
# UR E26 Series | Post 8/17: Mobile & Portable Device Controls
⚓ A single unauthorized USB drive connected to a ship's ECDIS or ballast water management system could introduce malware that disrupts critical operations mid-voyage — and it happens more often than the industry admits.
**What UR E26 §4.2.7 Requires**
E26 mandates that mobile and portable devices on any in-scope Cyber-Based System (CBS) are restricted to authorized personnel and authorized devices only. Unauthorized USB connections must be technically prevented — not just policy-prohibited. Where a CBS cannot enforce this through software, physical port blockers become mandatory. No exceptions, no alternatives.
**Maritime-Specific Implications**
Ships are operationally unique: crew rotations bring dozens of personal devices aboard, third-party service engineers routinely connect laptops to OT systems, and remote port environments make monitoring difficult. Unlike a fixed industrial plant, vessels operate in isolation from IT support for weeks at a time. A compromised portable device introduced during a port call can propagate silently across networked CBS before anyone detects it. The consequence isn't just a data breach — it's a vessel that cannot navigate.
**IEC 62443 Technical Depth**
E26 §4.2.7 directly maps to IEC 62443-3-3 SR 2.3 (Use Control for Portable and Mobile Devices). At Security Level 2, removable media must be encrypted; at SL-3, only organization-approved media is permitted at all. Commissioning must demonstrate six specific controls: authorized-user restriction, device-type limitation, file transfer restriction, autorun disabled, MAC/IP-based access control, and unused port disabling. Where a legacy CBS cannot meet these controls natively, E26's mandatory physical port blocking aligns precisely with the compensating countermeasures framework in IEC 62443-3-2 §5.9 — the burden shifts from software enforcement to physical enforcement.
**UR E27 Connection**
E26 §4.2.7.1 directly cross-references E27 §4.1 item 10 (SR 2.3), making this one of the most explicit linkages between the two URs. E27 operates at the system/component level — requiring each CBS to technically enforce portable device controls. When a component cannot meet that bar, E26 closes the gap by requiring physical port blockers at the vessel level. The layered approach is intentional: component capability drives the solution; physical control is the non-negotiable backstop.
**Implementation Insight**
🔌 Inventory your CBS against those six commissioning controls early. Legacy navigation and machinery monitoring systems rarely support MAC-based USB filtering or autorun disabling natively — identifying these gaps at the design phase allows physical port blockers to be engineered in, rather than retrofitted at classification survey.
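A gap analysis of that kind can be scripted at the design phase. The following is an added example, not code from the post or from IACS/IEC: the control keys, the `CBS` record, the status names and the sample inventory are all constructed for illustration, and it assumes that any software gap means every exposed port on that system needs a physical blocker.

```python
from dataclasses import dataclass

# The six commissioning controls named in the post; the short keys are this example's own.
CONTROLS = (
    "authorized_user_restriction",
    "device_type_limitation",
    "file_transfer_restriction",
    "autorun_disabled",
    "mac_ip_access_control",
    "unused_ports_disabled",
)

@dataclass(frozen=True)
class CBS:
    name: str
    native: frozenset       # controls the system enforces in software
    exposed_ports: int      # physically reachable USB/media ports
    blocked_ports: int = 0  # ports already fitted with a physical blocker

def assess(cbs):
    """Return the control gaps for one CBS and whether port blockers are still owed."""
    unknown = cbs.native - set(CONTROLS)
    if unknown:
        # A misspelt control name must not pass silently as evidence.
        raise ValueError(f"{cbs.name}: unknown control(s) {sorted(unknown)}")
    if not 0 <= cbs.blocked_ports <= cbs.exposed_ports:
        raise ValueError(f"{cbs.name}: inconsistent port counts")
    gaps = [c for c in CONTROLS if c not in cbs.native]
    # Any software gap shifts enforcement to physical blocking of every exposed port.
    to_block = cbs.exposed_ports - cbs.blocked_ports if gaps else 0
    if not gaps:
        status = "native"
    elif to_block == 0:
        status = "compensated"
    else:
        status = "open"
    return {"name": cbs.name, "status": status, "gaps": gaps, "ports_to_block": to_block}

# Constructed sample inventory (system capabilities and port counts are invented).
INVENTORY = [
    CBS("ECDIS", frozenset(CONTROLS), exposed_ports=2),
    CBS("BWMS", frozenset({"authorized_user_restriction"}), exposed_ports=3, blocked_ports=1),
    CBS("Machinery monitoring", frozenset(CONTROLS) - {"autorun_disabled"}, 4, 4),
]

def report(inventory=INVENTORY):
    """Assess every CBS, worst first, so open items lead the survey preparation list."""
    order = {"open": 0, "compensated": 1, "native": 2}
    return sorted((assess(c) for c in inventory), key=lambda r: order[r["status"]])

if __name__ == "__main__":
    for row in report():
        print(row)
```

Systems reported as `open` still have unblocked ports with no software enforcement behind them; `compensated` systems rely entirely on the physical blockers staying in place.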
What's your experience with service engineers connecting unscanned laptops to OT systems during port calls — and how are you currently managing that risk?
📌 Post 8/17 in my IACS UR E26 series — breaking down all 17 requirements across the Identify → Protect → Detect → Respond → Recover framework
