OS Hardening & Service Disabling
Regulatory Context: IACS UR E27 (Section 4.3.1) mandates the hardening of all OT hosts. This involves the removal of unnecessary software and the deactivation of non-essential services to reduce the “Attack Surface” of critical shipboard systems.
Every active service or open port on an HMI (Human Machine Interface) is a potential vulnerability. “Hardening” is the process of stripping away everything that isn’t required for the vessel’s operation. If an AMS workstation never needs to print a document, the “Print Spooler” service should not merely be stopped: its startup type should be set to “Disabled” so that it cannot be restarted by a reboot, a trigger, or a user.
The Principle: Minimalist Computing
Reducing the Attack Surface
By disabling 10 unnecessary services, you remove 10 potential ways for malware to gain “System” level privileges on your bridge computer.
Performance Gains
On older, legacy hardware, OS hardening frees up CPU and RAM, making critical monitoring applications more stable and responsive.
Top Services to Disable in Maritime OT
Unless specifically required for the system’s function, the following services should be set to “Disabled” in the Windows Service Manager (services.msc):
| Service Name | Risk Category | Why Disable? |
|---|---|---|
| Print Spooler | Remote Code Execution | Frequent “PrintNightmare” style exploits allow full system takeover. |
| Remote Registry | Unauthorized Config | Allows users (or malware) to modify system settings from across the network. |
| Windows Error Reporting | Information Leakage | May attempt to send technical data/crash logs over VSAT to Microsoft. |
| Bluetooth Support | Physical Proximity | Prevents unauthorized wireless peripherals from connecting in the ECR. |
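The following PowerShell script is an added example, not part of the original module, showing how the four services in the table can be audited, stopped and set to “Disabled” on a Windows OT host in a repeatable way, with a log of the before/after state for evidence. The short service names (Spooler, RemoteRegistry, WerSvc, bthserv) are the standard Windows identifiers for the display names in the table; the $Required exception list and the log path are assumptions chosen for illustration.

```powershell
# Added example (not from the original module): audit and disable the four
# services from the table above on a Windows OT host.
# Run from an elevated PowerShell prompt on the HMI/AMS workstation itself.
#Requires -RunAsAdministrator

# Display name (as in the table) -> Windows service short name
$Targets = [ordered]@{
    'Print Spooler'           = 'Spooler'
    'Remote Registry'         = 'RemoteRegistry'
    'Windows Error Reporting' = 'WerSvc'
    'Bluetooth Support'       = 'bthserv'
}

# Constructed exception list: services this particular host genuinely requires
# for its function. Leave empty on a typical AMS workstation; add 'Spooler'
# only if the HMI really must print.
$Required = @()

# Assumed log location; keeps a record of every change for the hardening evidence file
$LogPath = Join-Path $env:ProgramData 'ot-hardening.log'

function Get-ServiceState {
    param([string]$Name)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which is what we
    # need to verify, not just whether the service happens to be running now.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    [pscustomobject]@{ Name = $Name; State = $svc.State; StartMode = $svc.StartMode }
}

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogPath -Append
}

foreach ($entry in $Targets.GetEnumerator()) {
    $display = $entry.Key
    $name    = $entry.Value
    $before  = Get-ServiceState -Name $name

    if (-not $before) {
        Write-Log "$display ($name): not installed, nothing to do"
        continue
    }
    if ($Required -contains $name) {
        Write-Log "$display ($name): on exception list, left as $($before.StartMode)"
        continue
    }

    # Stop the running instance first, then change the startup type so the
    # service cannot come back on reboot or via a service trigger.
    if ($before.State -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction Stop
    }
    Set-Service -Name $name -StartupType Disabled

    $after = Get-ServiceState -Name $name
    Write-Log "$display ($name): $($before.State)/$($before.StartMode) -> $($after.State)/$($after.StartMode)"
}

# Verification pass: fail loudly if any targeted service is still enabled,
# so a partially applied baseline is never silently accepted.
$stillEnabled = $Targets.Values |
    Where-Object { $_ -notin $Required } |
    ForEach-Object { Get-ServiceState -Name $_ } |
    Where-Object { $_ -and $_.StartMode -ne 'Disabled' }

if ($stillEnabled) {
    $stillEnabled | Format-Table -AutoSize
    throw 'Hardening incomplete: one or more services are still enabled'
}
Write-Log 'All targeted services verified Disabled'
```

To preview the changes without applying them, run the script with `-WhatIf` added to the `Stop-Service` and `Set-Service` calls; both cmdlets support it. The verification pass is deliberately based on StartMode rather than on the service being stopped, because a service that is merely stopped but still set to Manual or Automatic can be started again by the next reboot, a service trigger, or any local administrator, which is exactly the gap the module warns about.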
