
[IACS UR E27] FR2 Use Control - Audit Storage Capacity

by 하늘이데아 2026. 5. 14.


 

# Post 14/41 — Audit Storage Capacity

---

When a cyber incident occurs on a vessel three weeks into an offshore voyage, how confident are you that the logs you need still exist?

 

---

 

**IACS UR E27 requires that every Computer-Based System aboard a vessel allocates sufficient storage for audit records before operations begin** — not after a storage failure is discovered. Overflow prevention must be built in: pre-emptive capacity alerts, automatic log rotation, or remote archival. Reactive storage expansion is not an acceptable strategy.

 

---

 

Consider a bulk carrier on a 28-day Pacific crossing with no reliable satellite connectivity. Every ECDIS interaction, network authentication event, and control system alarm is generating audit data continuously. If storage wasn't sized for that voyage duration at departure, logs begin overwriting themselves silently — and no one knows what was lost until an investigator needs exactly those records.

 

That silent gap is not a minor compliance footnote. It is a blind spot that can make incident response, insurance claims, and flag state investigations effectively impossible.

 

---

 

IEC 62443-3-3 SR 2.9 maps directly to this requirement across all four Security Levels, with escalating obligations:

 

SL 1 — Audit storage must be adequate for operational needs

SL 2 — Systems must generate capacity threshold alerts before overflow occurs

SL 3/4 — Automated archival to secondary or remote storage is mandated

 

For offshore and deep-sea vessels, SL 2 alerting alone is insufficient if there is no one monitoring those alerts or no bandwidth to act on them. SL 3+ automated archival becomes practically essential — even for systems nominally classified at lower security levels — given the connectivity realities of maritime operations.

 

---

 

🛠️ A practical starting point: storage pre-allocation should be calculated from the vessel's longest anticipated voyage segment, multiplied by the peak daily audit event volume across all CBS — not average volume. This buffer should be validated during commissioning and re-validated after any major system change or new sensor integration.
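The sizing rule above, combined with a pre-emptive headroom check that weighs free space against the days left until arrival, as an added example that is not code from the original post or from IACS. The `CBS` class, the function names, the 80% alert threshold and all sample figures are assumptions made for illustration; the 28-day segment is taken from the bulk carrier scenario.

```python
from dataclasses import dataclass

MIB, GIB = 1024**2, 1024**3

@dataclass
class CBS:
    name: str
    peak_daily_bytes: int      # peak (not average) audit volume per day
    allocated_bytes: int       # storage reserved for audit records
    used_bytes: int = 0

def sizing_shortfalls(systems, longest_segment_days):
    """Departure check: {name: missing bytes} for each CBS whose allocation
    is below longest voyage segment x peak daily audit volume."""
    gaps = {}
    for s in systems:
        gap = s.peak_daily_bytes * longest_segment_days - s.allocated_bytes
        if gap > 0:
            gaps[s.name] = gap
    return gaps

def headroom_status(cbs, days_remaining, alert_fraction=0.8):
    """Underway check. ARCHIVE_NOW: at peak rate the store fills before
    arrival. ALERT: fixed usage threshold crossed. Otherwise OK."""
    free = cbs.allocated_bytes - cbs.used_bytes
    if cbs.peak_daily_bytes > 0 and free / cbs.peak_daily_bytes < days_remaining:
        return "ARCHIVE_NOW"
    if cbs.used_bytes >= alert_fraction * cbs.allocated_bytes:
        return "ALERT"
    return "OK"

# Constructed sample fleet; every figure here is illustrative.
FLEET = [
    CBS("ecdis", 200 * MIB, 8 * GIB, used_bytes=7 * GIB),
    CBS("network-auth", 500 * MIB, 10 * GIB),
    CBS("control-alarms", 50 * MIB, 2 * GIB),
]

if __name__ == "__main__":
    for name, gap in sizing_shortfalls(FLEET, 28).items():
        print(f"{name}: under-allocated by {gap / GIB:.2f} GiB for a 28-day segment")
    for s in FLEET:
        print(f"{s.name}: {headroom_status(s, days_remaining=10)}")
```

A fixed percentage alert alone would report the sample ECDIS store as merely `ALERT`; projecting exhaustion against the days remaining shows it cannot last a further ten days and must be archived or rotated now.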

 

---

 

How is your organisation sizing OT audit storage — and does that calculation account for satellite blackout periods, or only for connectivity-available operations?

 

---

 

📌 Post 14/41 in my IACS UR E27 series — breaking down all 41 requirements

 

#LogManagement #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #StorageManagement #SIEM #OTSecurity #OffshoreOperations
