Part of the IDENTIFY Playbook ← Return to Hub

Deep Dive: Protocol Intelligence

Looking for detailed risk analysis and hardening guides for NMEA, Modbus, and AIS?

VIEW INTELLIGENCE LIBRARY

Execution: To enforce Conduits (Step 03), you must map the “Language” of the assets to technical ports. This module provides the configuration data needed for firewall Access Control Lists (ACLs) as required by UR E26 §4.2.

1. Port & Service Mapping for Firewalls

Protocol Standard Port Directionality Security Action
Modbus TCP 502 / TCP HMI → PLC Restrict to internal OT VLAN only.
NMEA over IP 10110 / UDP Sensor → Bridge Block at IT/OT boundary firewalls.
Siemens S7 102 / TCP Eng. PC → PLC Enable DPI for ‘Write’ commands.
OPC UA 4840 / TCP OT → Cloud/Office Require X.509 Certificates.

2. Intelligence: Gateway Logic

Bridging the Serial Gap

Most maritime assets use serial RS-422/485. When using Serial-to-IP Gateways, they become network-visible. Ensure your Conduit (Firewall) only allows the specific IP and Port of the gateway.

Firewall Rule Example: ALLOW TCP [Bridge_Workstation] [NMEA_Gateway_IP] PORT 10110

Safe Scanning Checklist (OT-Grade)

Standard IT scanning tools can cause denial-of-service (DoS) conditions on legacy shipboard hardware. Follow these rules to avoid crashing systems:

1. DISABLE PINGS (-Pn)

Legacy engine controllers may lock up if they receive ICMP Echo requests while processing logic.

2. SLOW TIMING (-T2)

Serial-to-IP gateways have limited buffers. Rapid scanning will overwhelm them.

3. TARGETED PORTS (-p)

Never scan 65k ports. Only scan for the specific OT services identified in Section 1.

3. Maritime Discovery Commands

Use these specific Nmap strings to verify protocol presence across your Conduits.

# Discovery Scan: Identify Core Maritime OT Services
nmap -sS -Pn -n -T2 -p 102,502,4840,10110,47808,44818 [Target_Subnet]
# Intelligence Scan: Query Modbus Device IDs (Use with Caution!)
nmap -sV -Pn –script modbus-discover -p 502 [Target_IP]

Next Section

OT Traffic Baselining Procedures

OT Traffic Baselining Procedures Objective: Capture the "Normal" state of communication to create a blueprint for Firewa...

Scroll to Top