.1 Requirements . 43
19.2 Methods of testing and required test results . 43
Annex A (informative) Guidance on implementing virus and malware protection on
type approved equipment . 44
Annex B (normative) File authentication . 46
B.1 General . 46
B.2 Digital signatures . 46
B.2.1 Requirements . 46
B.2.2 Methods of testing and required test results. 47

---------------------- Page: 9 ----------------------
SIST EN IEC 63154:2021
– 4 – IEC 63154:2021 © IEC 2021
B.3 Symmetric means based upon pre-shared secret keys . 48
B.3.1 Requirements . 48
B.3.2 Methods of testing and required test results. 49
Annex C (informative) Methods of authentication of data files and executables –
Examples . 51
C.1 General . 51
C.2 Explanations of terms . 51
C.3 Asymmetric cryptography . 51
C.4 Digital signatures . 52
C.5 Public key infrastructure . 53
C.5.1 General theory . 53
C.5.2 Notes about shipboard use . 55
C.6 Symmetric key authentication based on "pre-shared secret key" . 55
Annex D (normative) USB class codes . 57
Annex E (informative) Cyber security configuration document for equipment . 58
E.1 General for the document . 58
E.2 Document parts . 58
E.2.1 Hardening of the operating system . 58
E.2.2 Update strategy for cyber security reasons . 58
E.2.3 Strategies for detecting and reacting to future vulnerabilities . 58
Annex F (informative) Guidance on interconnection between networks . 59
F.1 General . 59
F.2 Guidance . 59
Bibliography . 61

Figure 1 – Some examples of data transfer . 8
Figure F.1 – Examples for different types of network and associated interconnecting

devices . 60


Table D.1 – USB class codes . 57

---------------------- Page: 10 ----------------------
SIST EN IEC 63154:2021
IEC 63154:2021 © IEC 2021 – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

MARITIME NAVIGATION AND RADIOCOMMUNICATION
EQUIPMENT AND SYSTEMS – CYBERSECURITY –
GENERAL REQUIREMENTS, METHODS OF TESTING
AND REQUIRED TEST RESULTS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
IEC 63154 has been prepared by IEC technical committee 80: Maritime navigation and
radiocommunication equipment and systems. It is an International Standard.
The text of this International Standard is based on the following documents:
FDIS Report on voting
80/984/FDIS 80/989/RVD

Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this International Standard is English

---------------------- Page: 11 ----------------------
SIST EN IEC 63154:2021
– 6 – IEC 63154:2021 © IEC 2021
This document has been drafted in accordance with the ISO/IEC Directives, Part 2, and
developed in accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives,
IEC Supplement, available at www.iec.ch/members_experts/refdocs. The main document types
developed by IEC are described in greater detail at www.iec.ch/standardsdev/publications.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this document using a colour printer.

---------------------- Page: 12 ----------------------
SIST EN IEC 63154:2021
IEC 63154:2021 © IEC 2021 – 7 –
INTRODUCTION
IMO resolution MSC.428(98) on maritime cyber risk management in safety management
systems affirms the need for cyber risk management on vessels subject to the SOLAS
Convention. This document addresses the basic cybersecurity requirements for shipborne
navigation and radiocommunication equipment falling within that need.
Shipborne navigation and radiocommunication equipment are generally installed in restricted
areas, for example at the bridge where access is defined by the IMO International Ship and Port
Facility Security (ISPS) Code or in an electronic locker room or in a closed cabinet. These
restricted areas are referred to as secure areas in this document. This is based on the
importance of navigation and radiocommunication equipment for the safety of navigation. These
restricted areas are considered as areas with implemented security and access measures.
These measures are defined in the ship security plan of the individual vessel derived from ISPS
code, they are not part of this document and not specified or tested in the context of this
document. Accordingly, equipment installed in these physically restricted access areas are
understood to benefit from these security measures. This document provides mitigation against
the remaining cyber vulnerabilities for equipment installed in such areas.
Following from the above, this document includes consideration of cyber threats from
unauthorized users, from removable external data sources (REDS) like USB sticks, from
network segments installed outside of the restricted areas including interfaces to external
networks, for example ship to shore, ship to ship.
The risk of an incident is different for each equipment/system boundary, and the mitigating
security measures required should be appropriate to the identified risk of incident and
proportional to the identified adverse consequences. Boundaries take the form of both physical,
such as direct access to the equipment via its ports (e.g. network, USB, import of digital files,
software installation) and logical (e.g. connections over a network, transfer of data, operator
use). A key tenet of cyber security is authentication of who has provided the data and
verification that what is being provided has not been tampered with.
To reflect the difference in cyber security risk, the needs for authentication and verification
between secure and non-s
...