
[IACS UR E27] FR2 Use Control - Mobile Code Control

by 하늘이데아 2026. 5. 13.

# Post 11/41 — Mobile Code Control

 

---

 

A PDF attachment opens on a bridge workstation. No warning. No prompt. And somewhere in that file, a script just ran.

 

---

 

**IACS UR E27 demands that every Computer-Based System (CBS) aboard a vessel controls the use of mobile code technologies.** JavaScript, ActiveX, PDF-embedded scripts — none of these should execute unless they come from an explicitly approved source and serve an approved purpose. Mobile code capabilities that the system does not need must be disabled outright, not merely restricted by policy.

 

---

 

This matters more on ships than most operators realize. Modern vessel HMIs increasingly run on browser-based interfaces, the same architecture that exposes enterprise web applications to active-content attacks. At sea there is no IT helpdesk to call, no patch deployed in the next fifteen minutes, and no clean failover if a script silently exfiltrates your ECDIS configuration or corrupts a cargo management parameter. A silent payload executing in a web-based HMI is not a nuisance ticket; it is an operational incident the crew has to contain themselves, with the vessel under way.

 

---

 

IEC 62443-3-3 SR 2.4 (Mobile code) is the requirement UR E27 draws on here. The base requirement already applies at SL 1, and it is a technical capability, not a documented policy: the system must be able to prevent mobile code from executing, require authentication and authorization of the code's origin, restrict mobile code transfer to and from the system, and monitor its use. From SL 2 upward, RE 1 adds a mobile code integrity check, meaning the code is verified (for example against a signature) before it is allowed to run. Two clarifications worth keeping straight: SR 2.3 is use control for portable and mobile devices (USB storage, service laptops), not mobile code, so the two requirements close different entry points and both are needed; and application allowlisting on the host does not substitute for SR 2.4, because a script running inside an already-allowed application (the browser, the PDF reader) never appears as a new executable.

 

---

 

🔒 In practice, one of the harder implementation challenges in maritime OT is legacy HMI systems that were built assuming unrestricted browser functionality. Retrofitting mobile code controls onto an older SCADA web interface without breaking legitimate operator workflows usually means reviewing its Content-Security-Policy directive by directive (script sources, plug-in content, base URI) and tightening each one, a review that vendors may not support or document. Procurement teams must ask for this capability explicitly during newbuild and retrofit contracting.
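To make that review concrete, here is a small CSP auditor as an added example; it is not code from the original post, from IACS, or from any HMI vendor. It parses a Content-Security-Policy header value the way a browser does (first occurrence of a directive wins, fallback to `default-src` where the spec allows it), then flags the things that matter for mobile code on an operator workstation: script sources that permit `*`, `'unsafe-inline'` or `'unsafe-eval'`, plug-in content (`<object>`/`<embed>`, the path ActiveX and PDF viewers use) not set to `'none'`, and a missing `base-uri`. The two policy strings at the bottom are constructed samples, one typical of a legacy web HMI and one hardened.

```python
"""Audit a Content-Security-Policy (CSP) header value for mobile-code exposure.

Added example for this post; not code from the original page, IACS, or any
HMI vendor. The policy strings at the bottom are constructed samples. In a
real review the header value comes from the HMI's HTTP response, e.g.
    curl -sI https://<hmi>/ | grep -i content-security-policy
A Content-Security-Policy-Report-Only header only reports and blocks nothing,
so it does not count as technical enforcement.
"""
from __future__ import annotations

# Each directive falls back to the next entry in its chain when absent.
# base-uri has no default-src fallback, per the CSP specification.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "object-src": ("object-src", "default-src"),
    "base-uri": ("base-uri",),
}
# Source expressions that re-open script execution to untrusted content.
UNSAFE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored (first one wins),
    which matches how browsers parse the header.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Resolve a directive through its fallback chain.

    Returns (directive actually applied, sources), or (None, None) when nothing
    in the chain is set, i.e. the browser applies no restriction at all.
    """
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return name, policy[name]
    return None, None


def audit_csp(header: str) -> list[str]:
    """Return findings for a CSP header value; an empty list means the policy
    enforces every control this check looks for."""
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy: any script the page carries will run"]
    findings: list[str] = []

    # 1. Script execution: pinned to approved origins, no inline/eval escape.
    seen: set[tuple[str, str]] = set()
    for directive in ("script-src-elem", "script-src-attr"):
        applied, sources = effective_sources(policy, directive)
        if applied is None:
            findings.append(f"{directive}: unrestricted (no directive, no default-src)")
            continue
        # CSP2+: a nonce or hash makes browsers ignore 'unsafe-inline', and
        # 'strict-dynamic' makes them ignore host and scheme sources.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        strict_dynamic = "'strict-dynamic'" in sources
        for src in sources:
            if src not in UNSAFE_SOURCES:
                continue
            if src == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if src in {"*", "http:", "https:", "data:"} and strict_dynamic:
                continue
            if (applied, src) not in seen:
                seen.add((applied, src))
                findings.append(f"script execution ({applied}) permits {src}")

    # 2. Plug-in content (<object>/<embed>: ActiveX, Flash, PDF viewers) must be
    #    blocked outright; anything other than exactly 'none' is a finding.
    applied, sources = effective_sources(policy, "object-src")
    if sources != ["'none'"]:
        shown = f"{sources} via {applied}" if applied else "nothing (unrestricted)"
        findings.append(f"object-src resolves to {shown}; expected 'none'")

    # 3. Without base-uri, an injected <base> tag redirects every relative
    #    script URL to an attacker-chosen host, bypassing script-src 'self'.
    sources = policy.get("base-uri")
    if sources is None or not set(sources) <= {"'none'", "'self'"}:
        findings.append(f"base-uri is {sources}; expected 'none' or 'self'")
    return findings


# Constructed samples: a permissive policy of the kind found on legacy web
# HMIs, and a hardened policy for an operator workstation.
LEGACY_HMI_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:"
HARDENED_HMI_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                    "base-uri 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, csp in (("legacy", LEGACY_HMI_CSP), ("hardened", HARDENED_HMI_CSP)):
        print(f"[{label}]")
        for finding in audit_csp(csp) or ["no findings"]:
            print("  -", finding)
```

Run against the legacy sample it reports five findings (wildcard, inline and eval script sources, unrestricted plug-in content, no `base-uri`); the hardened sample reports none. The useful part for a retrofit is that the checker resolves fallbacks the way the browser does, so a vendor's "we set `script-src 'self'`" claim is tested against what actually reaches `object-src` and `base-uri`, which is where legacy interfaces are usually still open.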

 

---

 

How many vessel operators can confirm today that PDF scripts and JavaScript are technically disabled on every CBS aboard — not just policy-restricted, but technically blocked? That gap between policy intent and technical enforcement is where attacks live.

 

---

 

📌 Post 11/41 in my IACS UR E27 series — breaking down all 41 requirements

 

---

#MobileCode #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #WebSecurity #HMISecurity
