
MFA Implementation for Maritime OT

Regulatory Context: IACS UR E26 (Section 4.2.3) mandates Multi-Factor Authentication (MFA) for all untrusted or remote network connections. This module addresses the technical challenge of implementing MFA in “Offline” or high-latency maritime environments.

Passwords alone are no longer sufficient to protect critical shipboard systems. Multi-Factor Authentication (MFA) adds a second layer of verification—something you know (password) and something you have (a token). However, traditional SMS-based or App-based codes often fail mid-ocean due to lack of cellular signal or VSAT latency.

The “Disconnected” Challenge

Implementing MFA at sea is difficult because most modern solutions assume a constant, low-latency connection to a cloud server (Microsoft, Google, or Okta). On a vessel, two major technical hurdles exist:

The Time-Sync (NTP) Trap

Most MFA apps use TOTP (Time-based One-Time Passwords). If the vessel’s internal clock drifts by just 60 seconds relative to the “real world” due to a lack of NTP synchronization, the codes generated by the app will be rejected by the server, effectively deadlocking the system while the ship is mid-voyage.

The Steel Cage (RF-Hostility)

Ship engine rooms and lower decks act as Faraday Cages. Requiring an ETO to receive an SMS or a “Push” notification on a smartphone is impossible in these zones. Without a physical hardware-based alternative, the security measure becomes an operational blocker.

Recommended Maritime MFA Methods

To remain compliant with E26 while ensuring operational safety, we prioritize Offline-capable MFA methods:

Method                              | Connectivity Need | Use Case
FIDO2 Hardware Keys (e.g. YubiKey)  | None (Offline)    | Best for: Admin access to Firewalls and ZTNA Gateways. Immune to clock drift.
TOTP Tokens (Authenticator Apps)    | None (Offline)    | Best for: ETO access. Note: Requires NTP Sync between vessel and device.
Push Notifications                  | High (Satellite)  | Best for: Shore-side superintendents (not recommended for onboard crew).

ETO Implementation Checklist
Mandatory Remote MFA

Per IACS E26, all connections from untrusted networks (WAN/OEM/Crew) to OT must be brokered by MFA. No exceptions for service vendors.

NTP Synchronization

Verify all OT servers are synced to the vessel’s GPS master clock. TOTP-based tokens will fail if the server time drifts more than 30-60 seconds.
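To make the Time-Sync (NTP) Trap above and this 30-60 second figure concrete, the following is an added example (not code from the playbook or any vendor): a minimal RFC 6238 TOTP generator and verifier in Python, plus a small simulation of how often a device clock that is ahead of or behind the server gets rejected when the server accepts one step either side. The secret is the RFC 4226/6238 test-vector key, a constructed value, and the instant in time is constructed as well.

```python
import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 time step, in seconds
DIGITS = 6
WINDOW = 1    # server accepts the current step plus one step either side (a common default)

# Constructed demo secret: the RFC 4226/6238 test-vector key, not a real enrolment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the device's own clock."""
    return hotp(secret, int(unix_time) // STEP)


def verify(secret: bytes, code: str, server_time: float, window: int = WINDOW) -> bool:
    """Server-side check: accept if the code matches any step within +/- window of the server clock."""
    t = int(server_time) // STEP
    return any(hmac.compare_digest(hotp(secret, t + k), code)
               for k in range(-window, window + 1))


def rejection_rate(secret: bytes, drift_seconds: int, window: int = WINDOW) -> float:
    """Fraction of instants within one time step at which a device whose clock is
    ahead of the server by drift_seconds (negative = behind) gets its code rejected."""
    base = 1_700_000_000 - (1_700_000_000 % STEP)   # constructed instant, aligned to a step boundary
    rejected = sum(
        not verify(secret, totp(secret, base + i + drift_seconds), base + i, window)
        for i in range(STEP)
    )
    return rejected / STEP


if __name__ == "__main__":
    for drift in (0, 30, 45, 60, -60):
        print(f"drift {drift:+4d}s -> rejected {rejection_rate(DEMO_SECRET, drift):.0%} of the time")
```

With a one-step window, 30 seconds of drift is always tolerated, 45 seconds fails about half the time, and 60 seconds or more fails every time, which is why the vessel's OT servers and the crew's token devices both need a common time source such as the GPS master clock.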

Hardware Redundancy

For every primary hardware key (Yubikey), a backup key must be registered and stored in the Captain’s safe for emergency recovery.

Offline Recovery Path

Document a “Break-Glass” procedure for MFA bypass that can be executed if the authentication server itself fails while the vessel is mid-ocean.

Advisor Tip: The Jump Server Strategy. On older vessels that do not support MFA natively, implement a “Security Gateway.” The ETO authenticates via MFA to a hardened Windows Jump Host, which then allows access to the legacy PLC network.
