From Cable to Cyber Resilience Designing Physical Networks for IACS UR E26/E27

🛡 IACS UR E26/E27 Ship OT Cybersecurity Series · Part 1 of 5: OT Network Architecture

Captain Paul
Maritime 4.0 · AI, Data & Cyber Security · linkedin.com/in/shipjobs
📌 Series Overview

This series explains how physical networks evolve into logical networks, and how those architectures are ultimately translated into Zone and Conduit Diagrams (ZCD) and Cyber Security Design Descriptions (CSDD) required by IACS UR E26/E27.

📖 Key Terms — Terminology Used in This Article
OT (Operational Technology) — Systems that directly operate and control the ship at the field level — engine automation, navigation, cargo management. Distinct from IT (office/administrative networks).
IACS UR E26 / E27 — Unified Requirements for ship cybersecurity issued by IACS. E26 covers cyber resilience for the entire ship system; E27 covers cybersecurity requirements for individual onboard equipment (computer-based systems).
Cyber Resilience — The ability to maintain or rapidly restore critical ship functions even when a cyber incident occurs. The goal is operational continuity — keep the ship running — not just security hardening.
Managed Switch — A network switch that supports traffic control and monitoring. Enables VLAN configuration, port isolation, and traffic prioritization. Unlike a simple hub, it is the core device for implementing cyber architecture.
Redundancy — Designing critical equipment and paths in duplicate so that operations continue when one fails. On ships, redundancy is the cornerstone of availability.
RSTP / PRP / HSR — Network redundancy protocols. RSTP (Rapid Spanning Tree Protocol) prevents loops and enables fast path switching. PRP (Parallel Redundancy Protocol) and HSR (High-availability Seamless Redundancy) provide zero-downtime failover. PRP or HSR is recommended for OT environments.

Introduction

When people first encounter IACS UR E26 and E27, they often think about cyber security products.

Firewalls · Anti-virus software · Intrusion detection systems · Security monitoring solutions.

However, cyber resilience begins much earlier than that.

Before firewalls, there are networks.
Before networks, there are cables.
And before any security controls can be applied, systems must first be connected.

Understanding this sequence is essential because IACS UR E26 is fundamentally an architectural requirement — not a product requirement.

OT Networks Were Never Designed for Cybersecurity

To understand modern ship cyber security, we must first understand how OT systems evolved.

Traditionally, shipboard systems were designed independently:

Navigation Systems — Vendor A
Propulsion Systems — Vendor B
Power Management — Vendor C

Each supplier optimized its own system for reliability and operational performance. Connectivity between systems was minimal. Isolation itself acted as protection.

Cybersecurity was rarely considered because these systems were never expected to be exposed to external networks.

Digital Transformation Changed Everything

Modern vessels are no longer isolated environments. Today, ships continuously exchange information with:

🏢 Fleet Operation Centers
☁️ Cloud Services
🔧 OEM Remote Maintenance Platforms
🛰 Satellite Communication Networks
🏭 Shore Offices
🤝 Third-party Service Providers

Consequently, systems that were originally designed to operate independently are now interconnected. The result is a System of Systems.

The cyber risk no longer comes from individual equipment.

It emerges from the connections between systems. In many incidents, the vulnerability is not inside the equipment itself — it lies in the interfaces.

Why IACS Introduced UR E26 and E27

Historically, class societies focused primarily on safety and reliability. However, increasing digitalization introduced new risks. A cyber incident affecting one system could propagate throughout the vessel and compromise safety, operational continuity, and environmental protection.

IACS UR E26
Cyber Resilience of Ships

Focuses on:

Cyber Security Architecture
System Segmentation
Security Controls
Verification Activities

📌 Applies to: The Ship

IACS UR E27
Cyber Resilience of On-board Systems & Equipment

Focuses on:

Product Suppliers
Secure Development
Product Maintenance
Vulnerability Management

📌 Applies to: Products on the Ship

In simple terms: E26 focuses on the ship. E27 focuses on the products installed on the ship.

Cyber Resilience Is Different from Cyber Security

🔒 Cyber Security

Focuses on preventing attacks.

🛡 Cyber Resilience

Focuses on maintaining essential functions despite attacks.

This distinction is particularly important for ships, because a ship cannot simply stop operating in the middle of the ocean.

The objective is not to create perfect protection.

The objective is to ensure that critical functions remain available even when cyber incidents occur.

Availability becomes as important as confidentiality. This is why redundancy, segmentation, and survivability play a central role in E26.

The Physical Network Is the Foundation

A cyber architecture does not exist independently. It is built on top of a physical architecture. Every switch, every router, every firewall, every communication cable — together they form the foundation upon which cyber resilience is built.

The Correct Design Sequence

1. Physical Network: Cables · Switches · Routers · Firewalls
2. Logical Network: VLANs · IP Addressing · Routing
3. Zone and Conduit Architecture: Zones · Conduits · Security Levels
4. Cyber Security Design Description (CSDD): Documentation · Evidence
5. Verification and Validation: Testing · Class Survey

⚠️ Skipping these steps often leads to diagrams that satisfy documentation requirements but fail to represent reality.

Understanding the Purdue Reference Model

Although originally developed for industrial automation systems, the Purdue Model provides an effective framework for maritime OT environments. Most ship architectures can be interpreted through its layered structure.

Level 5, External Connectivity: Internet · VSAT · LTE · Shore Connection
Level 4, Business Network: Office LAN · Crew Network · Administrative Systems
Level 3.5, Demilitarized Zone (DMZ): Jump Server · Patch Server · Remote Access Gateway · Antivirus Server
Level 3, Operations Network: Navigation Systems · Communication Systems · Operational Servers
Level 2, Supervisory Control: HMI · SCADA · Operator Stations
Level 1, Basic Control: PLC · Controllers · Remote I/O

The Purdue Model is not explicitly mandated by IACS. Nevertheless, it provides a practical foundation for designing trust boundaries and network segmentation in ship environments.

The Role of Network Components

Each network component serves a different purpose. Understanding these roles is essential before designing a cyber architecture.

🔀 Router (external connectivity)

Provides connectivity to external networks. Examples: VSAT routers, LTE routers.

🔌 Switch (intra-network communication)

Provides communication within a network. Examples: core switches, distribution switches, access switches.

Switches are responsible for connectivity, not security.

🛡 Firewall (trust boundaries)

Provides trust boundaries. Controls communication between networks.

Firewalls define conduits. They do not define zones.

📡 Wireless Access Points (mobility)

Provide mobility. However, wireless networks also increase the attack surface.

Wireless access should be isolated from critical OT environments whenever possible.

Cyber Resilience Requires Redundancy

Unlike office environments, shipboard systems must remain operational under abnormal conditions. Physical network design must account for survivability.

Redundancy Design Considerations

Redundant Core Switches
Ring Topologies
RSTP (Rapid Spanning Tree)
PRP / HSR Protocols
Dual Communication Paths
Dual Power Supplies

Cyber resilience is not merely about security. It is equally about survivability.
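The two design rules above, that switches provide connectivity while firewalls provide conduits, and that critical paths need redundancy, can both be checked mechanically on a physical topology before any VLAN or firewall rule is written. The script below is an added example, not code from the article or from any class society tool. It models a small constructed topology loosely following the Purdue levels described earlier (node names, zone labels and cabling are assumptions), then runs two checks: with every firewall removed, no two zones may remain connected through switches alone; and for a chosen control path (HMI to PLC) no single switch or cable may be a point of failure. The topology deliberately contains one of each problem so the checks have something to report.

```python
from collections import deque

# Constructed sample topology (an assumption for this example, not taken
# from the article). node -> (device type, zone). Firewalls carry zone None:
# they sit on conduits between zones rather than inside a zone.
NODES = {
    "vsat_router": ("router",   "external"),   # Level 5
    "fw_shore":    ("firewall", None),
    "dmz_switch":  ("switch",   "dmz"),        # Level 3.5
    "jump_server": ("host",     "dmz"),
    "fw_ot":       ("firewall", None),
    "core_sw_a":   ("switch",   "control"),    # Level 2 / Level 1
    "core_sw_b":   ("switch",   "control"),
    "hmi":         ("host",     "control"),
    "access_sw":   ("switch",   "control"),
    "plc_1":       ("host",     "control"),
    "crew_ap":     ("wifi_ap",  "business"),   # Level 4
}

# Physical links (cables). The last one is a deliberate design error:
# a crew Wi-Fi access point patched straight into an OT core switch.
LINKS = [
    ("vsat_router", "fw_shore"),
    ("fw_shore", "dmz_switch"),
    ("dmz_switch", "jump_server"),
    ("dmz_switch", "fw_ot"),
    ("fw_ot", "core_sw_a"),
    ("fw_ot", "core_sw_b"),
    ("core_sw_a", "core_sw_b"),   # redundant core pair
    ("core_sw_a", "hmi"),
    ("core_sw_b", "hmi"),         # dual-homed HMI
    ("core_sw_a", "access_sw"),
    ("core_sw_b", "access_sw"),
    ("access_sw", "plc_1"),       # single cable to the PLC
    ("crew_ap", "core_sw_a"),     # design error
]


def adjacency(nodes, links, drop_nodes=(), drop_links=()):
    """Undirected adjacency map, leaving out the given nodes and links."""
    dropped = {frozenset(link) for link in drop_links}
    adj = {n: set() for n in nodes if n not in drop_nodes}
    for a, b in links:
        if a in drop_nodes or b in drop_nodes or frozenset((a, b)) in dropped:
            continue
        adj[a].add(b)
        adj[b].add(a)
    return adj


def reachable(adj, start):
    """Breadth-first search: every node reachable from start."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def zone_leaks(nodes=NODES, links=LINKS):
    """Zones joined by switches alone, with no firewall in between.

    Remove every firewall; each remaining connected component must lie in a
    single zone. A component spanning two zones means a conduit exists that
    no firewall controls.
    """
    firewalls = {n for n, (kind, _) in nodes.items() if kind == "firewall"}
    adj = adjacency(nodes, links, drop_nodes=firewalls)
    leaks, seen = [], set()
    for start in adj:
        if start in seen:
            continue
        component = reachable(adj, start)
        seen |= component
        zones = sorted({nodes[n][1] for n in component})
        if len(zones) > 1:
            leaks.append(tuple(zones))
    return sorted(leaks)


def single_points_of_failure(src, dst, nodes=NODES, links=LINKS):
    """Nodes and cables whose individual loss cuts src off from dst."""
    spof_nodes = [
        n for n in nodes
        if n not in (src, dst)
        and dst not in reachable(adjacency(nodes, links, drop_nodes={n}), src)
    ]
    spof_links = [
        link for link in links
        if dst not in reachable(adjacency(nodes, links, drop_links=[link]), src)
    ]
    return sorted(spof_nodes), sorted(spof_links)


if __name__ == "__main__":
    print("zone leaks (no firewall on the path):", zone_leaks())
    print("HMI -> PLC single points of failure:",
          single_points_of_failure("hmi", "plc_1"))
```

Run as written, the first check reports that the business and control zones touch without a firewall (the crew access point cabled into the core switch), and the second reports the access switch and its single cable to the PLC as points whose loss isolates the controller from the HMI, even though the core switches and the HMI uplinks are redundant. Removing the stray cable clears the first finding; adding a second path to the PLC clears the second. The same two functions can be run over a real cable schedule exported to the node/link form above, which is the "physical network" step of the design sequence.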

Before Designing Security, Design the Network

Many projects begin with security products. But experienced engineers understand that products alone cannot create cyber resilience. Architecture creates cyber resilience. And architecture begins with networks.

Before defining VLANs,
before assigning IP addresses,
before creating firewall rules,
we must first understand how systems are physically connected.

Because every cyber architecture ultimately begins with a cable.

➡ Next in the Series · Part 2: Zone Before VLAN

In Part 2, we move one layer above physical connectivity. Instead of asking "How should VLANs be configured?" we will ask a much more important question: "How should Zones be defined?"
Because in ship cyber security — Zones come before VLANs.

Captain Paul
Maritime cybersecurity professional specializing in IACS UR E26/E27 compliance, OT system architecture, and shipyard-level cyber resilience design. Writing for engineers, superintendents, and operators navigating Maritime 4.0.
