This guide establishes the identity and access management framework for maritime OT — covering password policies, role-based access control and the transition away from shared credentials on critical systems.
On board a vessel, the greatest vulnerability isn’t always a complex exploit; it is often the “admin/admin” default login on a ballast control HMI or a network switch. Hardening these identities is a mandatory step for UR E27 Type Approval and Class Surveys.
The Challenge: Balancing Security and Safety
Maritime OT presents a unique conflict: Cyber security demands friction (passwords, MFA), while Marine safety demands immediacy. If a propulsion alarm sounds, an engineer cannot spend 30 seconds typing a complex password just to acknowledge it.
The Legacy Constraints
Marine PLCs often lack central management. This creates “Credential Drift” where different vendors use different passwords, leading the crew to stick post-it notes on screens—negating all security efforts.
The Safety Paradox
Class requirements (UR E27) mandate lockout policies. However, a locked screen on a Dynamic Positioning (DP) console during a storm is a life-safety risk. We solve this by separating “View” from “Control.”
1. Implementing RBAC (Role-Based Access Control)
Access is granted based on the “Principle of Least Privilege.” We categorize users into three tiers:
Operator Level: Read-only. Access to AMS monitoring and alarm views. No configuration rights.
Engineer Level (ETO/Ch. Eng): Permission to modify setpoints and perform routine maintenance.
Admin/Service Level (OEM): Full configuration and firmware rights. These accounts remain disabled until a permit-to-work is issued.
Tiered RBAC Matrix (Audit Ready)
Defining clear Role-Based Access Control (RBAC) boundaries is essential for preventing unauthorized configuration changes while ensuring operational safety. This matrix provides an audit-ready framework for mapping vessel duties to technical permissions, ensuring that critical safety functions remain accessible to watch officers while high-risk logic modifications are restricted to authorized technical staff and OEMs.
System Function | Operator (Watch) | Engineer (ETO) | Admin (OEM)
Acknowledge Alarms | ✔ ALLOW | ✔ ALLOW | ✔ ALLOW
Modify Setpoints | ✖ DENY | ✔ ALLOW | ✔ ALLOW
Modify Logic/Code | ✖ DENY | ✖ DENY | ✔ ALLOW*
*Requires Permit-to-Work and logged physical unlock.
2. Tiered Complexity Standards
We apply a tiered approach based on the device’s position within the Purdue Model.
Asset Class | Access Method | Lockout Policy | Rotation Trigger
Tier 1: Monitoring (ECDIS, AMS View) | No Login Required | None (Always Visible) | N/A
Tier 1: Infrastructure (Firewalls, Gateways) | 12+ Chars (Complex) | 5 Attempts / 15-Min | Quarterly
Tier 2: Control HMI (Ballast, Machinery) | 6-Digit PIN | 10-min Idle Lock | Annually
Tier 4: Remote OEM Support | 16+ Chars + MFA | Immediate Session Kill | Per-Session (OTP)
Note that a 6-digit PIN on a control HMI is only defensible because the console sits inside a physically controlled space (ECR or bridge); it offers roughly one million combinations and no attempt lockout, so it must never be reachable over the network or from a remote-support session.
Password Change & Rotation Log
To demonstrate IACS UR E27 compliance, all maritime OT assets must undergo periodic credential rotation. This log provides a centralized audit trail to verify that infrastructure such as firewalls and gateways is rotated on the quarterly schedule set in the Asset Complexity tiers above.
Asset ID | Last Change | Next Due | Status
OT-FW-01 | 2026-01-15 | 2026-04-15 | CURRENT
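As an added example (not part of the original playbook), the following Python script derives the Next Due and Status columns of the rotation log from the rotation triggers in the Asset Complexity tiers, using calendar-month arithmetic so that a 15 January change falls due on 15 April as in the log above. The asset rows other than OT-FW-01, the tier names and the 14-day “due soon” warning window are constructed assumptions.

```python
"""Credential rotation log check (added example; rows other than OT-FW-01 are constructed)."""
import calendar
from datetime import date, timedelta

# Rotation period in calendar months per asset tier, from the Asset Complexity table.
# Remote OEM access uses per-session OTPs and has no static secret to rotate.
ROTATION_MONTHS = {
    "infrastructure": 3,   # quarterly: firewalls, gateways
    "control_hmi": 12,     # annually: ballast / machinery HMIs
}

# Constructed sample rotation log (asset IDs other than OT-FW-01 are hypothetical).
ROTATION_LOG = [
    {"asset_id": "OT-FW-01",      "tier": "infrastructure", "last_change": "2026-01-15"},
    {"asset_id": "OT-GW-02",      "tier": "infrastructure", "last_change": "2025-10-01"},
    {"asset_id": "BALLAST-HMI-1", "tier": "control_hmi",    "last_change": "2025-02-10"},
]


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping the day (31 Jan + 3 -> 30 Apr)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_due_iso(last_change_iso: str, tier: str) -> str:
    """Next rotation date (ISO 8601) for a tier, given the last change date."""
    return add_months(date.fromisoformat(last_change_iso), ROTATION_MONTHS[tier]).isoformat()


def rotation_status(last_change_iso: str, tier: str, today_iso: str, warn_days: int = 14) -> str:
    """CURRENT, DUE SOON (inside the warning window; assumed 14 days) or OVERDUE."""
    due = date.fromisoformat(next_due_iso(last_change_iso, tier))
    today = date.fromisoformat(today_iso)
    if today > due:
        return "OVERDUE"
    if today + timedelta(days=warn_days) >= due:
        return "DUE SOON"
    return "CURRENT"


def audit_rotation_log(rows, today_iso: str):
    """Return one result row per asset: asset_id, tier, last_change, next_due, status."""
    results = []
    for row in rows:
        results.append({
            "asset_id": row["asset_id"],
            "tier": row["tier"],
            "last_change": row["last_change"],
            "next_due": next_due_iso(row["last_change"], row["tier"]),
            "status": rotation_status(row["last_change"], row["tier"], today_iso),
        })
    return results


def overdue_assets(rows, today_iso: str):
    """Asset IDs a surveyor would raise: anything past its due date."""
    return [r["asset_id"] for r in audit_rotation_log(rows, today_iso) if r["status"] == "OVERDUE"]


if __name__ == "__main__":
    for r in audit_rotation_log(ROTATION_LOG, "2026-02-01"):
        print(f"{r['asset_id']:<14} {r['last_change']}  due {r['next_due']}  {r['status']}")
```

Run it against the vault export before a survey; an OVERDUE row on an infrastructure asset is the finding a surveyor will check first, and the DUE SOON window gives the ETO time to schedule the change while the vessel is alongside.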
3. Managing Credentials in Air-Gapped Environments
Because vessels operate in zero-connectivity environments, a Vessel Credential Management Plan is required:
Onboard Offline Vault: Utilize an encrypted database (e.g., KeePassXC) stored on a secured workstation in the ETO office.
Physical MFA: Use hardware tokens (e.g., YubiKeys) for access to the Satellite Terminal and Primary Firewall to prevent credential theft.
Audit every IP-addressable OT component. Any credential containing “password”, “1234”, or “admin” must be flagged as a Major Non-Conformity.
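The following Python script, added here and not part of the original playbook, turns the Tiered Complexity Standards table and the default-credential audit rule above into a single check that can be run over a credential inventory exported from the offline vault. The inventory is constructed sample data; the tier keys, the definition of “complex” (upper, lower, digit and symbol all present), the extra rule that a secret equal to its username (admin/admin) counts as default-like, and the MINOR rating for non-default policy shortfalls are this script’s assumptions, since the playbook only defines the Major Non-Conformity for default strings.

```python
"""Credential policy audit against the tier table and the default-credential rule
(added example; the inventory below is constructed)."""
import re

# Access-method rules per tier, from the Asset Complexity table (tier keys assumed).
TIER_RULES = {
    "infrastructure": {"min_len": 12, "complex": True},
    "control_hmi":    {"pin_digits": 6},
    "remote_oem":     {"min_len": 16, "complex": True, "mfa": True},
}

# Substrings the playbook flags as a Major Non-Conformity, matched case-insensitively.
DEFAULT_PATTERNS = ("password", "1234", "admin")

# Constructed inventory; in practice these rows come from the offline vault export.
INVENTORY = [
    {"asset_id": "OT-FW-01",      "tier": "infrastructure", "username": "admin",    "secret": "admin",              "mfa": False},
    {"asset_id": "OT-SW-03",      "tier": "infrastructure", "username": "netops",   "secret": "Winter2025!",        "mfa": False},
    {"asset_id": "BALLAST-HMI-1", "tier": "control_hmi",    "username": "operator", "secret": "123456",             "mfa": False},
    {"asset_id": "BALLAST-HMI-2", "tier": "control_hmi",    "username": "operator", "secret": "804517",             "mfa": False},
    {"asset_id": "OEM-VPN-01",    "tier": "remote_oem",     "username": "oem-svc",  "secret": "Xk9#mP2$vL8@qR4!wZ", "mfa": False},
]


def default_like(secret: str, username: str) -> bool:
    """True for the playbook's flagged strings, or a secret equal to its username (assumed rule)."""
    s = secret.lower()
    return any(p in s for p in DEFAULT_PATTERNS) or s == username.lower()


def is_complex(secret: str) -> bool:
    """Assumed definition of 'Complex': upper, lower, digit and symbol all present."""
    return all(re.search(p, secret) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_asset(asset: dict):
    """Return findings as (severity, message) tuples; an empty list means compliant."""
    findings = []
    rules = TIER_RULES[asset["tier"]]
    secret = asset["secret"]
    if default_like(secret, asset["username"]):
        findings.append(("MAJOR", "default or trivially guessable credential"))
    if "pin_digits" in rules and not (secret.isdigit() and len(secret) == rules["pin_digits"]):
        findings.append(("MINOR", f"PIN must be exactly {rules['pin_digits']} digits"))
    if "min_len" in rules and len(secret) < rules["min_len"]:
        findings.append(("MINOR", f"length {len(secret)} below tier minimum {rules['min_len']}"))
    if rules.get("complex") and not is_complex(secret):
        findings.append(("MINOR", "fails complexity (upper, lower, digit, symbol)"))
    if rules.get("mfa") and not asset["mfa"]:
        findings.append(("MINOR", "MFA not enforced on remote access"))
    return findings


def audit_inventory(inventory):
    """Flatten findings across the fleet inventory as (asset_id, severity, message)."""
    return [(a["asset_id"], sev, msg) for a in inventory for sev, msg in check_asset(a)]


def major_nonconformities(inventory):
    """Sorted asset IDs carrying at least one MAJOR finding: the survey stoppers."""
    return sorted({aid for aid, sev, _ in audit_inventory(inventory) if sev == "MAJOR"})


if __name__ == "__main__":
    for asset_id, severity, message in audit_inventory(INVENTORY):
        print(f"{severity:<5} {asset_id:<14} {message}")
```

Feed the script the vault export rather than typing secrets on the command line, and run it on the ETO workstation that holds the vault so the secrets never leave the air-gapped host.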
Verified Functional Persistence
Ensure that for safety-critical systems (AMS/PMS), an inactivity timeout only locks Command & Control functions. The Monitoring/Alarm View must remain visible without requiring a login to ensure the crew can see alarms instantly.
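Both the Tiered RBAC Matrix in section 1 and the Verified Functional Persistence rule above describe the same access decision: who may do what, and which of those functions an idle lock may take away. The Python model below is an added example, not code from the original playbook or any vendor HMI. It implements the three matrix rows, the Permit-to-Work plus physical-unlock gate on logic changes, and a 10-minute idle lock (the Tier 2 value) that locks only command-and-control actions while the monitoring view stays visible. Treating alarm acknowledgement as a monitoring-side action that the idle lock does not block, and the injected clock, are assumptions of this example.

```python
"""View/control separation with an idle lock that leaves monitoring visible
(added example; roles and actions follow the Tiered RBAC Matrix)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Role(Enum):
    OPERATOR = "operator"   # watch officer
    ENGINEER = "engineer"   # ETO / Ch. Eng
    ADMIN = "admin"         # OEM service


ALL_ROLES = frozenset(Role)
# Tiered RBAC Matrix, row by row.
MATRIX = {
    "ack_alarm":       ALL_ROLES,
    "modify_setpoint": frozenset({Role.ENGINEER, Role.ADMIN}),
    "modify_logic":    frozenset({Role.ADMIN}),
}
# Command & control actions the inactivity timer locks. Alarm acknowledgement is
# treated as a monitoring-side action that stays available (assumption).
CONTROL_ACTIONS = frozenset({"modify_setpoint", "modify_logic"})
IDLE_LOCK_SECONDS = 600  # 10-minute idle lock from the Tier 2 row


@dataclass
class Session:
    user: str
    role: Role
    last_control: float           # clock value of the last control action / re-auth
    permit_to_work: Optional[str] = None
    physical_unlock: bool = False


class Console:
    """One HMI seat. Monitoring is always visible; control needs an unlocked session."""

    def __init__(self) -> None:
        self.session: Optional[Session] = None
        self.audit: List[Tuple[float, str, str, str]] = []   # (time, user, action, decision)

    def monitoring_visible(self, now: float) -> bool:
        # Never depends on session state: the alarm view must not go dark.
        return True

    def login(self, user: str, role: Role, now: float) -> None:
        self.session = Session(user, role, now)
        self.audit.append((now, user, "login", "ALLOW"))

    def reauthenticate(self, now: float) -> None:
        """PIN re-entry after an idle lock (the credential check itself is out of scope)."""
        if self.session:
            self.session.last_control = now

    def control_locked(self, now: float) -> bool:
        return self.session is None or now - self.session.last_control > IDLE_LOCK_SECONDS

    def authorize(self, action: str, now: float) -> Tuple[bool, str]:
        """Decide one action; every decision is written to the per-user audit trail."""
        if action not in MATRIX:
            return self._record(now, action, False, "unknown action")
        if self.session is None:
            return self._record(now, action, False, "no session")
        if action in CONTROL_ACTIONS and self.control_locked(now):
            return self._record(now, action, False, "control locked (idle); re-authenticate")
        if self.session.role not in MATRIX[action]:
            return self._record(now, action, False, f"role {self.session.role.value} not permitted")
        if action == "modify_logic" and not (self.session.permit_to_work and self.session.physical_unlock):
            return self._record(now, action, False, "permit-to-work and physical unlock required")
        if action in CONTROL_ACTIONS:
            self.session.last_control = now   # only control actions extend the control window
        return self._record(now, action, True, "allowed")

    def _record(self, now: float, action: str, allowed: bool, reason: str) -> Tuple[bool, str]:
        user = self.session.user if self.session else "-"
        self.audit.append((now, user, action, "ALLOW" if allowed else f"DENY: {reason}"))
        return allowed, reason


def run_scenario() -> List[Tuple[str, bool]]:
    """Walk a watch officer, an ETO and an OEM engineer through the matrix; returns decisions."""
    c = Console()
    steps: List[Tuple[str, bool]] = []
    c.login("watch1", Role.OPERATOR, 0.0)
    steps.append(("ack_alarm", c.authorize("ack_alarm", 5.0)[0]))                 # allowed
    steps.append(("modify_setpoint", c.authorize("modify_setpoint", 6.0)[0]))     # denied: role
    c.login("eto", Role.ENGINEER, 100.0)
    steps.append(("modify_setpoint", c.authorize("modify_setpoint", 150.0)[0]))   # allowed
    steps.append(("modify_setpoint", c.authorize("modify_setpoint", 850.0)[0]))   # denied: idle lock
    steps.append(("ack_alarm", c.authorize("ack_alarm", 851.0)[0]))               # allowed while locked
    steps.append(("modify_setpoint", c.authorize("modify_setpoint", 852.0)[0]))   # still locked
    c.reauthenticate(853.0)
    steps.append(("modify_setpoint", c.authorize("modify_setpoint", 854.0)[0]))   # allowed again
    c.login("oem", Role.ADMIN, 900.0)
    steps.append(("modify_logic", c.authorize("modify_logic", 901.0)[0]))         # denied: no permit
    c.session.permit_to_work, c.session.physical_unlock = "PTW-0042", True
    steps.append(("modify_logic", c.authorize("modify_logic", 902.0)[0]))         # allowed
    return steps


if __name__ == "__main__":
    for action, allowed in run_scenario():
        print(f"{action:<16} {'ALLOW' if allowed else 'DENY'}")
```

The point to carry into a real HMI is the split timer: acknowledging an alarm never re-arms the control window, so a locked console cannot be kept unlocked by tapping “acknowledge”, while the alarm list itself is rendered without consulting the session at all.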
Unique User Identification
Move away from shared accounts. E27 requires that actions can be traced back to a specific individual. Where not technically possible, use a physical access log as a compensating control.
Pro Tip: The Master “Break-Glass” Envelope. Place a physical, sealed envelope in the Captain’s safe containing the “Super-Admin” credentials. If the network fails or the ETO is unavailable, the Master can authorize an emergency override. Use a tamper-evident seal, record every opening in the physical access log, and rotate the credentials after any use so the envelope never becomes a permanently known password.
The specific regulatory requirements this playbook addresses. Use these references when preparing for Class survey or responding to a surveyor’s checklist.
E26 §4.2.4
Access control — Physical and logical access to systems and networks must be restricted to authorised personnel based on their role, using the principle of least privilege.
E27 §4.1
Required security capabilities (all CBSs) — All in-scope computer-based systems must implement 30 defined security capabilities covering: identity and authentication, access control, audit logging, malware protection, communication integrity, denial-of-service protection, backup and recovery.
IEC 62443
Industrial cybersecurity standard series — The international standard series for cybersecurity in industrial automation and control systems. IACS UR E26 and E27 are directly aligned with this series. Covers security requirements for systems, components and secure development processes across the full OT lifecycle.