Part of the PROTECT Playbook

Crew Changeover & Identity Handover

Regulatory Context: IACS UR E27 (Section 4.2.1) mandates that every user must be uniquely identified. This module outlines the procedure for the revocation of access for departing personnel and the provisioning of new identities, ensuring a continuous and secure audit trail.

In the maritime industry, the rotation of crew is a constant. However, if digital identities are not managed during these transitions, the vessel’s security posture degrades rapidly. “Account Pollution”—where dozens of old accounts remain active—is a primary target for attackers and a major “Critical Finding” during Class Surveys.

The Changeover Risk: Shared Identities

The “Ghost” Admin

Departing officers who retain remote access credentials or physical tokens pose a significant “Insider Threat” risk, whether accidental or intentional.

Audit Trail Collapse

If the new ETO (Electro-Technical Officer) uses the old ETO’s login, forensic logs become useless: you cannot prove who changed a critical cooling setpoint if everyone uses the same ‘Admin’ account.

The Formal Handover Protocol

To satisfy E26/E27 requirements, the digital handover must be documented in the ship’s Safety Management System (SMS).

Action Step           | Responsibility    | Verification
Access Revocation     | Departing Officer | Confirm deletion/disabling of personal OT accounts.
Token Transfer        | Master / ETO      | Physical handover of YubiKeys or “Break-Glass” Envelopes.
Identity Provisioning | New Officer       | Creation of unique credentials and first-time password change.

Handover Verification Checklist
Revoke Remote Access First

The departing officer’s ZTNA or VPN access must be terminated the moment they leave the gangway.

Inventory of Master Keys

Audit the physical cabinet keys and ensure all “Break-Glass” envelopes are intact and have not been tampered with.

Update the Assets Register

The new ETO must sign off that they have taken control of the “Cyber Security Management” folder on the Ship’s Server.

Legacy Tip: On older vessels where you are forced to use a shared “ENGINE_ROOM” login for a local HMI, the handover must include a mandatory password rotation. Even if you can’t have unique users, you can ensure that the old crew no longer knows the current password.
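As an added worked example (not part of the playbook), a small Python audit that turns an account inventory and the crew lists into the ordered handover actions described in the protocol table, the checklist and the Legacy Tip above: remote revocations first, stale accounts from earlier rotations flagged as account pollution, shared logins such as the legacy ENGINE_ROOM account queued for a password rotation, and joiners without unique credentials queued for provisioning. The inventory, account names, systems and action labels are constructed for illustration and assume nothing about a particular vessel's systems.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]  # crew member who holds the login; None for a shared account
    system: str
    remote: bool          # reachable over ZTNA/VPN from shore?

# Constructed sample inventory for this example (not a real vessel's data).
INVENTORY = [
    Account("j.smith", "J. Smith", "Ship Server", True),
    Account("j.smith-hmi", "J. Smith", "Cooling HMI", False),
    Account("a.perez", "A. Perez", "Ship Server", True),
    Account("m.ito", "M. Ito", "Ship Server", True),       # owner left two rotations ago
    Account("ENGINE_ROOM", None, "Legacy ER HMI", False),  # shared local login
    Account("admin", None, "Cooling HMI", False),          # shared 'Admin' login
]

def handover_actions(inventory, onboard, departing, joining):
    """Return ordered (action, username, reason) tuples for one crew changeover.

    onboard: crew aboard after the changeover (joining included); departing: crew
    leaving on this rotation; joining: arrivals who still need unique credentials.
    Remote revocations come first ('Revoke Remote Access First'), then local ones;
    accounts owned by someone neither aboard nor departing are account pollution
    from earlier rotations; every shared login gets a password rotation because
    the departing crew still know it.
    """
    remote, local, pollution, shared, provision = [], [], [], [], []
    for acct in inventory:
        if acct.owner is None:
            shared.append(("ROTATE_PASSWORD", acct.username,
                           f"shared login on {acct.system}: departing crew know it"))
        elif acct.owner in departing:
            (remote if acct.remote else local).append(("REVOKE", acct.username,
                f"{acct.owner} departing: {'remote' if acct.remote else 'local'} access on {acct.system}"))
        elif acct.owner not in onboard:
            pollution.append(("DISABLE", acct.username,
                              f"owner {acct.owner} no longer aboard (account pollution)"))
    for name in sorted(joining):
        if not any(acct.owner == name for acct in inventory):
            provision.append(("PROVISION", name,
                              "create unique credentials; force first-login password change"))
    return remote + local + pollution + shared + provision

if __name__ == "__main__":
    for action, who, why in handover_actions(INVENTORY, {"A. Perez", "K. Nair"}, {"J. Smith"}, {"K. Nair"}):
        print(f"{action:16} {who:14} {why}")
```

The returned list is the order the checklist expects the work to happen in, so it can be signed off line by line in the SMS handover record.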

Next Security Phase

Industrial DMZ (iDMZ) Deployment: Building the OT Security Air-Lock
