L2/L3 Network Switch Security for Ships

 Ship Solutions  Network & Perimeter NetworkSwitch Series 1 Technical Guide

L2/L3 Network Switch Security for Ships: Segmentation, Hardening & OT Zone Control

How managed L2 and L3 switches form the physical backbone of maritime OT network segmentation — VLAN design for OT zones, Layer 2 attack hardening, inter-VLAN routing control, and secure switch configuration in shipboard environments

ShipPaulJobs
ShipPaulJobs Team✓ Verified
Reviewed & fact-checked by the ShipPaulJobs editorial team · July 2026
PART 1

L2/L3 Switches — The Physical Foundation of OT Network Segmentation

Managed network switches are the physical infrastructure through which maritime OT network segmentation is implemented. While firewalls enforce policy at zone boundaries and IDS/NDR monitors traffic for threats, it is the Layer 2 and Layer 3 switches that create and enforce the underlying network topology — determining which devices can physically communicate with each other at all. Without correctly configured switches, no higher-level security control can reliably enforce OT zone isolation.

A Layer 2 (L2) switch operates at the Ethernet frame level, forwarding traffic based on MAC addresses. L2 switches implement VLANs (Virtual Local Area Networks) that partition a single physical switch into multiple isolated broadcast domains — the fundamental mechanism for separating Navigation OT, Machinery OT, Cargo Control, Ship IT, and Crew WiFi networks from each other. A Layer 3 (L3) switch adds IP routing capability, enabling controlled inter-VLAN routing with access control lists (ACLs) that specify exactly which OT zones may communicate with each other and which traffic is permitted.

On many older vessels, the OT network is "flat" — all devices (ECDIS workstations, engine monitoring, AMS controllers, cargo computers) share a single network segment with no VLAN segmentation. In this architecture, any device that gains network access can reach every other device, and a compromise of any single system potentially exposes the entire OT network. The primary function of L2/L3 switch security in the maritime context is to replace this flat topology with a properly segmented VLAN architecture that limits lateral movement after a compromise.

 Shipboard VLAN Architecture — Recommended Zone Design
VLAN IDZone NameTypical DevicesInter-Zone Routing
VLAN 10Navigation OTECDIS, AIS, Radar, GPS, GyrocompassHighly restricted — deny all by default
VLAN 20Machinery OTPMS, Propulsion Control, Engine AutomationIsolated — OEM remote only via DMZ
VLAN 30Safety SystemsFire Detection, Alarm Monitoring, GMDSSOne-way monitoring only (no inbound)
VLAN 40Cargo ControlCargo Management System, Ballast ControlPermit to Ship IT DMZ for reporting only
VLAN 50Ship IT / AdminManagement PCs, Printers, CCTV NVRPermit to Internet via firewall; limited OT access
VLAN 60Crew WiFi / BYODCrew personal devices, passenger devicesInternet only — no ship network access
VLAN 70OT Management DMZJump Server, NMS, SIEM CollectorControlled access to OT VLANs via firewall ACL
PART 2

Regulatory Framework

IACS UR E26 — Network Segmentation (Clause 5.2)

Clause 5.2 of IACS UR E26 explicitly requires network segmentation between OT and IT domains and between OT zones of different criticality. This requirement is physically implemented at the switch layer — VLANs enforce zone boundaries, and L3 switch ACLs or firewall rules control inter-zone traffic. Class surveyors verify that a segmented network architecture exists and that OT systems cannot be directly reached from IT or external networks without passing through a controlled boundary.

IACS UR E26 — Access Control (Clause 4.2)

Clause 4.2 requires that access to computer-based systems is controlled and that unauthorised devices cannot access OT networks. At the switch layer, this is implemented through port security features — 802.1X port authentication, MAC address filtering, and disabling unused switch ports — that prevent physical connection of unauthorised devices to any OT VLAN. A device that cannot authenticate to the switch port cannot join the network, regardless of what IP address it attempts to use.

IEC 62443-3-3 — System Security Requirements

IEC 62443-3-3 defines system-level security requirements for industrial control systems, including network zone separation (SR 5.1) and communication integrity (SR 4.2). The standard defines Security Levels (SL 1–4) and specifies that high-criticality OT zones (SL 2–3) must be isolated via physical network controls, not solely by software policy. L2/L3 switch VLAN architecture is the recommended implementation mechanism for IEC 62443 zone separation in maritime OT contexts.

