Part of the PROTECT Playbook ← Return to Hub

Supply Chain & Vendor Security

Regulatory Context: IACS UR E27 (Section 4.5) mandates the management of third-party risks. This includes verifying the integrity of hardware/software delivered to the ship and controlling the tools used by service engineers during onboard visits.

Modern vessels are ecosystems of components from dozens of different manufacturers (OEMs). Each vendor is a potential “backdoor” into your ship. Supply chain security ensures that every piece of software, firmware, or hardware brought onto the gangway is verified before it touches a critical system.

The “Dirty Laptop” Problem

The most common way malware enters a “gapped” OT network is through a service engineer’s toolset. Technicians travel from ship to ship, often connecting their laptops to multiple uncontrolled networks. This creates a “cross-contamination” risk where a virus picked up on a bulk carrier in Asia can be transferred to a tanker in Europe via the technician’s Ethernet cable or USB drive.

Uncontrolled Access

Service engineers often carry laptops that have been connected to multiple ship networks globally. If one of those ships was infected, the laptop acts as a carrier for malware.

Shadow Software

Vendors may install “temporary” remote access tools (like TeamViewer) for convenience during sea trials and forget to remove them, leaving a permanent hole in the firewall.

The Vendor Engagement Protocol

To comply with E27, the Master and ETO must enforce a “Zero Trust” policy for all visiting technicians:

Stage Requirement Enforcement Action
Pre-Arrival Verification of OEM Cyber-Security Status. Request a “Cleanliness Certificate” for service tools.
Onboarding Physical Inspection & Scanning. Scan all vendor USB drives via the “USB Kiosk” (Pillar C).
Active Service Supervised Network Connection. Only allow connection to “Service VLAN”—never Main Bus.
Post-Service Sanitization & Audit. Revoke accounts and verify no new services were left running.
ETO Service Engineer Checklist
No Direct Connections

If possible, provide a “Vessel Laptop” for the vendor to use. If they must use their own, connect them through a Jump Server (Pillar B) to log all actions.

Software Inventory Check

Check the Software Bill of Materials (SBOM). Ensure the vendor is not installing components with known critical vulnerabilities (CVEs).

Pro Tip: The “Witness” Rule. IACS E26 suggests that critical software changes should be witnessed. The ETO should not just hand over the keys; they should watch the process to ensure no “any-to-any” rules are added to the firewall for “temporary testing” and forgotten.

Next Section

Configuration Backups & Golden Images

Configuration Backups & Golden Images Regulatory Context: IACS UR E27 (Section 4.6) mandates the creation and secure sto...

Scroll to Top