Part of the Protect Playbook

Regulatory Models for Segmentation: Zones & Conduits Explained

Requirement: This module defines the “Zones and Conduits” framework mandated by IACS UR E26 and IEC 62443, providing actionable segmentation models for both existing vessel retrofits and newbuild designs.

Effective network security starts with compliance. The global standard for maritime OT cyber risk management relies on a foundational concept: Zones and Conduits.

References: IACS UR E26 (3.1); IEC 62443-3-3 SR 1; IMO/ISM Code §11.2

1. The Core Principle: Zones and Conduits

The goal of segmentation is to isolate groups of assets that share similar security requirements. Think of your vessel’s network as a secure building:

Security Zone (The Room)

A logical grouping of assets that require the same security level. Systems impacting propulsion or steering belong in their own high-criticality “room.”

Conduit (The Doorway)

The secure pathway controlling data flow between zones. It enforces rules (Firewalls/ACLs) to ensure only authorized traffic passes.

Fundamental Rule: Deny by Default

No data passes between zones unless explicitly approved, operationally necessary, and securely logged.

2. Implementation Strategy

Regulatory requirements vary based on the age of the vessel. Choose the model that fits your fleet’s lifecycle:

Model 1: The Pragmatic Three-Zone Retrofit

BEST FOR EXISTING FLEETS

Designed for mixed-age vessels where full system redesign is impossible. Satisfies the spirit of IACS E26 by isolating critical OT from IT risks.

Zone Name                     | Primary Assets                          | Criticality
------------------------------|-----------------------------------------|------------
Zone 1: Mission-Critical OT   | ECDIS, Steering, PMS, VDR, GMDSS        | HIGH
Zone 2: Business IT           | Crew Wi-Fi, Admin PCs, Guest Access     | LOW
Zone 3: Remote Access (iDMZ)  | ZTNA Gateways, Jump Hosts               | MEDIUM
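The "deny by default" rule and the three-zone layout above can be expressed as a small, testable conduit policy. The following is an added example, not code from the playbook or from any vendor gateway: it models the three zones as address ranges, lists the explicitly approved conduits with their operational justification, evaluates individual flows (unknown zones and unlisted zone pairs are denied and every decision produces a log line), and includes a lint check that flags any conduit letting Business IT reach Mission-Critical OT without passing through the iDMZ. The address ranges, port numbers and justifications are constructed assumptions, not values from the page.

```python
"""Deny-by-default conduit evaluator for the three-zone retrofit model.

Added example; zone address ranges, conduits and sample flows are
constructed for illustration and are not taken from the playbook.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OT = "Zone 1: Mission-Critical OT"
IT = "Zone 2: Business IT"
IDMZ = "Zone 3: Remote Access (iDMZ)"

# Zone membership by address range (constructed, not from the page).
ZONES = {
    OT: ip_network("10.10.1.0/24"),
    IT: ip_network("10.10.2.0/24"),
    IDMZ: ip_network("10.10.3.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    justification: str  # the operational necessity, recorded for audit


# Explicitly approved conduits. Anything not listed here is denied.
# Ports and purposes are assumptions for the example.
CONDUITS = [
    Conduit(IDMZ, OT, "tcp", 22, "Jump host SSH to OT maintenance interface"),
    Conduit(OT, IT, "udp", 514, "OT syslog export to the vessel log collector"),
]


def zone_of(ip: str):
    """Map an address to its zone name, or None if it belongs to no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, protocol: str, port: int):
    """Decide one flow. Returns (decision, log_line); the default is DENY."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    decision, reason = "DENY", "no matching conduit"
    if src_zone is None or dst_zone is None:
        reason = "unknown zone"
    elif src_zone == dst_zone:
        # Traffic inside one zone does not cross a conduit.
        decision, reason = "ALLOW", "intra-zone"
    else:
        for c in CONDUITS:
            if (c.src_zone, c.dst_zone, c.protocol, c.port) == (src_zone, dst_zone, protocol, port):
                decision, reason = "ALLOW", c.justification
                break
    log_line = f"{decision} {protocol}/{port} {src_ip} ({src_zone}) -> {dst_ip} ({dst_zone}): {reason}"
    return decision, log_line


def lint_conduits(conduits):
    """Return conduits that let Business IT reach OT directly, bypassing the iDMZ."""
    return [c for c in conduits if c.src_zone == IT and c.dst_zone == OT]


if __name__ == "__main__":
    # Constructed sample flows: jump host to OT, crew PC to OT, unknown host to OT.
    for flow in [("10.10.3.5", "10.10.1.20", "tcp", 22),
                 ("10.10.2.7", "10.10.1.20", "tcp", 22),
                 ("192.168.9.9", "10.10.1.20", "tcp", 22)]:
        print(evaluate(*flow)[1])
    print("direct IT->OT conduits:", lint_conduits(CONDUITS))
```

The log line carries the matched justification so that an auditor can trace every permitted crossing back to its approval, which is the "securely logged" half of the fundamental rule; the lint check is the kind of test worth running whenever the conduit list is changed.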

Model 2: Rigorous UR E26 Design

MANDATORY FOR NEWBUILDS (JULY 2024+)

Requires granular isolation based on system failure analysis. Compromising one system (e.g., Cargo Monitoring) must not allow access to another (e.g., Propulsion).

Key Difference: Unlike the Retrofit model, this requires formal System Definition Documentation and proof of Security Levels (SL) from every OEM involved in the vessel’s construction.
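The granular-isolation requirement of Model 2 is a reachability property: no zone may reach a propulsion or steering zone, directly or through intermediate zones, unless that path is formally approved. The following is an added example, not code from the playbook, that checks this over a zone-and-conduit graph. It contrasts a constructed weak design, where Cargo Monitoring can reach Propulsion through an intermediate network, with a corrected design; the zone names, conduits and permitted-source list are assumptions for the example, not a description of any real vessel.

```python
"""Transitive reachability check for a UR E26-style zone design.

Added example; the zone names, conduits and approval lists below are
constructed for illustration and are not from the playbook.
"""
from collections import deque


def reachable_from(conduits, start):
    """Zones transitively reachable from `start` over directed conduits (BFS)."""
    adjacency = {}
    for src, dst in conduits:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def isolation_violations(conduits, critical, permitted_sources):
    """Return (zone, critical_zone) pairs where a zone that is not an approved
    source can reach a critical zone, directly or via intermediate zones."""
    zones = {z for edge in conduits for z in edge}
    violations = []
    for zone in sorted(zones):
        if zone in critical:
            continue
        for target in sorted(reachable_from(conduits, zone) & critical):
            if zone not in permitted_sources.get(target, set()):
                violations.append((zone, target))
    return violations


# Constructed designs. Each conduit is (source zone, destination zone).
WEAK_DESIGN = [
    ("Cargo Monitoring", "Engine Control Network"),
    ("Engine Control Network", "Propulsion"),
    ("Remote Access (iDMZ)", "Propulsion"),
]
CORRECTED_DESIGN = [
    ("Engine Control Network", "Propulsion"),
    ("Remote Access (iDMZ)", "Propulsion"),
    ("Cargo Monitoring", "Cargo Reporting"),
]
CRITICAL = {"Propulsion", "Steering"}
# Only these zones are formally approved to reach each critical zone (assumed).
PERMITTED = {"Propulsion": {"Engine Control Network", "Remote Access (iDMZ)"}}


if __name__ == "__main__":
    print("weak design:", isolation_violations(WEAK_DESIGN, CRITICAL, PERMITTED))
    print("corrected design:", isolation_violations(CORRECTED_DESIGN, CRITICAL, PERMITTED))
```

Running this over the conduit list from the System Definition Documentation turns the "compromising one system must not allow access to another" requirement into a repeatable check, and the violation list is a concrete artefact to hand back to the OEM whose conduit created the path.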

Implementation Insight: Legacy Hardware

When implementing Model 1 on older vessels, you may encounter legacy PLCs that do not support VLAN tagging. In these cases, Physical Isolation (dedicated unmanaged switches for the OT zone) combined with a single Industrial Firewall acting as the gateway is the most reliable way to achieve IACS E26 compliance without replacing multi-million-dollar machinery.

Strategy Defined?

Now that the zones are established, learn how to implement the risk-based architecture required for Newbuilds.
