
# Who's Actually at the Helm? The Identity Problem Hiding in Plain Sight on Your Vessels
Every year, maritime cyber incidents trace back to a deceptively simple failure: nobody knew who was actually logged in.
---
**What IACS UR E27 Demands**
Under UR E27, every human user must be identified and authenticated before gaining access to any Computer-Based System (CBS) within the rule's scope aboard a vessel, and that identity has to be traceable to one person. No shared credentials. No "admin/admin" left over from commissioning. Each individual gets one identity, and that identity must be verified before the system opens its doors.
---
**Why This Matters at Sea**
Vessels operate with rotating crews, third-party service engineers, remote support connections, and tight operational schedules. In that environment, shared accounts feel convenient — but they are an accountability black hole. When an incident occurs, "Engineer 3 used the engine management login" tells investigators nothing. You cannot reconstruct a timeline, isolate a mistake, or demonstrate due diligence to your flag state or P&I club without individual identity at the foundation. Every audit trail, every forensic analysis, every regulatory response starts here.
---
**The IEC 62443-3-3 Technical Layer**
SR 1.1, Human user identification and authentication, is the bedrock requirement of Foundational Requirement 1 (Identification and Authentication Control, IAC) in IEC 62443-3-3. Its requirement enhancements (REs) build the capability up step by step, and the security level each one maps to matters:
→ **SL 1** (SR 1.1 base): identify and authenticate all human users. A shared or role account with a real password still passes here, so SL 1 alone does not deliver accountability.
→ **SL 2** (SR 1.1 RE 1): uniquely identify and authenticate all human users. This is the enhancement that rules out shared credentials and puts a named person behind every log entry.
→ **SL 3** (SR 1.1 RE 2): multifactor authentication for human users connecting from untrusted networks, such as a remote vendor support link.
→ **SL 4** (SR 1.1 RE 3): multifactor authentication for human users on all networks, not only untrusted ones.
Password policy and credential storage are governed by their own requirements (SR 1.5 Authenticator management and SR 1.7 Strength of password-based authentication), not by SR 1.1.
A vessel where any crew member can log into the ECDIS, BMS, or power management system as a shared "admin" can never get past SL 1 for this requirement: RE 1 is unmet, so the higher levels are out of reach until individual accounts exist. If that account still carries a default password like admin/admin, even the SL 1 base is hollow, because authentication is not meaningfully enforced. Everything else in FR 1 is irrelevant until this baseline is met.
---
**The Implementation Reality** 🔧
The most common gap I encounter isn't malicious — it's legacy. Older OT systems were designed with a single operator in mind, running on closed networks, with no concept of individual user accounts. Retrofitting unique authentication onto a 15-year-old PLC-driven system mid-voyage requires planning, vendor coordination, and sometimes compensating controls until a proper fix is possible. That work needs to start now, before class surveys demand it.
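As an added illustration, not part of the original post and not any vendor's or class society's tooling, the Python below puts both halves of the problem into working code: the accountability gap of a shared login described under "Why This Matters at Sea", and the compensating control a legacy system may need until it can support individual accounts. It rebuilds sessions from constructed HMI login/logout lines, flags the same shared account active from two hosts at once (the fingerprint of a shared credential that SR 1.1 RE 1 rules out), and then tries to attribute every shared-account session to a named person through a credential check-out ledger kept at a jump host, gateway or logbook. The log field names, account names, host addresses, timestamps and ledger entries are all assumptions made for the example.

```python
# Added example: shared-account detection and attribution over OT HMI session logs.
# Log format, accounts, hosts, timestamps and the check-out ledger are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SAMPLE_LOG = """\
2026-05-01T08:02:11Z host=ems-hmi1 event=login user=admin src=10.20.1.14 result=success
2026-05-01T08:09:40Z host=ems-hmi1 event=login user=admin src=10.20.1.22 result=success
2026-05-01T08:31:05Z host=ems-hmi1 event=logout user=admin src=10.20.1.14
2026-05-01T08:35:00Z host=ems-hmi1 event=logout user=admin src=10.20.1.22
2026-05-01T09:15:12Z host=ems-hmi1 event=login user=j.park src=10.20.1.14 result=success
2026-05-01T09:40:51Z host=ems-hmi1 event=logout user=j.park src=10.20.1.14
2026-05-01T13:02:00Z host=ems-hmi1 event=login user=admin src=10.20.1.30 result=success
2026-05-01T13:20:00Z host=ems-hmi1 event=logout user=admin src=10.20.1.30
"""

# Compensating control for a system that only offers one shared account: a named
# person signs the credential out (jump host, gateway or logbook) for a source
# host and a time window. Tuple: (person, shared account, src, start, end).
CHECKOUTS = [
    ("k.lee",   "admin", "10.20.1.14", "2026-05-01T08:00:00Z", "2026-05-01T08:45:00Z"),
    ("svc.eng", "admin", "10.20.1.30", "2026-05-01T13:00:00Z", "2026-05-01T14:00:00Z"),
]
SHARED_ACCOUNTS = {"admin", "operator"}   # accounts not tied to one person

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

@dataclass
class Session:
    user: str
    src: str
    start: datetime
    end: Optional[datetime]   # None if no logout was seen

def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    stamp, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts(stamp)
    return event

def build_sessions(log_text):
    """Pair each successful login with the next logout for the same (user, src)."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        if ev["event"] == "login" and ev.get("result") == "success":
            open_sessions[key] = Session(ev["user"], ev["src"], ev["ts"], None)
        elif ev["event"] == "logout" and key in open_sessions:
            session = open_sessions.pop(key)
            session.end = ev["ts"]
            sessions.append(session)
    sessions.extend(open_sessions.values())   # still logged in at end of log
    return sorted(sessions, key=lambda s: s.start)

def find_overlaps(sessions):
    """One account active from two hosts at once: the fingerprint of a shared
    credential, which SR 1.1 RE 1 (unique identification) rules out."""
    hits = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a.user != b.user or a.src == b.src:
                continue
            if a.start < (b.end or datetime.max) and b.start < (a.end or datetime.max):
                hits.append((a.user, a.src, b.src, max(a.start, b.start)))
    return hits

def attribute(session, checkouts=CHECKOUTS):
    """Person behind a session: the account itself if individual, the ledger
    entry covering the whole session if shared, else None (unattributable)."""
    if session.user not in SHARED_ACCOUNTS:
        return session.user
    last_seen = session.end or session.start
    for person, account, src, start, end in checkouts:
        if (account == session.user and src == session.src
                and ts(start) <= session.start and last_seen <= ts(end)):
            return person
    return None

def report(log_text, checkouts=CHECKOUTS):
    sessions = build_sessions(log_text)
    attribution = [(s.user, s.src, attribute(s, checkouts)) for s in sessions]
    return {
        "overlaps": find_overlaps(sessions),
        "attribution": attribution,
        "unattributed": [(u, src) for u, src, who in attribution if who is None],
    }

if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for user, src, who in result["attribution"]:
        print(f"{user:8} from {src:12} -> {who or 'UNATTRIBUTABLE'}")
    for user, a, b, at in result["overlaps"]:
        print(f"shared-account indicator: {user!r} active from {a} and {b} at {at:%H:%M:%S}Z")
```

On the constructed data the two morning "admin" sessions overlap from different hosts, which is exactly the "Engineer 3 used the engine management login" situation: without the ledger neither can be tied to a person. With the ledger, the session from 10.20.1.14 resolves to k.lee and the afternoon service session to svc.eng, while the 10.20.1.22 session stays unattributable, which is the finding an investigator or surveyor would actually want surfaced. The ledger only works as a compensating control if it is written before the credential is used and its time windows and source hosts are enforced at the gateway rather than filled in afterwards; once the system can issue individual accounts, RE 1 makes the ledger unnecessary.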
---
What does your current CBS inventory look like — are there systems aboard your vessels that simply cannot support individual user accounts today? I'd be curious to hear how others are handling the legacy gap.
---

📌 Post 1/41 in my IACS UR E27 series — breaking down all 41 requirements
#Authentication #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #OTSecurity