
**A password is not authentication. It's a username with extra steps.**
When a maintenance engineer dials into a vessel's control network over satellite from a shore-based office — or an OEM technician connects remotely to troubleshoot an engine management system — a password alone tells you almost nothing about who is actually on the other end of that connection.
IACS UR E27 is unambiguous on this point. Any human user accessing a Computer Based System (CBS) from an untrusted network must use Multi-Factor Authentication. No exceptions for role, seniority, or convenience. Satellite-based remote access is explicitly in scope, which covers the vast majority of real-world remote maintenance scenarios in the maritime industry.
The operational implications for ships are significant. Vessels routinely rely on remote access for OEM support, condition monitoring, and software updates — all legitimate, necessary activities. But untrusted networks, by definition, offer no assurance that a credential hasn't been stolen, replicated, or intercepted in transit. A compromised account accessing propulsion controls, ballast systems, or power management from shore is not a theoretical risk. It is a well-documented attack vector in industrial environments, and maritime OT is not exempt.
🔐 IEC 62443-3-3 SR 1.1 RE2 (multifactor authentication for untrusted networks) is a Security Level 3 requirement enhancement within the IEC 62443 framework: it is formally required at SL 3 and SL 4, where the assumed adversary is intentional, skilled and resourced enough to go after credentials. UR E27 goes a step further: it mandates MFA for all human access from untrusted networks regardless of the Security Level assigned to the CBS in question. This reflects a deliberate policy decision: external access is inherently high-risk, and the control environment around it must respond to that reality, not to where a system sits on a compliance matrix.
Acceptable second factors include OTP tokens, PKI certificates, hardware security keys, and biometrics. The principle is consistent: something you know must be paired with something you have or something you are, and the factors must be independent. A password plus a security question is still a single factor (two things you know), and does not satisfy the requirement.
The practical challenge in maritime is infrastructure. Many vessels operate with limited or intermittent connectivity, and deploying hardware tokens or certificate-based authentication across a global fleet requires PKI management, device provisioning, and crew training that shipowners often underestimate. Getting the architecture right before a remote access incident is considerably cheaper than explaining to flag state or class why it wasn't in place.
What is the biggest barrier your organisation faces when implementing MFA for remote OT access — connectivity, procurement, or crew adoption?

📌 Post 31/41 in my IACS UR E27 series — breaking down all 41 requirements