Part of the Protect Playbook

VLAN & ACL Configuration: Implementing the 3-Zone Model

Requirement: This module details the technical execution of VLAN tagging and Access Control List (ACL) enforcement to satisfy IEC 62443-3-3 and IACS UR E26 segmentation mandates.

The 3-Zone Network Segmentation Model is the baseline engineering pattern for protecting a vessel’s Essential Services. By establishing firewalled boundaries between Operational Technology (OT), Corporate IT, and Untrusted guest networks, we contain the blast radius of a compromise: the only path from a compromised zone into critical ship functions is through an inspected conduit with an explicit permit rule.

Step 1: Logical Isolation via VLAN Tagging

The first step is to logically segment the physical switch fabric into three distinct broadcast domains, so that a compromised host can no longer sniff or ARP-poison the whole vessel from one port (the “flat network” risk). Two switch-side details matter: trunk ports that carry the zones to the firewall must be pruned to exactly the tags needed (10, 20, 30), and the trunks’ native (untagged) VLAN must be an unused ID rather than VLAN 1 or any zone VLAN, otherwise a device that can inject tagged frames may hop between zones (double-tagging).

| Zone / Functional Group | VLAN ID | IP Subnet | Policy Posture |
|---|---|---|---|
| 1. OT Zone (Essential Services) | 10 | 192.168.10.0/24 | Strict isolation. No direct Internet. |
| 2. IT Zone (Administrative) | 20 | 192.168.20.0/24 | Monitored. Proxy access only. |
| 3. Untrusted (Crew/Guest) | 30 | 192.168.30.0/24 | Sandboxed. Direct to WAN only. |

Step 2: The Firewall as the “Conduit” Enforcer

In accordance with IEC 62443, traffic between zones must pass through a secure “Conduit.” In this model the firewall is that conduit. Inter-VLAN routing must be disabled on the switches (no Layer 3 SVIs or IP routing for the zone VLANs) and offloaded to the firewall, either as a router-on-a-stick terminating a single 802.1Q trunk on VLAN sub-interfaces, or with one physical firewall interface per zone, so that every inter-zone packet is inspected and no path exists around the policy. Each zone’s default gateway is the firewall’s address in that VLAN. Note that a router-on-a-stick puts all inter-zone traffic through one trunk, which is both a bandwidth ceiling and a single point of failure; multi-interface is preferable where ports allow.

Step 3: Access Control List (ACL) Strategy

We implement a Default Deny posture: rules are evaluated top-down, first match wins, and no traffic is permitted unless it matches a specific Permit rule scoped by source, destination and service. Denied traffic between internal zones gets a REJECT (an ICMP administratively-prohibited reply, so a misconfigured client fails fast and is easy to troubleshoot); traffic toward the WAN and the final catch-all get a silent DROP, since a compromised host should learn nothing from the boundary. The final DROP is written as an explicit rule rather than left to the firewall’s implicit default, because implicit defaults on many platforms do not log.

| Rule ID & Name | Source | Destination | Service | Action |
|---|---|---|---|---|
| 01: OT Ingress | IT / Guest Zone | OT Zone | ANY | REJECT |
| 02: Managed Maint. | iDMZ Jump Host | OT Zone | SSH / RDP | ALLOW |
| 03: OT Egress | OT Zone | WAN / Uplink | ANY | DROP |
| 04: Final Catch | ANY | ANY | ANY | DROP |

The following technical ruleset translates these high-level policies into a granular firewall configuration designed for IACS UR E26 compliance. Essential services (patching, AV, time, remote maintenance) are brokered through the iDMZ, a separate firewall-attached segment that sits between the zones so that no OT host ever talks to IT or the Internet directly (the iDMZ itself is built in the next module):

| ID | Source Zone | Dest. Zone | Protocol/Port | Purpose | Action |
|---|---|---|---|---|---|
| 01 | OT Zone | iDMZ | TCP 443 / 8530 | WSUS / AV updates | ALLOW |
| 02 | iDMZ (Jump Host) | OT Zone | TCP 3389 / 22 | Remote maintenance | ALLOW |
| 03 | OT Zone | iDMZ | UDP 123 | NTP time sync | ALLOW |
| 04 | IT/Guest Zone | OT Zone | ANY | Unauthorized access | REJECT |
| 05 | OT Zone | WAN (Internet) | ANY | Direct “phone home” | DROP |
| 99 | ANY | ANY | ANY | Explicit cleanup rule | DENY ALL |

Implementation Guidance for Surveyors

When a Class Auditor (DNV/ABS) asks how you enforce these rules, you should be prepared to demonstrate the following three “Hardening” steps:

  1. “Stealth” Logging: Every Drop or Reject action in the ruleset above must be logged, including the final cleanup rule, and the logs must be shipped off the firewall to a collector so that an intruder on the box cannot erase them. Rate-limit the logging path so that a flood of denied packets cannot fill the disk; packets over the limit are still dropped, just not written. This provides the auditable evidence required for IACS UR E26 Section 4 (Detection).
  2. No “Any/Any” Rules: Every permit names a specific source, destination and service; never permit ANY to ANY, even inside the OT Zone. If several vendors’ systems share the OT Zone (e.g., Kongsberg and Wärtsilä), they should ideally sit in separate sub-VLANs with rules preventing them from talking to each other unless technically necessary.
  3. IP/MAC Binding (Optional but Recommended): For static OT assets such as PLCs, bind each IP address to its MAC address on the firewall so that an unauthorized laptop plugged into a machinery-space network port cannot simply assume a PLC’s address (“IP spoofing”). Treat this as a tripwire rather than authentication: a MAC address is trivially forged by anyone who learns it, and the firewall only sees MACs on segments it is directly attached to. Pair it with switch port security (sticky MAC, or 802.1X where the OT gear supports it) and shut down unused ports.
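The complete ruleset below is an added example, not the playbook’s own configuration: it expresses Steps 1 to 3 and hardening items 1 and 3 for a Linux firewall running nftables as the router-on-a-stick conduit. Everything not in the tables above is an assumption made for the example: the trunk from the core switch lands on `eth0` and is split into VLAN sub-interfaces `eth0.10`, `eth0.20`, `eth0.30`; the iDMZ is a fourth firewall interface `eth2` on 192.168.40.0/24 with the jump host at 192.168.40.10, the WSUS/AV/NTP relay at 192.168.40.20 and the IT web proxy at 192.168.40.30 (TCP 3128); the WAN uplink is `eth1`; and the two PLC addresses and MAC addresses in the binding sets are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example for the 3-Zone model, not the playbook's own configuration.
# Interface names, the iDMZ subnet/hosts and the PLC IP/MAC pairs are assumed.
flush ruleset

define OT_IF      = "eth0.10"        # VLAN 10 sub-interface on the trunk
define IT_IF      = "eth0.20"        # VLAN 20
define GUEST_IF   = "eth0.30"        # VLAN 30
define IDMZ_IF    = "eth2"           # assumed: dedicated iDMZ interface
define WAN_IF     = "eth1"           # assumed: uplink
define OT_NET     = 192.168.10.0/24
define IT_NET     = 192.168.20.0/24
define GUEST_NET  = 192.168.30.0/24
define IDMZ_NET   = 192.168.40.0/24  # assumed
define JUMP_HOST  = 192.168.40.10    # assumed iDMZ jump host
define OT_BROKER  = 192.168.40.20    # assumed WSUS / AV / NTP relay
define IDMZ_PROXY = 192.168.40.30    # assumed IT web proxy

table inet vessel_conduit {
    # Hardening item 3: static OT assets and the MAC each must arrive from.
    # Constructed placeholder values.
    set ot_bound_ips {
        type ipv4_addr
        elements = { 192.168.10.50, 192.168.10.51 }
    }
    set ot_ip_mac {
        type ipv4_addr . ether_addr
        elements = { 192.168.10.50 . 00:11:22:33:44:55,
                     192.168.10.51 . 00:11:22:33:44:56 }
    }

    chain ot_mac_check {
        # Known (IP, MAC) pair: continue evaluating the forward chain.
        ip saddr . ether saddr @ot_ip_mac return
        # A registered IP seen from any other MAC is a tripwire event.
        ip saddr @ot_bound_ips log prefix "OT-MAC-MISMATCH " drop
    }

    chain forward {
        # Chain policy is the silent backstop; rule 99 below is the logged one.
        type filter hook forward priority 0; policy drop;

        # Return traffic only for flows a permit below has already admitted.
        ct state established,related accept
        ct state invalid log prefix "CT-INVALID " drop

        # Zone membership is interface AND subnet: a host that changes its IP,
        # or lands on the wrong tag, is dropped before any permit can match.
        iifname $OT_IF    ip saddr != $OT_NET    log prefix "SPOOF-OT " drop
        iifname $IT_IF    ip saddr != $IT_NET    log prefix "SPOOF-IT " drop
        iifname $GUEST_IF ip saddr != $GUEST_NET log prefix "SPOOF-GUEST " drop
        iifname $IDMZ_IF  ip saddr != $IDMZ_NET  log prefix "SPOOF-IDMZ " drop
        iifname $OT_IF jump ot_mac_check

        # 01: OT -> iDMZ relay, WSUS / AV updates (TCP 443, 8530).
        iifname $OT_IF oifname $IDMZ_IF ip daddr $OT_BROKER tcp dport { 443, 8530 } accept
        # 03: OT -> iDMZ relay, NTP.
        iifname $OT_IF oifname $IDMZ_IF ip daddr $OT_BROKER udp dport 123 accept
        # 02: iDMZ jump host -> OT, remote maintenance (SSH 22, RDP 3389).
        iifname $IDMZ_IF oifname $OT_IF ip saddr $JUMP_HOST tcp dport { 22, 3389 } accept

        # 04: IT / Guest -> OT is rejected (client fails fast) and logged.
        iifname { $IT_IF, $GUEST_IF } oifname $OT_IF log prefix "OT-INGRESS-REJECT " reject with icmpx type admin-prohibited
        # 05: OT -> WAN is dropped silently; no "phone home", nothing learned.
        iifname $OT_IF oifname $WAN_IF log prefix "OT-EGRESS-DROP " drop

        # Zone-table postures the rule table leaves implicit (assumed ports):
        # guest straight to WAN, IT to the Internet only via the iDMZ proxy,
        # and the iDMZ relays out to WAN for updates and time.
        iifname $GUEST_IF oifname $WAN_IF accept
        iifname $IT_IF oifname $IDMZ_IF ip daddr $IDMZ_PROXY tcp dport 3128 accept
        iifname $IDMZ_IF oifname $WAN_IF ip saddr { $OT_BROKER, $IDMZ_PROXY } tcp dport { 80, 443 } accept
        iifname $IDMZ_IF oifname $WAN_IF ip saddr $OT_BROKER udp dport 123 accept

        # 99: explicit, logged cleanup (hardening item 1). The rate limit keeps a
        # flood from filling the disk; packets over the limit still hit policy drop.
        limit rate 20/second log prefix "DEFAULT-DENY " drop
    }

    chain input {
        # The firewall's own management plane: only the jump host, only SSH.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $IDMZ_IF ip saddr $JUMP_HOST tcp dport 22 accept
        limit rate 20/second log prefix "FW-MGMT-DENY " drop
    }
}
```

Check the syntax without loading it with `nft -c -f vessel.nft`, load it with `nft -f vessel.nft`, and confirm with `nft list ruleset`. A quick acceptance test from a Guest host: `ssh 192.168.10.50` should fail immediately with an administratively-prohibited error and produce an `OT-INGRESS-REJECT` line in the firewall’s kernel log (`journalctl -k`), while the same command from the jump host connects. Because every rule matches on interface and subnet together, the `SPOOF-*` rules also catch a laptop plugged into an OT port with an IT address, which is the check the ACL tables alone do not give you.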

Logical Boundaries Set?

With VLANs and ACLs defined, the next step is building the “Air-Lock” for secure remote vendor access using ZTNA.
