MFA Implementation for Maritime OT
Regulatory Context: IACS UR E26 (Section 4.2.3) mandates Multi-Factor Authentication (MFA) for all untrusted or remote network connections. This module addresses the technical challenge of implementing MFA in "offline" or high-latency maritime environments.
Passwords alone are no longer sufficient to protect critical shipboard systems. Multi-Factor Authentication (MFA) adds a second, independent factor: something you know (a password) plus something you have (a token). However, SMS codes and app push notifications both depend on a live link to shore, so they often fail mid-ocean for lack of cellular signal or because of VSAT latency. Time-based codes (TOTP) and hardware keys do not share this dependency.
The “Disconnected” Challenge
VSAT Latency Issues
Cloud-based, push-style MFA (for example a Microsoft Authenticator approval prompt) depends on a round trip to a shore-side service. Over a satellite link that round trip can exceed the prompt's timeout, so the approval never registers and the user is sent back to the password screen, a "login loop" that locks ETOs out of their own systems.
Zero-Signal Zones
Many OT locations, such as ship engine rooms, are RF-hostile environments: steel structures and shielding block cellular and Wi-Fi signals. Even when a vessel has Wi-Fi, specific OT workstations may have no reliable cellular or wireless coverage, making any MFA method that needs a smartphone to receive a message impractical or unusable.
Recommended Maritime MFA Methods
To remain compliant with E26 while ensuring operational safety, we prioritize Offline-capable MFA methods:
| Method | Connectivity Need | Use Case |
|---|---|---|
| FIDO2 Hardware Keys (e.g. YubiKey) | None (Offline); the verifying system, such as the firewall or a LAN identity server, must hold the registered public key | Best for: Admin access to Firewalls and AMS Servers. |
| TOTP Tokens (Time-based codes, hardware token or authenticator app) | None (Offline); requires the verifier's clock to be within one time step of the token's, so sync shipboard clocks from a GNSS-disciplined NTP source | Best for: ETO access to Engineering Workstations. |
| Local Auth Server (e.g. RADIUS or LDAP on the ship LAN) | LAN Only | Best for: Fleet-wide identity management on newbuilds. |
Next Security Phase
Crew Changeover & Identity Handover
Regulatory Context: IACS UR E27 (Section 4.2.1) mandates that every user must be uniquely identified. This module outlines the procedure for the revocation of access for departing personnel and the provisioning of ...
