Network Segmentation: Zones & Conduits

IACS UR E26 Control 3.1: Logical & Physical Separation

Implementation guide for isolating Navigation (Zone A), Propulsion (Zone B), and Cargo (Zone C) networks. This playbook provides the technical requirements for VLAN tagging, Access Control Lists (ACLs), and Industrial DMZs to prevent lateral movement of cyber threats.

Standard: IEC 62443-3-3
Reference Architecture v4.0
  • 01 Identify: Asset Library & Protocol Mapping
  • 02 Quantify: Risk Scoring & Vulnerability Analysis
  • 03 Hardening: OT Playbooks & Protocol Guides
  • 04 Certify: IACS UR E26/E27 Audit Readiness

Technical Blueprint: The 3-Zone Maritime OT Model

This reference architecture defines the Gold Standard for IACS UR E26 compliance. It visualizes the physical and logical separation required between Bridge navigation, Engine propulsion, and administrative ship-to-shore conduits.

Vessel OT Zone Model

Reference: Tagsia Standard Architecture v4.0 (IACS E26 / IEC 62443 aligned)

Pillar A: Inventory & Zone Mapping

The foundation of E26 compliance. Identify all OT assets, map their criticality, and define the logical boundaries (Zones) they inhabit.

Pillar B: Physical & Logical Controls

Implementation of Conduits via VLANs and ACLs. This is the engineering “heavy lifting” for IEC 62443 compliance.

Pillar C: Remote Access & Perimeter

Hardening the ship-to-shore interface. Secure OEM access and data harvesting through Zero Trust Network Access (ZTNA) frameworks.

Required Auditable Evidence (IACS UR E26)

To satisfy a Class Surveyor during an E26 audit, the following documentation should be generated using the guides above:

  • Vessel Network Topology: High-level diagram showing Zones & Conduits.
  • Asset Inventory: List of all OT devices mapped to their specific security zones.
  • Communication Matrix: Documentation of ACLs and allowed traffic between zones.
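
The asset inventory and communication matrix listed above can be cross-checked against observed traffic before a survey. The script below is an added example, not part of the original playbook: it classifies flow records against a default-deny matrix and reports the flows the documentation cannot account for. The device names, IP addresses, ports and the single conduit rule are constructed sample values; only the zone letters (A, B, C) come from this page.

```python
import ipaddress

# Asset inventory (constructed sample): device -> (IP, zone).
# Zone letters follow the page: A = Navigation, B = Propulsion, C = Cargo.
INVENTORY = {
    "ecdis-1":      ("10.10.1.10", "A"),
    "engine-plc-1": ("10.20.1.10", "B"),
    "cargo-hmi-1":  ("10.30.1.10", "C"),
}
IP_TO_ZONE = {ipaddress.ip_address(ip): z for ip, z in INVENTORY.values()}

# Communication matrix (constructed sample): allowed conduits as
# (src_zone, dst_zone, proto, dst_port). Unlisted cross-zone traffic is denied.
# Rules are directional: B -> A does not imply A -> B.
MATRIX = {("B", "A", "udp", 10110)}

def audit_flow(src, dst, proto, port):
    """Classify one observed flow against the inventory and the matrix."""
    sz = IP_TO_ZONE.get(ipaddress.ip_address(src))
    dz = IP_TO_ZONE.get(ipaddress.ip_address(dst))
    if sz is None or dz is None:
        return "UNMAPPED_ASSET"           # device missing from the inventory
    if sz == dz:
        return "INTRA_ZONE"               # never crosses a conduit
    if (sz, dz, proto.lower(), port) in MATRIX:
        return "ALLOWED_CONDUIT"
    return "UNDOCUMENTED_CROSS_ZONE"      # ACL or documentation gap

def audit(flows):
    """Return the flows that the documentation cannot account for."""
    bad = ("UNMAPPED_ASSET", "UNDOCUMENTED_CROSS_ZONE")
    return [(f, v) for f in flows if (v := audit_flow(*f)) in bad]

# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.10.1.10", "UDP", 10110),  # documented B -> A conduit
    ("10.30.1.10", "10.20.1.10", "tcp", 502),    # C -> B, not in the matrix
    ("10.10.1.99", "10.10.1.10", "tcp", 443),    # source not in the inventory
    ("10.10.1.10", "10.10.1.10", "tcp", 22),     # same zone
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

Each reported flow points to a gap in one of the evidence items: an unmapped asset means the inventory is incomplete, and an undocumented cross-zone flow means either the matrix or the ACLs need correcting.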