Effective network security starts with compliance. The global standard for maritime OT cyber risk management relies on a foundational concept: Zones and Conduits.
This article breaks down this core principle, which is mandated by IACS UR E26 and derived from IEC 62443, and shows how it translates into two distinct, actionable segmentation models for the fleet—whether you are retrofitting an existing vessel or overseeing a new build.
TAGSIA Tags: IACS UR E26 (3.1); IEC 62443-3-3 SR 1 (Zones & Conduits); IMO/ISM Code §11.2
1. The Core Principle: Zones and Conduits
The goal of segmentation is to isolate groups of assets that share similar security requirements. This is achieved through two elements:
- Security Zone (The Room): A logical or physical grouping of assets (systems, equipment) that all require the same level of confidentiality, integrity, and availability. For instance, all systems impacting the stability or propulsion of the vessel would belong to a single, high-criticality zone.
- Conduit (The Doorway): The secure pathway that controls all data flow between two Security Zones. A Conduit must strictly enforce the rules for what traffic is allowed in or out (e.g., using a firewall or router with Access Control Lists).
The fundamental rule is Deny by Default: No data is permitted to pass between zones unless explicitly approved, necessary for operation, and securely logged.
2. Segmentation Model 1: The Pragmatic Three-Zone Retrofit
This model is designed for existing vessels and mixed-age fleets where the cost and complexity of a full, system-level redesign are prohibitive. It focuses on achieving the biggest security impact with the least disruption, satisfying the spirit of IACS E26 for current operations.
- Focus: High-impact segregation based on asset criticality and risk profile.
- Goal: Prevent common malware or IT-borne incidents from reaching critical OT.
| Zone Name | Role & Criticality | Primary Assets | E26 Control Focus |
| Zone 1: Mission-Critical OT | Highest safety/availability needs. Must be isolated. | ECDIS, Steering, PMS, VDR, GMDSS. | Protect (E26 3.2: Network Security) |
| Zone 2: Ship Operations / Business IT | General administration, crew email, non-safety systems. | Crew/Guest Wi-Fi, Admin PCs, Cargo/Ballast Monitoring (if non-critical). | Identify (E26 3.1: Inventory & Zoning) |
| Zone 3: Remote Access / DMZ | The necessary buffer for external communications. | Jump Hosts, Shore-side Gateways, Cyber Monitoring Tools. | Protect (E26 3.4: Remote Access) |
Key Action: Establish a high-assurance Conduit (Firewall) between Zone 2 (IT) and Zone 1 (OT) that strictly limits communications to essential services (e.g., only allowing chart updates).
3. Segmentation Model 2: The Rigorous UR E26 Design Approach
This model is mandatory for newbuilds where IACS UR E26 applies from the design phase (July 2024 onwards). It requires a much more granular approach, often resulting in numerous zones defined by specific system requirements, not just generic IT/OT separation.
- Focus: Full compliance from the outset, driven by system failure analysis and required security levels (SL).
- Goal: Ensure the failure or compromise of one system does not cascade to another critical system.
| Segmentation Characteristic | Rigorous E26 Design Approach | Pragmatic Three-Zone Retrofit |
| Zone Definition | Defined by System Requirements (e.g., Propulsion Control System is one zone; Power Management is another). | Defined by Criticality (e.g., Bridge OT is one zone; Engine OT is another). |
| Minimum Requirement | Mandatory isolation for Safety Systems, Propulsion, Steering, and Power Generation. | Recommended minimum separation between OT and IT. |
| Evidence | Requires formal System Definition Documentation and proof of security levels from OEMs (E27). | Requires Network Diagram and Auditable Access Control Lists (ACLs). |
Key Action: Work with Class and OEMs to verify that all systems within the E27 scope are designed as isolated zones with secure conduits, meeting the required Security Levels (SLs).
