Protect: Network Hardening & Segmentation
IACS UR E26 Control 4.2: Network Zoning & Conduit Enforcement
Building the maritime digital fortress. This phase implements the technical safeguards identified in the CSDD. From air-gapping administrative systems to enforcing deep-packet inspection on engine room conduits, these playbooks define the hardening standards for modern vessels.
Protection in maritime OT — where compliance meets engineering
The Protect phase is where security decisions become physical reality on the vessel. Network segmentation is not a policy — it is a VLAN configuration on a managed switch, a firewall rule set, a locked cabinet door, and a tested procedure for what happens when a vendor needs temporary remote access. The gap between a vessel that has documented its intent to segment and a vessel that has actually segmented is the gap between a paper compliance programme and one that would survive a real incident.
Maritime OT protection has constraints that shore-side IT security does not. Legacy systems running Windows XP cannot be patched. PLCs cannot run endpoint protection agents. A firewall between the bridge and the engine room network cannot be configured in a way that interrupts alarm transmission. Every protective control has to be evaluated against the operational environment it sits in — and the playbooks in this phase are built around that constraint, covering what is achievable with the equipment found on real vessels rather than what would be ideal in a greenfield environment.
Protection is also the phase most visible to surveyors, vetting inspectors, and P&I clubs. A SIRE 2 inspector will ask to see network diagrams showing IT/OT separation. A Class surveyor will ask for evidence that USB media is controlled and that remote access is logged. A P&I club assessing incident liability will look for evidence that access controls were in place and enforced. The five pillars below cover all of these areas — for vessels of any type, at any stage of their cyber security programme.
Successful protection relies on the “Purdue Model” adapted for maritime use. We define Zones (groups of assets with similar security needs) and Conduits (controlled pathways for data). This model prevents a breach on the Crew Wi-Fi from reaching the Navigation Bridge.
Reference: IACS UR E26 Segmentation Architecture (Category I, II, III Isolation)
Network Control
Implementing boundaries between IT and OT as mandated by UR E26 §4.2.
Access & Identity
Standards for MFA, RBAC, and secure vendor pipelines for critical systems.
Endpoint Hardening
Securing physical assets and locking down OS services on legacy hardware.
Software & Data Integrity
Ensuring code and firmware remain untampered with and properly versioned.
Environmental & Power
Ensuring the physical “Secure Space” and power continuity for critical OT security infrastructure.
Technical Audit Tip:
Per your 3-Zone model, surveyors expect to see Physical Isolation or 802.1Q VLAN Tagging. Be prepared to show your Firewall ACL list to prove there are no “Any/Any” rules between the Bridge and Crew networks.
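As an added illustration, not part of the playbooks or any vendor tool, the script below runs the check a surveyor performs by hand: it walks an exported firewall rule list, resolves each source and destination to a zone of the 3-Zone model, and reports any permit rule that spans Bridge and Crew with an "any" wildcard. The zone subnets and the ACL rows are constructed for the example; real exports will need a small parser in place of the tuple list.

```python
import ipaddress

# Constructed zone addressing for a 3-Zone vessel model (assumed, not taken from any standard).
ZONES = {
    "Bridge": ipaddress.ip_network("10.10.0.0/24"),
    "Engine": ipaddress.ip_network("10.20.0.0/24"),
    "Crew": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed ACL export: (action, src, dst, proto, dport); "any" mirrors the usual wildcard.
SAMPLE_ACL = [
    ("permit", "10.30.0.0/24", "any", "tcp", "443"),          # crew break-out, but dst wildcard reaches Bridge
    ("permit", "10.10.0.0/24", "10.20.0.0/24", "tcp", "502"),  # bridge -> engine Modbus conduit, tightly scoped
    ("permit", "any", "any", "any", "any"),                    # the classic any/any rule surveyors look for
    ("deny", "any", "any", "any", "any"),                      # implicit-deny made explicit
]


def zones_for(addr):
    """Return the set of zone names an address field touches ("any" touches every zone)."""
    if addr == "any":
        return set(ZONES)
    net = ipaddress.ip_network(addr, strict=False)
    return {name for name, zone in ZONES.items() if zone.overlaps(net)}


def audit_acl(acl, zone_a="Bridge", zone_b="Crew"):
    """Return (rule_index, severity, reason) for permit rules that cross zone_a/zone_b with a wildcard.

    severity is "critical" when both endpoints are "any", otherwise "high" for a partial wildcard.
    """
    findings = []
    for idx, (action, src, dst, proto, dport) in enumerate(acl):
        if action != "permit":
            continue
        src_z, dst_z = zones_for(src), zones_for(dst)
        crosses = (zone_a in src_z and zone_b in dst_z) or (zone_b in src_z and zone_a in dst_z)
        if not crosses or "any" not in (src, dst, proto, dport):
            continue
        severity = "critical" if src == "any" and dst == "any" else "high"
        reason = f"permit {src} -> {dst} {proto}/{dport} spans {zone_a}/{zone_b} via wildcard"
        findings.append((idx, severity, reason))
    return findings


if __name__ == "__main__":
    for idx, severity, reason in audit_acl(SAMPLE_ACL):
        print(f"rule {idx} [{severity}]: {reason}")
```

Rules that are scoped to a named conduit with a specific protocol and port, such as the Bridge-to-Engine Modbus row, pass the check; the partial-wildcard row is reported because a destination of "any" still includes the Bridge subnet.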
For onboard CBS network risk — covering zone/conduit architecture, VLAN segmentation adequacy, vendor scope boundaries, and physical access controls per E26 §3.2 — map your topology and get an instant E26/E27 compliance assessment with clause references and mitigation measures.
Open CBS Risk Assessor →