# Who Can Read Your Cargo Manifest?
If a port agent, competitor, or threat actor can access your vessel's cargo contents, crew data, or proprietary voyage routes — you have a confidentiality failure. And on many ships today, that access requires nothing more than being on the right network segment.
---
**What UR E27 Demands**
IACS UR E27 requires that all sensitive information aboard Computer-Based Systems is protected from unauthorized access — both at rest and in transit. Explicit read authorization must be granted for every user or process accessing sensitive data. Implicit access, inherited permissions, and role-based assumptions are not sufficient.
---
**Why This Matters for Ships**
Vessels hold an unusual concentration of commercially and legally sensitive data: cargo manifests, crew PII, proprietary routing decisions, and commercial charter terms. This data sits across ECDIS systems, vessel management platforms, loading computers, and crew management databases — often on networks designed for operational reliability, not information security.
A crew payroll file stored on an unencrypted shared drive. A cargo manifest accessible to any authenticated user on the ship's LAN. Configuration files for ballast control systems readable by maintenance accounts with no need to know. Each of these is a confidentiality failure waiting to become a liability.
---
**IEC 62443-3-3 Technical Context**
SR 4.1 under IEC 62443-3-3 addresses data confidentiality and applies from Security Level 2 upward — acknowledging that not all OT data requires secrecy, but that sensitive operational data does. The progression matters:
→ SL-2 requires protection of sensitive data at rest and in transit
→ SL-3 adds stronger access enforcement and cryptographic controls
→ SL-4 demands the highest assurance, including protection against sophisticated, state-level adversaries
For maritime OT, this means encryption is not optional for inter-CBS communication channels handling cargo, positioning, or crew data. TLS for data in transit and AES-based encryption at rest are the baseline expectations for systems operating at SL-2 and above.
---
**Implementation Insight**
One consistent challenge: legacy integration between bridge systems and cargo management platforms was built on flat, open protocols. Retrofitting explicit read authorization — particularly granular, data-level access controls rather than system-level access — requires architectural changes that many vessels simply haven't planned for. The earlier this is addressed in newbuild design, the lower the remediation cost.
---
Where does your vessel stand on data-level access controls — and do your inter-system communication channels have encryption in scope for your next class survey?
📌 Post 21/41 in my IACS UR E27 series — breaking down all 41 requirements
#DataConfidentiality #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #DataPrivacy #Encryption
