Key Takeaways
- IEC 62443 is the international industrial automation cyber security standard. It applies cleanly to vessel OT and SCADA when adapted for maritime context.
- Zones and conduits model: bridge integrated navigation, engine control, cargo control, ballast water management, alarm and monitoring, ship management LAN, crew Wi-Fi as distinct zones with documented conduits between them.
- Modbus and NMEA isolation: legacy protocols with no authentication or encryption. Compensating controls via network segmentation, gateway hardening and one-way data diodes for safety-critical isolation.
- Security levels (SL 1-4): target appropriate level per zone based on threat profile. Most vessel OT zones target SL 2 or SL 3.
- IACS UR E27 explicitly references IEC 62443 as the framework for ship system cyber resilience. Class society audits expect IEC 62443 alignment for new builds.
Why IEC 62443 Fits Maritime OT Better Than Generic Cyber Frameworks
Generic enterprise cyber frameworks (NIST CSF, ISO 27001) work well for IT but struggle with OT realities: legacy protocols without authentication, real-time control system constraints, safety-critical operations that cannot tolerate disruptive scans, vendor-locked control systems with limited patching.
IEC 62443 is the international standard family for industrial automation and control system (IACS) cyber security. It was designed for OT environments and explicitly addresses these constraints. The standard family includes multiple parts: IEC 62443-1 (concepts and terminology), IEC 62443-2 (program requirements), IEC 62443-3 (system requirements), IEC 62443-4 (component requirements).
Maritime adoption is accelerating. IACS Unified Requirement E27 (cyber resilience of on-board systems and equipment for new builds) explicitly references IEC 62443 as the framework for ship system cyber resilience. Class societies audit vessel OT cyber elements against IEC 62443-aligned approaches. Codesecure delivers maritime OT assessments based on IEC 62443 plus NIST 800-82 OT security and the IACS UR E26/E27 framework.
Zones and Conduits for Vessel OT
The IEC 62443 zones and conduits model is the foundation of vessel OT segmentation. A zone is a grouping of assets with common security requirements. A conduit is a defined communication path between zones with documented security controls.
For a typical vessel, the zones and conduits look like this:
Zone 1: Bridge Integrated Navigation
Assets: ECDIS, RADAR, AIS console, conning PC, VDR, GMDSS, autopilot interface. Protocols: NMEA 0183 / NMEA 2000 between sensors and integrated bridge system, proprietary vendor protocols. Security level target: SL 3 (intentional malicious actor with moderate resources). Conduits: to engine control (selected alarms only), to ship management LAN (read-only data feeds), to communications (AIS, GMDSS).
Zone 2: Engine Control and Machinery
Assets: engine control terminals, alarm and monitoring system (AMS), planned-maintenance workstations, propulsion controllers. Protocols: J1939 marine, Modbus TCP, vendor-specific (MAN, Wartsila, Sulzer). Security level target: SL 3. Conduits: to bridge (alarms, telegraph orders), to engineer office (monitoring, reports), to vendor remote access (controlled, audited).
Zone 3: Cargo Control
Assets: cargo control PCs, cargo monitoring, ballast water management, fuel monitoring, inert gas (where applicable). Protocols: Modbus, vendor-specific. Security level target: SL 2 or SL 3 (vessel type dependent; tankers higher). Conduits: to bridge (cargo state alarms), to ship management LAN (cargo manifests, reports).
Zone 4: Ship Management LAN
Assets: ship management server, planned maintenance, crew records, voyage data, charterer communications, ship-to-shore connectivity gateway, file servers. Protocols: standard IT (TCP/IP, SMB, HTTPS). Security level target: SL 2. Conduits: to bridge (read-only feeds), to engine control (monitoring data), to cargo (manifests), to crew Wi-Fi (no direct conduit, fully isolated), to ship-to-shore (egress through vessel-edge VPN).
Zone 5: Crew Wi-Fi and Personal Devices
Assets: crew laptops, personal devices, crew Wi-Fi access points. Protocols: standard IT. Security level target: SL 1 (assumed compromised). Conduits: to ship-to-shore (egress through vessel-edge VPN, no direct internet), no conduit to any OT zone.
Zone 6: Ship-to-Shore Communications
Assets: VSAT terminal, LEO terminal (Starlink, OneWeb), GSM/4G gateway, port Wi-Fi interface, edge router, SD-WAN appliance. Protocols: standard IP. Security level target: SL 2. Conduits: to ship management LAN (encrypted tunnel), to crew Wi-Fi (egress only), to bridge (selective for AIS, GMDSS), to engine control (vendor remote access, controlled).
Modbus and NMEA Isolation: The Hard Part
Maritime OT runs heavily on Modbus (TCP and serial RTU) and NMEA (0183 serial, 2000 CAN-bus). Both protocols were designed before cyber threats were considered and carry no authentication, encryption or message integrity. Any device on the same network segment can send commands that controllers will execute.
The fundamental defence is segmentation. Modbus and NMEA must not be reachable from IT zones, crew Wi-Fi or ship-to-shore conduits. This is more than VLAN tagging; in safety-critical zones (engine control, propulsion) the segmentation should be physical with dedicated switches and one-way data diodes for the limited cases where data must flow outward but no command should flow inward.
Modbus TCP Segmentation
Modbus TCP (port 502) should be confined to OT zones. Firewall rules block port 502 at zone boundaries except for documented monitoring flows (e.g., engine alarm read-only access from bridge AMS). Modbus gateways translating serial RTU to TCP should be hardened: dedicated VLAN, no internet exposure, latest firmware, strong management plane authentication.
NMEA 0183 Segmentation
NMEA 0183 is point-to-point serial. Segmentation is physical wiring. Risk vector: an NMEA multiplexer or NMEA-to-Ethernet gateway becomes the entry point. Harden the multiplexer/gateway, audit physical wiring at refit, and assume any Ethernet-side NMEA traffic can be observed or injected by a compromised IT device.
NMEA 2000 Segmentation
NMEA 2000 is a CAN-bus protocol. CAN does not support authentication and is broadcast-based, so any node on the bus can transmit any message. Defence is again physical segmentation: the NMEA 2000 backbone is restricted to the bridge zone and not bridged to IT networks, and any NMEA 2000-to-Ethernet gateway must be carefully hardened.
One-Way Data Diodes for Safety-Critical Isolation
For the most safety-critical zones (engine telegraph, autopilot, propulsion), consider one-way data diodes: hardware that physically allows data to flow in one direction only. Data can flow from OT to IT for monitoring, but no command can flow back. Diodes increase capex but provide architectural-level isolation rather than isolation that depends on firewall configuration. Most relevant for tankers, LNG carriers, cruise ships and DP-class vessels.
IEC 62443 Security Levels Applied to Maritime
IEC 62443 defines four security levels (SL 1 to SL 4) based on the resources of the adversary the zone must defend against:
SL 1: Protection Against Casual or Coincidental Violation
Adversary: untrained crew, accidental misconfiguration, malware not specifically targeting maritime. Appropriate for: crew Wi-Fi zone, some low-criticality IT areas. Controls: basic authentication, employee training, baseline security hygiene.
SL 2: Protection Against Intentional Violation Using Simple Means With Low Resources
Adversary: opportunistic attacker, generic ransomware, low-skill insider. Appropriate for: ship management LAN, cargo control (most vessel types), ship-to-shore communications. Controls: MFA on admin access, vulnerability management, IDS/IPS, EDR, SIEM monitoring, network segmentation.
SL 3: Protection Against Intentional Violation Using Sophisticated Means With Moderate Resources
Adversary: skilled attacker with maritime-specific intent, organised cyber crime, advanced ransomware, targeted insider. Appropriate for: bridge integrated navigation, engine control, cargo control (high-value vessels: tankers, LNG, cruise, DP-class). Controls: SL 2 plus tighter access control, anomaly detection, application allow-listing, robust incident response with maritime-specific playbooks, supply-chain controls for vendors.
SL 4: Protection Against Intentional Violation Using Sophisticated Means With Extended Resources
Adversary: state-level actor with extended resources, supply chain compromise of vessel equipment, infrastructure-level access. Generally beyond commercial vessel cyber programmes. Relevant for: naval vessels, government-charter vessels, vessels operating in high-threat geopolitical contexts. Controls: SL 3 plus hardware roots of trust, cryptographically signed firmware, supply chain assurance programmes.
IEC 62443 Foundational Requirements in Maritime Context
IEC 62443-3-3 defines seven Foundational Requirements (FRs) that each zone must address at the targeted security level:
FR1: Identification and Authentication Control
Every user, device and software process is identified and authenticated. Maritime application: per-user accounts on bridge PCs and engine control terminals (not shared accounts), MFA on management access, certificate-based authentication for vessel-shore VPN.
FR2: Use Control
Authenticated users have only the access required for their function. Maritime application: bridge officer has navigation access but not engine control admin; chief engineer has engine control but not cargo manifest write access; crew has internet only via egress VPN.
FR3: System Integrity
System integrity is maintained against intentional and accidental change. Maritime application: file integrity monitoring on ECDIS, RADAR, engine control terminals; firmware integrity verification on edge devices; application allow-listing on critical workstations.
FR4: Data Confidentiality
Sensitive data is protected from unauthorised disclosure. Maritime application: encryption at rest for charterer communications, cargo manifests, crew records; encryption in transit via vessel-shore VPN; access control on sensitive data stores.
FR5: Restricted Data Flow
Data flows are restricted to documented paths. Maritime application: this is the zones and conduits model applied. Every cross-zone data flow is documented, justified, enforced at the zone-boundary firewall and monitored.
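The conduit matrix from the zones section, the Modbus TCP port 502 boundary rule and FR5 come together in a single check: observed cross-zone flows are compared against the documented conduits, and Modbus flows are additionally checked for write function codes. This is an added example written for this page, not Codesecure's or any vendor's code; the zone names, port numbers, conduit matrix and sample flows are constructed assumptions for illustration.

```python
"""Added example: check observed vessel flows against a documented conduit matrix."""
from dataclasses import dataclass
from typing import Optional

OT_ZONES = {"bridge", "engine", "cargo"}            # zones carrying Modbus/NMEA
# (src, dst) -> allowed (proto, port). Assumed values; cross-zone Modbus is monitoring only.
CONDUITS = {
    ("bridge", "engine"): {("tcp", 502)},           # selected alarms, read-only
    ("engine", "bridge"): {("tcp", 502)},           # alarms back to bridge
    ("engine", "ship_lan"): {("tcp", 8443)},        # monitoring data outward
    ("bridge", "ship_lan"): {("tcp", 8443)},        # read-only data feeds
    ("cargo", "ship_lan"): {("tcp", 445)},          # cargo manifests, reports
    ("ship_shore", "engine"): {("tcp", 22)},        # vendor remote access, audited
    ("ship_lan", "ship_shore"): {("udp", 4500)},    # vessel-edge VPN egress
    ("crew_wifi", "ship_shore"): {("tcp", 443)},    # crew internet egress only
}
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}            # Modbus function codes that write

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    modbus_fc: Optional[int] = None   # function code parsed from the Modbus payload, if any

def check_flow(f: Flow) -> list:
    """Return findings for one flow; an empty list means it matches a documented conduit."""
    findings = []
    if f.src == "crew_wifi" and f.dst in OT_ZONES:
        findings.append("crew Wi-Fi must have no conduit to any OT zone")
    if (f.proto, f.port) not in CONDUITS.get((f.src, f.dst), set()):
        findings.append(f"undocumented conduit {f.src}->{f.dst} {f.proto}/{f.port}")
    if f.port == 502 and f.dst in OT_ZONES and f.src not in OT_ZONES:
        findings.append("Modbus TCP entering an OT zone from a non-OT zone")
    if f.port == 502 and f.modbus_fc in MODBUS_WRITE_FC:
        findings.append(f"Modbus write (function code {f.modbus_fc}) on a monitoring conduit")
    return findings

def audit(flows) -> dict:
    """Map each non-compliant flow to its findings (FR5 evidence for the assessment report)."""
    results = {f: check_flow(f) for f in flows}
    return {f: r for f, r in results.items() if r}

# Constructed sample flows, e.g. a SPAN capture summarised per zone pair.
SAMPLE_FLOWS = [
    Flow("bridge", "engine", "tcp", 502, 3),        # read holding registers: compliant
    Flow("engine", "ship_lan", "tcp", 8443),        # monitoring outward: compliant
    Flow("ship_shore", "engine", "tcp", 22),        # documented vendor access: compliant
    Flow("ship_lan", "engine", "tcp", 502, 16),     # write from IT into the engine zone
    Flow("crew_wifi", "bridge", "tcp", 502),        # crew device reaching Modbus on the bridge
]
```

Running `audit(SAMPLE_FLOWS)` returns only the last two flows, each with the findings that explain which documented control it breaches.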
FR6: Timely Response to Events
Security events are detected and responded to. Maritime application: vessel SIEM or maritime SOC with named analysts, anomaly detection across OT and IT, incident response playbooks per IMO MSC.428(98), master and shore-side IR coordination.
FR7: Resource Availability
Critical systems remain available under attack or fault. Maritime application: cyber resilience for navigation and propulsion, manual override capabilities for safety-critical control, business continuity for ship management systems.
Frequently Asked Questions
Does IEC 62443 actually apply to vessels or just land-based industrial plants?
IEC 62443 was originally designed for industrial automation and control systems (IACS) in land-based plants but applies cleanly to vessel OT and SCADA when adapted for maritime context. IACS Unified Requirement E27 (cyber resilience of on-board systems and equipment) explicitly references IEC 62443 as the framework for ship system cyber resilience. Class societies audit vessel OT cyber elements against IEC 62443-aligned approaches.
What is the difference between IEC 62443 and IMO MSC.428(98)?
IMO MSC.428(98) is the IMO resolution requiring vessel Safety Management Systems to address cyber risks, with reference guidelines (MSC-FAL.1/Circ.3 Rev.2). It is principle-based and operational. IEC 62443 is a detailed technical standard for industrial automation cyber security. They are complementary: IMO MSC.428(98) establishes the requirement, IEC 62443 provides the technical framework. IACS UR E27 explicitly bridges them for new build cyber resilience.
How do you handle Modbus and NMEA legacy protocols that have no authentication?
Segmentation is the fundamental defence. Modbus TCP must be confined to OT zones with firewall rules blocking port 502 at zone boundaries except for documented monitoring flows. NMEA 0183 and 2000 are point-to-point or CAN-bus, so segmentation is physical wiring. For the most safety-critical zones (engine telegraph, propulsion), consider one-way data diodes to physically prevent commands flowing inward. This is the approach Codesecure recommends in vessel OT assessments.
What security level should we target for each zone on a typical merchant vessel?
Typical targets: SL 1 for crew Wi-Fi (assumed compromised), SL 2 for ship management LAN and ship-to-shore communications, SL 2 or SL 3 for cargo control (vessel type dependent), SL 3 for bridge integrated navigation and engine control, SL 3 for cargo control on tankers/LNG/cruise. SL 4 is generally beyond commercial vessel programmes (relevant for naval, government-charter, high-threat geopolitical contexts).
Do we need IEC 62443 certification of our vessel?
IEC 62443 has component-level and system-level certification options (typically managed by certification bodies such as TUV and exida). Most vessel operators do not pursue certification of the vessel itself. Instead they align their cyber programme to the IEC 62443 framework and document this in the vessel SMS per IMO MSC.428(98). Class societies (IRS, DNV, BV, LR, ABS) accept IEC 62443-aligned approaches without requiring formal certification.
How does IEC 62443 interact with IACS UR E26 and E27?
IACS UR E26 (cyber resilience of new build ships, contracted after 1 July 2024) and UR E27 (cyber resilience of ship systems and equipment) explicitly reference IEC 62443 as the framework for ship system cyber resilience. UR E27 in particular adopts IEC 62443 concepts: zones, conduits, security levels, foundational requirements applied at the equipment level. Vessel equipment suppliers must demonstrate IEC 62443 conformity to meet UR E27.
How does Codesecure deliver IEC 62443 maritime assessments?
We map the vessel OT architecture to IEC 62443 zones and conduits, define target security levels per zone, assess current state against IEC 62443 foundational requirements, identify gaps, produce a class-society aligned report with remediation roadmap. Our methodology aligns IEC 62443 with IMO MSC.428(98), IACS UR E26/E27, BIMCO Guidelines and TMSA 3 Element 13. Codesecure is ISO/IEC 27001:2022 certified.
Get an IEC 62443 Aligned Maritime OT Assessment
Codesecure delivers vessel OT and SCADA assessments mapped to IEC 62443 zones, conduits and security levels. Class-society aligned reports for IMO MSC.428(98), IACS UR E26 / E27, BIMCO Guidelines and TMSA 3. ISO/IEC 27001:2022 certified.

