[IACS UR E26] Identify – 01 Vessel Asset Inventory

by 하늘이데아 2026. 5. 27.

# 🚢 You Can't Protect What You Don't Know Exists

Most vessels operating today cannot produce a complete, accurate inventory of every OT component aboard. That's not a criticism — it's a structural problem the industry is now being required to solve.

 

**What UR E26 §4.1.1 Requires**

The systems integrator must establish a full asset inventory covering all hardware, software, firmware, and network connections for every Computer-Based System (CBS) in scope — and keep it current from design through decommissioning. This isn't a one-time deliverable. It's a living document the shipowner must maintain, with a Management of Change (MoC) process demonstrating at first annual survey that the inventory has actually been kept up to date.

 

**Why This Is Uniquely Challenging at Sea**

Vessels integrate equipment from dozens of suppliers across propulsion, navigation, cargo, and safety domains — often with minimal cross-system documentation. Unlike a shore-based industrial facility, a ship's OT environment evolves during construction, port calls, and mid-life upgrades with limited configuration control. Network connections between CBS, to other shipboard systems, and to shore-based infrastructure must all be captured and access-controlled — including sensitive items like IP addresses, port numbers, and protocols.

 

**The IEC 62443 Foundation**

IEC 62443-2-1 §4.2.3.4 establishes asset identification as the mandatory first step in building a security management system — nothing downstream is credible without it. More critically, IEC 62443-3-2 requires the asset inventory as the primary input to security zone and conduit definition. If your inventory is incomplete or outdated, your zone boundaries are wrong, your risk assessment is built on assumptions, and your Purdue-model segmentation is theoretical at best.

 

**The E26 / E27 Two-Level Hierarchy**

E26 §4.1.1.3.1 explicitly requires the vessel-level inventory to include, at minimum, the information specified in UR E27 §3.1.1 at the CBS component level:

- Hardware identifiers and OS versions
- Application software and firmware versions
- Network interface and connection details

This creates a deliberate two-tier structure: E27 governs what each CBS supplier documents; E26 governs how the systems integrator aggregates that into a unified vessel-level picture. One cannot substitute for the other.
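
The aggregation step described above can be checked mechanically. The following Python is an added example, not code from UR E26/E27 or from the author: it merges per-CBS supplier records into one vessel-level inventory, then reports components missing a minimum field and connections whose peer no supplier documented. The field names (`hardware_id`, `os_version`, `software`, `firmware`, `interfaces`, `peer`) and all sample data are assumptions constructed for illustration.

```python
# Added illustration. Field names are assumptions, not a schema from UR E26/E27.
REQUIRED = ("hardware_id", "os_version", "software", "firmware", "interfaces")

# Constructed sample: one component list per CBS supplier (the E27 level).
SUPPLIER_INVENTORIES = {
    "propulsion-control": [
        {"name": "plc-01", "hardware_id": "HW-0001", "os_version": "rtos-4.2",
         "software": {"governor": "2.1.0"}, "firmware": "1.0.3",
         "interfaces": [{"ip": "10.10.1.10", "peer": "hmi-01",
                         "port": 502, "protocol": "modbus-tcp"}]},
        {"name": "hmi-01", "hardware_id": "HW-0002", "os_version": "",
         "software": {"hmi-client": "5.4"}, "firmware": "3.3",
         "interfaces": [{"ip": "10.10.1.20", "peer": "vdr-01",
                         "port": 4840, "protocol": "opc-ua"}]},
    ],
    "navigation": [
        {"name": "ecdis-01", "hardware_id": "HW-0100", "os_version": "os-10",
         "software": {"ecdis": "7.2"},
         "interfaces": [{"ip": "10.20.1.5", "peer": "plc-01",
                         "port": 502, "protocol": "modbus-tcp"}]},
    ],
}

def aggregate(supplier_inventories):
    """Merge per-CBS component lists into one vessel-level inventory (the E26 level)."""
    vessel = {}
    for cbs, components in supplier_inventories.items():
        for comp in components:
            if comp["name"] in vessel:
                raise ValueError(f"duplicate component name: {comp['name']}")
            vessel[comp["name"]] = {**comp, "cbs": cbs}
    return vessel

def missing_fields(component):
    """Required fields that are absent or empty for one component."""
    return [f for f in REQUIRED if not component.get(f)]

def review(supplier_inventories):
    """Return incomplete records and connections to peers nobody documented."""
    vessel = aggregate(supplier_inventories)
    incomplete = {n: m for n, c in vessel.items() if (m := missing_fields(c))}
    unknown_peers = sorted(
        (name, link["peer"])
        for name, comp in vessel.items()
        for link in comp.get("interfaces", [])
        if link["peer"] not in vessel
    )
    return {"incomplete": incomplete, "unknown_peers": unknown_peers}

if __name__ == "__main__":
    print(review(SUPPLIER_INVENTORIES))
```

The `unknown_peers` finding only appears at the vessel level: each supplier's record can be internally complete while still pointing at an endpoint that is absent from the unified inventory.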

 

**Implementation Insight**

The practical gap most shipyards face is the hand-off between commissioning and operations. Inventories that are accurate at delivery become stale within 12–18 months as software patches, hardware replacements, and configuration changes accumulate without a functioning MoC process. Build the MoC workflow before delivery — retrofitting it after the fact is significantly harder.

What's your experience with asset inventory hand-offs between shipyards and shipowners? Is the MoC process being built in from the start, or added as an afterthought?

 


📌 Post 1/17 in my IACS UR E26 series — breaking down all 17 requirements across the Identify → Protect → Detect → Respond → Recover framework