BIMCO/ICS Guidelines — Network Architecture

The BIMCO/ICS Maritime Cyber Risk Management guidelines recommend the use of separate networks (or VLANs on managed switches) for OT and IT systems, with controlled points of interconnection. The guidelines specifically identify flat (unsegmented) OT networks as a high-risk condition requiring remediation and recommend that vessel operators document their network topology, including VLAN architecture and switch configurations, as part of their cyber risk management evidence.

PART 3

Hardening Architecture — L2 Security Features & L3 Access Control

Switch hardening in maritime OT environments covers two distinct layers. At Layer 2, the goal is to prevent attacks on the switching infrastructure itself — attacks that exploit the way switches learn MAC addresses and forward frames. At Layer 3, the goal is to control which zones can route traffic to each other, and to ensure that routing configurations cannot be manipulated to bypass zone boundaries. Both layers require explicit configuration; factory-default switch settings are insecure and inappropriate for maritime OT deployment.

 L2 Switch Hardening — Key Controls
Port Security

Limit each port to a fixed number of MAC addresses (typically 1–2 for OT devices). If an unknown MAC appears, the port shuts down automatically. Prevents MAC flooding attacks and connection of unauthorised devices to OT ports.

BPDU Guard

Spanning Tree Protocol (STP) BPDU Guard shuts down any access port that receives a Bridge Protocol Data Unit — preventing an attacker from connecting a rogue switch and manipulating the spanning tree topology to redirect traffic. All OT access ports must have BPDU Guard enabled.

Root Guard

Prevents any port other than the designated uplink from becoming the STP root. Protects against an attacker claiming the STP root role on a designated OT access port, which would cause all traffic to flow through the attacker's device.

DHCP Snooping

Distinguishes trusted (uplink) and untrusted (access) ports, blocking DHCP server responses from any untrusted port. Prevents a rogue DHCP server connected to an OT port from assigning incorrect IP addresses and redirecting traffic (DHCP spoofing attack).

Dynamic ARP Inspection

Validates ARP packets against the DHCP snooping binding table, dropping ARP replies that do not match known IP-to-MAC bindings. Prevents ARP spoofing/poisoning attacks where an attacker associates their MAC address with a legitimate device's IP to intercept traffic (man-in-the-middle).

Disable Unused Ports

All switch ports that are not connected to an active, authorised device must be administratively shut down and assigned to a quarantine VLAN. On ships where maintenance crew routinely connect laptops to available ports, this is a critical control — an enabled but unused port is an open network connection.

 L3 Switch Hardening — Inter-VLAN Routing Controls
ControlPurposeOT Application
ACL per VLAN interfacePermit only specified traffic between zonesBlock all inter-VLAN routing except explicitly permitted flows (e.g., NMS polling from VLAN 70 to VLAN 20)
Deny-all default ruleReject any traffic not explicitly permittedAll inter-VLAN ACLs must end with an explicit deny-all rule — not rely on an implicit deny
Routing protocol authenticationPrevent injection of rogue routesIf OSPF or other dynamic routing is used, authenticate routing protocol peers (MD5 or SHA-256)
Disable IP source routingPrevent packet path manipulationIP source routing allows a sender to specify the packet's routing path — must be disabled on all OT L3 switches
Management plane isolationRestrict switch management accessSSH/HTTPS management access to switch CLI restricted to OT Management VLAN only; Telnet and HTTP disabled
PART 4

Maritime Implementation Constraints

Legacy Flat OT Networks — Retrofitting VLAN Segmentation

The largest practical challenge is that most vessels in service today have flat OT networks — all OT devices share a single network segment on unmanaged or partially managed switches. Retrofitting VLAN segmentation onto an existing vessel requires detailed network discovery to map all current device connections, re-cabling or trunk reconfiguration at every switch port, and VLAN assignment for each device — followed by testing each OT function to verify that the segmented network did not break any communication dependencies. This is typically a drydock project due to the extent of changes required, and must be performed with OEM involvement for complex systems.

