Part of the PROTECT Playbook

VLAN & ACL Configuration: Implementing the 3-Zone Model

Requirement: This module details the technical execution of VLAN tagging and Access Control List (ACL) enforcement to satisfy IEC 62443-3-3 and IACS UR E26 segmentation mandates.

The 3-Zone Network Segmentation Model is the engineering standard for protecting a vessel’s Essential Services. By establishing firewalled boundaries between Operational Technology (OT), Corporate IT, and Untrusted guest networks, we ensure that a compromise in one zone cannot propagate to critical ship functions.

Step 1: Logical Isolation via VLAN Tagging

The first step is to logically segment the physical switch fabric into three distinct broadcast domains. This removes the “flat network” risk, where a single infected device can see, and reach, every other device on the vessel’s network.

Zone / Functional Group           VLAN ID   IP Subnet         Policy Posture
1. OT Zone (Essential Services)   10        192.168.10.0/24   Strict isolation. No direct Internet.
2. IT Zone (Administrative)       20        192.168.20.0/24   Monitored. Proxy access only.
3. Untrusted (Crew/Guest)         30        192.168.30.0/24   Sandboxed. Direct to WAN only.

Step 2: The Firewall as the “Conduit” Enforcer

In accordance with IEC 62443, traffic between zones must pass through a secure “Conduit.” In this model, the firewall acts as that conduit. All inter-VLAN routing must be disabled on the switches and offloaded to the firewall (router-on-a-stick over a trunk, or one firewall interface per VLAN) so that every packet crossing a zone boundary is inspected.

Step 3: Access Control List (ACL) Strategy

The following technical ruleset translates the high-level policies into a granular firewall configuration, designed for IACS UR E26 compliance by brokering all essential services through the iDMZ (industrial DMZ) rather than allowing any direct path between zones:

ID   Source Zone         Dest. Zone   Protocol/Port     Purpose                 Action
01   OT Zone             iDMZ         TCP 443 / 8530    WSUS / AV Updates       ALLOW
02   iDMZ (Jump Host)    OT Zone      TCP 3389 / 22     Remote Maintenance      ALLOW
03   OT Zone             iDMZ         UDP 123           NTP Time Sync           ALLOW
04   IT/Guest Zone       OT Zone      ANY               Unauthorized Access     REJECT
99   ANY                 ANY          ANY               Explicit Cleanup Rule   DENY ALL

Implementation Guidance for Surveyors

When a Class Auditor (DNV/ABS) asks how you enforce these rules, be prepared to demonstrate the following three “hardening” steps:

1. Stealth Logging: Every “Drop” or “Reject” action in the ruleset above must be logged, including the hits on the cleanup rule 99. These logs are the auditable evidence required for IACS UR E26 Section 4 (Detection).

2. No “Any/Any” Rules: No ALLOW rule may use ANY as both source and destination. Even within the OT Zone, if you have multiple vendors (e.g., Kongsberg and Wärtsilä), they should ideally sit in separate sub-VLANs, with rules preventing them from “talking” to each other unless technically necessary.

3. MAC Filtering (Optional): For static OT assets such as PLC controllers, bind each IP address to its MAC address on the firewall. This limits “IP spoofing” if someone plugs an unauthorized laptop into a machinery-space network port and assigns it a trusted controller’s address.
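The ACL table in Step 3 and hardening steps 1 and 2 can be checked before the configuration ever reaches the firewall. The following is an added example, not part of the playbook: it models the zones from Step 1 and rules 01 to 99 as a first-match policy, evaluates sample flows the way the conduit firewall would, flags every non-ALLOW verdict for logging, and audits the ruleset for ANY/ANY allows and for any allowed IT/Guest path into OT. The iDMZ subnet 192.168.50.0/24 is an assumption, since the page does not define one.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Zone subnets from the VLAN table. The iDMZ subnet is an assumed placeholder;
# the playbook does not state one.
ZONES = {
    "OT": ip_network("192.168.10.0/24"),
    "IT": ip_network("192.168.20.0/24"),
    "GUEST": ip_network("192.168.30.0/24"),
    "IDMZ": ip_network("192.168.50.0/24"),  # assumption, not from the page
}

class Rule(NamedTuple):
    rid: str
    src: set     # zone names, or {"ANY"}
    dst: set
    proto: str   # "tcp", "udp" or "any"
    ports: set   # destination ports; empty means any port
    action: str  # ALLOW, REJECT or DENY

# Rules 01-04 and cleanup rule 99 from the ACL table, in evaluation order.
RULES = [
    Rule("01", {"OT"}, {"IDMZ"}, "tcp", {443, 8530}, "ALLOW"),        # WSUS / AV updates
    Rule("02", {"IDMZ"}, {"OT"}, "tcp", {3389, 22}, "ALLOW"),         # jump host maintenance
    Rule("03", {"OT"}, {"IDMZ"}, "udp", {123}, "ALLOW"),              # NTP
    Rule("04", {"IT", "GUEST"}, {"OT"}, "any", set(), "REJECT"),      # unauthorized access
    Rule("99", {"ANY"}, {"ANY"}, "any", set(), "DENY"),               # explicit cleanup
]

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone; None means outside every zone (e.g. the WAN)."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """First-match evaluation: returns (rule id, action, must_log).
    Every non-ALLOW verdict is flagged for logging (hardening step 1)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if ("ANY" in r.src or src in r.src) and ("ANY" in r.dst or dst in r.dst) \
                and r.proto in ("any", proto) and (not r.ports or dport in r.ports):
            return r.rid, r.action, r.action != "ALLOW"
    raise RuntimeError("ruleset has no cleanup rule")

def audit() -> list:
    """Static checks: no ANY/ANY ALLOW (hardening step 2), no ALLOW from
    IT or Guest into OT, and an explicit DENY cleanup as the last rule."""
    findings = []
    for r in RULES:
        if r.action == "ALLOW" and ("ANY" in r.src or "ANY" in r.dst):
            findings.append(f"rule {r.rid}: ALLOW with ANY source or destination")
        if r.action == "ALLOW" and r.src & {"IT", "GUEST"} and "OT" in r.dst:
            findings.append(f"rule {r.rid}: ALLOW from IT/Guest into OT")
    if RULES[-1].action != "DENY" or "ANY" not in RULES[-1].src:
        findings.append("last rule is not an explicit DENY ANY/ANY cleanup")
    return findings
```

Re-running `audit()` whenever the ruleset changes turns the “no Any/Any” and “OT is unreachable from IT/Guest” claims into something you can show an auditor rather than assert.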
