Part of the PROTECT Playbook ← Return to Hub
Phase: Protect All vessels
Satisfies: E26E27IEC 62443IMO MSC-FAL.1BIMCO v5

Industrial DMZ (iDMZ) Deployment: The Security Air-Lock

This guide provides the technical implementation steps for deploying an Industrial DMZ as the mandatory security boundary between OT and IT networks, terminating all conduits and enforcing least-privilege traffic rules.

1. The Architecture: Physical vs. Logical

To implement an iDMZ that passes a Class Survey, you must choose an architecture that ensures Zero Direct Routing. In maritime environments, we typically use the Three-Legged Firewall (for smaller vessels) or Back-to-Back Firewalls (for complex offshore units).

2. Technical Service Placement

By placing proxy services in the iDMZ, we ensure that OT assets (PLCs/HMIs) never “talk” to the internet directly. They only talk to these local authorized proxies.

Service iDMZ Role Security Rationale
Identity (AD) RODC (Read-Only) Allows local authentication for ETOs even if the main ship server is offline or compromised.
Patching/AV Distribution Point The iDMZ server pulls updates from WAN; OT assets pull updates only from the iDMZ server.
Jump Host Hardened Bastion The only device allowed to initiate RDP/SSH into the PLC network.

If you have an OTS or COTS computer that currently accesses a monitoring system inside your vendor-certified OT zone without going through a Jump Host or iDMZ boundary, that connection may be in direct violation of E27 §4.1 — the CBS Risk Assessor will identify the exact scope boundary crossing and tell you what conduit controls are required before the iDMZ is in place.

3. Implementation: Traffic Directional Logic

Success is defined by your Firewall Access Control Lists (ACLs). Use the following “Directionality Matrix” to configure your conduits:

Source Zone Destination Permitted Service Rationale
IT / Crew iDMZ Jump Host HTTPS / RDP + MFA Secure entry point for admins.
OT Assets iDMZ Patch Server SMB / HTTP (Internal) Pulling updates safely.
IT / WAN OT PLC Network DENY ALL Mandatory E26 Compliance.

1. Detailed Port Mapping Guide (IACS UR E26)

To meet IACS UR E26 requirements, network segmentation must be enforced through strictly defined conduits. Use these specific service definitions when configuring your Firewall rules to ensure a “Least Privilege” security posture across the vessel’s OT/IT boundary.

Service Type Ports / Protocols Direction
Remote Mgmt TCP 3389 (RDP), TCP 22 (SSH) IT → iDMZ Jump Host
Identity / AD TCP/UDP 88, 389, 445 OT → iDMZ RODC
Data Historian TCP 44818, 502 OT Level 2 → iDMZ Proxy

Asset: iDMZ Firewall Policy Matrix (TAG-NET-XLS-04)

The downloadable template includes the following mandatory audit columns required for technical compliance validation:

  • Rule ID: Unique identifier (e.g., FW-IDMZ-001) for log cross-referencing.
  • Source Asset: Specific IP/Subnet initiating the connection.
  • Dest. Asset: The target iDMZ service IP.
  • Service/Port: The exact technical port (No “ANY” allowed).
  • Action: Permit / Deny / Inspect (DPI).
  • E26 Mapping: Regulatory clause satisfied by this rule.

Compliance Documentation Previews

Standardized templates and technical logs. View watermarked previews below; All fillable forms and SOPs are free with a registered account.

TAG-NET-XLS-04
Firewall Policy Matrix
View Form
TAG-OT-CRT-01
Conduit Evidence Certificate
View Form
PREVIOUS:
Crew Cyber Awareness

Next Section

USB Protection & Removable Media Control

USB Protection & Removable Media Control This guide provides the policy and technical controls for managing removabl...

USB Protection & Removable Media Control →
Login
Login
Scroll to Top