Part of the PROTECT Playbook

Crew Changeover & Identity Handover

Regulatory Context: IACS UR E27 (Section 4.2.1) mandates that every user must be uniquely identified. This module outlines the procedure for the revocation of access for departing personnel and the provisioning of new identities, ensuring a continuous and secure audit trail.

In the maritime industry, the rotation of crew is a constant. However, if digital identities are not managed during these transitions, the vessel’s security posture degrades rapidly. “Account Pollution”—where dozens of old accounts remain active—is a primary target for attackers and a major “Critical Finding” during Class Surveys.

The Changeover Risk: Shared Identities

The biggest risk during a crew change is the temptation to hand over a single shared “Chief Eng” or “ETO” login. While this seems efficient, it creates a blind spot in the vessel’s safety management. Without unique identities, you lose the ability to verify who performed a specific action, which is a requirement for both security and insurance liability.

The “Ghost” Admin

Departing officers who retain remote access credentials (ZTNA/VPN) or hardware tokens pose a significant risk. If their home computer is compromised months later, an attacker has a direct, valid “identity” to enter your ship’s engine room.

Audit Trail Collapse

When multiple people use one ‘Admin’ account, forensic logs become legally useless. In the event of an accident, you cannot prove if a change was made by the current ETO, the one who left last week, or a remote vendor.

The Formal Handover Protocol

To satisfy E26/E27 requirements, the digital handover must be documented in the ship’s Safety Management System (SMS).

Action Step           | Responsibility    | Verification
Access Revocation     | Departing Officer | Confirm deletion of personal OT accounts and termination of ZTNA/Remote access.
Identity Provisioning | New Officer       | Creation of unique credentials and first-time password change on Level 2/3 assets.
Credential Validation | Joint Review      | Incoming officer performs test logins to AMS and Firewall prior to predecessor departure.

Access Revocation Checklist

Execute these steps to ensure IACS compliance before the signing-off officer leaves the vessel:

  • Step 1: Edge Gateway (ZTNA/VPN) — Revoke the officer’s unique certificate in the shore portal.
  • Step 2: Windows OT Workstations — Disable user accounts in Local Users & Groups.
  • Step 3: HMI / SCADA Systems — Remove the user from ‘Admin/Engineer’ groups in the AMS console.
  • Step 4: Network Switches — Rotate SSH/Console credentials if unique accounts aren’t used.
  • Step 5: Physical Assets — Collect hardware tokens and verify “Break-Glass” seals are intact.

Handover Verification Checklist

Revoke Remote Access

The departing officer’s ZTNA or VPN access must be terminated the moment they leave the gangway to prevent “Ghost Admin” risks.

Live Credential Validation

Test login to critical systems (AMS, Firewall, Switches) to ensure the incoming ETO has functional control before the handover is complete.

Inventory of Master Keys

Audit physical cabinet keys and ensure all “Break-Glass” envelopes are intact and have not been tampered with.

Ghost Account Audit

Review account lists on all OT workstations. Any account belonging to crew off-contract for >30 days must be disabled.

Legacy Tip: On older vessels with shared “ENGINE_ROOM” logins, the handover must include a mandatory password rotation. Even without unique users, this ensures the old crew no longer has access.
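The Ghost Account Audit and the shared-login rotation rule above, as an added example that is not part of the TAGSIA playbook: a Python audit that cross-references a crew manifest against account exports from OT workstations, flags enabled accounts whose owner has been off-contract for more than 30 days for disablement, and flags logins not traceable to one crew member (legacy shared or built-in accounts) for password rotation and review. All hostnames, login names and dates are constructed sample data.

```python
"""Ghost-account audit over OT workstation account exports (constructed data).

Rules from the playbook: an enabled account whose owner has been off-contract
for more than 30 days is disabled; a login not traceable to one crew member
(shared or built-in) gets a password rotation and review (E27 4.2.1 requires
unique identification).
"""
from datetime import date

GHOST_THRESHOLD_DAYS = 30  # from the Ghost Account Audit rule (>30 days)

# Constructed crew manifest: login -> (rank, sign-off date or None if onboard)
CREW_MANIFEST = {
    "j.lindqvist": ("ETO", date(2024, 3, 2)),    # signed off well over 30 days ago
    "m.okafor": ("2nd Eng", date(2024, 4, 20)),  # signed off recently
    "a.santos": ("ETO", None),                   # currently onboard
}

# Constructed account export from two OT hosts: (hostname, login, enabled)
ACCOUNT_EXPORT = [
    ("AMS-HMI-01", "j.lindqvist", True),
    ("AMS-HMI-01", "a.santos", True),
    ("AMS-HMI-01", "ENGINE_ROOM", True),    # legacy shared login, not in manifest
    ("FW-MGMT-01", "m.okafor", True),
    ("FW-MGMT-01", "j.lindqvist", False),   # already disabled, nothing to do
    ("FW-MGMT-01", "Administrator", True),  # built-in, not a crew identity
]

SHARED_FINDING = "shared or built-in login, not traceable to one person"

def audit_accounts(accounts, manifest, today, threshold_days=GHOST_THRESHOLD_DAYS):
    """Return audit-log rows (host, login, finding, required action)."""
    findings = []
    for host, login, enabled in accounts:
        if not enabled:
            continue  # disabled accounts are already compliant
        if login not in manifest:
            findings.append((host, login, SHARED_FINDING, "rotate password and review"))
            continue
        _, signed_off = manifest[login]
        if signed_off is None:
            continue  # owner is onboard, account is legitimate
        days_off = (today - signed_off).days
        if days_off > threshold_days:
            findings.append((host, login, f"off-contract {days_off} days", "disable"))
    return findings

def audit_as_of(today_iso, accounts=ACCOUNT_EXPORT, manifest=CREW_MANIFEST):
    """Run the audit for an ISO date string, e.g. the handover date."""
    return audit_accounts(accounts, manifest, date.fromisoformat(today_iso))
```

Each returned row is one line for the account identity audit log; an account that appears in the manifest as onboard, or that is already disabled, produces no finding.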

Unlock Full Compliance & Intelligence

Upgrade to the TAGSIA Pro Bundle to get all 40+ fillable documents, editable SOPs, and unlimited access to our real-time Threat Intel feed, CVE Library, and Vendor Advisories.

