Crew Changeover & Identity Handover
This guide provides a structured process for revoking departing crew credentials and provisioning new identities during crew rotation, preventing account accumulation and maintaining a clean audit trail.
In the maritime industry, the rotation of crew is a constant. However, if digital identities are not managed during these transitions, the vessel’s security posture degrades rapidly. “Account Pollution”—where dozens of old accounts remain active—is a primary target for attackers and a major “Critical Finding” during Class Surveys.
The Changeover Risk: Shared Identities
The biggest risk during a crew change is the temptation to hand over a single “Chief Eng” or “ETO” login. While this seems efficient, it creates a blind spot in the vessel’s safety management. Without unique identities, you lose the ability to verify who performed a specific action, which is a requirement for both security and insurance liability.
The “Ghost” Admin
Departing officers who retain remote access credentials (ZTNA/VPN) or hardware tokens pose a significant risk. If their home computer is compromised months later, an attacker has a direct, valid “identity” to enter your ship’s engine room.
Audit Trail Collapse
When multiple people use one ‘Admin’ account, forensic logs become legally useless. In the event of an accident, you cannot prove whether a change was made by the current ETO, the one who left last week, or a remote vendor.
The Formal Handover Protocol
To satisfy E26/E27 requirements, the digital handover must be documented in the ship’s Safety Management System (SMS).
Access Revocation Checklist
Execute these steps to ensure IACS compliance before the signing-off officer leaves the vessel:
- Step 1: Edge Gateway (ZTNA/VPN) — Revoke the officer’s unique certificate in the shore portal.
- Step 2: Windows OT Workstations — Disable user accounts in Local Users & Groups.
- Step 3: HMI / SCADA Systems — Remove the user from ‘Admin/Engineer’ groups in the AMS console.
- Step 4: Network Switches — Rotate SSH/Console credentials if unique accounts aren’t used.
- Step 5: Physical Assets — Collect hardware tokens and verify “Break-Glass” seals are intact.
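A post-handover verification of the checklist above, as an added example that is not part of the original guide: it reconciles per-system account exports against the crew list and flags enabled accounts of signed-off officers, shared role logins, and accounts that belong to no one on board. The account names, the tuple layout of the exports and the finding labels (GHOST, SHARED, ORPHAN) are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample data. System names mirror the checklist steps; the
# account names and the export layout are assumptions, not a real format.
ONBOARD = {"a.larsen", "m.santos"}            # crew currently signed on
SIGNED_OFF = {"j.petrov"}                     # officers who have left the vessel
SHARED_NAMES = {"admin", "chiefeng", "eto"}   # role logins, not individuals
ACCOUNTS = [  # (system, account, enabled)
    ("ztna", "j.petrov", True),         # certificate not yet revoked
    ("ztna", "a.larsen", True),
    ("windows-ot", "j.petrov", False),  # correctly disabled
    ("windows-ot", "ETO", True),        # shared role login
    ("windows-ot", "k.old", True),      # left over from an earlier rotation
    ("ams-hmi", "j.petrov", True),      # still in an engineer group
    ("ams-hmi", "m.santos", True),
    ("switch", "admin", True),          # shared credential, needs rotation
]

class Finding(NamedTuple):
    kind: str     # GHOST, SHARED or ORPHAN
    system: str
    account: str

def audit(accounts, onboard, signed_off, shared=SHARED_NAMES):
    """Return sorted findings for every enabled account that breaks the protocol."""
    findings = []
    for system, account, enabled in accounts:
        if not enabled:
            continue  # a disabled account satisfies the revocation step
        name = account.lower()  # compare case-insensitively across systems
        if name in signed_off:
            kind = "GHOST"      # departed officer still has live access
        elif name in shared:
            kind = "SHARED"     # no individual accountability in the logs
        elif name not in onboard:
            kind = "ORPHAN"     # account pollution: owner unknown
        else:
            continue
        findings.append(Finding(kind, system, name))
    return sorted(findings)

def handover_clear(findings):
    """True only when no signed-off officer still holds enabled access."""
    return not any(f.kind == "GHOST" for f in findings)

if __name__ == "__main__":
    results = audit(ACCOUNTS, ONBOARD, SIGNED_OFF)
    for f in results:
        print(f"{f.kind:<7}{f.system:<12}{f.account}")
    print("Handover clear:", handover_clear(results))
```

The printed findings can be attached to the handover record in the SMS as evidence that the checklist was verified rather than only executed.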
The specific regulatory requirements this playbook satisfies. Use these references when preparing for Class survey or responding to a surveyor's checklist.
