Deep Dive: Protocol Intelligence
Looking for detailed risk analysis and hardening guides for NMEA, Modbus, and AIS?
Marine Protocol Guides
This guide maps the communication protocols in use across the vessel’s OT network, providing the protocol inventory required for zone and conduit design and firewall rule configuration.
1. Intelligence: Gateway Logic
Bridging the Serial Gap
Most maritime assets (Engines, GPS, AIS) use serial RS-422/485. When using Serial-to-IP Gateways, they become network-visible. Ensure your Conduit (Firewall) only allows the specific IP and Port of the gateway.
ALLOW TCP [Bridge_Workstation] [NMEA_Gateway_IP] PORT [Protocol_Port]
2. Port & Service Mapping for Firewalls
To enforce Conduits (Step 03), you must map the “Language” of the assets to technical ports. This data is the foundation for your firewall Access Control Lists (ACLs).
Advanced Enforcement: DPI Actions
For critical machinery (Propulsion/Power), simple port blocking isn’t enough. Use Deep Packet Inspection (DPI) to enforce functional separation:
Allow Function Code 03/04 (Read) from any IP, but restrict Function Code 06/16 (Write) to authorized MACs only.
Drop all S7-STOP packets at the conduit boundary to prevent remote “Kill-Switch” attacks.
Safe Scanning Checklist (OT-Grade)
Standard IT scanning tools can cause DoS conditions on legacy hardware. Follow these rules to avoid crashing systems:
Legacy controllers may lock up if they receive ICMP Echo requests while processing logic.
Serial-to-IP gateways have limited buffers. Rapid scanning will overwhelm them.
Never scan 65k ports. Only scan for the specific OT services identified in the table above.
3. Maritime Discovery Commands
The specific regulatory requirements this playbook satisfies. Use these references when preparing for Class survey or responding to a surveyor's checklist.
