Part of the PROTECT Playbook
Phase: Protect | All vessels
Satisfies: E26, E27, IMO MSC-FAL.1, BIMCO v5

Supply Chain & Vendor Security

This guide manages third-party risk by establishing controls for vendor laptop inspection, software verification and service engineer access — preventing supply chain malware from entering the OT network via the gangway.

Modern vessels are ecosystems of components from dozens of different manufacturers (OEMs). Each vendor is a potential “backdoor” into your ship. Supply chain security ensures that every piece of software, firmware, or hardware brought onto the gangway is verified before it touches a critical system.

The “Dirty Laptop” Problem

The most common way malware enters a “gapped” OT network is through a service engineer’s toolset. Technicians travel from ship to ship, often connecting their laptops to multiple uncontrolled networks. This creates a “cross-contamination” risk where a virus picked up on a bulk carrier in Asia can be transferred to a tanker in Europe via the technician’s Ethernet cable or USB drive.

Uncontrolled Access

Service engineers often carry laptops that have been connected to multiple ship networks globally. If one of those ships was infected, the laptop acts as a carrier for malware.

Shadow Software

Vendors may install “temporary” remote access tools (like TeamViewer) for convenience during sea trials and forget to remove them, leaving a permanent hole in the firewall.

The Vendor Engagement Protocol

To comply with E27, the Master and ETO must enforce a “Zero Trust” policy for all visiting technicians:

| Stage | Requirement | Enforcement Action |
|---|---|---|
| Pre-Arrival | Verification of OEM cyber-security status | Request a “Cleanliness Certificate” for service tools. |
| Onboarding | Physical inspection and scanning | Scan all vendor USB drives via the “USB Kiosk” (Pillar C). |
| Active Service | Supervised network connection | Only allow connection to the “Service VLAN”, never the Main Bus. |
| Post-Service | Sanitization and audit | Revoke accounts and verify no new services were left running. |
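The Post-Service row asks the ETO to confirm that nothing the engineer brought along is still on the host. A practical way to do that is to snapshot the machine before the vendor connects and diff it against a snapshot taken after sign-off. The script below is an added example, not a tool from the playbook: the two snapshots and the permit entries are constructed sample data in a hypothetical shape, and on a real host they would be collected with the operating system's own tooling (listening sockets, local accounts, installed software) at both points.

```python
"""Post-service sanitization audit (added example, not from the playbook).

Diff a baseline of the OT host taken before the service engineer connects
against a snapshot taken after they leave, and report what still has to be
revoked or removed. Snapshots and permit data below are constructed.
"""

# Constructed baseline captured before the vendor connects.
BASELINE = {
    "listening": {"22/tcp", "102/tcp", "502/tcp"},
    "accounts": {"eto", "master", "opc_svc"},
    "software": {"modbus-gateway 2.1", "plc-tools 4.0"},
}

# Constructed snapshot captured after the vendor has signed off.
AFTER = {
    # 5938/tcp is the default listener of a remote-access tool left behind.
    "listening": {"22/tcp", "102/tcp", "502/tcp", "5938/tcp"},
    "accounts": {"eto", "master", "opc_svc", "vendor_tmp"},
    "software": {"modbus-gateway 2.2", "plc-tools 4.0", "teamviewer 15"},
}

# What the Service Entry Permit authorised for this visit (constructed, hypothetical shape).
PERMIT = {
    "temp_accounts": {"vendor_tmp"},                # must be gone when the vendor leaves
    "authorised_software": {"modbus-gateway 2.2"},  # the update the work order covered
}


def audit(baseline, after, permit):
    """Return the findings a post-service check should raise.

    Every list is sorted so the result is stable and can be logged as-is;
    'clean' is True only when nothing unexpected remains on the host.
    """
    new_accounts = after["accounts"] - baseline["accounts"]
    new_software = after["software"] - baseline["software"]
    findings = {
        # New listening sockets: a left-behind remote-access tool shows up here.
        "new_listeners": sorted(after["listening"] - baseline["listening"]),
        # Accounts created during the visit that are still present.
        "accounts_to_revoke": sorted(new_accounts),
        # Permit-listed temporary accounts the vendor did not remove.
        "permit_accounts_not_revoked": sorted(permit["temp_accounts"] & after["accounts"]),
        # Pre-existing accounts that vanished: investigate, do not just note.
        "missing_accounts": sorted(baseline["accounts"] - after["accounts"]),
        # Software that appeared and is not covered by the work order.
        "unauthorised_software": sorted(new_software - permit["authorised_software"]),
        # Software removed or replaced (the old version of an update lands here).
        "removed_software": sorted(baseline["software"] - after["software"]),
    }
    findings["clean"] = not (
        findings["new_listeners"]
        or findings["accounts_to_revoke"]
        or findings["missing_accounts"]
        or findings["unauthorised_software"]
    )
    return findings


if __name__ == "__main__":
    for key, value in audit(BASELINE, AFTER, PERMIT).items():
        print(f"{key}: {value}")
```

The baseline has to be captured before the engineer plugs in and stored off the host (for example on the jump server), otherwise a tool installed during the visit simply becomes part of the "before" picture. The removed-software list is reported rather than treated as a finding because an authorised update legitimately replaces the old version; the ETO reconciles it against the work order.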

One of the most common compliance gaps at class survey is an undocumented boundary between vendor-certified CBS and owner-supplied equipment connected to the same network. The CBS Risk Assessor identifies every connection crossing a scope boundary and surfaces the E27 §2.1 documentation requirements for each one.

ETO Service Engineer Checklist

No Direct Connections

If possible, provide a “Vessel Laptop” for the vendor to use. If they must use their own, connect them through a Jump Server (Pillar B) to log all actions.

Software Inventory Check

Check the Software Bill of Materials (SBOM). Ensure the vendor is not installing components with known critical vulnerabilities (CVEs).
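Checking an SBOM by hand is error-prone, so the check is worth scripting. The example below is added here and is not the playbook's or any vendor's tooling: it loads a CycloneDX-style SBOM, compares each component's version against a list of known-vulnerable version ranges, and decides whether the install may proceed. The SBOM, the component names, the vulnerability list and the CVE-style identifiers are all constructed placeholders, not real advisories; in practice the vulnerability list would come from the vendor's advisories or a vulnerability feed.

```python
"""SBOM check for known-vulnerable components (added example, not from the playbook).

Loads a CycloneDX-style SBOM, flags components whose version falls inside a
known-vulnerable range, and blocks the install on critical/high findings.
All data below is constructed; the CVE-style ids are placeholders.
"""
import json
import re

# Constructed SBOM in the CycloneDX JSON shape (only the fields used here).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "modbus-lib", "version": "3.1.2"},
    {"type": "library", "name": "net-helper", "version": "0.9.4"},
    {"type": "library", "name": "tls-core",   "version": "1.2.0"},
    {"type": "application", "name": "plc-tools", "version": "4.0"}
  ]
}
"""

# Constructed vulnerability list: 'affected_from' is inclusive, 'fixed_in' exclusive.
VULN_DB = [
    {"id": "CVE-PLACEHOLDER-1", "name": "modbus-lib", "affected_from": "3.0.0", "fixed_in": "3.1.5", "severity": "critical"},
    {"id": "CVE-PLACEHOLDER-2", "name": "net-helper", "affected_from": "0.1.0", "fixed_in": "0.9.0", "severity": "high"},
    {"id": "CVE-PLACEHOLDER-3", "name": "tls-core",   "affected_from": "1.1.0", "fixed_in": "1.2.3", "severity": "medium"},
]

# Severities that stop the install until the vendor supplies a fixed build.
BLOCKING_SEVERITIES = {"critical", "high"}


def parse_version(text):
    """Turn '3.1.2' into (3, 1, 2); non-numeric parts are dropped so tuples compare."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(version, vuln):
    """True when version lies in [affected_from, fixed_in)."""
    v = parse_version(version)
    return parse_version(vuln["affected_from"]) <= v < parse_version(vuln["fixed_in"])


def check_sbom(sbom_text, vuln_db, blocking=BLOCKING_SEVERITIES):
    """Match every SBOM component against the vulnerability list.

    Returns the findings and whether the install is allowed under the
    severity policy; anything blocking must be resolved before onboarding.
    """
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        for vuln in vuln_db:
            if vuln["name"] == comp["name"] and is_affected(comp["version"], vuln):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "id": vuln["id"],
                    "severity": vuln["severity"],
                    "fixed_in": vuln["fixed_in"],
                })
    install_allowed = not any(f["severity"] in blocking for f in findings)
    return {"findings": findings, "install_allowed": install_allowed}


if __name__ == "__main__":
    report = check_sbom(SBOM_JSON, VULN_DB)
    for f in report["findings"]:
        print(f"{f['severity']:>8}  {f['component']} {f['version']}  {f['id']}  fixed in {f['fixed_in']}")
    print("install allowed:", report["install_allowed"])
```

The version comparison is deliberately simple (numeric fields only) so that it runs with no third-party packages; for vendor builds that use letter suffixes or date-based versions, match on the exact version string the vendor's advisory names instead of a range.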

Pro Tip: The “Witness” Rule. IACS E26 suggests that critical software changes should be witnessed. The ETO should not just hand over the keys; they should watch the process to ensure no “any-to-any” rules are added to the firewall for “temporary testing” and forgotten.
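Witnessing the change is the primary control, but the ETO can also verify afterwards that no any-to-any rule survived. The script below is an added example and not part of the playbook: it takes the firewall rule export from before the visit and the one from after, lists the rules that were added or removed, and flags any allow rule whose source and destination are both “any”. The rules are constructed sample data in a hypothetical normalised dict form; a real export would first be parsed from the appliance's own syntax into this shape.

```python
"""Firewall ruleset audit after a vendor visit (added example, not from the playbook).

Compares the pre- and post-service rule exports, reports added and removed
rules, and flags any-to-any allow rules. Rules are constructed sample data in
a hypothetical normalised form, not a real appliance export.
"""

# Values firewalls commonly use to mean "any"; extend for the appliance in use.
ANY_VALUES = {"any", "*", "0.0.0.0/0", "::/0"}

# Constructed pre-service export.
RULES_BEFORE = [
    {"id": 10, "src": "10.10.1.0/24", "dst": "10.10.2.5", "proto": "tcp", "dport": "502",
     "action": "allow", "comment": "SCADA to PLC"},
    {"id": 90, "src": "any", "dst": "any", "proto": "any", "dport": "any",
     "action": "deny", "comment": "default deny"},
]

# Constructed post-service export: one supervised rule and one "temporary testing" hole.
RULES_AFTER = [
    RULES_BEFORE[0],
    {"id": 12, "src": "10.10.9.7", "dst": "10.10.2.5", "proto": "tcp", "dport": "102",
     "action": "allow", "comment": "vendor via jump server"},
    {"id": 15, "src": "any", "dst": "any", "proto": "any", "dport": "any",
     "action": "allow", "comment": "temporary testing"},
    RULES_BEFORE[1],
]


def _is_any(value):
    return str(value).strip().lower() in ANY_VALUES


def _key(rule):
    """Content of a rule, ignoring id and comment, so an edited rule shows as changed."""
    return (rule["src"], rule["dst"], rule["proto"], rule["dport"], rule["action"])


def is_any_to_any_allow(rule):
    """An allow rule with both endpoints open; a default-deny any/any is fine."""
    return rule["action"] == "allow" and _is_any(rule["src"]) and _is_any(rule["dst"])


def audit_rules(before, after):
    """Diff two rule exports and flag the rules the witness rule is meant to catch."""
    before_keys = {_key(r) for r in before}
    after_keys = {_key(r) for r in after}
    return {
        "added_rule_ids": sorted(r["id"] for r in after if _key(r) not in before_keys),
        "removed_rule_ids": sorted(r["id"] for r in before if _key(r) not in after_keys),
        "any_to_any_allow": sorted(r["id"] for r in after if is_any_to_any_allow(r)),
        # Rules whose comment admits they were meant to be temporary.
        "temporary_rules": sorted(r["id"] for r in after
                                  if "temp" in r.get("comment", "").lower()),
    }


if __name__ == "__main__":
    for key, value in audit_rules(RULES_BEFORE, RULES_AFTER).items():
        print(f"{key}: {value}")
```

Rule 15 lands in both the any-to-any and the temporary lists, which is exactly the "added for testing and forgotten" case the witness rule describes; rule 12 appears only as an added rule, which the ETO reconciles against the Service Entry Permit. Because rules are compared by content rather than by id, a rule the vendor widened in place shows up as one removal plus one addition instead of disappearing from the diff.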

Compliance Documentation Previews


Implementation tools for IACS UR E27 §5. Use these assets to verify third-party toolsets and enforce the “Zero Trust” gangway policy.

TAG-OT-SEP-02: Service Entry Permit
TAG-OT-VND-02: OEM Pre-Arrival Letter
TAG-OT-XLS-03: Sanitization Checklist
TAG-OT-SOP-03: Media Sanitization SOP

Compliance: Media Scanning (E27)

IACS UR E27 Requirement: All external media must be scanned before connection to the System Under Consideration (SuC). Use the Media Sanitization SOP included in this kit to ensure your crew follows a consistent, auditable process for verifying OEM hardware.
