[Ship OT Security] Where and How OT Security Is Applied on a Ship?
One of the most common misconceptions when discussing shipboard OT security is the belief that
“security is something applied to a specific piece of equipment or system.”
In reality, OT security is not about installing something inside a device.
It is far closer to deciding where connections should exist, and where they must be restricted, within the overall structure of a ship.
To understand OT security properly, we must first revisit a fundamental question:
Where is OT security actually applied?
1. OT Security Is Applied at the “Boundaries,” Not Inside the Equipment
Most shipboard OT systems function exactly as intended.
Engines run, generators supply power, and control systems operate based on control logic that has been validated over decades.
The problem rarely lies within the system itself.
It emerges at the points where systems are connected to one another.
This is why OT security is primarily applied at:
- The boundaries between different OT zones
- The connection points between OT and IT networks
- Remote access paths linking ship and shore
- External access points used for maintenance and diagnostics
OT security does not aim to change how systems operate inside a zone.
It starts by controlling movement between zones.
That is why OT security is often described as
“security that operates at the boundary, not inside the system.”
2. What Is a Zone?
A zone is not merely a network segmentation.
On a ship, zones are defined by a combination of factors:
- The function the system performs
- The impact on navigation or safety if it fails or malfunctions
- Whether external connectivity is required
- Whether real-time control is involved
Based on these criteria, shipboard systems are typically organized as follows:
Control Zone
Systems such as engine control, DP, and PMS that directly affect ship operation
→ Requires the highest level of protection
Monitoring / Supervisory Zone
Systems such as AMS and integrated monitoring platforms
→ Primarily observational, with limited and controlled access
Information / IT Zone
Crew administration, reporting, and office systems
→ Similar to IT environments, but must remain separated from OT
The first step in OT security is not mixing these zones,
and strictly controlling any connections that are unavoidable.
3. Real Security Risks Arise from Connections
An important observation is that
most OT cybersecurity incidents do not originate inside a zone.
They typically occur through connections such as:
- OT–IT network interconnections
- Remote access for maintenance and support
- Vendor laptops connected during servicing
- Ship–shore data communication links
These connections are often introduced for convenience or operational efficiency.
From an OT security perspective, however,
each connection becomes a potential entry point for risk.
That is why E26 and E27 (IACS UR E26 and E27) repeatedly ask the same fundamental questions:
- Why is this connection necessary?
- Does it need to remain open at all times?
- Who is authorized to access it?
- Are access activities logged and traceable?
OT security becomes real only when these questions can be clearly answered.
4. OT Security Is Not Designed Around Patching
In IT security, the cycle is straightforward:
vulnerability → patch → resolution.
In shipboard OT environments, this model rarely works.
- Patches require full system re-validation
- Class approval may be needed
- Operational downtime can occur
- Manufacturer liability must be considered
As a result, many ships operate with patch servers under review,
or apply patches only in highly controlled scenarios.
This does not mean security is being neglected.
OT security is designed from the outset for environments
where frequent patching is not feasible.
Instead, the focus shifts to:
- Identifying systems that cannot be patched
- Defining the zones those systems belong to
- Restricting and controlling their external connections
Rather than eliminating vulnerabilities,
OT security prevents those vulnerabilities from being exploited through structural controls.
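As an added example (not part of the original article), the following Python script turns the four connection questions from section 3 and the unpatchable-system rule from section 4 into checks over a constructed zone/conduit inventory. The zone names, system names, conduit records and the rule that a conduit must not skip a protection level are assumptions of this example, not requirements quoted from E26/E27.

```python
from dataclasses import dataclass

# Protection level per zone: the article's three shipboard zones plus an
# external "shore" side for ship-shore links (ordering assumed here).
ZONE_LEVEL = {"control": 3, "monitoring": 2, "it": 1, "shore": 0}


@dataclass
class Conduit:
    """One connection between zones, recording the answers E26/E27 ask for."""
    name: str
    src: str                  # zone on one side
    dst: str                  # zone on the other side
    purpose: str = ""         # why is this connection necessary?
    always_open: bool = True  # does it need to remain open at all times?
    authorized: tuple = ()    # who is authorized to access it?
    logged: bool = False      # are access activities logged and traceable?


def review_conduit(c):
    """Return findings for one conduit; an empty list means it passes."""
    findings = []
    if not c.purpose.strip():
        findings.append(f"{c.name}: no documented purpose")
    if abs(ZONE_LEVEL[c.src] - ZONE_LEVEL[c.dst]) > 1:  # assumed review rule
        findings.append(f"{c.name}: {c.src}<->{c.dst} skips an intermediate zone")
    if c.src != c.dst and c.always_open:
        findings.append(f"{c.name}: permanently open across a zone boundary")
    if not c.authorized:
        findings.append(f"{c.name}: no authorized roles defined")
    if not c.logged:
        findings.append(f"{c.name}: access is not logged")
    return findings


def review_unpatchable(system_zone, unpatchable, conduits):
    """Section 4: a conduit touching the zone of an unpatchable system must be
    neither permanently open nor unlogged (restrict the connection, not the system)."""
    exposed = {system_zone[s] for s in unpatchable}
    return [f"{c.name}: exposes an unpatchable zone" for c in conduits
            if {c.src, c.dst} & exposed and (c.always_open or not c.logged)]


# Constructed inventory: hypothetical names, not taken from any real vessel.
SYSTEMS = {"engine_control": "control", "ams": "monitoring", "crew_office": "it"}
UNPATCHABLE = {"engine_control"}
CONDUITS = [
    Conduit("ams-trend-export", "control", "monitoring", "AMS trend data",
            authorized=("chief engineer",), logged=True),
    Conduit("vendor-remote", "shore", "control", "OEM diagnostics"),
    Conduit("office-to-ams", "it", "monitoring", "daily report",
            always_open=False, authorized=("master",), logged=True),
]
```

Running `review_conduit` over each entry and `review_unpatchable` over the whole inventory yields the list of connections an E26-level review would have to justify or restrict.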
5. E26 and E27 Define Different Scopes of Application
A critical aspect of OT security implementation is the separation of roles between E26 and E27.
E26 looks at the ship as a whole.
It explains the OT architecture, zone structure, network segregation,
and how overall cyber risk is managed at the vessel level.
E27 looks at individual equipment.
It describes which zone a system belongs to,
what interfaces it exposes,
and what security capabilities or limitations exist at the equipment level.
A common issue in many projects is the accumulation of E27 documents
without a coherent E26-level explanation.
In such cases, OT security may exist “on paper,”
but the overall structure remains poorly understood.
6. OT Security Is About Design, Not Installation
By this point, the nature of OT security becomes clear.
OT security is:
- Not about installing a specific solution
- Not about a single piece of equipment
- Not solely the responsibility of an IT department
OT security must be designed as part of the ship’s architecture from the beginning.
It starts by answering fundamental questions:
- What should be separated?
- What must be connected?
- Who is allowed to approve and control those connections?
The process of answering these questions is OT security.
In Summary
OT security is applied:
- At the boundaries of shipboard systems
- By controlling connections rather than modifying internals
- Without assuming frequent patching
- Through structural and architectural design
That is why E26 and E27 are not merely cybersecurity requirements.
They are regulations that require ship operators and builders
to explain and justify the structure of ship operations themselves.