
# [IACS UR E27] FR1 Identification & Authentication - Wireless Access Management
---
Could a crew member's personal tablet be the entry point for your next cyber incident? On modern vessels, the answer is no longer hypothetical.
---
**The Requirement**
IACS UR E27 mandates that every participant communicating over a wireless channel — whether a person, process, or device — must be uniquely identified and authenticated before gaining network access. No exceptions for convenience, and no shared or anonymous credentials.
---
**Why It Matters for Ships**
Vessels are rapidly expanding wireless infrastructure to support remote diagnostics, condition monitoring, and portable maintenance tools. That convenience introduces real exposure.
→ A rogue access point connected to an engine room switch can silently bridge your OT network to an unauthenticated device
→ Contractor laptops and service tablets brought aboard for a port call often bypass the authentication controls applied to fixed workstations
→ IoT sensors on cargo refrigeration or ballast water systems may authenticate to nothing at all under legacy configurations
Without wireless-specific controls, your wired network policy is only as strong as the weakest wireless link attached to it.
---
**IEC 62443-3-3 Technical Context**
SR 1.6 mirrors the foundational identity principles of SR 1.1 (user identification and authentication) but extends them explicitly to all wireless-capable devices and communication processes. The Security Level mapping matters here:
→ SL 1 — Basic wireless authentication (e.g., WPA2-PSK with managed passphrases)
→ SL 2 — Device-level authentication, certificate-based or EAP methods
→ SL 3 — Mutual authentication between device and network infrastructure
→ SL 4 — Cryptographically assured identity with hardware-backed credentials
SR 1.6 applies to 802.11 Wi-Fi, Bluetooth, and private LTE networks — all of which are increasingly deployed across modern commercial vessels for operational and crew connectivity.
---
**Implementation Insight** 🔐
One practical challenge: vessels operating 802.1X port-based authentication for wired networks often discover their wireless controllers are still running shared-key authentication — a configuration gap that survives multiple audits. Aligning wireless authentication to the same certificate infrastructure as wired access is achievable, but requires deliberate policy scoping that separates crew welfare networks from operational technology zones.
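
An added example, not part of the original post: a small audit that maps each WLAN in a controller export onto the SL tiers listed above and flags networks still on shared-key or open authentication below their zone's target. The CSV layout, column names, SSIDs and per-zone target levels are constructed assumptions, and treating only EAP-TLS as mutual authentication is a simplification.

```python
import csv
import io

# Constructed sample export. The CSV layout, column names and SSIDs are
# assumptions for illustration, not any controller vendor's real format.
INVENTORY = """ssid,zone,key_mgmt,eap_method,hw_backed_key
ENGINE-MON,ot,WPA2-PSK,,no
BRIDGE-NAV,ot,WPA2-EAP,PEAP,no
CARGO-REEFER,ot,OPEN,,no
BALLAST-CTL,ot,WPA3-EAP,EAP-TLS,yes
CREW-WELFARE,crew,WPA2-PSK,,no
"""

# Assumed per-zone targets; set these from your own zone and conduit risk assessment.
REQUIRED_SL = {"ot": 2, "crew": 1}
MUTUAL_CERT_METHODS = {"EAP-TLS"}  # client and server both present certificates


def achieved_sl(row):
    """Map one WLAN's authentication onto the post's SL tiers (0 = none)."""
    key_mgmt = row["key_mgmt"].strip().upper()
    method = row["eap_method"].strip().upper()
    if key_mgmt.endswith(("PSK", "SAE")):
        return 1  # shared passphrase: no per-device identity
    if key_mgmt.endswith("EAP"):
        if method in MUTUAL_CERT_METHODS:
            hw = row["hw_backed_key"].strip().lower() == "yes"
            return 4 if hw else 3
        return 2 if method else 0  # EAP with no method recorded is unverifiable
    return 0  # open or unrecognised: treat as unauthenticated


def audit(inventory_csv, required=REQUIRED_SL):
    """Return (ssid, zone, achieved, required) for WLANs below their zone target."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        zone = row["zone"].strip().lower()
        target = required.get(zone, max(required.values()))  # unknown zone: strictest
        level = achieved_sl(row)
        if level < target:
            findings.append((row["ssid"], zone, level, target))
    return findings


if __name__ == "__main__":
    for ssid, zone, level, target in audit(INVENTORY):
        print(f"{ssid}: zone={zone} achieves SL {level}, target SL {target}")
```

Raising the `ot` target to 3 also flags `BRIDGE-NAV`, whose PEAP setup does not count as mutual certificate authentication in this mapping.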
---
What wireless devices aboard your vessels are currently authenticating to your OT network — and do you actually know all of them?
---
📌 Post 5/41 in my IACS UR E27 series — breaking down all 41 requirements
---

#WirelessSecurity #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #NetworkSecurity #OTSecurity #ShipSecurity