
# The USB Drive That Stopped a Vessel
A service engineer plugs in a laptop to run a routine software update on an engine management system. Within minutes, malware that had been dormant on that device for months begins moving laterally across the vessel's OT network.
No firewall stopped it. No one planned for it. And it happens more often than the industry admits.
**What UR E27 Requires**
IACS UR E27 — under Foundational Requirement 2 (Use Control) — mandates that the use of portable and mobile devices be actively controlled on all Computer-Based Systems (CBS) aboard vessels. This means USB drives, maintenance laptops, and tablets must be registered and authorized before any connection to shipboard CBS is permitted. Code and data transfers are not optional events — they require deliberate, governed processes.
**Why This Matters at Sea**
Every dry-dock period brings a wave of outside engineers — each arriving with their own devices. A single unscanned laptop connecting to a propulsion control system, ballast water management panel, or ECDIS workstation can introduce malware that persists undetected for months. Unlike an office IT environment, a vessel at sea cannot simply "call the IT department" when something goes wrong. The consequences range from degraded navigational systems to loss of machinery control — operationally and commercially catastrophic.
**The IEC 62443-3-3 Technical Context**
SR 2.3 within IEC 62443-3-3 directly targets this vector. At SL 1, basic awareness and policy-level controls are expected. SL 2 introduces technical enforcement — device whitelisting, port blocking, and transfer logging. SL 3 adds stricter authorization workflows and integration with broader access control frameworks. SL 4 demands near-complete restriction with cryptographic verification of any permitted device. For most commercial vessels, a credible SL 2 posture here is achievable and meaningful — but it requires technical controls, not just written procedures.
**Implementation in Practice**
One of the most effective — and underused — controls is the USB device whitelist enforced at the CBS endpoint level, combined with a shore-side pre-scanning requirement before any device is permitted aboard. Some operators are now implementing portable device registers as part of their Safety Management Systems, treating a third-party laptop like a piece of equipment requiring an entry permit. 🔒
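The following is an added illustration, not code from the original post or from any classification society or vendor: a minimal portable-device register of the kind described above, with an endpoint-side attach check that tightens as the target security level rises (SL 1 policy-only logging, SL 2 whitelist and transfer logging, SL 3 recorded authorisation, SL 4 cryptographic verification of the register entry). The record schema, the HMAC key, the seven-day scan-validity window and the device identifiers are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed demo key. Shore-side signs register entries with it; the shipboard
# endpoint holds it only to verify them. Not a production secret.
REGISTER_KEY = b"constructed-demo-key"

# Constructed policy value: a shore-side scan older than this is treated as stale.
SCAN_VALIDITY_DAYS = 7


@dataclass(frozen=True)
class DeviceRecord:
    """One entry in the portable device register (hypothetical schema)."""
    vendor_id: str     # USB vendor id as a hex string
    product_id: str    # USB product id as a hex string
    serial: str
    owner: str         # engineer or contractor responsible for the device
    scanned_on: date   # date of the shore-side malware scan
    approved_by: str   # who authorised the device for this port call ("" if nobody)
    signature: str = ""  # HMAC over the other fields, set when issued shore-side

    def canonical(self) -> bytes:
        """Stable byte encoding of the signed fields."""
        body = {k: v for k, v in self.__dict__.items() if k != "signature"}
        body["scanned_on"] = self.scanned_on.isoformat()
        return json.dumps(body, sort_keys=True).encode()

    def key(self):
        return (self.vendor_id.lower(), self.product_id.lower(), self.serial)


def issue_record(record: DeviceRecord, key: bytes = REGISTER_KEY) -> DeviceRecord:
    """Shore-side step: sign the entry so the endpoint can verify it at SL 4."""
    sig = hmac.new(key, record.canonical(), hashlib.sha256).hexdigest()
    return replace(record, signature=sig)


def build_register(records):
    """Index issued records by (vid, pid, serial) for endpoint lookup."""
    return {r.key(): r for r in records}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_attach(vid, pid, serial, register, today, level, key=REGISTER_KEY):
    """Endpoint-side check on a USB attach event, tiered by target security level."""
    if level <= 1:
        # SL 1: policy-level control only; the attach is logged but not blocked.
        return Decision(True, "SL1: policy only, attach logged")
    rec = register.get((vid.lower(), pid.lower(), serial))
    if rec is None:
        # SL 2: whitelist enforcement; unregistered devices are blocked.
        return Decision(False, "device not in register")
    if today - rec.scanned_on > timedelta(days=SCAN_VALIDITY_DAYS):
        return Decision(False, "shore-side scan stale")
    if level >= 3 and not rec.approved_by:
        # SL 3: a recorded authorisation is required, not just presence in the list.
        return Decision(False, "SL3: no recorded authorisation")
    if level >= 4:
        # SL 4: the register entry itself must verify against the shore-side key.
        expected = hmac.new(key, rec.canonical(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.signature):
            return Decision(False, "SL4: register entry signature invalid")
    return Decision(True, "device authorised")


def log_line(vid, pid, serial, decision, today) -> str:
    """Attach/transfer log entry (JSON line) for the vessel's audit record."""
    return json.dumps({"date": today.isoformat(), "vid": vid, "pid": pid,
                       "serial": serial, "allowed": decision.allowed,
                       "reason": decision.reason}, sort_keys=True)


def demo():
    """Constructed sample run: one registered device, several attach scenarios."""
    known = issue_record(DeviceRecord("abcd", "1234", "SN-CONSTRUCTED-001",
                                      "J. Engineer", date(2026, 5, 10), "CSO"))
    unapproved = issue_record(DeviceRecord("abcd", "1234", "SN-CONSTRUCTED-002",
                                           "K. Contractor", date(2026, 5, 11), ""))
    tampered = replace(known, owner="someone else")  # signature no longer matches
    reg = build_register([known, unapproved])
    today = date(2026, 5, 13)
    ev = lambda serial, level, r=reg, d=today: evaluate_attach("abcd", "1234", serial, r, d, level)
    return {
        "sl1_unknown": ev("SN-UNREGISTERED", 1),
        "sl2_known": ev("SN-CONSTRUCTED-001", 2),
        "sl2_unknown": ev("SN-UNREGISTERED", 2),
        "sl2_stale": ev("SN-CONSTRUCTED-001", 2, d=date(2026, 6, 1)),
        "sl2_unapproved": ev("SN-CONSTRUCTED-002", 2),
        "sl3_unapproved": ev("SN-CONSTRUCTED-002", 3),
        "sl4_valid": ev("SN-CONSTRUCTED-001", 4),
        "sl4_tampered": ev("SN-CONSTRUCTED-001", 4, r=build_register([tampered])),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, log_line("abcd", "1234", "-", decision, date(2026, 5, 13)))
```

The point the example makes is the one the post makes: a written register alone gives SL 1; blocking on `evaluate_attach` at the CBS endpoint is what turns it into an SL 2 control, and the signed entry is what an SL 4 posture would add so that a tampered or locally fabricated register line cannot authorise a device.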
The gap between policy and enforcement remains the critical failure point.
How does your organization actually verify that a service engineer's laptop is clean before it touches shipboard OT — and do you have the technical controls to enforce it, or only the paperwork?
📌 Post 10/41 in my IACS UR E27 series — breaking down all 41 requirements

#MobileDeviceSecurity #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #USB #EndpointControl