Supply Chain & Vendor Security
Regulatory Context: IACS UR E27 (Section 4.5) mandates the management of third-party risks. This includes verifying the integrity of hardware/software delivered to the ship and controlling the tools used by service engineers during onboard visits.
Modern vessels are ecosystems of components from dozens of manufacturers (OEMs), and every vendor relationship is a potential path onto your ship. Supply chain security means that every piece of software, firmware, or hardware that comes up the gangway is verified before it touches a critical system.
The “Dirty Laptop” Problem
Uncontrolled Access
Service engineers often carry laptops that have been connected to many ship networks around the world. If any one of those networks was infected, the laptop can carry the malware to the next vessel it plugs into.
Shadow Software
Vendors may install “temporary” remote access tools (such as TeamViewer) for convenience during sea trials and forget to remove them. Because these tools connect outbound, they leave a permanent, unmanaged remote-access path that bypasses the firewall's inbound rules.
The Vendor Engagement Protocol
To comply with E27, the Master and ETO must enforce a “Zero Trust” policy for all visiting technicians:
| Stage | Requirement | Enforcement Action |
|---|---|---|
| Pre-Arrival | Verification of OEM Cyber-Security Status. | Request a “Cleanliness Certificate” (evidence of a recent malware scan and patch status) for field service tools. |
| Onboarding | Physical Inspection & Scanning. | Scan all vendor USB drives via the “USB Kiosk” (Pillar C). |
| Active Service | Supervised Network Connection. | Only allow connection to the “Service VLAN”—never the Main Bus. |
| Post-Service | Sanitization & Audit. | Revoke temporary accounts and compare the host against its pre-visit baseline to verify no new services, listening ports, or accounts were left behind. |
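The Post-Service audit only works if a baseline exists, so the snapshot must be taken before the engineer connects. The script below is an added example, not part of the original module or of any OEM tooling: it diffs a pre-visit and a post-visit snapshot of a serviced host and reports leftover services, listeners, and accounts, flagging anything that looks like a remote access tool (the “Shadow Software” case above) as HIGH. The snapshot format, the `REMOTE_ACCESS_HINTS`/`REMOTE_ACCESS_PORTS` lists, and the two sample snapshots are all assumptions constructed for the example.

```python
"""Post-service audit: diff a pre-visit baseline against a post-visit snapshot.

Snapshot format (assumed for this example; one item per line, collected with
whatever the host offers, e.g. systemctl/ss on Linux or Get-Service on Windows):
    service <name>
    listen  <proto> <port> <process>
    account <name>
"""
from dataclasses import dataclass

# Assumed name fragments that indicate a remote-access tool; extend for the fleet.
REMOTE_ACCESS_HINTS = ("teamviewer", "anydesk", "vnc", "rdp", "logmein", "rustdesk")
# Assumed ports such tools commonly listen on; verify against OEM documentation.
REMOTE_ACCESS_PORTS = {5938, 5900, 3389, 7070}


@dataclass(frozen=True)
class Snapshot:
    services: frozenset    # enabled/running service names
    listeners: frozenset   # (proto, port, process) tuples
    accounts: frozenset    # local account names


def parse_snapshot(text):
    """Parse the line-oriented snapshot format; reject malformed lines loudly."""
    services, listeners, accounts = set(), set(), set()
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        kind, rest = parts[0], parts[1:]
        if kind == "service" and len(rest) == 1:
            services.add(rest[0])
        elif kind == "listen" and len(rest) == 3:
            listeners.add((rest[0], int(rest[1]), rest[2]))
        elif kind == "account" and len(rest) == 1:
            accounts.add(rest[0])
        else:
            raise ValueError(f"malformed snapshot line: {raw!r}")
    return Snapshot(frozenset(services), frozenset(listeners), frozenset(accounts))


def _looks_like_remote_access(name, port=None):
    lowered = name.lower()
    return any(h in lowered for h in REMOTE_ACCESS_HINTS) or port in REMOTE_ACCESS_PORTS


def audit(baseline, current, temp_accounts):
    """Return a sorted list of (severity, finding, detail) tuples.

    temp_accounts: account names issued to the vendor for this visit; every
    one of them must be gone from the post-service snapshot.
    """
    findings = []
    for svc in current.services - baseline.services:
        sev = "HIGH" if _looks_like_remote_access(svc) else "MEDIUM"
        findings.append((sev, "new_service", svc))
    for svc in baseline.services - current.services:
        # A vendor stopping a protective service (AV, logging) is also a finding.
        findings.append(("MEDIUM", "service_removed", svc))
    for proto, port, proc in current.listeners - baseline.listeners:
        sev = "HIGH" if _looks_like_remote_access(proc, port) else "MEDIUM"
        findings.append((sev, "new_listener", f"{proto}/{port} {proc}"))
    for acct in current.accounts - baseline.accounts:
        kind = "temp_account_not_revoked" if acct in temp_accounts else "unexpected_account"
        findings.append(("HIGH", kind, acct))
    return sorted(findings)


# Constructed sample data: a bridge PC before and after an OEM visit.
PRE_VISIT = """
# baseline taken before the engineer plugged in
service sshd
service ntpd
service ecdis-watchdog
service clamav
listen tcp 22 sshd
listen tcp 502 modbus-gw
account master
account eto
"""

POST_VISIT = """
# snapshot taken at sign-off
service sshd
service ntpd
service ecdis-watchdog
service teamviewerd
listen tcp 22 sshd
listen tcp 502 modbus-gw
listen tcp 5938 teamviewerd
account master
account eto
account svc-oem-tmp
"""


def run_example():
    """Audit the constructed visit; the temp account svc-oem-tmp should be gone."""
    return audit(parse_snapshot(PRE_VISIT), parse_snapshot(POST_VISIT), {"svc-oem-tmp"})


if __name__ == "__main__":
    for severity, finding, detail in run_example():
        print(f"{severity:6} {finding:26} {detail}")
```

An empty finding list is the sign-off condition; any HIGH finding keeps the host off the Main Bus until the ETO has removed the leftover and re-run the audit.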
