Part of the PROTECT Playbook ← Return to Hub

Crew Changeover & Identity Handover

Regulatory Context: IACS UR E27 (Section 4.2.1) mandates that every user must be uniquely identified. This module outlines the procedure for the revocation of access for departing personnel and the provisioning of new identities, ensuring a continuous and secure audit trail.

In the maritime industry, the rotation of crew is a constant. However, if digital identities are not managed during these transitions, the vessel’s security posture degrades rapidly. “Account Pollution”—where dozens of old accounts remain active—is a primary target for attackers and a major “Critical Finding” during Class Surveys.

The Changeover Risk: Shared Identities

The biggest risk during a crew change is the temptation to pass over a single “Chief Eng” or “ETO” login. While this seems efficient, it creates a blind spot in the vessel’s safety management. Without unique identities, you lose the ability to verify who performed a specific action, which is a requirement for both security and insurance liability.

The “Ghost” Admin

Departing officers who retain remote access credentials (ZTNA/VPN) or hardware tokens pose a significant risk. If their home computer is compromised months later, an attacker has a direct, valid “identity” to enter your ship’s engine room.

Audit Trail Collapse

When multiple people use one ‘Admin’ account, forensic logs become legally useless. In the event of an accident, you cannot prove if a change was made by the current ETO, the one who left last week, or a remote vendor.

The Formal Handover Protocol

To satisfy E26/E27 requirements, the digital handover must be documented in the ship’s Safety Management System (SMS).

Action Step Responsibility Verification
Access Revocation Departing Officer Confirm deletion of personal OT accounts and termination of ZTNA/Remote access.
Identity Provisioning New Officer Creation of unique credentials and first-time password change on Level 2/3 assets.
Credential Validation Joint Review Incoming officer performs test logins to AMS and Firewall prior to predecessor departure.
Handover Verification Checklist
Revoke Remote Access

The departing officer’s ZTNA or VPN access must be terminated the moment they leave the gangway to prevent “Ghost Admin” risks.

Live Credential Validation

Test login to critical systems (AMS, Firewall, Switches) to ensure the incoming ETO has functional control before the handover is complete.

Inventory of Master Keys

Audit physical cabinet keys and ensure all “Break-Glass” envelopes are intact and have not been tampered with.

Ghost Account Audit

Review account lists on all OT workstations. Any account belonging to crew off-contract for >30 days must be disabled.

Legacy Tip: On older vessels with shared “ENGINE_ROOM” logins, the handover must include a mandatory password rotation. Even without unique users, this ensures the old crew no longer has access.

Next Section

Industrial DMZ (iDMZ) Deployment: Building the OT Security Air-Lock

Industrial DMZ (iDMZ) Deployment: The Security Air-Lock Requirement: This module details the deployment of a "Neutral Zo...

Scroll to Top