Network Port Security & RJ45 Hardening
Requirement: This module addresses the IACS UR E26 (Section 5) mandate for protecting network infrastructure from unauthorized physical access, together with the “tamper-evident” requirements for OT cabinets.
While digital firewalls guard the perimeter, the internal OT network is often “flat” and trusting. An unused RJ45 port on a bulkhead (Ethernet Wall Jack) or an open switch port in an Engine Control Room (ECR) is an open invitation for lateral movement and packet sniffing.
The Reality: Vulnerable Entry Points
The “Shadow” Connection
Crew members or contractors often plug personal laptops or Wi-Fi routers into “spare” OT ports for convenience, inadvertently bridging the OT network to the internet.
Unsecured Cabinets
Many OT switches are housed in unlocked cabinets, allowing unauthorized personnel to bypass software-level security via direct physical access.
The Solution: Multi-Layered Port Hardening
For both newbuilds (E26) and legacy retrofits, the goal is to ensure that a physical connection does not automatically grant network access.
| Control Level | Technical Action | E26/E27 Compliance |
|---|---|---|
| L1: Physical | RJ45 Dust Covers & Port Locks (Physical Key Required) | Mandatory for public/exposed areas. |
| L2: Infrastructure | Administrative “Shutdown” of unused Switch Ports | Requirement for technical hardening of assets. |
| L3: Logical | MAC Address Filtering / 802.1X Authentication | Recommended for critical AMS/ECDIS backbones. |
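The L2 control above (administratively shutting down unused switch ports) is easiest to enforce when it can be audited on a schedule. The script below is an added example, not part of this module or of any vendor tool: it parses a Cisco IOS-style `show interfaces status` listing (the column layout and status keywords are an assumption about that format), flags every port that is still enabled but has nothing connected, and emits the interface stanzas that shut those ports down. The sample listing and the function names are constructed for this example.

```python
# Audit a Cisco-style `show interfaces status` listing and emit the config
# that administratively shuts down every enabled-but-unused port.
STATUS_WORDS = {"connected", "notconnect", "disabled", "err-disabled"}

# Constructed sample, not captured from a real vessel switch.
SAMPLE_STATUS = """\
Port      Name         Status       Vlan  Duplex  Speed  Type
Gi1/0/1   ECDIS-1      connected    10    a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                notconnect   1     auto    auto   10/100/1000BaseTX
Gi1/0/3   AMS server   connected    20    a-full  a-1000 10/100/1000BaseTX
Gi1/0/4                disabled     1     auto    auto   10/100/1000BaseTX
Gi1/0/5   ECR spare    notconnect   20    auto    auto   10/100/1000BaseTX
Gi1/0/6                err-disabled 1     auto    auto   10/100/1000BaseTX
"""

def parse_status(text):
    """Return (port, name, status, vlan) tuples. The Name column may be
    blank, so locate the status keyword rather than trusting column counts."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in STATUS_WORDS), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # blank or unrecognised line
        rows.append((tokens[0], " ".join(tokens[1:idx]), tokens[idx], tokens[idx + 1]))
    return rows

def audit_ports(rows):
    """'shutdown': link down but port still enabled (the live spare port
    this module warns about); 'investigate': err-disabled, so a port-security
    or link fault tripped it; 'ok': connected or already administratively down."""
    findings = {}
    for port, _name, status, _vlan in rows:
        if status == "notconnect":
            findings[port] = "shutdown"
        elif status == "err-disabled":
            findings[port] = "investigate"
        else:
            findings[port] = "ok"
    return findings

def remediation_config(findings, tag="UNUSED-E26-HARDENING"):
    """IOS-style stanzas for every port flagged 'shutdown'."""
    lines = []
    for port in sorted(p for p, f in findings.items() if f == "shutdown"):
        lines += [f"interface {port}", f" description {tag}", " shutdown", "!"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(remediation_config(audit_ports(parse_status(SAMPLE_STATUS))))
```

Ports reported as err-disabled are deliberately left alone: re-enabling them without finding out what tripped them would undo an existing control.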