Zone Before VLAN — Designing Logical Networks Using the Purdue Model and Zone & Conduit Concepts

🛡 IACS UR E26/E27 Ship OT Cybersecurity Series Part 2 of 5 Zone & Conduit Architecture

Captain Paul
Maritime 4.0 · AI, Data & Cyber Security · linkedin.com/in/shipjobs

📌 Series Overview

This series explains how physical networks evolve into logical architectures and eventually become Zone and Conduit Diagrams (ZCD) required by IACS UR E26/E27.

📖 Key Terms — Terminology Used in This Article
Zone — IEC 62443 definition: "A grouping of assets that share common security requirements." Grouped by trust level, not physical location. Examples: Navigation Zone, Machinery Control Zone.
Conduit — A controlled communication path between Zones. Specifies which systems can communicate, using which protocol, in which direction. Includes security controls such as firewalls, ACLs, and VPNs.
VLAN (Virtual Local Area Network) — Technology that logically segments a single physical switch into multiple networks. A tool for implementing Zones — but Zone design comes first; VLANs follow.
Purdue Model — A reference model that organizes industrial control systems into levels (1 through 5). Level 1 is field control (PLCs); Level 5 is external internet. Provides the structural framework for Zone design required by IACS UR E26.
DMZ (Demilitarized Zone) — A buffer network zone between IT and OT (Purdue Level 3.5). Houses jump servers, patch servers, and remote access gateways.
ACL (Access Control List) — A rule list on a network device specifying which traffic is permitted or denied. Used alongside firewalls; one of the key security controls applied within a Conduit.
SL-T (Security Level Target) — The required security protection level for each Zone (SL-1 to SL-4), determined through risk assessment. Navigation and machinery Zones typically require SL-T 3 or above.

Introduction

Once the physical network has been established, engineers naturally begin asking:

"How should we configure VLANs?"
"Which IP addresses should we use?"
"How many subnets are required?"

Although these questions are important, they are not the first questions we should ask. The more fundamental question is:

What are we trying to protect?

And the answer to that question leads us to Zones.

In cyber architecture, Zones come before VLANs.

Why Network Segmentation Exists

Historically, many shipboard systems were connected primarily for operational efficiency — information sharing improved, maintenance became easier, and remote access reduced operational costs.

However, increased connectivity also created new risks.

⚠ Propagation Risk

A compromise in one system could propagate into another.

⚠ Lateral Movement

An infected engineering workstation might affect the IAS.

⚠ Entry Point Risk

A maintenance laptop could become an entry point into a navigation system.

✓ The Challenge

No longer protecting individual equipment — controlling trust between systems.

This is where segmentation becomes essential.

Physical Separation vs. Logical Separation

Traditional: Physical Separation

Separate switches per system
Separate cables per system
Separate workstations

Strong isolation, but high complexity and cost.

Modern: Logical Separation

Common switches
Shared fiber networks
Integrated platforms

Trust boundaries defined logically, not physically.

Cyber architecture must define trust boundaries even when systems share physical infrastructure.

Understanding the Concept of a Zone

IEC 62443 — Definition

"A grouping of assets sharing common security requirements."

Notice what the definition does not say:

✗ Same VLAN
✗ Same IP range
✗ Same supplier
✗ Same switch

Instead, a Zone groups assets that require similar levels of protection.

Zones are based on trust, not topology.

Understanding Conduits

Zone: represents trust boundaries.

Conduit: represents controlled communication paths.

Conduits answer the key questions governing communication between Zones:

Who can communicate?
Which protocols are allowed?
In which direction?
Under what conditions?

A conduit is much more than a cable. It represents the security controls that govern communication between Zones.

Typical Conduit Controls

🛡 Firewalls
📋 Access Control Lists
🔐 VPNs
🔑 Authentication
👁 IDS Monitoring
📝 Logging

Zones define trust.

Conduits control trust.
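The four questions above (who, which protocol, which direction, under what conditions) are exactly the fields of a Conduit table, and a table written that precisely can be checked by a program. The following Python is an added example, not code from the article: it models a small Conduit table as data and evaluates proposed Zone-to-Zone flows against it with a default-deny rule, so the reverse of a permitted path, or an IT-to-OT path that skips the DMZ, is refused. The Zone names are the article's; the conduit entries, protocols, ports and control labels are constructed assumptions.

```python
"""Conduits as policy: every Zone-to-Zone flow must match a declared Conduit.

Added example; the conduit table, ports and controls below are constructed
assumptions, not a design taken from the article or any real vessel.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conduit:
    """One permitted, directional communication path between two Zones."""
    src_zone: str    # who may initiate
    dst_zone: str    # who may receive
    protocol: str    # "tcp" or "udp"
    port: int        # destination port
    control: str     # the security control that enforces this conduit


@dataclass(frozen=True)
class Flow:
    """A proposed or observed communication, described at Zone level."""
    src_zone: str
    dst_zone: str
    protocol: str
    port: int


# Constructed conduit table. Only the DMZ reaches into OT zones; OT zones
# send logs outward to monitoring; business systems reach only the DMZ.
CONDUITS: List[Conduit] = [
    Conduit("DMZ", "Navigation Zone", "tcp", 22, "firewall + jump server"),
    Conduit("DMZ", "Machinery Control Zone", "tcp", 22, "firewall + jump server"),
    Conduit("Navigation Zone", "Security Monitoring Zone", "udp", 514, "firewall, one-way syslog"),
    Conduit("Machinery Control Zone", "Security Monitoring Zone", "udp", 514, "firewall, one-way syslog"),
    Conduit("Ship Business Zone", "DMZ", "tcp", 443, "firewall"),
]


def evaluate(flow: Flow, conduits: List[Conduit] = CONDUITS) -> Tuple[str, Optional[Conduit]]:
    """Return ("allow", conduit) when a declared conduit matches the flow exactly
    (zones, protocol, port and direction), otherwise ("deny", None).

    Traffic that stays inside one Zone needs no conduit: conduits govern the
    boundary between Zones, not communication within a Zone.
    """
    if flow.src_zone == flow.dst_zone:
        return "allow", None
    for c in conduits:
        if (c.src_zone, c.dst_zone, c.protocol, c.port) == (
            flow.src_zone, flow.dst_zone, flow.protocol.lower(), flow.port
        ):
            return "allow", c
    return "deny", None  # default deny: nothing that is not written down is permitted


def denied_flows(flows: List[Flow], conduits: List[Conduit] = CONDUITS) -> List[Flow]:
    """Audit helper: the subset of flows with no matching conduit."""
    return [f for f in flows if evaluate(f, conduits)[0] == "deny"]


def to_rules(conduits: List[Conduit] = CONDUITS) -> List[str]:
    """Render the conduit table as vendor-neutral rule lines ending in an explicit deny."""
    rules = [
        f"permit {c.protocol} from {c.src_zone} to {c.dst_zone} port {c.port}  # {c.control}"
        for c in conduits
    ]
    rules.append("deny any from any to any  # default deny")
    return rules


if __name__ == "__main__":
    # Constructed flows: the reverse of a permitted conduit, and an IT-to-OT
    # flow that skips the DMZ, are both denied.
    proposed = [
        Flow("DMZ", "Navigation Zone", "tcp", 22),
        Flow("Navigation Zone", "DMZ", "tcp", 22),
        Flow("Ship Business Zone", "Navigation Zone", "tcp", 22),
        Flow("Navigation Zone", "Navigation Zone", "tcp", 502),
    ]
    for f in proposed:
        decision, via = evaluate(f)
        print(f"{f.src_zone} -> {f.dst_zone} {f.protocol}/{f.port}: {decision}"
              + (f" via {via.control}" if via else ""))
    print("\n".join(to_rules()))
```

The point of the exact-match rule is direction: a conduit from the DMZ into the Navigation Zone does not imply one from the Navigation Zone back into the DMZ, and the evaluator treats them as unrelated entries. The rendered rule list is only a reading aid here; the real firewall or ACL syntax is vendor-specific and is generated from the same table later in the project.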

The Purdue Model Provides Structure

Most maritime cyber architectures can be aligned with the Purdue Reference Model to establish trust boundary layers.

Level 5 (External Connectivity): Internet, VSAT, LTE
Level 4 (Business Network): Office Network, Crew Welfare Network
Level 3.5 (DMZ): Jump Server, Patch Server, Remote Access Gateway
Level 3 (Operational Network): Navigation Systems, Communication Systems
Level 2 (Supervisory Control): HMI, Operator Stations
Level 1 (Basic Control): PLC Controllers

Although IACS UR E26 does not mandate the Purdue model, it provides a practical framework for establishing trust boundaries in maritime environments.

Designing Zones

⚠️ One of the biggest mistakes in E26 projects is defining Zones according to equipment names alone — Navigation Zone, Machinery Zone, Cargo Zone. This approach is only partially correct.

A proper Zone design must consider five dimensions:

1. Criticality: How important is the system to vessel safety and operation?
2. Connectivity: What other systems communicate with it?
3. Consequences of Compromise: What happens if the system becomes unavailable or corrupted?
4. Trust Level: Can the system trust external connections?
5. Operational Requirements: Does the system require continuous availability?

The Nine Baseline Zones

A practical ship architecture typically includes the following zones. These may vary depending on vessel type, but they provide a useful starting point.

Zone 1: External Access Zone (Internet · VSAT · LTE)
Zone 2: Ship Business Zone (Office Network)
Zone 3: Crew Welfare Zone (WiFi · Entertainment)
Zone 4: DMZ (Jump Server · Patch Server)
Zone 5: Security Monitoring Zone (SIEM · IDS · Syslog)
Zone 6: Navigation Zone (ECDIS · Radar · VDR)
Zone 7: Communication Zone (GMDSS · Satellite Comms)
Zone 8: Machinery Control Zone (IAS · AMS · PMS)
Zone 9: Cargo / Mission Zone (Cargo Control · DP Systems)

Why VLANs Come Later

After Zones are defined, VLANs can be assigned. For example:

Zone                  VLAN Assignment
Navigation Zone       VLAN 10
Communication Zone    VLAN 20
Machinery Zone        VLAN 30
Cargo Zone            VLAN 40
DMZ                   VLAN 50
Business Zone         VLAN 60
Crew Zone             VLAN 70

VLANs are implementation mechanisms. They are not cyber architecture.
Two systems belonging to different trust levels should never be placed in the same Zone simply because they share a VLAN.
Likewise, one Zone may span multiple VLANs.

✗ VLANs do not create Zones.

✓ Zones create VLANs.

Asset Inventory Comes First

Before defining Zones, engineers must understand the assets they are protecting. This is why Asset Inventory and Dependency Mapping are foundational activities in IACS UR E26.

Four Questions to Answer Before Defining Zones

What assets exist?
How are they connected?
Which functions do they perform?
Which systems depend on them?

Without understanding assets and dependencies, meaningful Zone definitions become impossible.

Logical Networks Are About Trust

Physical Networks: describe connectivity.

Logical Networks: describe trust.

The purpose of Zone and Conduit architecture is not to simplify drawings. Its purpose is to contain cyber incidents. If one Zone is compromised, the impact should be limited.

Segmentation is not about efficiency.

Segmentation is about survivability.

Before Drawing the ZCD

By the end of this stage, we should have the following in place. These are the ingredients — not yet the ZCD itself.

Asset Inventory
Dependency Mapping
Criticality Assessment
Purdue Level Assignments
Zone Definitions
Conduit Requirements

None of these are yet a Zone and Conduit Diagram. They are simply the ingredients. The next step is translating these concepts into documentation — and that is where many projects struggle.
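The ingredients listed above are not independent: the Asset Inventory and Dependency Mapping, combined with the Zone Definitions and Purdue Level Assignments, determine the Conduit Requirements. The following Python is an added example, not code from the article, covering both the four inventory questions and this ingredients list: it derives the set of Conduits a design needs from a constructed inventory and dependency map, flags dependencies that run from the IT levels straight into OT without passing the Level 3.5 DMZ, and refuses to proceed when a dependency names an asset the inventory does not know. The Zone names follow the article; the Purdue level assigned to each Zone, the assets and the dependencies are assumptions.

```python
"""From inventory and dependency map to Conduit requirements.

Added example. Zone names follow the article; the Purdue level per Zone, the
assets and the dependencies are constructed assumptions for illustration.
"""
from typing import Dict, Iterable, List, Tuple

Dependency = Tuple[str, str, str]   # (consumer, provider, protocol); the consumer initiates
Conduit = Tuple[str, str, str]      # (src_zone, dst_zone, protocol)

# Purdue level per Zone (assumption: the article places the DMZ at 3.5,
# navigation systems at Level 3 and HMI/supervisory systems at Level 2).
ZONE_LEVEL: Dict[str, float] = {
    "Ship Business Zone": 4,
    "DMZ": 3.5,
    "Security Monitoring Zone": 3,
    "Navigation Zone": 3,
    "Machinery Control Zone": 2,
}

# Asset inventory: which Zone each asset belongs to (constructed).
ASSET_ZONE: Dict[str, str] = {
    "Office-PC-1": "Ship Business Zone",
    "Jump-Server": "DMZ",
    "ECDIS-1": "Navigation Zone",
    "Radar-1": "Navigation Zone",
    "IAS-Server": "Machinery Control Zone",
    "IAS-PLC-1": "Machinery Control Zone",
    "SIEM": "Security Monitoring Zone",
}

# Dependency mapping (constructed). The last entry is an IT workstation
# reaching straight into a machinery server, bypassing the DMZ.
DEPENDENCIES: List[Dependency] = [
    ("ECDIS-1", "Radar-1", "radar-video"),
    ("IAS-Server", "IAS-PLC-1", "modbus-tcp"),
    ("Jump-Server", "IAS-Server", "rdp"),
    ("Office-PC-1", "Jump-Server", "https"),
    ("IAS-Server", "SIEM", "syslog"),
    ("Office-PC-1", "IAS-Server", "smb"),
]


def unknown_assets(deps: Iterable[Dependency], asset_zone: Dict[str, str]) -> List[str]:
    """Assets named by a dependency but absent from the inventory. The inventory
    must be complete before any Zone or Conduit conclusion is meaningful."""
    names = {n for consumer, provider, _ in deps for n in (consumer, provider)}
    return sorted(n for n in names if n not in asset_zone)


def _require_complete(deps: List[Dependency], asset_zone: Dict[str, str]) -> None:
    missing = unknown_assets(deps, asset_zone)
    if missing:
        raise ValueError(f"inventory incomplete, unassigned assets: {missing}")


def required_conduits(deps: List[Dependency], asset_zone: Dict[str, str]) -> List[Conduit]:
    """Every dependency that crosses a Zone boundary needs a Conduit; dependencies
    inside one Zone do not. Returns sorted, de-duplicated (src, dst, protocol)."""
    _require_complete(deps, asset_zone)
    found = set()
    for consumer, provider, proto in deps:
        src, dst = asset_zone[consumer], asset_zone[provider]
        if src != dst:
            found.add((src, dst, proto))
    return sorted(found)


def dmz_bypasses(deps: List[Dependency], asset_zone: Dict[str, str],
                 zone_level: Dict[str, float]) -> List[Dependency]:
    """Dependencies initiated from Purdue Level 4 or above (IT) that land at
    Level 3 or below (OT), skipping the Level 3.5 DMZ which this design treats
    as the only buffer between the two. Each one is a design finding to resolve
    before a Conduit is written for it."""
    _require_complete(deps, asset_zone)
    return [
        (consumer, provider, proto)
        for consumer, provider, proto in deps
        if zone_level[asset_zone[consumer]] >= 4 and zone_level[asset_zone[provider]] <= 3
    ]


if __name__ == "__main__":
    for src, dst, proto in required_conduits(DEPENDENCIES, ASSET_ZONE):
        print(f"conduit needed: {src} -> {dst} ({proto})")
    for dep in dmz_bypasses(DEPENDENCIES, ASSET_ZONE, ZONE_LEVEL):
        print(f"finding, DMZ bypassed: {dep}")
```

On the constructed data this yields four required Conduits (two inside-to-OT paths via the DMZ and monitoring, one business-to-DMZ path, and the SMB path), and separately flags the SMB dependency as a DMZ bypass: the design answer is not to write a Conduit for it but to route that need through the DMZ, which is why the conduit requirements come last among the ingredients.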

➡ Next in the Series: Part 3, From Networks to ZCD

In Part 3, we explore how physical networks and logical architectures are transformed into actual IACS UR E26 deliverables — including Zone and Conduit Diagrams, Zone Tables, Conduit Tables, Data Flow Matrices, Security Level Definitions, and Cyber Security Design Descriptions (CSDD).

Captain Paul
Maritime cybersecurity professional specializing in IACS UR E26/E27 compliance, OT system architecture, and shipyard-level cyber resilience design. Writing for engineers, superintendents, and operators navigating Maritime 4.0.