
# Post 23/41 — Audit Log Accessibility
When a cyber incident strikes your vessel, the first question investigators ask is: "Can we see the logs?" The answer should never be "not right now."
---
IACS UR E27 requires that authorized personnel and tools can access audit logs on a read-only basis — and that this access is timely. Logs that exist but cannot be reached when needed offer no protection. Read-only access is non-negotiable: investigators observe, they do not alter.
---
Consider a vessel arriving at port following a suspicious navigation system anomaly. Flag state auditors board within hours. Shore-based forensic consultants need remote access. Your P&I insurer's incident team is asking for records. If log access is blocked by connectivity limitations, procedural approvals, or system architecture — the investigation stalls, liability exposure grows, and the forensic window closes. On a vessel, these delays are not inconveniences; they are compounding failures.
---
IEC 62443-3-3 SR 6.1 frames log accessibility as the operational backbone of the entire incident response chain.
→ SL 1 requires that authorized users can access logs locally on a read-only basis
→ SL 2 adds the capability for remote read-only access — critical given that most maritime incidents are reviewed from shore
→ SL 3 and SL 4 require real-time log streaming to authorized external systems, enabling a shore-based Security Operations Centre to monitor vessel activity live without waiting for port calls
The jump from SL 1 to SL 2 is where many vessel systems currently fall short.
---
🔍 One practical challenge: many OT systems aboard vessels were never designed with remote log export in mind. A common implementation approach is deploying a dedicated log aggregation node within the vessel's network that pulls from CBS components and exposes a read-only interface — either for onboard investigators or for secure tunnel transmission to a shore SOC. This decouples log access from operational system availability and prevents access attempts from touching production assets.
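A sketch of the read-only interface such an aggregation node could expose, as an added example rather than code from this series or from any vendor product. The directory `/var/log/vessel-aggregate`, port 8514 and the handler name are assumptions, and authentication and the secure tunnel to shore are assumed to be handled by a proxy in front of it.

```python
import os
import tempfile
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

LOG_ROOT = Path("/var/log/vessel-aggregate")  # assumed aggregation directory

def resolve_log(root: Path, url_path: str):
    """Return the file under root named by url_path, or None if it escapes root."""
    root = root.resolve()
    candidate = (root / url_path.lstrip("/")).resolve()  # follows symlinks and ".."
    if root not in candidate.parents or not candidate.is_file():
        return None
    return candidate

def read_log(root: Path, url_path: str):
    """Return (status, body); the file is only ever opened O_RDONLY."""
    target = resolve_log(root, url_path)
    if target is None:
        return 404, b"not found\n"
    with os.fdopen(os.open(target, os.O_RDONLY), "rb") as fh:
        return 200, fh.read()

class ReadOnlyLogHandler(BaseHTTPRequestHandler):
    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Allow", "GET")
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._send(*read_log(LOG_ROOT, self.path))
    def _refuse(self):  # every modifying verb is rejected outright
        self._send(405, b"read-only interface\n")
    do_POST = do_PUT = do_DELETE = do_PATCH = _refuse

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "logs"
        root.mkdir()
        (root / "ecdis.log").write_text("2026-01-01T00:00:00Z login ok (constructed)\n")
        (Path(tmp) / "outside.txt").write_text("not a log\n")
        return tuple(read_log(root, p)[0] for p in
                     ("/ecdis.log", "/../outside.txt", "/missing.log"))

if __name__ == "__main__":  # loopback only; auth/TLS assumed to sit in front
    ThreadingHTTPServer(("127.0.0.1", 8514), ReadOnlyLogHandler).serve_forever()
```

Running the service under an account that has no write permission on the log directory enforces the same read-only property at the operating-system level.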
---
What is your organization's current answer to this question: if an incident occurred at sea tonight, how quickly could your shore team access vessel logs — and through what mechanism?
---
📌 Post 23/41 in my IACS UR E27 series — breaking down all 41 requirements
---

#AuditAccess #IACS #URE27 #IEC62443 #MaritimeCyberSecurity #IncidentResponse #SOC