Secure Space & Physical Access
Regulatory Context: IACS UR E26 §4.4 requires that physical access to cyber-system assets (Category II and III) be restricted to authorized personnel only.
In maritime OT, the “Perimeter” isn’t just a firewall; it’s a locked door. If an unauthorized person can physically touch a PLC or a switch, they can bypass all digital security by performing a factory reset or a “man-in-the-middle” attack.
Defining the Secure Space
A Secure Space is any area housing critical OT infrastructure, such as the Bridge, ECR, or dedicated Server Rooms. Access must be controlled and logged.
Administrative Controls
- Access Logs: Maintain a logbook for visitors (vendors/contractors) entering the Server Room or ECR.
- Key Management: Keys to OT cabinets must be kept in a secure locker, not left in the cabinet door.
Technical Controls
- Cabinet Security: All racks must be locked. Use tamper-evident seals for remote outstations.
- Port Security: Physically block unused RJ45 ports in public areas (lounges, cabins) with plastic port locks.
Tamper Detection & Surveillance
Since 24/7 physical guarding of every PLC cabinet is impossible, we rely on evidence of tampering.
| Asset Location | Protection Method | Audit Evidence |
|---|---|---|
| Navigation Bridge | Restricted Area Signage & Crew Oversight | Bridge Log Entry |
| ECR Server Rack | RFID Card or Physical Lock | Electronic Access Log |
| Remote I/O Boxes | Tamper-Evident Security Seals | Monthly Inspection Checklist |
