
**A shore-side attacker doesn't need to sleep. Your ship's login portal shouldn't let them keep trying indefinitely.**
Most maritime OT systems facing the internet have no limit on failed login attempts. That's not an oversight — it's an open invitation to brute-force every credential on board.
**What UR E27 Requires**
For any computer-based system (CBS) with untrusted network interfaces, IACS UR E27 mandates a hard technical limit on consecutive failed login attempts within a defined time window. Once that threshold is breached, the system must lock out the account or throttle access automatically — no exceptions, no manual intervention required.
**Why This Matters at Sea**
A vessel's ECDIS, remote monitoring gateway, or crew-facing network portal may be reachable from the open internet. Shore-side threat actors running credential-stuffing tools can attempt thousands of password combinations per minute.
Without lockout controls, a single exposed system becomes a persistent target. A successful brute-force entry into an OT system at sea — where response time is measured in hours, not minutes — can mean loss of navigational control, machinery manipulation, or disruption of safety systems with no immediate expert support available.
The geography of maritime operations makes recovery from a breach uniquely costly.
**IEC 62443-3-3 Technical Context**
SR 1.11 is classified as an SL-2 through SL-4 requirement in IEC 62443-3-3, reflecting that brute-force prevention is considered a baseline for any system exposed to adversaries with meaningful capability — which describes every internet-facing shipboard system by default.
The standard calls for:
→ A configurable maximum consecutive failure threshold (typically 3–5 attempts)
→ Automatic lockout or IP-based rate limiting upon threshold breach
→ Configurable lockout duration to balance security with operational continuity
→ Immediate alerting on repeated failures as a brute-force indicator
UR E27 applies this specifically to CBS with untrusted network access, closing a gap that UR E26 does not address.
**Implementation Insight 🔒**
The real maritime challenge isn't enabling lockout — it's calibrating it. Set the threshold too low and a legitimate engineer locked out in port at 02:00 becomes an operational crisis. Set it too high and the protection is meaningless. Pairing account lockout with IP-based throttling and out-of-band alerting to the vessel's cybersecurity officer gives you control without crippling access.
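The calibration described above, as an added example that is not from the original post or any vendor product: a constructed login guard that combines a configurable consecutive-failure threshold within a time window, a lockout duration, per-source-IP throttling, and an alert hook for the vessel's cybersecurity officer. The class, account and IP values are assumptions made for illustration.

```python
from collections import defaultdict, deque
import time


class LoginGuard:
    """Consecutive-failure lockout plus per-IP throttling and alerting.

    Constructed example modelled on IEC 62443-3-3 SR 1.11 / UR E27; not a
    vendor implementation. All four knobs are configurable so the threshold
    and lockout can be tuned to the ship's operational realities.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, ip_limit=20, alert=None):
        self.max_failures = max_failures  # consecutive failures before lockout
        self.window = window              # seconds in which failures are counted
        self.lockout = lockout            # seconds the account stays locked
        self.ip_limit = ip_limit          # failures per window before source IP is throttled
        self.alert = alert or (lambda msg: None)  # out-of-band alert hook (assumed)
        self.failures = defaultdict(deque)    # account -> failure timestamps
        self.locked_until = {}                # account -> unlock time
        self.ip_failures = defaultdict(deque)  # source IP -> failure timestamps

    def _prune(self, dq, now):
        # Drop failures that fall outside the counting window
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def check(self, account, ip, now=None):
        """Gate to evaluate before the credential is verified: 'locked', 'throttled' or 'ok'."""
        now = time.time() if now is None else now
        if self.locked_until.get(account, 0) > now:
            return "locked"
        self._prune(self.ip_failures[ip], now)
        if len(self.ip_failures[ip]) >= self.ip_limit:
            return "throttled"  # IP throttling works across accounts, not just one
        return "ok"

    def record_failure(self, account, ip, now=None):
        """Count a failed attempt; lock the account automatically when the threshold is reached."""
        now = time.time() if now is None else now
        dq = self.failures[account]
        self._prune(dq, now)
        dq.append(now)
        self.ip_failures[ip].append(now)
        if len(dq) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            dq.clear()
            self.alert(f"lockout: {account} after {self.max_failures} failures from {ip}")
            return "locked"
        return "ok"

    def record_success(self, account):
        # A successful login resets the consecutive-failure counter
        self.failures.pop(account, None)
```

The lockout expires on its own after `lockout` seconds, so a legitimate engineer locked out in port regains access without manual intervention, while the alert still reaches the officer.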
How does your organization currently balance brute-force protection with the operational realities of unmanned machinery spaces and remote access support?

📌 Post 33/41 in my IACS UR E27 series — breaking down all 41 requirements