
**A warning banner isn't just a legal formality — on a vessel with remote access to critical OT systems, it may be the only line of defence that holds up in court.**
IACS UR E27 requires that Computer-Based Systems with untrusted network interfaces display a system use notification *before* authentication occurs. Not after login. Not buried in a terms-of-use document. Before any credentials are entered — every single time.
This matters enormously at sea. Vessel OT environments — ECDIS, propulsion control, ballast management — are increasingly reachable via satellite links, remote vendor access, and crew Wi-Fi pathways. When an unauthorised party probes or penetrates one of those systems, the absence of a pre-login warning banner can complicate the ship operator's legal position significantly. Without it, the argument that the intruder "didn't know" the system was restricted and monitored becomes much harder to defeat. Onboard, where incidents may unfold thousands of miles from shore-side legal support, that matters.
⚖️ IEC 62443-3-3 SR 1.12 addresses this directly — and it applies across all four Security Levels (SL 1 through SL 4). The requirement is consistent regardless of the threat sophistication the system is designed to withstand. SR 1.12 mandates two essential elements: an explicit statement that access is authorised use only, and a clear notice that monitoring and activity recording are active. The reasoning is deliberate — by surfacing this notice before authentication, the system places every user, including those who should never be there, on formal legal notice. That notice creates the foundation for civil and criminal action if unauthorised access is later confirmed.
In practice, maritime OT implementation carries a specific challenge. Many legacy shipboard systems — PLCs, HMI terminals, integrated bridge components — were never designed with pre-login notification screens. Retrofitting a compliant banner requires either vendor-supported firmware updates or, where that's not feasible, an intermediate access layer such as a jump host or remote access gateway that presents the banner before the underlying system is reached. This gateway approach is increasingly common and pragmatic where direct system modification isn't viable.
→ Pre-login placement is non-negotiable
→ Content must explicitly cover authorised use scope and active monitoring
→ Documentation of banner configuration should be retained as part of the cyber security management evidence trail
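One way to verify the gateway approach, as an added example that is not from the original post: a static audit of a jump host's OpenSSH configuration, whose `Banner` directive makes sshd send a file's contents before authentication. The function names and the keyword patterns are assumptions for illustration; neither standard prescribes exact banner wording.

```shell
#!/bin/sh
# Added example: static audit of a jump host's OpenSSH pre-login banner.
# Keyword patterns are assumptions, not wording mandated by UR E27 or SR 1.12.
# Limitation: reads the file as written; "Match" block overrides are not evaluated.

# Print the value of the first "Banner" directive (sshd uses the first value it reads).
banner_path() {
    awk 'tolower($1) == "banner" { print $2; exit }' "$1"
}

# Return 0 if the banner configured in sshd_config $1 carries both notices.
# Findings are printed one per line so the output can be filed as evidence.
check_banner() {
    path=$(banner_path "$1")
    if [ -z "$path" ] || [ "$path" = "none" ]; then
        echo "FAIL: no pre-authentication Banner configured in $1"; return 1
    fi
    if [ ! -s "$path" ]; then
        echo "FAIL: banner file $path is missing or empty"; return 1
    fi
    rc=0
    grep -Eiq 'authori[sz]ed (use|users?|personnel)' "$path" ||
        { echo "FAIL: no authorised-use statement in $path"; rc=1; }
    grep -Eiq 'monitor' "$path" && grep -Eiq 'record|logged' "$path" ||
        { echo "FAIL: no monitoring and recording notice in $path"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $path states authorised use and monitoring"
    fi
    return "$rc"
}

# Constructed sample: a gateway config and banner text written to a temp dir.
demo() {
    dir=$(mktemp -d)
    printf 'Authorised use only. Activity is monitored and recorded.\n' > "$dir/issue.net"
    printf 'Port 22\nBanner %s/issue.net\n' "$dir" > "$dir/sshd_config"
    check_banner "$dir/sshd_config"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo
```

Run against the gateway's real configuration file, the PASS or FAIL lines can be kept with the banner text as part of the evidence trail.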
What's your experience implementing compliant warning banners on legacy vessel systems — have vendors been forthcoming with support, or is the gateway approach the default reality?

📌 Post 34/41 in my IACS UR E27 series — breaking down all 41 requirements