
Deep Dive: Protocol Intelligence


Execution: To enforce Conduits (Step 03), you must map the “Language” of the assets to technical ports. This module provides the configuration data needed for firewall Access Control Lists (ACLs) as required by UR E26 §4.2.

1. Intelligence: Gateway Logic

Bridging the Serial Gap

Most maritime assets (engines, GPS, AIS) speak serial RS-422/485. Once exposed through a Serial-to-IP gateway they become network-visible, so your Conduit (firewall) must allow only the specific IP address and port of that gateway, nothing else.

Firewall Rule Concept: ALLOW TCP [Bridge_Workstation] [NMEA_Gateway_IP] PORT [Protocol_Port]

2. Port & Service Mapping for Firewalls

The table below maps each asset “Language” to its technical port. This data is the foundation for your firewall Access Control Lists (ACLs).

Protocol      | Standard Port | Directionality     | Security Action
--------------|---------------|--------------------|------------------------------------
Modbus TCP    | 502 / TCP     | HMI → PLC          | Restrict to internal OT VLAN only.
NMEA over IP  | 10110 / UDP   | Sensor → Bridge    | Block at IT/OT boundary firewalls.
Siemens S7    | 102 / TCP     | Eng. PC → PLC      | Enable DPI for ‘Write’ commands.
OPC UA        | 4840 / TCP    | OT → Cloud/Office  | Require X.509 Certificates.

Advanced Enforcement: DPI Actions

For critical machinery (Propulsion/Power), simple port blocking isn’t enough. Use Deep Packet Inspection (DPI) to enforce functional separation:

Modbus DPI Action

Allow Function Code 03/04 (Read) from any IP, but restrict Function Code 06/16 (Write) to authorized MACs only.
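As an added illustration (not code from the playbook), the Modbus read/write rule above written as a stand-alone Python filter: it parses the Modbus/TCP MBAP header, allows FC 03/04 from any source, and permits FC 06/16 only from an allow-list of writer MAC addresses. The MAC list and the sample frames are constructed for the example; everything not matched by the policy is dropped.

```python
import struct

READ_FUNCTIONS = {0x03, 0x04}    # Read Holding Registers / Read Input Registers
WRITE_FUNCTIONS = {0x06, 0x10}   # Write Single Register / Write Multiple Registers

# Constructed allow-list: MAC addresses of stations permitted to issue writes.
AUTHORIZED_WRITERS = {"00:11:22:33:44:55"}


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed."""
    if len(frame) < 8:                      # 7-byte MBAP header + at least a function code
        return None
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol ID must be 0 and the length field must cover unit id + PDU exactly.
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7]


def dpi_decision(frame: bytes, src_mac: str) -> str:
    """Apply the conduit policy: reads open, writes from authorized MACs only, else drop."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "DROP: malformed Modbus/TCP frame"
    _unit, fc = parsed
    if fc in READ_FUNCTIONS:
        return f"ALLOW: read FC 0x{fc:02X}"
    if fc in WRITE_FUNCTIONS:
        if src_mac.lower() in AUTHORIZED_WRITERS:
            return f"ALLOW: write FC 0x{fc:02X} from authorized {src_mac}"
        return f"DROP: write FC 0x{fc:02X} from unauthorized {src_mac}"
    return f"DROP: FC 0x{fc:02X} not permitted by policy"


def build_request(txn: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP request (helper for constructing sample traffic)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames: read 10 holding registers, and write one register.
READ_HR = build_request(1, 1, 0x03, struct.pack(">HH", 0x0000, 10))
WRITE_SR = build_request(2, 1, 0x06, struct.pack(">HH", 0x0010, 0x0001))

if __name__ == "__main__":
    print(dpi_decision(READ_HR, "de:ad:be:ef:00:01"))     # ALLOW: read FC 0x03
    print(dpi_decision(WRITE_SR, "de:ad:be:ef:00:01"))    # DROP: write FC 0x06 ...
    print(dpi_decision(WRITE_SR, "00:11:22:33:44:55"))    # ALLOW: write FC 0x06 ...
```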

Siemens S7 DPI Action

Drop all S7-STOP packets at the conduit boundary to prevent remote “Kill-Switch” attacks.

Safe Scanning Checklist (OT-Grade)

Standard IT scanning tools can cause DoS conditions on legacy hardware. Follow these rules to avoid crashing systems:

1. DISABLE PINGS (-Pn)

Legacy controllers may lock up if they receive ICMP Echo requests while processing logic.

2. SLOW TIMING (-T2)

Serial-to-IP gateways have limited buffers. Rapid scanning will overwhelm them.

3. TARGETED PORTS (-p)

Never scan 65k ports. Only scan for the specific OT services identified in the table above.

3. Maritime Discovery Commands

# Discovery Scan: Identify Core Maritime OT Services
nmap -sS -Pn -n -T2 -p 102,502,4840,10110,47808,44818 [Target_Subnet]
# Intelligence Scan: Query Modbus Device IDs
nmap -sV -Pn --script modbus-discover -p 502 [Target_IP]

