Phase: Protect | All vessels
Satisfies: E27, IEC 62443, IMO MSC-FAL.1, BIMCO v5

UPS & Power Integrity

This guide covers the power resilience requirements for in-scope computer-based systems, ensuring that security state is maintained during power transitions and that critical CBS continue operating during outages. Under IACS UR E27 §4.1, suppliers must specify and document the power supply requirements and backup duration for every CBS they deliver — the shipowner is responsible for implementing those requirements aboard the vessel.

A maritime UPS is more than a battery backup — it is a power conditioner and a security continuity device. It protects sensitive OT hardware from the voltage spikes and frequency fluctuations common during heavy weather or large motor starts (bow thrusters, cargo pumps). More importantly from a cyber perspective, it prevents the firewall, core switch, and IDS sensor from rebooting during a brief power interruption — which would create a window of zero network visibility and zero access control enforcement.

Critical UPS specifications — maritime grade requirements

Standard consumer UPS units are not sufficient for maritime OT security infrastructure. The following specifications are required for CBS covered under E27.

1 — Double-conversion (online)

The UPS must continuously convert AC to DC and back to AC. This ensures zero transfer time during a blackout — the firewall and switches never see a power interruption because the UPS output is always active, not switched in on failure.

2 — Managed SNMP monitoring

Every security UPS must have a network management card configured to send SNMP traps to the AMS and syslog server on battery health degradation, input power loss, overload, and low battery — before the next blackout, not during it.

3 — Maritime environmental rating

UPS units in the ECR must be rated for the marine environment — IEC 60945 or equivalent. This covers humidity, temperature range, vibration, and EMI tolerance. Consumer rack UPS units will fail in ECR conditions within months.

Security infrastructure load management

The ETO must verify that the security UPS is not overloaded. A UPS carrying non-security loads will have reduced runtime during a blackout — potentially insufficient to bridge the gap before the emergency generator comes online. Keep the security UPS dedicated to security and connectivity assets only.

| Allowed on security UPS | NOT allowed — use separate UPS or main power |
|---|---|
| Main OT firewalls and iDMZ gateway | Desktop monitors and printers |
| Core managed OT switches | Non-critical Cat I CBS workstations |
| IDS sensors and centralised syslog server | Cabin power outlets and personal device chargers |
| NTP time server | Crew Wi-Fi access points |
| ECDIS and bridge navigation CBS (Cat III) | Non-essential office servers |
| GMDSS communications equipment | Cargo CCTV systems (unless security-classified) |

Runtime calculation — bridging to emergency generator

The UPS must provide sufficient runtime to bridge the gap between main power loss and emergency generator pickup. SOLAS requires the emergency generator to start and assume load within 45 seconds — the UPS must sustain the security infrastructure for at least this period with a safety margin.

Step 1 — Calculate total load
Sum the nameplate wattage of every device on the security UPS. Add 20% headroom for startup surges. This is your minimum UPS VA rating.
Step 2 — Determine required runtime
Minimum 90 seconds for SOLAS emergency generator pickup plus 60 seconds safety margin. Target: 5 minutes minimum for security infrastructure UPS.
Step 3 — Verify at commissioning and annually
UPS battery capacity degrades over time. Perform a full load discharge test annually — not just a battery health indicator check. Log the actual runtime achieved.
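The load and runtime checks above can be run against the UPS coverage register. The following is an added example, not part of the original guide: it applies the allowed/not-allowed split, the 20% headroom rule, the 5-minute runtime target, and the 60–70% and 80% load thresholds from the quarterly checklist. Device names, wattages and the UPS rating are constructed sample values.

```python
from dataclasses import dataclass

HEADROOM = 0.20         # Step 1: startup-surge headroom on summed nameplate load
LOAD_TARGET_PCT = 70.0  # quarterly checklist: run at no more than 60-70%
LOAD_LIMIT_PCT = 80.0   # quarterly checklist: above 80% is insufficient headroom
MIN_RUNTIME_S = 300     # Step 2: 5-minute target for the security UPS

@dataclass
class Load:
    name: str
    watts: float    # nameplate wattage
    security: bool  # True if the device is in the "allowed" column

def audit_security_ups(loads, ups_rating, tested_runtime_s):
    """Return (load_pct, findings). Follows the guide in comparing summed
    nameplate watts directly with the UPS rating; power factor is not modelled."""
    findings = [f"non-security load on security UPS: {l.name}"
                for l in loads if not l.security]
    total_w = sum(l.watts for l in loads)
    required = total_w * (1 + HEADROOM)
    if required > ups_rating:
        findings.append(f"UPS undersized: need {required:.0f}, rated {ups_rating}")
    load_pct = round(100 * total_w / ups_rating, 1)
    if load_pct > LOAD_LIMIT_PCT:
        findings.append(f"load {load_pct}% exceeds {LOAD_LIMIT_PCT}% limit")
    elif load_pct > LOAD_TARGET_PCT:
        findings.append(f"load {load_pct}% above {LOAD_TARGET_PCT}% target")
    if tested_runtime_s < MIN_RUNTIME_S:
        findings.append(f"tested runtime {tested_runtime_s}s below {MIN_RUNTIME_S}s")
    return load_pct, findings

# Constructed sample register; device names and wattages are illustrative.
SAMPLE_LOADS = [
    Load("OT firewall", 150, True),
    Load("Core OT switch", 120, True),
    Load("IDS sensor", 200, True),
    Load("Syslog server", 250, True),
    Load("NTP time server", 30, True),
    Load("Crew Wi-Fi access point", 25, False),
]

if __name__ == "__main__":
    pct, issues = audit_security_ups(SAMPLE_LOADS, ups_rating=1000, tested_runtime_s=240)
    print(f"load {pct}%")
    for issue in issues:
        print(" -", issue)
```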

Battery health verification — quarterly checklist

Battery health indicators on the UPS management card are not sufficient for compliance evidence. These physical checks are required quarterly and the results must be logged.

Check battery age against replacement schedule — Most marine-grade VRLA batteries have a 3–5 year service life. A battery within 6 months of its replacement date must be flagged for replacement before the next annual survey regardless of health indicator status.
Verify SNMP trap delivery to AMS and syslog — Generate a test event from the UPS management card and confirm the trap arrives in the syslog within 60 seconds. A UPS that cannot send alerts is providing no early warning capability.
Check load percentage on UPS display or management card — Security UPS should be running at no more than 60–70% of rated capacity. Above 80% load leaves insufficient headroom for startup surges and reduces battery runtime significantly.
Verify firmware version against OEM baseline — UPS management cards have firmware that can contain vulnerabilities. Check the installed version against the OEM’s current release. A UPS management card on outdated firmware is a network-connected device with an unpatched attack surface.
Confirm UPS management interface credentials are non-default — The SNMP community string must not be “public” or “private”. The web interface username and password must not be manufacturer defaults. These are among the most commonly found default credentials on vessel networks.

Blackout drill verification

During a “dead ship” drill, the ETO must confirm the resilience chain. The firewall uptime log is the evidence — a system restart entry means the UPS failed to bridge the transition.

  1. T-0 — main power lost: UPS takes over immediately. Firewall status must remain ACTIVE with no restart. Check firewall uptime counter — it must not reset.
  2. T+10s — UPS on battery: SNMP trap should have arrived in the syslog indicating “on battery” status. If no trap received, the SNMP monitoring has failed — log as a finding.
  3. T+30–45s — emergency generator starts: UPS transfers back to AC charging. Confirm transfer was smooth — no voltage spike on the UPS output that could cause CBS instability.
  4. Post-drill verification: Check firewall uptime log, switch uptime, and syslog server continuity. Log actual battery runtime achieved and compare against the required 5-minute minimum. Any CBS that restarted during the drill must be investigated — either the UPS load exceeded capacity or the UPS itself has a fault.
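The drill evidence can be evaluated mechanically once the syslog extract and uptime readings are collected. The following is an added example, not part of the original guide: it checks that the "on battery" trap arrived within 10 seconds of T-0, that no uptime counter reset, and that the logged runtime meets the 5-minute minimum. The syslog line layout, hostnames and readings are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

TRAP_DEADLINE = timedelta(seconds=10)  # T+10s: "on battery" trap expected in syslog
MIN_RUNTIME_S = 300                    # required 5-minute minimum

def parse_line(line):
    """Split an assumed '<ISO-8601 time> <host> <message>' syslog line."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg

def evaluate_drill(t0, syslog_lines, ups_host, uptimes, runtime_s):
    """Return a list of findings; an empty list means the drill passed.
    uptimes maps device -> (uptime seconds before T-0, uptime seconds after drill)."""
    findings = []
    traps = [ts for ts, host, msg in map(parse_line, syslog_lines)
             if host == ups_host and "on battery" in msg.lower() and ts >= t0]
    if not traps:
        findings.append("no 'on battery' trap in syslog: SNMP monitoring failed")
    elif min(traps) - t0 > TRAP_DEADLINE:
        delay = (min(traps) - t0).total_seconds()
        findings.append(f"'on battery' trap arrived late ({delay:.0f}s after T-0)")
    for device, (before, after) in sorted(uptimes.items()):
        if after < before:  # counter reset, so the device rebooted
            findings.append(f"{device} restarted during drill (uptime {after}s)")
    if runtime_s < MIN_RUNTIME_S:
        findings.append(f"battery runtime {runtime_s}s below {MIN_RUNTIME_S}s")
    return findings

# Constructed drill evidence; hostnames, messages and values are illustrative.
T0 = datetime.fromisoformat("2025-03-14T10:00:00+00:00")
SAMPLE_SYSLOG = [
    "2025-03-14T09:59:58+00:00 fw-ot-01 kernel: link state ok",
    "2025-03-14T10:00:04+00:00 ups-sec-01 snmptrap: UPS on battery",
    "2025-03-14T10:00:41+00:00 ups-sec-01 snmptrap: UPS input power restored",
]
SAMPLE_UPTIMES = {"fw-ot-01": (864000, 864600), "sw-core-01": (432000, 95)}

if __name__ == "__main__":
    for finding in evaluate_drill(T0, SAMPLE_SYSLOG, "ups-sec-01", SAMPLE_UPTIMES, 330):
        print("FINDING:", finding)
```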

E27 documentation requirements

UPS coverage is part of the power supply specification that E27 vendors must provide per §4.1. The shipowner must document how those requirements are implemented aboard the vessel for the CSDD.

| Document | Required content | Filed in |
|---|---|---|
| UPS coverage register | List of every CBS and its UPS assignment — make, model, rated runtime, actual tested runtime, and battery replacement date | CBS Register — CSDD Appendix |
| Blackout drill log | Date, systems tested, actual runtime achieved, any CBS that restarted, pass/fail outcome, ETO sign-off | SMS records — submitted to DPA annually |
| Battery replacement record | Date replaced, battery type and specification, installer, post-replacement runtime test result | MoC log — CBS Register updated |
| UPS firmware version log | Current firmware version on each UPS management card — updated in the software register after each firmware update | Software and firmware register — CSDD §4.2.3 |
