
**What if the logging system that's supposed to protect your vessel… actually sank it?**
In IT security, some systems are designed to halt operations when audit logging fails. On a ship, that design philosophy could kill people.
---
**What UR E27 Requires**
IACS UR E27 mandates that when audit processing fails — whether due to storage exhaustion, software faults, or system overload — Computer-Based Systems aboard vessels must not cascade that failure into a shutdown of essential services. Operations continue. Operators are alerted. The vessel keeps running.
---
**Why This Matters at Sea**
Imagine a vessel's Integrated Navigation System losing its audit log storage mid-voyage in restricted waters. An IT-style "fail-secure" response that freezes the system doesn't protect the ship — it creates the emergency.
Maritime OT operates under a fundamental constraint that shoreside IT does not: the ocean cannot wait for a system restart.
UR E27 recognises this. Operational availability of essential vessel functions is not a compromise on security — it is the security requirement. A vessel that cannot navigate, propel, or communicate is already in a catastrophic state, regardless of how complete its audit trail is.
---
**The IEC 62443-3-3 Technical Layer**
SR 2.10, Response to audit processing failures, is one of the clearest points where IEC 62443-3-3 departs from conventional IT security practice.
The base requirement is the same at every Security Level: the system shall alert personnel and prevent the loss of essential services and functions when audit processing fails. IEC 62443-3-3 defines no requirement enhancements for SR 2.10, so SL 1 through SL 4 all map to the same requirement text. What should change with the target SL is how robust the implemented response is. As a practical maturity ladder (implementation expectations, not wording from the standard):
→ SL 1: Alert generated; operations continue unaffected (the minimum that satisfies the requirement)
→ SL 2: Fallback to a minimal local logging mode for safety-critical events, with alerting
→ SL 3: Automated failover to redundant audit infrastructure, with buffered events replayed on recovery
→ SL 4: Continuous monitoring of the audit pipeline, predefined continuity procedures, and forensic preservation of whatever was captured during the outage
The priority is unambiguous: a temporary gap in the audit trail is accepted; an interruption of essential vessel functions is not. That is the reverse of the usual IT instinct, where a system that cannot write its audit log refuses to operate at all.
---
**Implementation Reality**
The most common gap I see during vessel OT assessments is the absence of a defined fallback logging mode. Systems are either fully logging or not logging at all — with no graceful degradation path. Implementing even a minimal local buffer that captures safety-critical events during primary audit failure, and alerts the officer of the watch immediately, closes a significant compliance and operational risk gap simultaneously.
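As an added illustration of the fallback mode described above (example code written for this post, not from any vessel system or vendor), the following Python contrasts an IT-style "fail-secure" audit logger, which stops the caller when the audit sink fails, with a resilient one that never raises into the essential function, keeps a bounded local buffer of safety-critical events, alerts the officer of the watch, and replays the buffer once the primary sink recovers. The event names, the bounded "disk" sink and the `run_scenario` walkthrough are constructed for the example.

```python
"""Fallback audit logging for a vessel CBS (hypothetical example for this post).

Primary audit storage becomes exhausted mid-sequence. The fail-secure logger
halts the calling function; the resilient logger keeps the function running,
alerts the OOW, buffers safety-critical events and flushes them on recovery.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List

# Event kinds that must survive an audit outage (assumed list for the example).
SAFETY_CRITICAL = {"HEADING_CHANGE", "AUTOPILOT_OVERRIDE", "ALARM_ACK", "LOGIN_FAILURE"}


@dataclass
class AuditEvent:
    kind: str
    detail: str


class PrimarySinkUnavailable(Exception):
    """Raised by the primary audit sink when it can no longer accept events."""


class BoundedDiskSink:
    """Stand-in for audit storage with a fixed capacity (constructed for the example)."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: List[AuditEvent] = []

    def __call__(self, event: AuditEvent) -> None:
        if len(self.entries) >= self.capacity:
            raise PrimarySinkUnavailable("audit storage exhausted")
        self.entries.append(event)


class FailSecureAuditLogger:
    """IT-style behaviour: an audit failure propagates and halts the caller."""

    def __init__(self, sink: Callable[[AuditEvent], None]) -> None:
        self.sink = sink

    def record(self, event: AuditEvent) -> None:
        self.sink(event)  # exception propagates; the essential function stops


class ResilientAuditLogger:
    """SR 2.10 behaviour: alert, degrade to a local buffer, never block operations."""

    def __init__(self, primary: Callable[[AuditEvent], None],
                 alert: Callable[[str], None], buffer_size: int = 256) -> None:
        self.primary = primary
        self.alert = alert                      # e.g. raises an OOW alarm
        self.buffer: Deque[AuditEvent] = deque(maxlen=buffer_size)
        self.degraded = False
        self.dropped = 0                        # events lost while degraded

    def record(self, event: AuditEvent) -> bool:
        """Never raises. Returns True if the event reached the primary sink."""
        if not self.degraded:
            try:
                self.primary(event)
                return True
            except Exception as exc:            # any sink fault enters fallback mode
                self.degraded = True
                self.alert(f"AUDIT FAILURE: {exc}; fallback logging active")
        # Degraded path: keep only safety-critical events, bounded, oldest evicted.
        if event.kind in SAFETY_CRITICAL:
            if len(self.buffer) == self.buffer.maxlen:
                self.dropped += 1
            self.buffer.append(event)
        else:
            self.dropped += 1
        return False

    def try_recover(self) -> int:
        """Called by a watchdog; replays buffered events in order. Returns count flushed."""
        if not self.degraded:
            return 0
        flushed = 0
        while self.buffer:
            try:
                self.primary(self.buffer[0])    # leave event in buffer until it is stored
            except Exception:
                return flushed                  # still down; stay degraded
            self.buffer.popleft()
            flushed += 1
        self.degraded = False
        self.alert(f"Audit sink recovered: {flushed} buffered events flushed, "
                   f"{self.dropped} dropped during outage")
        return flushed


def run_scenario() -> dict:
    """Constructed sequence: storage fills after three events, then is freed."""
    events = [AuditEvent("HEADING_CHANGE", "015 -> 020"), AuditEvent("ALARM_ACK", "GPS loss"),
              AuditEvent("LOGIN_FAILURE", "bridge console"), AuditEvent("HEADING_CHANGE", "020 -> 025"),
              AuditEvent("DISPLAY_DIM", "night mode"), AuditEvent("AUTOPILOT_OVERRIDE", "manual helm")]
    fail_secure = FailSecureAuditLogger(BoundedDiskSink(capacity=3))
    halted = False
    for ev in events:                           # IT-style: the helm loop dies on event 4
        try:
            fail_secure.record(ev)
        except PrimarySinkUnavailable:
            halted = True
            break
    disk, alerts = BoundedDiskSink(capacity=3), []
    resilient = ResilientAuditLogger(disk, alerts.append, buffer_size=8)
    commands = 0
    for ev in events:                           # OT-style: every helm command is processed
        resilient.record(ev)
        commands += 1
    disk.capacity = 10                          # storage freed; watchdog triggers replay
    flushed = resilient.try_recover()
    return {"fail_secure_halted": halted, "fail_secure_processed": len(fail_secure.sink.entries),
            "commands_processed": commands, "alerts": len(alerts), "primary_entries": len(disk.entries),
            "flushed": flushed, "dropped": resilient.dropped, "degraded": resilient.degraded}
```

The design point is in `record`: it is the one place the essential function touches the audit subsystem, and it has no path that raises. Whether to keep non-critical events in the buffer, how large the buffer is, and who gets the alert are the decisions a vessel-specific design has to make explicitly; the example drops non-critical events and sizes the buffer deliberately small so the eviction path is exercised.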
---
**A Question for the Community**
Have you encountered vessel systems where an IT-inherited "fail-secure" logic posed a direct threat to operational safety? How did you resolve the conflict between audit integrity and availability?
📌 Post 15/41 in my IACS UR E27 series — breaking down all 41 requirements

#AuditResilience #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #AvailabilityFirst #FailSafe
Other posts in the 'Security > Maritime Cyber Security' category
| Post | Date |
|---|---|
| [IACS UR E27] FR3 System Integrity - Communication Integrity | 2026.05.15 |
| [IACS UR E27] FR2 Use Control - Timestamps | 2026.05.14 |
| [IACS UR E27] FR2 Use Control - Audit Storage Capacity | 2026.05.14 |
| [IACS UR E27] FR2 Use Control - Auditable Events | 2026.05.13 |
| [IACS UR E27] FR2 Use Control - Session Lock | 2026.05.13 |