Part of the PROTECT Playbook
Phase: Protect | All vessels
Satisfies: E26 · IMO ISM Code §9 · BIMCO v5

Secure Space & Physical Access

This guide defines the physical security requirements for spaces housing critical OT infrastructure — including locked access, tamper-evident seals, visitor supervision and surveillance — as required for Category II and III systems.

In maritime OT, the “Perimeter” isn’t just a firewall; it’s a locked door. If an unauthorized person can physically touch a PLC or a switch, they can bypass all digital security by performing a factory reset or “man-in-the-middle” attack.

Defining the Secure Space

A Secure Space is any area housing critical OT infrastructure, such as the Bridge, ECR, or dedicated Server Rooms. To satisfy a class surveyor, the ETO must prove that these areas are not just “off-limits” by policy, but secured by physical barriers.

Administrative Controls

  • Access Logs: Maintain a logbook for visitors (vendors/contractors) entering the Server Room.
  • Key Management: Keys to OT cabinets must be kept in a secure locker, never left in the cabinet door.

Technical Controls

  • Cabinet Security: All racks must be locked. Use tamper-evident seals for remote outstations.
  • Port Security: Physically block unused RJ45 ports in public areas with plastic port locks.

Tamper Detection & Surveillance

Since 24/7 physical guarding of every PLC cabinet is impossible, we rely on evidence of tampering and tiered access controls.

Asset Location    | Protection Method                        | Audit Evidence
------------------|------------------------------------------|-----------------------------
Navigation Bridge | Restricted Area Signage & Crew Oversight | Bridge Log Entry
ECR Server Rack   | RFID Card or Physical Lock               | Electronic Access Log
Remote I/O Boxes  | Tamper-Evident Security Seals            | Monthly Inspection Checklist

Monthly Physical Security Walkthrough

  • Verify all OT rack doors are closed and locked.
  • Check for “Ghost” USB drives or unauthorized cables in Bridge/ECR consoles.
  • Ensure CCTV (if present) covers the entrance to the main server hub.

Pro Tip: The “Port Lock” Rule. In public spaces like the mess room or passenger lounges, any network jack is a risk. If it’s not in use, plug it with a physical RJ45 blocker that requires a proprietary key to remove.

Visitor & Non-Technical Access Control

E26 §4.2.4.3.2 requires that visitors — port officials, port agents, Class surveyors, PSC officers, chandlers, and any other non-crew personnel — are supervised or restricted when in spaces housing Category II and III systems. This is a separate requirement from service engineer access (covered in the Supply Chain playbook) and applies to anyone who enters an OT space without a technical role.

Who this applies to

  • Port state control (PSC) officers
  • Port agents and harbour officials
  • Class society surveyors
  • Flag state inspectors
  • Ship chandlers and suppliers
  • Any visitor with no assigned technical task

The two permitted approaches

  • Supervision: A crew member accompanies the visitor throughout their time in any OT space — never leaving them unattended near CBS
  • Restriction: The visitor is physically prevented from entering the OT space entirely — door remains locked, access not granted

Visitor Type                         | Approach                                            | Required Evidence
-------------------------------------|-----------------------------------------------------|--------------------------------------------------------------------------
PSC / Flag State Inspector           | Supervised — ETO or Chief Eng escorts throughout    | Visitor log entry with name, organisation, time in/out, escorting officer
Class Surveyor                       | Supervised — ETO accompanies during CBS inspection  | Visitor log entry + survey record reference
Port Agent / Chandler                | Restricted — no access to Bridge server area or ECR | Visitor log entry confirming access was not granted to OT spaces
Shipyard / Contractor (non-CBS work) | Supervised if work is near OT spaces                | Visitor log entry + work permit reference

Visitor Log — Minimum Required Fields

  • Full name and organisation of visitor
  • Purpose of visit
  • Areas accessed or confirmed restricted
  • Time on board — arrival and departure
  • Name of escorting or responsible officer
  • Visitor signature (where practicable)

Surveyor tip: A PSC officer inspecting your SMS cyber annex will ask to see the visitor log. An empty log does not mean no visitors — it means no controls. A well-maintained log covering the last 12 months with consistent entries is strong evidence of a functioning physical access programme.
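A check of a visitor log against the minimum fields and the supervised/restricted rules in the tables above, as an added example and not a playbook template: the short visitor-type labels, the entry field names and the three sample entries are assumptions constructed for this example.

```python
from datetime import datetime

# OT spaces named in this guide; entering one requires an escort or is prohibited outright.
OT_SPACES = {"bridge", "ecr", "server room"}
# Visitor type -> permitted approach, per the table above. The short type labels are an
# assumption of this example, not labels used by the playbook.
REQUIRED_APPROACH = {
    "psc": "supervised", "flag_state": "supervised", "class_surveyor": "supervised",
    "contractor": "supervised", "port_agent": "restricted", "chandler": "restricted",
}
# Minimum fields from the list above; the signature is "where practicable", so it only warns.
MANDATORY_FIELDS = ("name", "organisation", "purpose", "arrival", "departure", "officer")

def check_entry(entry: dict) -> list[str]:
    """Return findings for one visitor log entry; an empty list means the entry passes."""
    findings = [f"missing field: {f}" for f in MANDATORY_FIELDS if not str(entry.get(f, "")).strip()]
    ot_entered = {a.lower() for a in entry.get("areas_accessed", [])} & OT_SPACES
    approach = REQUIRED_APPROACH.get(entry.get("visitor_type", ""))
    if approach is None:
        findings.append(f"unknown visitor type: {entry.get('visitor_type')!r}")
    elif approach == "restricted" and ot_entered:
        findings.append(f"restricted visitor recorded inside OT space(s): {sorted(ot_entered)}")
    elif approach == "supervised" and ot_entered and not str(entry.get("officer", "")).strip():
        findings.append("supervised visitor in OT space without escorting officer recorded")
    try:
        if datetime.fromisoformat(entry["departure"]) < datetime.fromisoformat(entry["arrival"]):
            findings.append("departure before arrival")
    except (KeyError, TypeError, ValueError):
        findings.append("arrival/departure missing or not ISO-8601 timestamps")
    if not entry.get("signature"):
        findings.append("warning: no visitor signature (acceptable only where impracticable)")
    return findings

def audit_log(entries: list[dict]) -> dict[int, list[str]]:
    """Run check_entry over a whole log; keys are 1-based entry numbers that have findings."""
    return {i: f for i, e in enumerate(entries, 1) if (f := check_entry(e))}

# Constructed sample log: entry 1 is compliant, entry 2 puts a chandler in the ECR,
# entry 3 records a class surveyor in the ECR with no escorting officer.
SAMPLE_LOG = [
    {"name": "A. Inspector", "organisation": "Port State Control", "visitor_type": "psc",
     "purpose": "SMS cyber annex inspection", "areas_accessed": ["Bridge", "ECR"],
     "arrival": "2024-03-04T09:00", "departure": "2024-03-04T11:30", "officer": "ETO", "signature": "AI"},
    {"name": "B. Supplier", "organisation": "Chandler Co", "visitor_type": "chandler",
     "purpose": "stores delivery", "areas_accessed": ["Galley", "ECR"],
     "arrival": "2024-03-05T14:00", "departure": "2024-03-05T15:00", "officer": "2/E", "signature": "BS"},
    {"name": "C. Surveyor", "organisation": "Class", "visitor_type": "class_surveyor",
     "purpose": "CBS survey", "areas_accessed": ["ECR"],
     "arrival": "2024-03-06T10:00", "departure": "2024-03-06T12:00", "officer": "", "signature": "CS"},
]
```

Running audit_log(SAMPLE_LOG) before a PSC visit surfaces the entries a surveyor would flag, so gaps are fixed in the log discipline rather than discovered during the inspection.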

Compliance Documentation

Templates supporting local control documentation and IRP integration.

  • TAG-OT-LOG-04: Visitor & Port Official Log
  • TAG-OT-LOG-06: Threat Mapping Matrix
CBS Network Risk Assessor

Physical access controls are a recognised compensating measure under IACS E26 §3.2. The CBS Risk Assessor factors in the physical location and access level of each component — if your OT equipment is in a restricted ECR or server room, that reduces the assessed severity of network-layer findings accordingly.
