Marine Protocol Guides

Strategic Protocol Intelligence & Security Research

A comprehensive technical guide to legacy and modern maritime communication protocols. Understand the inherent security gaps in NMEA, Modbus, and IEC standards to better implement segmentation and hardening across the vessel's OT infrastructure.

NMEA 0183 / IEC 61162-1

Architecture
Serial / Text-based
Common Maritime Usage
GPS, Heading, AIS (Serial), Wind sensors, Depth sounders.
The Security Gap
Plain-text communication with no authentication. Data transmitted in ASCII sentences ($GP...) can be spoofed by any device on the line.

Hardening Strategy

Mitigation & Defense-in-Depth
Optical Isolation
Install RS-422 buffers to isolate electrical signals and prevent malicious fault injection.
Physical Integrity
Seal junction boxes and audit cable runs to prevent "vampire taps" or signal sniffers.
61162-450 Migration
Transition to Ethernet-based standards to enable IP-level logging and firewall inspection.
Standard Reference
IACS E26 / IEC 62443 Framework

NMEA 2000 / IEC 61162-3

Architecture
CAN Bus / Binary
Common Maritime Usage
Modern bridge integration, Engine monitoring, Autopilot systems.
The Security Gap
Broadcast-based protocol. No source verification (Source Address can be claimed by any device), allowing PGN spoofing.

Hardening Strategy

Mitigation & Defense-in-Depth
Backbone Segmentation
Use intelligent gateways to isolate steering and propulsion CAN networks from guest or sensor networks.
PGN Filtering
Apply whitelist filters to only allow specific Parameter Group Numbers from verified internal IDs.
Traffic Analysis
Monitor bus load; a spike in "Address Claim" PGNs often indicates a rogue node attempting hijacking.
Standard Reference
IACS E26 / IEC 62443 Framework
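
The PGN Filtering and Traffic Analysis items above, shown as an added example (not part of the original guide or of any vendor gateway). PGN 60928 is the ISO Address Claim PGN; the allowlist, source addresses, burst threshold and capture are constructed assumptions.

```python
from collections import deque

ADDRESS_CLAIM_PGN = 60928  # ISO Address Claim, sent when a node takes an address

def decode_can_id(can_id):
    """Split a 29-bit NMEA 2000 identifier into (priority, pgn, source)."""
    priority = (can_id >> 26) & 0x7
    dp = (can_id >> 24) & 0x1
    pf = (can_id >> 16) & 0xFF
    ps = (can_id >> 8) & 0xFF
    # PDU1 (PF < 240) is addressed: PS is a destination, not part of the PGN.
    pgn = (dp << 16) | (pf << 8) | (ps if pf >= 240 else 0)
    return priority, pgn, can_id & 0xFF

class BusMonitor:
    def __init__(self, allowlist, claim_limit=3, window_s=10.0):
        self.allowlist = allowlist      # {source address: set of permitted PGNs}
        self.claim_limit = claim_limit  # assumed: claims tolerated per window
        self.window_s = window_s
        self.claims = deque()           # timestamps of recent Address Claims

    def inspect(self, ts, can_id):
        """Return findings for one frame; an empty list means forward it."""
        _, pgn, src = decode_can_id(can_id)
        findings = []
        if pgn == ADDRESS_CLAIM_PGN:
            self.claims.append(ts)
            while self.claims and ts - self.claims[0] > self.window_s:
                self.claims.popleft()
            if len(self.claims) > self.claim_limit:
                findings.append(f"address-claim burst: {len(self.claims)} in {self.window_s}s")
        elif pgn not in self.allowlist.get(src, set()):
            findings.append(f"blocked PGN {pgn} from source 0x{src:02X}")
        return findings

# Constructed allowlist and capture: (seconds, 29-bit CAN ID)
ALLOW = {0x10: {127250}, 0x20: {127488}}  # heading sensor, engine gateway
CAPTURE = [
    (0.0, 0x09F11210),  # PGN 127250 from 0x10: allowed
    (0.1, 0x09F20020),  # PGN 127488 from 0x20: allowed
    (0.2, 0x09F11235),  # PGN 127250 from unlisted source 0x35: blocked
    (1.0, 0x18EEFF35), (1.1, 0x18EEFF36), (1.2, 0x18EEFF37), (1.3, 0x18EEFF38),
]

def run(capture=CAPTURE):
    mon = BusMonitor(ALLOW)
    return [(ts, f) for ts, cid in capture for f in mon.inspect(ts, cid)]

if __name__ == "__main__":
    for ts, finding in run():
        print(f"{ts:4.1f}s  {finding}")
```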

IEC 61162-460 Gateway

Architecture
Secure Maritime Gateway
Common Maritime Usage
The isolation point between Navigation (450) and Admin/WAN networks.
The Security Gap
If absent, the Bridge is often "leaked" to the crew Wi-Fi or Office LAN, exposing critical sensors to internet-borne ransomware.

Hardening Strategy

Mitigation & Defense-in-Depth
Zone Forwarding
Deploy a certified 460-Forwarder to isolate secure (Bridge) and non-secure (Admin) network zones.
SFI Collision Detection
Enable SFI monitoring to detect when two devices are spoofing the same System Function Identifier.
IGMP Snooping
Enforce IGMP snooping on all 460-switches to prevent multicast traffic storms from overwhelming navigation displays.
Standard Reference
IACS E26 / IEC 62443 Framework

Modbus TCP

Architecture
Ethernet / IP
Common Maritime Usage
Ballast control, Power Management (PMS), Cargo pumps, HVAC.
The Security Gap
No encryption or passwords. Any device on the network can issue "Write Single Register" commands to toggle valves or breakers.

Hardening Strategy

Mitigation & Defense-in-Depth
VLAN Logic
Physically or virtually isolate PLC networks. The Bridge should never reach the PMS without a firewall.
DPI Filtering
Use OT Firewalls to inspect Modbus payloads, allowing "Read" while blocking "Write" from unauthorized IPs.
Access Control
Restrict engineering workstation access with MFA to prevent lateral movement to the PLC network.
Standard Reference
IACS E26 / IEC 62443 Framework
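
The DPI Filtering rule above ("Read" allowed, "Write" blocked from unauthorized IPs), shown as an added example that is not the guide's or any firewall vendor's code. The function codes come from the Modbus application protocol; the IP addresses, the single-writer policy and the sample requests are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Function codes that change PLC state, per the Modbus application protocol.
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
               0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}
READ_CODES = {0x01, 0x02, 0x03, 0x04}

# Assumption: one engineering workstation is the only authorized writer.
WRITE_ALLOWED = [ip_network("10.20.30.5/32")]

def inspect(src_ip, payload):
    """Return (verdict, reason) for one Modbus TCP request payload."""
    if len(payload) < 8:                      # 7-byte MBAP header + function code
        return "drop", "truncated request"
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        return "drop", "protocol id is not Modbus"
    if length != len(payload) - 6:            # length counts unit id onwards
        return "drop", "MBAP length does not match payload"
    func = payload[7]
    if func in READ_CODES:
        return "allow", f"read (function 0x{func:02X})"
    if func in WRITE_CODES:
        if any(ip_address(src_ip) in net for net in WRITE_ALLOWED):
            return "allow", f"{WRITE_CODES[func]} from authorized source"
        return "drop", f"{WRITE_CODES[func]} from unauthorized {src_ip}"
    return "drop", f"function 0x{func:02X} not on allowlist"

# Constructed requests: (source IP, raw TCP payload)
SAMPLES = [
    ("10.20.40.17", bytes.fromhex("00010000000601030000000A")),  # read 10 registers
    ("10.20.40.17", bytes.fromhex("000200000006010600100001")),  # write register 0x10
    ("10.20.30.5",  bytes.fromhex("000200000006010600100001")),  # same write, workstation
    ("10.20.40.17", bytes.fromhex("0003000000FF010600100001")),  # bad length field
]

def run(samples=SAMPLES):
    return [inspect(ip, raw) for ip, raw in samples]

if __name__ == "__main__":
    for (ip, _), (verdict, reason) in zip(SAMPLES, run()):
        print(f"{ip:12} {verdict:5} {reason}")
```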

Modbus RTU

Architecture
Serial (RS-485)
Common Maritime Usage
Generator controllers, Tank gauging, Battery monitoring.
The Security Gap
Relies on physical serial access. Vulnerable to "Man-in-the-Middle" via unsecured serial-to-ethernet gateways.

Hardening Strategy

Mitigation & Defense-in-Depth
Secure Gateways
Harden serial-to-IP converters. Disable Telnet/HTTP and use SSH or encrypted VPN tunnels.
Memory Protection
Use hardware jumpers on controllers to disable remote writing to safety-critical memory registers.
Periodic Audits
Inspect RS-485 daisy-chains for unrecognized devices or signal-interruption hardware.
Standard Reference
IACS E26 / IEC 62443 Framework

OPC UA

Architecture
Ethernet / M2M Gateway
Common Maritime Usage
Aggregating ship data for Shore-side monitoring and Digital Twins.
The Security Gap
Commonly misconfigured with "SecurityPolicy: None." This transmits sensitive engine telemetry in plain text across the ship.

Hardening Strategy

Mitigation & Defense-in-Depth
X.509 Certificates
Enforce certificate-based authentication for all Client/Server connections to ensure only verified devices connect.
User Auth
Disable "Anonymous" login; require unique credentials for every HMI or monitoring application.
AES-256 Encryption
Mandate Aes256_Sha256_RsaPss security profiles for all data leaving the secure OT environment.
Standard Reference
IACS E26 / IEC 62443 Framework

CANopen

Architecture
Embedded CAN Network
Common Maritime Usage
Deck Machinery, Cranes, Winches, and specialized Steering Gear.
The Security Gap
Simple broadcast protocol with zero built-in security. A local attacker can inject NMT (Network Management) commands to reset nodes.

Hardening Strategy

Mitigation & Defense-in-Depth
Optical Isolation
Use CAN-to-Fiber converters to stop electrical tampering and eliminate grounding noise in deck cables.
NMT Monitoring
Monitor for "Node Guarding" or "Heartbeat" timeouts which indicate an attacker is trying to reset the bus.
Physical Hardening
Secure deck-side junction boxes to prevent the attachment of unauthorized CAN-sniffing hardware.
Standard Reference
IACS E26 / IEC 62443 Framework

PROFIBUS / PROFINET

Architecture
Industrial Fieldbus / Ethernet
Common Maritime Usage
Main Engine Control, Thrusters, Steering Gear (Siemens/ABB).
The Security Gap
Legacy PROFIBUS lacks any encryption. PROFINET (Ethernet) often operates on "flat" networks where one rogue device can flood the RT channel.

Hardening Strategy

Mitigation & Defense-in-Depth
Security Class 1-3
Implement PROFINET Security Classes to enforce signed/encrypted GSDML configuration data.
Conductor Segregation
Physically isolate PROFINET cabling from general IT traffic to prevent cross-talk and sniffing.
Port Lockdown
Disable unused ports on SCALANCE switches to prevent unauthorized local connections in the engine room.
Standard Reference
IACS E26 / IEC 62443 Framework

AIS (Automatic Identification System)

Architecture
RF / VHF Protocol
Common Maritime Usage
Vessel tracking, Collision avoidance, Search and Rescue (SART).
The Security Gap
Unauthenticated radio broadcast. Vulnerable to "Ghost Ship" injection via Software Defined Radio (SDR).

Hardening Strategy

Mitigation & Defense-in-Depth
Cross-Checking
Mandate that bridge officers verify AIS targets against ARPA Radar physical reflections.
Kinematic Filtering
Configure ECDIS to alert when AIS targets exhibit impossible speeds or instant course changes.
SFI Sourcing
Validate AIS data streams at the network entry point using Source Functional Identifiers.
Standard Reference
IACS E26 / IEC 62443 Framework
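
The Kinematic Filtering check above (impossible speeds, instant course changes), shown as an added example; it is not ECDIS vendor code. The thresholds, MMSIs and position reports are constructed assumptions.

```python
import math

MAX_SPEED_KN = 60.0     # assumed ceiling for any surface vessel in the area
MAX_TURN_DEG_S = 5.0    # assumed ceiling for rate of course change under way

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def check_tracks(reports):
    """Return (mmsi, time, kind) alerts for time-ordered position reports."""
    last, alerts = {}, []
    for r in reports:
        prev, last[r["mmsi"]] = last.get(r["mmsi"]), r
        if prev is None:
            continue
        dt = r["t"] - prev["t"]
        if dt <= 0:
            alerts.append((r["mmsi"], r["t"], "timestamp"))
            continue
        # Speed implied by the two positions, independent of the reported SOG.
        implied_kn = distance_nm(prev["lat"], prev["lon"], r["lat"], r["lon"]) * 3600 / dt
        if implied_kn > MAX_SPEED_KN or r["sog"] > MAX_SPEED_KN:
            alerts.append((r["mmsi"], r["t"], "speed"))
        # Smallest angle between successive COG values, per second.
        turn = abs((r["cog"] - prev["cog"] + 180) % 360 - 180) / dt
        if turn > MAX_TURN_DEG_S and r["sog"] > 1.0:  # COG is noisy when stopped
            alerts.append((r["mmsi"], r["t"], "turn"))
    return alerts

def rep(mmsi, t, lat, lon, sog, cog):
    return dict(mmsi=mmsi, t=t, lat=lat, lon=lon, sog=sog, cog=cog)

# Constructed reports (placeholder MMSIs); t in seconds, SOG in knots.
REPORTS = [
    rep(999000001, 0, 51.0, 1.5000, 12, 90),
    rep(999000002, 5, 51.1, 1.6000, 10, 0),
    rep(999000001, 10, 51.0, 1.5009, 12, 91),   # about 12 kn, plausible
    rep(999000002, 15, 51.3, 1.6000, 10, 0),    # 12 nm covered in 10 s
    rep(999000001, 20, 51.0, 1.5018, 12, 270),  # course reversed in 10 s
]

if __name__ == "__main__":
    for alert in check_tracks(REPORTS):
        print(alert)
```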

Bridge / VSAT Terminal

Architecture
Admin Interface / Web
Common Maritime Usage
Primary ship-to-shore connectivity (Cobham, Intellian, Thrane).
The Security Gap
The "Front Door." Often left with default admin credentials or unpatched firmware, allowing remote OT network access.

Hardening Strategy

Mitigation & Defense-in-Depth
MFA Implementation
Enable Multi-Factor Authentication for all terminal management and satellite service portals.
Disable WAN Admin
Turn off administration access from the public WAN interface; restrict to local admin VLAN only.
Regular Patching
Treat VSAT firmware like OS security. Update monthly to close vulnerabilities found in terminal software.
Standard Reference
IACS E26 / IEC 62443 Framework

BACnet / IP

Architecture
Building Automation (UDP)
Common Maritime Usage
Massive HVAC systems, Cabin ventilation, and Lighting control on cruise ships and yachts.
The Security Gap
Designed for open communication. Lacks encryption; an attacker can "Command" fans to stop or override temperature setpoints across the vessel.

Hardening Strategy

Mitigation & Defense-in-Depth
BACnet/SC
Migrate to "Secure Connect" which uses TLS 1.3 to encrypt traffic between controllers and workstations.
UDP Broadcast Limiting
Segment BACnet traffic to its own VLAN to prevent discovery by devices in the Crew or Guest Wi-Fi.
BBMD Hardening
Secure BACnet/IP Broadcast Management Devices to prevent unauthorized cross-subnet communication.
Standard Reference
IACS E26 / IEC 62443 Framework

EtherNet/IP (CIP)

Architecture
Industrial Ethernet (TCP/UDP)
Common Maritime Usage
Cargo handling systems, Ballast control, and Allen-Bradley/Rockwell PLC loops.
The Security Gap
Implicit messaging is unauthenticated. Malicious packets can "Force" IO points, potentially opening ballast valves unexpectedly.

Hardening Strategy

Mitigation & Defense-in-Depth
CIP Security
Enable CIP Security extensions on supported hardware to provide data integrity and sender authentication.
Logic Locking
Use physical keyswitches on PLCs to prevent remote program changes (RUN mode vs PROG mode).
IGMP Filtering
Use managed switches to prevent multicast EtherNet/IP traffic from flooding the entire Bridge network.
Standard Reference
IACS E26 / IEC 62443 Framework

DNP3 / IEC 60870-5-104

Architecture
Power Grid / SCADA
Common Maritime Usage
Main Switchboard monitoring, Circuit Breaker control, and Shore-Power syncing.
The Security Gap
Highly sensitive. If exposed, it allows remote "Tripping" of main breakers. Many maritime installs omit the SAv5 security layer.

Hardening Strategy

Mitigation & Defense-in-Depth
DNP3-SAv5
Implement Secure Authentication (version 5) to ensure commands are signed by an authorized controller.
Unidirectional Gateways
Use Data Diodes if data only needs to go to shore, preventing any commands from entering the Power Zone.
VPN Tunneling
Never expose Port 2404 or 20000 directly. Wrap all Power Management traffic in IPsec or WireGuard.
Standard Reference
IACS E26 / IEC 62443 Framework

Tridium Niagara Fox

Architecture
Manager of Managers (TCP)
Common Maritime Usage
Centralized dashboard for Chief Engineer (HVAC, Fire, Power, Lighting).
The Security Gap
Often has a web-based login. Vulnerable to credential brute-forcing and legacy Java-based vulnerabilities in older versions.

Hardening Strategy

Mitigation & Defense-in-Depth
Foxs (Secure)
Switch from the "Fox" protocol (Port 1911) to "Foxs" (Port 4911) to enable SSL/TLS encryption.
Account Lockout
Configure strict account lockout policies on the Niagara Station to prevent brute-force attempts.
Browser Isolation
Restrict the Niagara Web UI access to a dedicated "Engineering Workstation" only.
Standard Reference
IACS E26 / IEC 62443 Framework

Mitsubishi FINS

Architecture
Proprietary Industrial (TCP/UDP)
Common Maritime Usage
Water purification (Reverse Osmosis), Thruster localized control, HVAC units.
The Security Gap
Simple "Node-to-Node" protocol. By knowing the Network/Node ID, any device can read/write memory addresses in the PLC.

Hardening Strategy

Mitigation & Defense-in-Depth
IP Whitelisting
Configure the PLC "IP Address Table" to only accept FINS packets from a specific HMI address.
Segmentation
Isolate thruster and water-making controllers into a "Machinery Zone" separate from the main network.
FINS Header Auth
While limited, ensure Network and Node IDs are not left at default values (0.0.0).
Standard Reference
IACS E26 / IEC 62443 Framework

PCWorx / PLCnext

Architecture
Proprietary Automation (TCP)
Common Maritime Usage
Phoenix Contact based propulsion and steering control loops.
The Security Gap
Port 1962/TCP often allows unauthenticated logic uploads/downloads. If the engineering laptop is compromised, the PLC logic can be overwritten.

Hardening Strategy

Mitigation & Defense-in-Depth
User Authentication
Enable User Management on PLCnext controllers to require credentials for project changes.
Digital Signing
Use signed firmware and project files to ensure only verified code runs on the controller.
Access Control
Disable the PCWorx port (1962) unless a specific maintenance window is active.
Standard Reference
IACS E26 / IEC 62443 Framework

CODESYS v3

Architecture
Multi-Platform Runtime (TCP)
Common Maritime Usage
Standard runtime for hundreds of marine PLC brands (WAGO, Eaton, Schneider).
The Security Gap
Communication is often "Cleartext" by default. Attackers can intercept the Gateway-to-PLC traffic to steal project code or passwords.

Hardening Strategy

Mitigation & Defense-in-Depth
TLS Encryption
Configure CODESYS to use encrypted communication (Port 11740/1217) instead of the legacy Port 1200.
Device User Mgmt
Always set a unique password for the "Owner" and "Admin" accounts on the runtime.
FW Rules
Block CODESYS discovery (UDP 1740) at the VLAN boundary to prevent unauthorized scanning.
Standard Reference
IACS E26 / IEC 62443 Framework