Part of the PROTECT Playbook

OT Password Policy & RBAC

Regulatory Context: This module details the implementation of IACS UR E27 (Section 4.2). It focuses on the transition from static, shared credentials to a structured Identity and Access Management (IAM) framework suitable for Marine environments.

Onboard a vessel, the greatest vulnerability isn’t always a complex exploit; it is often the “admin/admin” default login on a ballast control HMI or a network switch. Hardening these identities is a mandatory step for E27 Type Approval and Class Surveys.

The Challenge: Balancing Security and Safety

Maritime OT presents a unique conflict: Cyber security demands friction (passwords, MFA), while Marine safety demands immediacy. If a propulsion alarm sounds, an engineer cannot spend 30 seconds typing a complex password just to acknowledge it.

The Legacy Constraints

Marine PLCs often lack central credential management. The result is “Credential Drift”: every vendor ships its own passwords, so the crew ends up writing them on post-it notes stuck to the screens, negating the security effort entirely.

The Safety Paradox

Class requirements (UR E27) mandate lockout policies. However, a locked screen on a Dynamic Positioning (DP) console during a storm is a life-safety risk. We solve this by separating “View” from “Control.”

1. Implementing RBAC (Role-Based Access Control)

Access is granted based on the “Principle of Least Privilege.” We categorize users into three tiers:

  • Operator Level: Read-only. Access to AMS monitoring and alarm views. No configuration rights.
  • Engineer Level (ETO/Ch. Eng): Permission to modify setpoints and perform routine maintenance.
  • Admin/Service Level (OEM): Full configuration and firmware rights. These accounts remain disabled until a permit-to-work is issued.

2. Tiered Complexity Standards

We apply a tiered approach based on the device’s position within the Purdue Model.

Asset Class                                   Access Method         Lockout Policy          Rotation Trigger
Tier 1: Monitoring (ECDIS, AMS View)          No Login Required     None (Always Visible)   N/A
Tier 1: Infrastructure (Firewalls, Gateways)  12+ Chars (Complex)   5 Attempts / 15-Min     Quarterly
Tier 2: Control HMI (Ballast, Machinery)      6-Digit PIN           10-min Idle Lock        Annually
Tier 4: Remote (OEM Support)                  16+ Chars + MFA       Immediate Session Kill  Per-Session (OTP)

3. Managing Credentials in Air-Gapped Environments

Because vessels operate in zero-connectivity environments, a Vessel Credential Management Plan is required:

  • Onboard Offline Vault: Utilize an encrypted database (e.g., KeePassXC) stored on a secured workstation in the ETO office.
  • Physical MFA: Use hardware tokens (Yubikeys) for access to the Satellite Terminal and Primary Firewall to prevent credential theft.

ETO & Surveyor Verification Checklist
Default Password Scrub

Audit every IP-addressable OT component. Any instance of “password”, “1234”, or “admin” must be flagged as a Major Non-Conformity.

Verified Functional Persistence

Ensure that for safety-critical systems (AMS/PMS), an inactivity timeout only locks Command & Control functions. The Monitoring/Alarm View must remain visible without requiring a login to ensure the crew can see alarms instantly.
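The View/Control split from the RBAC tiers in section 1, the Tier 2 idle-lock policy in section 2 and the Functional Persistence check above, modelled as an added Python example (not code from the playbook). The class and action names (HmiSession, view_alarms, modify_setpoint, firmware) are assumptions; the point is that the idle timer withdraws control permissions while the alarm view never needs a login, and every control action is written to an audit trail tied to a named user.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IDLE_LOCK_SECONDS = 10 * 60  # Tier 2 Control HMI policy: 10-min idle lock

# Monitoring/alarm views never require a login (Tier 1 Monitoring: always visible).
VIEW_ACTIONS = {"view_alarms", "view_ams"}
# Control actions each role may perform, per the three-tier RBAC above.
ROLE_CONTROL_ACTIONS = {
    "operator": set(),                                    # read-only
    "engineer": {"modify_setpoint", "routine_maintenance"},
    "admin": {"modify_setpoint", "routine_maintenance", "configure", "firmware"},
}


@dataclass
class HmiSession:
    """Hypothetical HMI session model: the idle lock withdraws control, not view."""
    user: Optional[str] = None        # None means nobody is logged in
    role: Optional[str] = None
    last_activity: float = 0.0        # seconds on the HMI clock
    audit: List[Tuple[float, str, str]] = field(default_factory=list)

    def login(self, user: str, role: str, now: float, permit_to_work: bool = False) -> bool:
        """Admin/OEM accounts stay disabled until a permit-to-work is issued."""
        if role == "admin" and not permit_to_work:
            return False
        self.user, self.role, self.last_activity = user, role, now
        return True

    def control_locked(self, now: float) -> bool:
        return self.role is None or now - self.last_activity >= IDLE_LOCK_SECONDS

    def request(self, action: str, now: float) -> bool:
        """Return True if `action` is allowed at time `now`; log control actions."""
        if action in VIEW_ACTIONS:
            return True                   # crew can always see alarms, no login
        if self.control_locked(now):
            return False                  # idle lock blocks Command & Control only
        allowed = action in ROLE_CONTROL_ACTIONS.get(self.role, set())
        if allowed:
            self.last_activity = now      # activity resets the idle timer
            self.audit.append((now, self.user, action))  # E27: trace to individual
        return allowed
```

A surveyor can drive this model with a clock value past the idle threshold and confirm that view requests still succeed while setpoint changes are refused until a fresh login.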

Unique User Identification

Move away from shared accounts. E27 requires that actions can be traced back to a specific individual. Where not technically possible, use a physical access log as a compensating control.

Pro Tip: The Master “Break-Glass” Envelope. Place a physical, sealed envelope in the Captain’s safe containing the “Super-Admin” credentials. If the network fails or the ETO is unavailable, the Master can authorize an emergency override.
