
# 🔐 The Most Exploited Vulnerability in Maritime OT Has a Five-Letter Name: "admin"
Default credentials on vessel systems aren't a gap in a security checklist — they're an open door with a welcome mat.
---
**What IACS UR E27 Requires**
Under FR 1 (Identification and Authentication Control), UR E27 requires that every Computer-Based System (CBS) on board be able to initialize its authenticators, change all default authenticators at installation, change or refresh authenticators over their lifetime, and protect them from unauthorized disclosure and modification both when stored and when transmitted. That covers passwords, tokens and certificates alike. A factory default that survives into operation fails the requirement outright, and a credential baked into firmware or software that cannot be changed fails it just as surely, because it can never satisfy the "change all defaults" clause.
---
**Why This Matters on the Water**
Vessels operate with limited connectivity windows, meaning credential hygiene that gets deferred in port often stays deferred for weeks at sea. A compromised ECDIS login or an unchanged factory password on a ballast water management system isn't a theoretical risk — it's an operational liability that classification societies, flag states, and port state control inspectors are increasingly scrutinizing.
→ Credentials stored in plaintext configuration files remain common across legacy CBS installations
→ Shared accounts between OEM technicians and vessel engineers create accountability blind spots
→ Rotation schedules designed for shore-side IT rarely survive contact with maritime maintenance realities
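The first arrow is the one you can actually go and measure. The script below is an added example written for this post, not code from any vendor or from the original: it scans constructed fragments of legacy CBS configuration (the file names, keys, values and the KNOWN_DEFAULTS list are all invented for the example) for live credential values, skips comment lines, key-file paths and environment placeholders so they do not drown the real findings, and flags any username/password pair that matches a factory default.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration fragments in the style of legacy CBS
# installations. File names, keys and values are invented for this example.
SAMPLE_CONFIGS = {
    "ecdis/remote_support.ini": (
        "[remote_support]\n"
        "; OEM remote access, set at commissioning\n"
        "user = admin\n"
        "password = admin\n"
        "port = 22\n"
    ),
    "bwms/controller.conf": (
        "# ballast water management controller\n"
        "db_user=bwms\n"
        "db_password=Ballast2019!\n"
        "log_level=INFO\n"
    ),
    "engine/telemetry.yaml": (
        "api_key: ${TELEMETRY_API_KEY}\n"
        "tls_key_file: /etc/telemetry/key.pem\n"
        "# password: oldvalue\n"
    ),
}

# Constructed default pairs; a real audit would take these from the vendor's
# commissioning documentation for each installed product.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "1234"), ("service", "service")}

# keys that carry a secret value: password, passwd, secret, api_key, token ...
CRED_KEY = re.compile(
    r"^(?P<key>[\w.-]*(?:pass(?:word|wd)?|secret|api[_-]?key|token)[\w.-]*)"
    r"\s*[:=]\s*(?P<val>.+?)\s*$", re.I)
# keys naming the account the secret belongs to
USER_KEY = re.compile(r"^(?P<key>[\w.-]*(?:user|login)[\w.-]*)\s*[:=]\s*(?P<val>\S+)$", re.I)
# ${ENV_VAR} / $ENV_VAR / <placeholder>: a reference, not the secret itself
PLACEHOLDER = re.compile(r"^\$\{?[A-Za-z0-9_]+\}?$|^<[^>]+>$")


@dataclass
class Finding:
    path: str
    line: int
    key: str
    value: str
    is_default: bool


def scan_config(path: str, text: str) -> list:
    """Return the live plaintext credentials found in one configuration file."""
    findings = []
    account = None        # last username seen, paired with the next secret
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue          # comments are not live credentials
        m = USER_KEY.match(line)
        if m:
            account = m.group("val").strip("\"'")
            continue
        m = CRED_KEY.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("val").strip("\"'")
        # a path to a key file or an env-var placeholder is a reference, not a secret
        if key.lower().endswith("_file") or PLACEHOLDER.match(value):
            continue
        findings.append(Finding(path, lineno, key, value, (account, value) in KNOWN_DEFAULTS))
    return findings


def audit(configs: dict = SAMPLE_CONFIGS) -> list:
    """Scan every file and return the findings in file order."""
    return [f for path, text in configs.items() for f in scan_config(path, text)]


if __name__ == "__main__":
    for f in audit():
        flag = "FACTORY DEFAULT" if f.is_default else "plaintext"
        print(f"{f.path}:{f.line}  {f.key}  [{flag}]")
```

Run against the constructed input it reports two findings, the ECDIS remote-support password (flagged as a factory default) and the BWMS database password (plaintext, not a known default); the telemetry file yields nothing because its values are references rather than secrets. Pointed at a real image pulled off a CBS, the same filters are what keep the report short enough for someone to act on.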
---
**The IEC 62443-3-3 Technical Frame**
SR 1.5 (Authenticator management) is the requirement UR E27 pulls in. It applies at every Security Level, SL 1 through SL 4, and its base text already covers initializing authenticators, changing defaults at installation, changing or refreshing them, and protecting them from unauthorized disclosure and modification at rest and in transit. The levels build on that as follows:
→ SL 1–2: the base requirement only; the method of protection is not prescribed, so an encrypted credential store and authenticated, encrypted management channels are the usual way to satisfy it
→ SL 3–4: RE(1) requires hardware-backed protection of authenticators (a TPM, secure element or HSM rather than a file the operating system can read)
→ Password generation and lifetime rules live in the companion SR 1.7: RE(1) enforces them for human users at SL 3 and above, RE(2) extends lifetime restrictions to all users, software processes and devices included, at SL 4
→ Revocation and audit-trail linkage are not extras of SR 1.5 at higher levels; they come from the certificate and logging requirements elsewhere in the standard, which is why a credential programme has to be read across several SRs rather than one
For most propulsion and navigation CBS, SL 2 is the current target floor. Many installed systems don't yet meet it.
---
**One Implementation Reality**
Vendor service accounts, frequently hardcoded or shared across multiple vessels in a fleet, are where UR E27 compliance meets its hardest test. A single compromised vendor credential can be replayed against dozens of ships. Enforcing unique, time-limited credentials for third-party OEM access, with automated revocation once the service visit ends, is technically achievable but organizationally demanding. That gap between "achievable" and "implemented" is where incidents happen.
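The paragraph above names the control but not how to build it. The Python below is an added example written for this post, not vendor or project code, of one way to enforce it: shore issues a vendor credential bound to one vendor, one vessel (by IMO number) and one service window, tagged with HMAC-SHA256 under a key derived per vessel, so the same credential replayed against a sister ship fails, it stops working on its own when the window ends, and the vessel can revoke it by identifier once the job is done. The root key, IMO numbers and vendor name are constructed, and the key-derivation scheme is an assumption for the example, not something UR E27 prescribes.

```python
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag appended to every credential

# Constructed root key for the example only. In a real fleet this lives in
# the shore-side issuance service (ideally an HSM) and never goes on board.
FLEET_ROOT_KEY = bytes.fromhex("1f" * 32)


def derive_vessel_key(fleet_root_key: bytes, imo: str) -> bytes:
    """Per-vessel key. A vessel only ever holds its own derived key, so a key
    lifted from one ship can neither mint nor validate credentials for another."""
    return hmac.new(fleet_root_key, b"vessel-key:" + imo.encode(), hashlib.sha256).digest()


def issue_vendor_credential(fleet_root_key: bytes, vendor: str, imo: str,
                            ttl_seconds: int, now: int) -> str:
    """Shore-side: mint a credential bound to one vendor, one vessel and one
    service window. The jti lets the vessel revoke it after the job."""
    claims = {"jti": secrets.token_hex(8), "vendor": vendor, "imo": imo,
              "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(derive_vessel_key(fleet_root_key, imo), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def credential_id(token: str) -> str:
    """jti of a credential, used by shore or the vessel to revoke it."""
    return json.loads(base64.urlsafe_b64decode(token)[:-TAG_LEN])["jti"]


class VesselVerifier:
    """On-board: validates vendor credentials with the vessel's own key."""

    def __init__(self, vessel_key: bytes, imo: str):
        self.key = vessel_key
        self.imo = imo
        self.revoked = set()   # synced from shore whenever a link is available

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def validate(self, token: str, now: int):
        """Return (True, vendor) on success or (False, reason) on failure."""
        try:
            raw = base64.urlsafe_b64decode(token)
        except (ValueError, TypeError):
            return False, "malformed"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # constant-time compare; fails for forgeries and for credentials
        # issued to a different vessel, since those were tagged under another key
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        claims = json.loads(body)           # safe: the tag has been verified
        if claims.get("imo") != self.imo:
            return False, "wrong vessel"    # defence in depth, should be unreachable
        if now >= claims["exp"]:
            return False, "expired"         # the backstop when revocation sync is late
        if claims["jti"] in self.revoked:
            return False, "revoked"
        return True, claims["vendor"]


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the cases the post worries about. IMO numbers are constructed."""
    vessel_a = VesselVerifier(derive_vessel_key(FLEET_ROOT_KEY, "9000001"), "9000001")
    vessel_b = VesselVerifier(derive_vessel_key(FLEET_ROOT_KEY, "9000002"), "9000002")
    token = issue_vendor_credential(FLEET_ROOT_KEY, "oem-navigation", "9000001",
                                    ttl_seconds=8 * 3600, now=now)
    results = {
        "valid_on_issued_vessel": vessel_a.validate(token, now + 60),
        "replayed_on_sister_vessel": vessel_b.validate(token, now + 60),
        "after_service_window": vessel_a.validate(token, now + 8 * 3600),
        "garbage": vessel_a.validate("not-a-token", now),
    }
    # attacker rewrites the IMO claim but cannot recompute the tag for vessel B
    raw = base64.urlsafe_b64decode(token)
    forged_body = raw[:-TAG_LEN].replace(b"9000001", b"9000002")
    forged = base64.urlsafe_b64encode(forged_body + raw[-TAG_LEN:]).decode()
    results["forged_for_sister_vessel"] = vessel_b.validate(forged, now + 60)
    # job done: shore pushes the revocation and the vessel applies it
    vessel_a.revoke(credential_id(token))
    results["after_revocation"] = vessel_a.validate(token, now + 60)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} -> {outcome}")
```

The per-vessel key derivation is what removes the fleet-wide replay problem: a verifier key copied off one ship validates nothing on another. Expiry is the backstop for the connectivity gaps described earlier; if the revocation push never reaches the vessel, the credential still stops working at the end of the service window, which is why the window should be sized to the job and not to the voyage.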
---
How many vessels in your fleet are still running factory-default credentials on systems that were commissioned more than two years ago? It may be worth checking before an inspector — or an attacker — does.
---
📌 Post 4/41 in my IACS UR E27 series — breaking down all 41 requirements

#CredentialManagement #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #DefaultCredentials #OTSecurity