
# 🛡️ Can Your Ship's OT Systems Actually Run Antivirus? The Answer Changes Everything.
For most vessels, the honest answer is "not on the systems that matter most" — and UR E26 §4.2.3 is the first international framework to address this head-on.

**What UR E26 §4.2.3 Actually Requires**

Every Computer-Based System (CBS) in scope must be protected against malicious code — but the requirement is deliberately tiered. Where industrial-grade AV can be installed without disrupting operations, it must be. Where it cannot — particularly on Category II and III real-time control systems — compensating controls are not optional. They are mandatory, and they must be documented in the Cyber Security Design Description.

**Why This Is Uniquely Challenging at Sea**

Vessels operate with constrained connectivity, small crews, and OT systems running 24/7 with near-zero tolerance for downtime. The infection vectors E26 explicitly names — USB drives, email, PDFs, web services, and service engineer laptops — are all routine aboard ship. A contractor connecting an unscanned laptop to an integrated navigation or machinery control system is not a hypothetical risk. It happens every port call. And unlike shore-side environments, there is no IT helpdesk standing by if something goes wrong mid-voyage.

**The IEC 62443 Technical Foundation**

IEC 62443-3-3 SR 3.2 defines malicious code protection across three mandatory dimensions: prevention, detection, and mitigation — not detection alone. At Security Level 2, automated quarantine is required. At SL-3 and above, behavior-based detection becomes necessary. E26 §4.2.3.3 explicitly permits compensating measures for CBS where traditional AV cannot be installed, directly mirroring the IEC 62443 compensating countermeasures framework — making application whitelisting the preferred alternative for real-time OT systems.
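
An added example, not from the original post or from IACS: a gap check over a CBS inventory that applies the tiering described above (AV where feasible, otherwise compensating controls documented in the Cyber Security Design Description) together with the SR 3.2 Security Level conditions. The record fields, the sample systems and the 30-day update limit are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CBS:
    """One inventory row. Field names are hypothetical, not taken from UR E26."""
    name: str
    category: str                       # "I", "II" or "III"
    av_feasible: bool                   # AV can run without disrupting operations
    av_installed: bool = False
    target_sl: int = 1                  # IEC 62443 target Security Level
    auto_quarantine: bool = False
    behavior_detection: bool = False
    compensating: List[str] = field(default_factory=list)
    documented_in_csdd: bool = False    # compensating controls written into the CSDD
    days_since_av_update: Optional[int] = None

def findings(cbs, max_age=30):
    """Return the gaps for one CBS; max_age (days) is an assumed owner policy."""
    gaps = []
    if cbs.av_feasible and not cbs.av_installed:
        gaps.append("AV feasible but not installed")
    if cbs.av_installed:
        if cbs.days_since_av_update is None or cbs.days_since_av_update > max_age:
            gaps.append("no evidence of current AV updates")
        if cbs.target_sl >= 2 and not cbs.auto_quarantine:
            gaps.append("SL-2+: automated quarantine missing")
        if cbs.target_sl >= 3 and not cbs.behavior_detection:
            gaps.append("SL-3+: behavior-based detection missing")
    if not cbs.av_feasible:
        if not cbs.compensating:
            gaps.append("no AV and no compensating controls")
        elif not cbs.documented_in_csdd:
            gaps.append("compensating controls not documented in CSDD")
    return gaps

def audit(inventory):  # maps CBS name -> gaps; systems without gaps are omitted
    return {c.name: g for c in inventory if (g := findings(c))}

# Constructed sample inventory (not real vessel data).
INVENTORY = [
    CBS("nav-workstation", "II", av_feasible=True, av_installed=True,
        target_sl=2, auto_quarantine=True, days_since_av_update=95),
    CBS("machinery-plc", "III", av_feasible=False,
        compensating=["application whitelisting", "USB port blockers"]),
    CBS("cargo-hmi", "II", av_feasible=False,
        compensating=["application whitelisting"], documented_in_csdd=True),
    CBS("admin-pc", "I", av_feasible=True),
]
```

Calling `audit(INVENTORY)` lists the systems whose evidence would not stand up at survey; the whitelisted but undocumented PLC is flagged even though its technical control is in place.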

**The E26 ↔ E27 Layered Relationship**

UR E27 §4.1 item 18 (mapped via E26 Appendix II) requires malware protection to be addressed and certified at the individual component level by equipment suppliers. E26 §4.2.3 elevates this to the vessel system level — adding operational management requirements: maintenance policies, AV update procedures, and physical safeguards. Annual survey evidence must demonstrate that these controls are actively maintained, not just installed at delivery.

**The Implementation Reality**

→ Application whitelisting on legacy PLC or SCADA platforms often requires OEM validation before deployment — start this conversation during design, not commissioning.

→ Removable media procedures and physical port controls are your most defensible compensating measures when AV is operationally impractical.

**Question for the Community**

How are your projects handling AV updates on air-gapped or semi-connected OT systems — and who owns that process between the shipyard, owner, and OEM?

📌 Post 4/17 in my IACS UR E26 series — breaking down all 17 requirements across the Identify → Protect → Detect → Respond → Recover framework.