Part of the PROTECT Playbook
Phase: Protect. Applies to: All vessels.
Satisfies: E26, E27, IEC 62443-3-3, IMO/ISM §11.2, BIMCO v5

Network Segmentation (retrofits)

This guide implements practical zone isolation for existing vessels where full system redesign is not possible, using VLANs, industrial firewalls and physical separation to achieve meaningful segmentation.

3 zone network segregation

Network segmentation is the single most effective way to prevent an initial breach (e.g., a phishing email on the crew IT network) from disabling or seizing control of your critical Operational Technology (OT) systems.

This guide translates the foundational concept of Zones and Conduits from IACS UR E26 and IEC 62443 into a practical implementation plan for existing vessels seeking to retrofit zone isolation for security compliance.

The Core Concept: Zones and Conduits

Historically, many ships treated the entire network as one large, flat “trusted” zone. Segmentation divides this flat network into smaller, distinct Security Zones based on system criticality and security requirements.

  • Security Zone: A collection of systems (assets) sharing the same security needs.
  • Conduit: The secure communication path (firewall/ACL) enforcing rules between zones.
  • The Principle of Least Privilege: If a system doesn’t need to talk to another zone, the conduit must block it by default (Deny by Default).

Step-by-Step Implementation

For most vessels, a three-zone model is the most pragmatic starting point for compliance.

Scope: Best Practice Guidance, Not a Binding E26 Requirement

IACS UR E26 is a newbuild standard. It applies to vessels contracted for construction on or after 1 July 2024. Existing vessels are not directly subject to E26 class survey requirements. This guide applies E26 principles as industry best practice for retrofit segmentation — the standard references in the checklist below indicate the E26 clause each control is derived from, not a binding compliance obligation for your vessel unless your class notation specifically requires it. Check with your Classification Society if you are uncertain about your vessel’s obligations.

Tags: IACS UR E26 (3.1) — best practice reference; IEC 62443-3-3 SR 1 (Zones & Conduits); IMO/ISM Code §11.2

1 Zone 1: Mission-Critical OT (The Citadel)

  • Assets: Bridge systems (ECDIS, Radar), Propulsion/PMS, Steering, Safety Systems.
  • Requirement: Maximum Availability & Integrity. Air-gapped or Firewall-restricted.
  • Action: All data crossing this boundary must be brokered through a Stateful Firewall with a “Deny All” default rule. A managed switch with VLAN tagging alone does not constitute this boundary.

Zone 1 boundary rule: Where physical cabling constraints make dedicated runs impractical, use a dedicated unmanaged switch for the OT segment feeding into a single industrial firewall as the sole gateway. Do not substitute this with VLAN tagging on a shared managed switch.

2 Zone 2: Ship Operations / Business IT

  • Assets: Admin (HR, Cargo), Crew Internet, CCTV, Inventory.
  • Requirement: Standard IT controls. Susceptible to phishing.
  • Action: Use 802.1Q VLANs to separate crew from admin from CCTV within this zone. Place a firewall at the Zone 1 boundary — not at the Zone 2 internal boundaries, where VLANs are sufficient.

Correct use of VLANs: VLAN tagging between crew Wi-Fi, admin PCs, and CCTV within Zone 2 is appropriate and sufficient — these are systems of similar low criticality with no direct OT interface.

3 Zone 3: Remote Access / DMZ (The Air Lock)

  • Assets: ZTNA Gateways, Jump Hosts, VSAT Comms termination.
  • Requirement: High Protection / Low Trust. All external traffic terminates here before any access to Zone 1 or Zone 2 is considered.
  • Action: External traffic lands at ZTNA. MFA is mandatory for all entry. Jump hosts in this zone are the only permitted path into Zone 1 for remote maintenance — via the firewall conduit.

Note on SIEM placement: If deploying a SIEM, do not place it in Zone 3 without careful consideration. A SIEM must receive logs from Zone 1, which requires an inbound connection crossing the firewall. Place the SIEM in Zone 3 only if your firewall supports one-way log forwarding (syslog push from Zone 1 to Zone 3) with no return path permitted.
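
The conduit rules the three zones imply can be checked mechanically before they go onto the firewall. The following is an added example, not code from the playbook: it models a candidate rule table and reports every rule that breaks the Zone 1 policy described above (only the Zone 3 jump host may initiate into Zone 1, Zone 1 egress is limited to the one-way syslog push to the SIEM, and the table must end in a deny-all default). The jump-host address, port numbers and both sample rule sets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
OT, IT, DMZ, ANY = "zone1", "zone2", "zone3", "any"   # "any" only appears in the deny-all rule
JUMP_HOST = "10.30.0.10"   # assumed (constructed) address of the Zone 3 jump host
SYSLOG_PORT = 514          # one-way log push from Zone 1 to the SIEM in Zone 3

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_host: str          # single host address or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

def is_deny_all(r: Rule) -> bool:
    return (r.action == "deny" and r.src_zone == ANY and r.dst_zone == ANY
            and r.src_host == ANY and r.proto == ANY and r.dport is None)
def check_conduits(rules: list) -> list:
    """Return one finding per rule that breaks the Zone 1 conduit policy."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append("ruleset does not end with a deny-all default rule")
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if ANY in (r.src_zone, r.dst_zone):
            findings.append(f"rule {i}: allow rule uses a wildcard zone")
        # Only the Zone 3 jump host may initiate connections into Zone 1.
        if r.dst_zone == OT and not (r.src_zone == DMZ and r.src_host == JUMP_HOST):
            findings.append(f"rule {i}: traffic into Zone 1 must come from the Zone 3 jump host")
        # Zone 1 egress is limited to the one-way syslog push to the SIEM.
        if r.src_zone == OT and not (r.dst_zone == DMZ and r.proto == "udp" and r.dport == SYSLOG_PORT):
            findings.append(f"rule {i}: Zone 1 egress other than syslog push to Zone 3 needs documented justification")
    return findings

# Constructed samples: the intended retrofit ruleset, and one that collapses the Zone 1 boundary.
GOOD_RULES = [
    Rule(DMZ, OT, JUMP_HOST, "tcp", 22, "allow"),    # remote maintenance via the jump host
    Rule(OT, DMZ, ANY, "udp", SYSLOG_PORT, "allow"), # one-way log forwarding to the SIEM
    Rule(IT, DMZ, ANY, "tcp", 443, "allow"),         # admin PCs reach the ZTNA gateway
    Rule(ANY, ANY, ANY, ANY, None, "deny"),          # deny-all default
]
BAD_RULES = [
    Rule(IT, OT, ANY, "tcp", 502, "allow"),          # admin VLAN straight to Modbus/TCP
    Rule(DMZ, OT, ANY, "tcp", 22, "allow"),          # any DMZ host, not just the jump host
    Rule(OT, IT, ANY, "any", None, "allow"),         # OT devices may reach the crew/admin network
    Rule(ANY, ANY, ANY, ANY, None, "deny"),
]
```

Running `check_conduits(BAD_RULES)` returns three findings (one per allow rule), while the good set returns none; a table without the closing deny-all is also reported.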

Vessel Network Security Checklist

Use this checklist to verify that your segmentation strategy aligns with the E26-derived best practices for retrofit security. The Standard Reference column indicates the E26 or IEC 62443 clause each control is based on. These are voluntary best-practice targets for existing vessels unless your class notation specifies otherwise.

Checklist columns: Task; Category; E26 Reference (Best Practice); ETO / Superintendent Action.

1. Asset Inventory (Identify; E26 §4.1.1 / §5.1.3): Document all OT assets including hardware, firmware versions, and communication interfaces. Include legacy serial devices (Modbus RTU, NMEA 0183) that may not appear in network scans.
2. Security Zones (Protect; E26 §4.2.1 / §5.1.1): Group CBSs by criticality. Safety-critical systems must be in their own zone. Document in a Zones and Conduit Diagram showing physical boundaries, not just logical VLAN assignments.
3. Conduit Enforcement (Protect; E26 §4.2.1.1 / §4.2.2): Zone 1 boundaries must be enforced by a stateful firewall — physically or via a dedicated routed firewall interface. VLAN-only logical separation does not satisfy this requirement for Zone 1. Zone 2 internal separation via VLANs is acceptable.
4. Access Control (ACL) (Protect; E26 §4.2.1.1 / §4.2.2.1): Only explicitly allowed traffic may traverse zone boundaries. Disable all unused ports and protocols on managed switches. Ensure inter-VLAN routing is handled by the firewall, not the switch.
5. Remote Access (MFA) (Protect; E26 §4.2.6.3.2): MFA required for all human users accessing OT systems from untrusted networks. Jump host in Zone 3 (DMZ) is the only permitted remote access path into Zone 1.
6. Network Monitoring (Detect; E26 §4.3.1): Log all firewall deny/reject events. Generate alarms for unusual traffic patterns or degraded capacity. Retain logs for minimum 90 days where storage permits.
7. Management of Change (Respond; E26 §5.3.1 / §4.1.1.3): Record all hardware and software modifications in the asset inventory. Update the Zones and Conduit Diagram whenever a new device is added to or removed from any zone.

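
Checklist item 6 asks for deny events at the Zone 1 conduit to be logged and turned into alarms. The following is an added example, not code from the playbook, showing the two alarms most worth raising from those logs: one source being denied to several distinct Zone 1 targets in a short window (an IT-side host, or a misplugged port, probing the OT zone), and any denied connection originating inside Zone 1. The log line format, the interface name `ot0`, the thresholds and the sample lines are all constructed for the example; adjust `LINE_RE` to your firewall's syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log format for this example; real firewalls differ, so adjust LINE_RE.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) in=(?P<inif>\S+) out=(?P<outif>\S+)$")
OT_IF = "ot0"               # assumed name of the firewall interface facing Zone 1
WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 3        # distinct Zone 1 targets denied from one source within WINDOW

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["dport"] = int(ev["dport"])
    return ev

def analyse(lines):
    """Return alarm strings for denied traffic at the Zone 1 conduit."""
    alarms, history, already_alarmed = [], defaultdict(list), set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "DENY":
            continue
        # Anything denied leaving Zone 1 is unexpected: OT devices should only push syslog.
        if ev["inif"] == OT_IF:
            alarms.append(f"{ev['ts']:%H:%M:%S} Zone 1 host {ev['src']} attempted egress to {ev['dst']}:{ev['dport']}")
        if ev["outif"] != OT_IF:
            continue
        # One source denied to several distinct OT targets in a short window: probing or a misplugged port.
        hist = history[ev["src"]]
        hist.append((ev["ts"], (ev["dst"], ev["dport"])))
        recent = {target for ts, target in hist if ev["ts"] - ts <= WINDOW}
        if len(recent) >= FANOUT_THRESHOLD and ev["src"] not in already_alarmed:
            already_alarmed.add(ev["src"])
            alarms.append(f"{ev['ts']:%H:%M:%S} {ev['src']} denied to {len(recent)} distinct Zone 1 targets within {WINDOW}")
    return alarms

# Constructed sample log: a jump-host session, an admin PC probing OT, and an OT device reaching out.
SAMPLE_LOG = """\
2025-03-14T10:00:01Z fw01 ALLOW src=10.30.0.10 dst=10.10.0.5 proto=tcp dport=22 in=dmz0 out=ot0
2025-03-14T10:00:05Z fw01 DENY src=10.20.5.14 dst=10.10.0.5 proto=tcp dport=502 in=vlan20 out=ot0
2025-03-14T10:00:06Z fw01 DENY src=10.20.5.14 dst=10.10.0.6 proto=tcp dport=502 in=vlan20 out=ot0
2025-03-14T10:00:07Z fw01 DENY src=10.20.5.14 dst=10.10.0.7 proto=tcp dport=102 in=vlan20 out=ot0
2025-03-14T10:00:09Z fw01 DENY src=10.10.0.5 dst=10.20.5.14 proto=tcp dport=445 in=ot0 out=vlan20
""".splitlines()
```

On the sample, `analyse(SAMPLE_LOG)` raises exactly two alarms: the fan-out from 10.20.5.14 at the third denied target, and the egress attempt by the Zone 1 host.
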
Retrofit Implementation Tip

When implementing on an existing vessel, use 802.1Q VLAN tagging to separate crew, admin, CCTV, and other non-critical systems within Zone 2 only. Ensure your core switch is Managed to support VLAN boundaries and ACLs.

Where legacy PLCs or sensors do not support VLAN tagging, connect them to a dedicated unmanaged switch and route that switch’s uplink through a single industrial firewall interface. This gives you a clean, auditable Zone 1 boundary without touching the OT devices themselves.

Compliance Note: A managed switch with VLAN tagging is a Layer 2 control only. It does not inspect traffic, enforce stateful policy, or satisfy the conduit requirement under IACS UR E26 §4.2.1.1 and IEC 62443-3-3 SR 5.1. Presenting VLAN-only separation as your Zone 1 boundary to a Class auditor (DNV, LR, ABS) will not satisfy the conduit enforcement requirement.

Known Limitations of Retrofit Segmentation

Retrofit segmentation can significantly reduce risk but cannot replicate a purpose-built E26 newbuild architecture. The following limitations are inherent to most existing vessel installations and should be documented in your risk register.

Legacy Serial Protocols Cannot Be Firewalled at Layer 3

NMEA 0183 is a one-way serial protocol operating below the IP layer — it cannot be inspected or blocked by a network firewall. Modbus RTU over RS-485 has the same constraint. Meaningful segmentation for these links therefore comes from physical isolation or, where a serial device must be bridged onto the network, from a serial-to-Ethernet gateway that filters at the application layer.

Legacy OT Devices Have No Authentication Capability

Many PLCs, sensors, and control panels on existing vessels were designed before network security was a consideration. They accept any connection from any IP on their subnet. Firewall-enforced zone isolation is the primary — and often only — compensating control available without replacing the hardware.

Shared Infrastructure Creates Implicit Zone Crossings

On many vessels, OT and IT traffic shares the same physical switch fabric or cabling runs. Even with VLANs configured, a misconfigured trunk port, a compromised managed switch, or a technician plugging into the wrong port can collapse zone boundaries. Document all shared infrastructure as a residual risk.

Vendor Remote Access Often Bypasses Zone Architecture

Many OEM vendors (propulsion, PMS, navigation) retain their own remote access paths — often direct modem or VSAT connections that pre-date your zone design. Audit all vendor remote access paths and ensure they terminate in Zone 3 (DMZ), not directly into Zone 1. Undocumented vendor connections are a common audit finding.

Documentation advice: These limitations should be formally recorded in your vessel’s cyber risk register as accepted residual risks with compensating controls noted. For vessels pursuing a class cyber notation, discuss these constraints with your surveyor early — they are recognised challenges, not automatic disqualifiers.
