
Network Segmentation (retrofits)

Best Practice: This module details the technical execution of logical zone isolation (VLANs) and communication enforcement (ACLs). While IACS UR E26 is the standard for new-builds, this guide applies its core security logic to help existing vessels convert high-level “Zones and Conduits” theory into a deployable configuration for retrofitted OT networks.

3 zone network segregation

Network segmentation is the single most effective way to prevent an initial breach (e.g., a phishing email on the crew IT network) from disabling or seizing control of your critical Operational Technology (OT) systems.

This guide translates the foundational concept of Zones and Conduits from the IACS UR E26 and IEC 62443 standards into a three-step practical implementation plan for existing vessels seeking to retrofit zones for security compliance.

TAGSIA Tags: IACS UR E26 (3.1); IEC 62443-3-3 SR 1 (Zones & Conduits); IMO/ISM Code §11.2

1. The Core Concept: Zones and Conduits

Historically, many ships treated the entire network as one large, flat “trusted” zone. Segmentation divides this flat network into smaller, distinct Security Zones based on system criticality and security requirements.

  • Security Zone: A collection of systems (assets) sharing the same security needs.
  • Conduit: The secure communication path (firewall/ACL) enforcing rules between zones.

The Principle of Least Privilege: If a system doesn’t need to talk to another zone, the conduit must block it by default (Deny by Default).

2. Step-by-Step Implementation

For most vessels, a three-zone model is the most pragmatic starting point for compliance.

Zone 1: Mission-Critical OT (The Citadel)

  • Assets: Bridge systems (ECDIS, Radar), Propulsion/PMS, Steering, Safety Systems.
  • Requirement: Maximum Availability & Integrity. Air-gapped or Firewall-restricted.
  • Action: Data must be brokered through a Stateful Firewall with a “Deny All” default rule.

Zone 2: Ship Operations / Business IT

  • Assets: Admin (HR, Cargo), Crew Internet, CCTV, Inventory.
  • Requirement: Standard IT controls. Susceptible to phishing.
  • Action: Use VLANs to separate crew from admin, and place a firewall at the Zone 1 boundary.

Zone 3: Remote Access / DMZ (The Air Lock)

  • Assets: ZTNA Gateways, Historian Replicas, SIEM, VSAT Comms.
  • Requirement: High Protection/Low Trust.
  • Action: External traffic terminates at the ZTNA gateway; 2FA is mandatory for all entry.
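The "Deny by Default" conduit rule from Section 1 and the three-zone flow pattern above can be checked mechanically before any firewall is touched. The following is an added example, not code from the playbook or from IACS: a small policy model in which every inter-zone flow is denied unless a conduit rule explicitly allows it, plus an audit that confirms no rule lets Zone 2 reach Zone 1 directly. The address plan, port numbers and sample flows are constructed assumptions; only the zone names follow the text.

```python
"""Deny-by-default conduit policy for a three-zone vessel network.

Added example (not from the playbook). Zone names follow the three-zone
model; the /24 ranges, ports and flows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): one /24 per security zone.
ZONES = {
    "Zone1-OT":  ip_network("10.1.0.0/24"),   # bridge, propulsion, steering
    "Zone2-IT":  ip_network("10.2.0.0/24"),   # crew / admin IT
    "Zone3-DMZ": ip_network("10.3.0.0/24"),   # ZTNA gateway, historian replica, SIEM
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    purpose: str      # why this conduit exists (documented per rule)


@dataclass
class ConduitPolicy:
    """A flow crosses a zone boundary only if some rule explicitly allows it."""
    rules: list = field(default_factory=list)

    def zone_of(self, ip: str) -> str:
        addr = ip_address(ip)
        for name, net in ZONES.items():
            if addr in net:
                return name
        return "UNKNOWN"

    def evaluate(self, src_ip, dst_ip, proto, dst_port):
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if "UNKNOWN" in (src, dst):
            return ("DENY", "address outside every defined zone")
        if src == dst:
            return ("ALLOW", "intra-zone traffic is not brokered by a conduit")
        for r in self.rules:
            if (r.src_zone, r.dst_zone, r.proto, r.dst_port) == (src, dst, proto, dst_port):
                return ("ALLOW", r.purpose)
        return ("DENY", f"no conduit rule for {src} -> {dst} {proto}/{dst_port} (default deny)")


def build_policy() -> ConduitPolicy:
    """Only flows with a documented purpose get a conduit; everything else is denied."""
    p = ConduitPolicy()
    p.rules.append(Rule("Zone1-OT", "Zone3-DMZ", "tcp", 5432, "historian push to DMZ replica (outbound only)"))
    p.rules.append(Rule("Zone1-OT", "Zone3-DMZ", "udp", 514, "syslog to SIEM"))
    p.rules.append(Rule("Zone2-IT", "Zone3-DMZ", "tcp", 443, "admin read of historian replica"))
    p.rules.append(Rule("Zone3-DMZ", "Zone1-OT", "tcp", 22, "maintenance brokered by ZTNA gateway after 2FA"))
    return p


def audit_no_direct_it_to_ot(policy: ConduitPolicy) -> list:
    """Zone 2 must never reach Zone 1 except via the DMZ; return any violating rules."""
    return [r for r in policy.rules if r.src_zone == "Zone2-IT" and r.dst_zone == "Zone1-OT"]


# Constructed sample flows: (src, dst, proto, dst_port, description).
SAMPLE_FLOWS = [
    ("10.2.0.50", "10.1.0.10", "tcp", 445, "crew IT host -> ECDIS file share"),
    ("10.1.0.10", "10.3.0.20", "tcp", 5432, "PMS -> historian replica"),
    ("10.3.0.5", "10.1.0.10", "tcp", 22, "ZTNA gateway -> ECDIS maintenance"),
    ("10.2.0.50", "10.3.0.20", "tcp", 443, "admin -> historian web view"),
    ("192.168.99.9", "10.1.0.10", "tcp", 502, "unzoned device -> PMS Modbus"),
]


def evaluate_flows(policy: ConduitPolicy, flows=SAMPLE_FLOWS) -> list:
    return [(desc, *policy.evaluate(s, d, pr, po)) for s, d, pr, po, desc in flows]


if __name__ == "__main__":
    pol = build_policy()
    for desc, verdict, reason in evaluate_flows(pol):
        print(f"{verdict:5} {desc}: {reason}")
    print("Direct IT->OT rules:", audit_no_direct_it_to_ot(pol) or "none (good)")
```

Run it once per policy change: the audit list must stay empty, and any flow that shows up as ALLOW without a documented purpose is a rule to remove, not a gap to close later.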

Final Alignment: Vessel Network Security Checklist

Use this checklist to verify that your segmentation strategy aligns with industry-standard cyber resilience practices found in IACS UR E26 and IEC 62443. This ensures your retrofit is robust enough to meet future insurance requirements and charterer expectations.

Each item lists the task, its category and standard reference, and the ETO / Superintendent action.

1. Asset Inventory (Identify; 4.1.1 / 5.1.3): Verify the Vessel Asset Inventory [5.1.3] includes hardware, firmware versions, and communication interfaces for all CBSs in scope.
2. Security Zones (Protect; 4.2.1 / 5.1.1): Group CBSs into security zones based on risk profiles. Ensure safety-related CBSs are in separate zones. Document in the Zones and Conduit Diagram [5.1.1].
3. Conduit Enforcement (Protect; 4.2.1.1 / 4.2.2): Confirm zone boundaries (firewalls/routers) control all data flows. Untrusted networks must be physically or logically segmented.
4. Access Control (ACL) (Protect; 4.2.1.1 / 4.2.2.1): Only explicitly allowed traffic may traverse boundaries. Implement the “Principle of Least Functionality” by disabling unused ports/protocols.
5. Remote Access (MFA) (Protect; 4.2.6.3.2): Verify Multi-Factor Authentication (MFA) is required for all human users accessing the OT network from untrusted networks.
6. Network Monitoring (Detect; 4.3.1): Implement continuous monitoring to detect malfunctions or unusual events. Generate alarms for reduced/degraded capacity.
7. Management of Change (Respond; 5.3.1 / 4.1.1.3): Ensure all modifications to hardware/software are recorded in the inventory and approved via the Ship Cyber Security Program [5.3.1].

Retrofit Implementation Tip

When implementing this on an existing vessel, use 802.1Q VLAN tagging to create these zones logically if you cannot run new physical cabling to every deck. Ensure your core switch is “Managed” to support these boundaries and can handle the required Access Control Lists (ACLs).
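Because a retrofit relies on 802.1Q tags rather than separate cables, the zone boundary is only as good as the tags actually present on the trunk. The following is an added example, not code from the playbook or from any vendor: a parser for the 802.1Q header (TPID 0x8100 followed by a 16-bit TCI of PCP, DEI and VID) that maps each frame's VLAN ID to a zone and flags untagged frames, the default VLAN 1, and VLAN IDs that are not in the zone plan. The VLAN-to-zone map and the captured frames are constructed assumptions.

```python
"""802.1Q tag inspection for a retrofitted inter-zone trunk.

Added example (not from the playbook). Only the 802.1Q header layout is
standard; the VLAN-to-zone map and the frames are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100

# Constructed VLAN plan (assumption): which VLAN ID carries which zone.
VLAN_TO_ZONE = {10: "Zone1-OT", 20: "Zone2-IT", 30: "Zone3-DMZ"}


def parse_frame(frame: bytes) -> dict:
    """Return MACs, 802.1Q fields (if tagged) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": None, "dei": None, "vid": None, "ethertype": ethertype}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the TCI")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner_type)
    return info


def build_frame(vid=None, pcp=0, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a test frame; vid=None yields an untagged frame."""
    dst = bytes.fromhex("02" + "00" * 5)          # locally administered MACs (constructed)
    src = bytes.fromhex("02" + "00" * 4 + "01")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classify(frame: bytes) -> str:
    """Map a frame seen on the trunk to its zone, or name the configuration problem."""
    f = parse_frame(frame)
    if not f["tagged"]:
        return "UNTAGGED: rides the trunk's native VLAN and belongs to no zone"
    if f["vid"] == 1:
        return "VLAN 1: default VLAN in use; assign these hosts to a zone VLAN"
    zone = VLAN_TO_ZONE.get(f["vid"])
    if zone is None:
        return f"VLAN {f['vid']}: not in the zone plan; prune it from the trunk"
    return zone


def audit_trunk(frames) -> list:
    return [classify(fr) for fr in frames]


# Constructed "capture" from the trunk: three well-formed zone frames and three problems.
CAPTURED = [
    build_frame(vid=10), build_frame(vid=20, pcp=5), build_frame(vid=30),
    build_frame(), build_frame(vid=1), build_frame(vid=99),
]

if __name__ == "__main__":
    for fr, verdict in zip(CAPTURED, audit_trunk(CAPTURED)):
        print(f"{parse_frame(fr)['src']} -> {verdict}")
```

The same parser applied to a real capture from the core switch's trunk port shows whether the logical boundaries match the Zones and Conduit Diagram: every frame should land in exactly one planned zone, and anything untagged or on an unplanned VLAN is a gap in the segmentation.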

Design Strategy Set?

With the retrofit framework defined, learn the practical steps for implementing VLANs and Access Control Lists.