Unmanaged Switches in OT Spaces

Many OT equipment racks contain unmanaged switches provided by the OEM as part of the original system delivery — simple plug-and-play switches that have no VLAN, port security, or management capability. These devices cannot be secured or monitored and create flat network zones within what might appear to be a segmented topology. Every unmanaged switch in an OT space represents a location where an unauthorised device can be connected without any detection. Unmanaged switches in OT environments should be replaced with managed switches as part of security remediation programmes.

Hidden OT Communication Dependencies

OT systems often have undocumented network communication dependencies — an engine alarm system that sends status to the navigation display, a cargo computer that queries the engine room for fuel data, or an AMS that polls multiple sensor PLCs on a shared network segment. These dependencies are not always visible in OEM documentation and may only be discovered when VLAN segmentation breaks them. Pre-segmentation network traffic analysis (using passive tap/SPAN port monitoring) is essential to map all communication flows before implementing VLAN boundaries, to avoid disrupting operational functions.

Physical Access to Switch Ports

Unlike corporate IT environments where network closets are locked, ships often have accessible network cabinets in machinery spaces and accommodation areas where OT switches are located. Maintenance crew, port agents, and OEM technicians may have physical access to spaces containing active switch ports. Port security features (MAC address binding, port shutdown on unauthorised MAC) are the technical control, but physical cable-locking of unused ports and restricted access to switch panels are equally important compensating controls in a shipboard context.

PART 5

Trends & Market Developments

Maritime-Grade Managed Switches

A growing market of marine-certified managed switches (DNV-GL type-approved, IEC 60945 compliant for vibration and EMC) now offer enterprise-grade security features — 802.1X port authentication, VLAN support, port security, DHCP snooping, and management APIs — in hardware that meets the environmental standards required for shipboard OT spaces. Vendors including Cisco IE series, Hirschmann, Moxa, and Phoenix Contact all supply maritime-grade managed switches suitable for OT zone deployment.

Network as a Security Sensor

Modern managed switches generate rich telemetry — syslog events for port security violations, link state changes, MAC address table changes, and authentication failures. This telemetry is increasingly forwarded to the onboard SIEM/log aggregator, turning the switch infrastructure into a passive security sensor that can detect device connection/disconnection events, VLAN hopping attempts, and STP topology changes without any additional monitoring hardware.

802.1X Port Authentication in OT

802.1X network access control — which requires a device to authenticate to a RADIUS server before a switch port activates — is gradually being adopted in maritime OT environments for IT-adjacent zones. While full 802.1X deployment across all OT ports remains challenging due to legacy device limitations, it is increasingly applied to Switch IT VLAN ports and any port accessible to non-crew personnel, providing cryptographic device authentication before network access is granted.

IACS E26 Driving New Build Standards

For vessels ordered after IACS UR E26 entry into force, class societies are now reviewing network architecture documentation as part of the design approval process — verifying that the shipboard network design includes appropriate VLAN segmentation and that the specified switch hardware supports the required security features. This is normalising proper L2/L3 switch security design in new construction, reducing the retrofit burden that the existing fleet faces.

 Key Takeaways
01

VLAN segmentation is the physical foundation of OT security — no software control above it is reliable without it. A flat OT network means that any compromised device has unrestricted access to every other OT device on the ship. Implementing correct VLAN zone separation is the highest-priority network security action for vessels that do not yet have it.

02

Map traffic before you segment. Hidden OT communication dependencies will be broken by VLAN boundaries if they are not identified first. Run passive traffic capture on the existing flat network for 4–8 weeks before implementing VLAN boundaries — this identifies all inter-device communication flows that must be explicitly permitted in the new segmented design.

03

Replace unmanaged switches in OT spaces. Every unmanaged switch is a security gap — devices connected to it cannot be monitored, port security cannot be enforced, and the switch cannot generate security telemetry. Including managed switch replacement in the next scheduled drydock as part of the OT security programme is a high-value, achievable improvement for most vessel operators.

ShipPaulJobs
ShipPaulJobs Team✓ Verified
Maritime Cybersecurity Editorial Team — Network & Perimeter

Explore the full Network & Perimeter series — from switch segmentation through firewall policy, IDS detection, and NDR response — at the MaritimeCyber hub.

⚓ Join the ShipPaulJobs Community

Join →
Share

Comments