Phase: Protect · All vessels
Satisfies: E26, E27, IMO MSC-FAL.1

Remote Access: The Digital Gangway

This guide implements session-based access control for all remote connections, ensuring every OEM or shore-side session is explicitly approved by crew, time-limited, fully logged, and terminable at any moment. Under IACS UR E26 §4.2.6, all remote access to CBS must be controlled, monitored, and logged — and the vessel must be able to terminate any session immediately.

On a modern vessel, OEMs and shore-side technicians require access to HMIs for troubleshooting and maintenance. An unsecured VPN or a forgotten remote desktop session is a permanent, unmonitored entry point into the OT network. Security is not about blocking access — it is about controlling the gate. Every session must be vessel-initiated, time-limited, supervised, and logged.

The four non-negotiable access control principles

Vessel-initiated only

The connection must be started by the ETO on the vessel. Shore-side or OEM personnel must never be able to initiate a connection without an explicit vessel-side action first.

MFA required

Static passwords alone are not acceptable. All remote logins to any CBS must require a second factor — TOTP app, hardware token, or FIDO2 key. Password-only access is a Class finding under E26 §4.2.6.

Time-limited

Access is granted for a specific window defined in the SEP — typically 2–4 hours. The ETO sets a timer and terminates the session at the agreed end time regardless of whether the vendor has finished.

Supervised & logged

The ETO or a designated officer must be present and monitoring screen activity throughout the session. Every action taken by the remote party must be logged in TAG-OT-LOG-03.

The Service Entry Permit — SEP workflow

Every remote access session must be preceded by a completed SEP. No SEP — no connection. This is not bureaucracy — it is the audit trail that proves the session was authorised and controlled.

1. OEM or shore-side team submits access request — Minimum 24 hours in advance where possible. Request must specify: system to be accessed, reason for access, duration required, name and company of technician, and whether any configuration changes are planned.
2. ETO reviews and Master approves — ETO confirms the request is technically valid and the access scope is appropriate. Master gives operational approval. For Cat III system access, DPA awareness is required. Complete TAG-OT-SEP-01 (OT Access Request Form).
3. ETO enables access — vessel-side only — Either enable the firewall kill-switch rule or physically connect the vendor gateway. Record the exact time access was enabled in TAG-OT-LOG-03. The remote party cannot initiate the connection before this step.
4. ETO supervises the session in real time — The ETO or designated officer watches the screen throughout. If the remote party attempts to access a system not listed on the SEP, the session is terminated immediately and the deviation logged as a security event.
5. ETO terminates the session — never relies on vendor logout — At the agreed end time, the ETO disables the firewall rule or disconnects the physical cable. Do not wait for the vendor to log out — terminate from the vessel side and verify the session is closed.

Implementing the OT kill-switch

There are two methods for maintaining a default-off posture for remote access. The choice depends on the vessel’s network architecture — both are valid, both must be documented in the CSDD.

The physical air-gap

The vendor gateway or jump-host is physically disconnected from the OT switch until the moment access is required. The ETO plugs in the cable, the session runs, the ETO unplugs it. No cable = no breach. This method works even if the firewall has a misconfiguration — the physical disconnect is absolute.

The logical firewall kill-switch

A specific firewall rule labelled “OEM-REMOTE-ACCESS” is maintained in a disabled state. The ETO toggles it on after the SEP is signed, and toggles it off at session end. This method requires the firewall configuration to be verified against the known-good baseline after every session — a toggled rule that was not re-disabled is a security gap.

ETO best practice — closing the gate

Never rely on the vendor to log out. To satisfy IACS UR E26 §4.2.6 audit requirements, the ETO must verify session termination through all three steps:

  • Hard kill: Manually disable the firewall rule or pull the physical bridge cable at the agreed session end time.
  • Verification: Refresh the HMI user list and check the firewall active sessions table to confirm no active sessions remain. A session that shows as terminated on the vendor side may still have an active tunnel on the firewall.
  • Audit entry: Timestamp the actual end time in TAG-OT-LOG-03 — not the planned end time. If the session ended 20 minutes early because the work was complete, log the actual time.
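The verification step above can be scripted as a post-session check. The following is an added example, not part of the original guide: it compares a firewall rule export with the known-good baseline and inspects the active sessions table. The export layout (lists of dicts with `name`, `enabled`, `rule`, `src`, `dst`) and the sample data are assumptions; only the rule label “OEM-REMOTE-ACCESS” comes from this guide.

```python
# Added example: post-session "gate closed" check.
# The export format is an assumption; map the keys to what your firewall emits.
KILL_SWITCH_RULE = "OEM-REMOTE-ACCESS"  # rule label used in this guide

def gate_findings(baseline_rules, current_rules, active_sessions):
    """Return a list of findings; an empty list means the gate is closed."""
    findings = []
    base = {r["name"]: r for r in baseline_rules}
    curr = {r["name"]: r for r in current_rules}

    # Compare every rule with the known-good baseline, not only the kill-switch.
    for name in sorted(set(base) | set(curr)):
        if name not in curr:
            findings.append(f"{name}: in baseline, missing from current config")
        elif name == KILL_SWITCH_RULE and curr[name].get("enabled"):
            findings.append(f"{name}: still enabled after session end")
        elif name not in base:
            findings.append(f"{name}: not in baseline")
        elif base[name] != curr[name]:
            findings.append(f"{name}: differs from baseline")

    # A tunnel can outlive the vendor's logout, so check the firewall's own table.
    for s in active_sessions:
        if s.get("rule") == KILL_SWITCH_RULE:
            findings.append(f"active session {s['src']} -> {s['dst']} still open")
    return findings

# Constructed sample data (documentation addresses, not a real vessel).
BASELINE = [
    {"name": "OEM-REMOTE-ACCESS", "enabled": False,
     "src": "192.0.2.10", "dst": "10.20.0.5", "port": 3389},
    {"name": "DENY-ALL-INBOUND", "enabled": True,
     "src": "any", "dst": "any", "port": "any"},
]
# State after a session where the rule was never toggled back off.
CURRENT = [dict(BASELINE[0], enabled=True), BASELINE[1]]
SESSIONS = [{"rule": "OEM-REMOTE-ACCESS", "src": "192.0.2.10", "dst": "10.20.0.5"}]

if __name__ == "__main__":
    for finding in gate_findings(BASELINE, CURRENT, SESSIONS):
        print("FINDING:", finding)
```

An empty result is the condition for writing the actual end time into TAG-OT-LOG-03; any finding means the gate is still open or the configuration has drifted.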

Session log — required fields (TAG-OT-LOG-03)

Every remote access session must generate a log entry. The log is the primary Class evidence that access was controlled — a session that happened but was not logged is treated as an uncontrolled access event at survey.

| Field | What to record | Why it matters |
|---|---|---|
| SEP reference number | TAG-OT-SEP-01 form number for this session | Links the log entry to the pre-approved request |
| Remote party name & company | Full name, company, and role of person accessing the system | Identifies who was given access — essential for incident investigation |
| System accessed | CBS name, system ID, and criticality category | Confirms access was limited to the approved scope |
| Session start / end time (UTC) | Exact times — not planned times. Record when access was actually enabled and when it was terminated | Establishes the window of potential exposure for any subsequent incident |
| Actions performed | Summary of what the remote party did — configuration changes, diagnostics, firmware updates | Creates audit trail for MoC compliance — any config change needs a MoC entry |
| Termination method | Firewall rule disabled / physical cable removed / session timeout | Confirms vessel-side termination — not vendor logout |
| ETO sign-off | ETO name and signature confirming the session was supervised throughout | Confirms the E26 §4.2.6 supervision requirement was met |
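Where the log is kept electronically, the required fields can be checked against the approved SEP before the entry is filed. This is an added example, not part of the original guide or its forms: the dictionary keys, the SEP record layout (`ref`, `systems`, `max_hours`) and the sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical keys, one per row of the required-fields table.
REQUIRED = ("sep_ref", "remote_party", "system", "start_utc", "end_utc",
            "actions", "termination_method", "eto_signoff")
# Termination methods the table accepts; a vendor logout is not one of them.
VESSEL_SIDE = {"firewall rule disabled", "physical cable removed", "session timeout"}

def check_log_entry(entry, sep):
    """Return the problems found in one log entry, checked against its SEP."""
    problems = [f"missing field: {f}" for f in REQUIRED if not entry.get(f)]
    if problems:
        return problems
    if entry["sep_ref"] != sep["ref"]:
        problems.append("SEP reference does not match the approved request")
    if entry["system"] not in sep["systems"]:
        problems.append(f"system {entry['system']} is outside the SEP scope")
    start = datetime.fromisoformat(entry["start_utc"])
    end = datetime.fromisoformat(entry["end_utc"])
    # Naive timestamps or non-zero offsets are rejected: the log requires UTC.
    if start.utcoffset() != timedelta(0) or end.utcoffset() != timedelta(0):
        problems.append("start/end times are not explicit UTC")
    elif end <= start:
        problems.append("end time is not after start time")
    elif end - start > timedelta(hours=sep["max_hours"]):
        problems.append("session ran longer than the SEP window")
    if entry["termination_method"].lower() not in VESSEL_SIDE:
        problems.append("termination method is not vessel-side")
    return problems

# Constructed sample data (not from a real vessel or a real form).
SEP = {"ref": "SEP-EXAMPLE-001", "systems": {"BALLAST-HMI"}, "max_hours": 4}
GOOD = {"sep_ref": "SEP-EXAMPLE-001",
        "remote_party": "A. Tech, Example OEM, service engineer",
        "system": "BALLAST-HMI", "start_utc": "2024-01-10T08:02:00+00:00",
        "end_utc": "2024-01-10T10:41:00+00:00", "actions": "Diagnostics only",
        "termination_method": "Firewall rule disabled", "eto_signoff": "ETO (name)"}
BAD = dict(GOOD, system="PMS-SERVER", end_utc="2024-01-10T13:30:00+00:00",
           termination_method="Vendor logged out")

if __name__ == "__main__":
    for label, e in (("good", GOOD), ("bad", BAD)):
        print(label, check_log_entry(e, SEP))
```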

Owner-scope devices connected to vendor-certified OT networks carry their own E27 compliance obligations — including documented patch status, authentication controls, and a formal security baseline. The CBS Risk Assessor flags owner-scope devices that lack a documented posture and tells you exactly what the surveyor will ask for.

Compliance documentation

Standardised templates for managing remote access. All forms are free with a registered account.

  • TAG-OT-SEP-01: OT Access Request Form
  • TAG-OT-LOG-03: Remote Access Log
  • TAG-OT-SOP-05: Kill-Switch Config
  • TAG-OT-CHK-01: Post-Session Audit
