# Who Has the Keys to Your Ship's Critical Systems? 🔐
Most cyber incidents don't start with sophisticated hacking — they start with someone who simply shouldn't have had access, and did.
**What UR E26 §4.2.4 Requires**
Access to Cyber-Based Systems (CBS) must be controlled both physically and logically — and only authorized personnel should have it, based on genuine operational need. In practice, this means:
→ Category II and III CBS must be housed in lockable rooms or cabinets
→ Visitors (technicians, surveyors, port authorities) get supervised access only — no exceptions by default
→ Removable media must be scanned for malware and signature-validated before connecting to any CBS
→ Least privilege is the baseline — elevated credentials should be temporary and expiring where possible
**Why This Is Uniquely Challenging at Sea**
Ships operate with small, rotating crews — often under pressure, in port windows measured in hours. A third-party service technician connecting a USB to the ECDIS for a software update feels routine. But without enforced media scanning and supervised access protocols, that single moment represents a wide-open attack surface. Physical isolation isn't a luxury onboard; it's a compensating control when network segmentation has limits.
**The IEC 62443 Foundation**
E26 §4.2.4 directly implements two IEC 62443 pillars:
→ **SR 2.1** (IEC 62443-3-3): Role-Based Access Control enforcement at every user interface, grounded in separation of duties and least privilege
→ **§4.3.3.6.2** (IEC 62443-2-1): Physical access management for industrial automation and control environments
E26 takes these industrial security principles and re-anchors them to maritime operational reality — lockable server cabinets on the bridge replace server room badge readers; supervised technician access replaces enterprise visitor management systems.
**The E26–E27 Layered Relationship**
E27 §4.1 maps five specific Security Requirements to access control: SR 1.1 (human user identification), SR 1.3 (account management), SR 1.4 (identifier management), SR 1.5 (authenticator management), and SR 2.1 (authorization enforcement). These apply at the system and component level.
E26 §4.2.4 governs access at the vessel management level — and notably includes a deliberate pragmatic departure: unlike E27, E26 does **not** require uniquely identified individual accounts for every user. Shared HMI workstations remain a recognized operational reality on vessels.
**Implementation Insight** 🛠️
The commissioning verification requirement is often overlooked: E26 requires confirming that all temporary accounts have been removed and that user account segregation of duties is verified before handover. In practice, this is frequently missed during the hectic final days of new build delivery — making it a prime audit finding at first class survey.
**Question for the community:** How are your organizations handling removable media policy enforcement in port — especially when third-party vendors insist on using their own USB drives for maintenance?
📌 *Post 5/17 in my IACS UR E26 series — breaking down all 17 requirements across the Identify → Protect → Detect → Respond → Recover framework*
