Part of the PROTECT Playbook

OS Hardening & Service Disabling

Regulatory Context: IACS UR E27 (Section 4.3.1) mandates the hardening of all OT hosts. This involves the removal of unnecessary software and the deactivation of non-essential services to reduce the “Attack Surface” of critical shipboard systems.

Every active service or open port on an HMI (Human Machine Interface) is a potential vulnerability. “Hardening” is the process of stripping away everything that isn’t required for the vessel’s operation. If an AMS workstation never needs to print a document, the “Print Spooler” service should not only be stopped but have its startup type set to “Disabled”, so it cannot be started again at the next boot.

The Principle: Minimalist Computing

Modern operating systems are built for general-purpose convenience, shipping with hundreds of background processes designed for office environments or home use. In a maritime OT environment, these services represent “technical debt” that increases the risk of exploitation. Hardening transforms a standard Windows or Linux installation into a Single-Purpose Asset. By ensuring the OS only does what is strictly necessary to run the SCADA or Navigation software, we create a predictable environment where any unexpected process becomes immediately obvious during a security audit.

Reducing the Attack Surface

By disabling 10 unnecessary services, you remove 10 potential entry points for malware to gain “System” level privileges on your bridge computer. Fewer services mean fewer patches to manage.

Performance & Stability

On older, legacy hardware found in Engine Control Rooms, OS hardening frees up critical CPU and RAM, making monitoring applications more responsive and reducing the risk of “blue screen” crashes.

Top Services to Disable in Maritime OT

Unless specifically required for the system’s function, the following services should be set to “Disabled” in the Windows Service Manager (services.msc):

Service Name            | Risk Category         | Why Disable?
Print Spooler           | Remote Code Execution | Frequent “PrintNightmare” style exploits allow full system takeover via the network.
Remote Registry         | Unauthorized Config   | Allows users (or malware) to modify system registry settings from across the network.
Windows Error Reporting | Information Leakage   | Attempts to send technical data/crash logs over VSAT, wasting bandwidth and leaking info.
Bluetooth Support       | Physical Proximity    | Prevents unauthorized wireless peripherals from connecting to assets in the ECR.

ETO Hardening Workflow

Remove Non-Essential Software

Uninstall any bloatware, games, or trial software that came with the PC. If it’s not the AMS application, it shouldn’t be there.

Disable Default Shared Folders

Disable administrative shares (C$, ADMIN$) to prevent lateral movement via SMB exploits.

Host-Based Firewall

Enable the local Windows Firewall and set it to “Block All” incoming traffic except for the specific ports used by the PLC/SCADA software.

Advisor Tip: The “Test-then-Lock” Rule. Hardening can sometimes break old OEM software. Always perform hardening on a backup or a clone of the system first. Verify that all alarms and signals still work before applying the changes to the live production asset.
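The workflow above as an added PowerShell example (not the playbook’s own tooling): it audits the four services from the table, the administrative shares, and the host firewall, and only changes anything when run with -Apply, which fits the “Test-then-Lock” rule. It assumes the Windows service short names shown and uses TCP 502 (Modbus/TCP) as a stand-in for the ports the PLC/SCADA vendor actually documents for the asset.

```powershell
# Added example, not the playbook's own tooling. Run in an elevated (Administrator) PowerShell.
# Default mode only audits (Test-then-Lock); -Apply makes the changes.
# Assumptions: the service short names below; TCP 502 (Modbus/TCP) stands in for the
# ports the PLC/SCADA vendor documents for this asset. Substitute the real list.
param(
    [switch]$Apply,
    [int[]]$AllowedInboundTcpPorts = @(502)
)

# Short names of the services from the table above:
# Print Spooler, Remote Registry, Windows Error Reporting, Bluetooth Support Service
$ServicesToDisable = 'Spooler', 'RemoteRegistry', 'WerSvc', 'bthserv'
foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "[skip] $name not installed"; continue }
    if ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped') {
        Write-Output "[ok]   $name already disabled"; continue
    }
    Write-Output "[todo] $name is $($svc.Status)/$($svc.StartType) -> Stopped/Disabled"
    if ($Apply) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue   # stop it now ...
        Set-Service  -Name $name -StartupType Disabled                  # ... and keep it off after reboot
    }
}

# Administrative shares (C$, ADMIN$) are recreated by LanmanServer on every start
# unless AutoShareWks (workstation) / AutoShareServer (server) is set to 0.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($valueName in 'AutoShareWks', 'AutoShareServer') {
    $current = (Get-ItemProperty -Path $lanman -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq 0) { Write-Output "[ok]   $valueName = 0"; continue }
    Write-Output "[todo] $valueName is '$current' -> 0 (effective after LanmanServer restarts)"
    if ($Apply) { Set-ItemProperty -Path $lanman -Name $valueName -Value 0 -Type DWord }
}

# Host firewall: every profile on with default inbound Block, then explicit allow rules only
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -eq 'Block') { Write-Output "[ok]   profile $($p.Name)"; continue }
    Write-Output "[todo] profile $($p.Name): Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}
if ($Apply) {
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
    foreach ($port in $AllowedInboundTcpPorts) {
        $ruleName = "OT allow inbound TCP $port"
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Allow | Out-Null
        }
    }
}
```

Run it once without -Apply on the clone, confirm every [todo] line is expected and that alarms and signals still work after applying there, and only then run it with -Apply on the production asset.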
