[BOOK] Industrial Control System Security(2/2) - Fundamental Understanding from an IACS UR E26 and E27 Certification Perspective

📚 Book Review · IACS UR E26 / E27 · ICS Network Architecture · Maritime OT

[BOOK] Industrial Control System Security (2/2)

ICS Network Architecture Fundamentals — from an IACS UR E26 and E27 Certification Perspective

Lew
Maritime and Cyber Security Consultant / ISP Consultant
📅March 1, 2026
Book Information
Industrial Control System Security
Author: Pascal Ackerman · Published: 2019 · Korean Edition: Acon
Principal Industrial Cybersecurity Consultant @ Rockwell Automation (since 2015) · 15+ years in large-scale industrial systems & network security
This article is a continuation of [BOOK] Industrial Control System Security (1/2). Part 1 covered the fundamental characteristics and core security principles of ICS/OT.
Chapter 2
ICS Network Architecture Fundamentals

2.1 ICS Zone & Conduit Concept

Throughout the book, ICS Zones are presented as a core architectural foundation of OT security. The zoning model is not merely a network segmentation practice; it defines security boundaries and communication trust relationships that are directly relevant to UR E26 and E27 compliance.

Enterprise Zone (IT)
Corporate network environment including office systems, ERP platforms, and general-purpose Windows infrastructure.
IDMZ — Industrial DMZ
A buffer zone between IT and OT. Typical examples include WSUS servers, update relays, security servers, and intermediary control systems.
Industrial Control Zone (OT)
The actual control domain where PLCs, HMIs, and Engineering Workstations (EWS) reside.
Cell / Area Zone
Local network segments dedicated to individual production units or operational areas.

2.2 The Essential Role of the IDMZ

The IDMZ functions as a "shock absorber" between IT and OT. Its purpose is to terminate every IT-facing flow (patch distribution, log forwarding, remote access) on an intermediary inside the IDMZ, so that no IT host talks to an OT host directly and an attacker who compromises IT does not inherit a path into OT. The book illustrates the role of the IDMZ with a WSUS deployment example.

Update Relay (WSUS)
Direct internet connectivity for OT is prohibited. Patches are staged on a WSUS replica in the IDMZ that synchronizes from the IT-side WSUS, and OT hosts pull only from that replica. The content therefore flows IT → IDMZ → OT, while no session is ever initiated from IT into OT.
Logging Relay (SIEM)
If OT devices send logs directly to the IT network, the log channel itself becomes a pathway for lateral movement. OT devices therefore forward to a collector in the IDMZ, and only that collector talks to the central SIEM.
Remote Access Gateway
Direct RDP or VPN connections to OT are prohibited. Authentication bypass or credential compromise could expose the entire OT environment.
Historian Replication
OT data may be transferred to enterprise analytics systems, but enterprise systems must not be allowed to control OT.
Secure File Transfer Zone
USB devices are a major vector for OT security incidents. A controlled file transfer zone replaces uncontrolled removable media usage.
Enhanced IDMZ Under Modern OT Security Standards

It is important to recognize why traditional IDMZ design alone is no longer sufficient.

Zero Trust-Based Session Broker
Traditional VPN solutions often grant broad internal access once authenticated. Zero Trust architectures allow session-level, least-privilege access, minimizing OT exposure.
OT-Specific NAC / IEC 62443-Based Access Control
Unauthorized laptops or maintenance devices must be prevented from connecting to OT networks.
DPI / ICS-Aware Firewall
Conventional firewalls filter based on ports and protocols. ICS-aware DPI firewalls analyze Modbus function codes and EtherNet/IP commands, enforcing semantic-level control.
🔹 Meaning of IDMZ from a UR E26/E27 Perspective

IDMZ Function   | Impact on Test Items       | Impact on Documentation
----------------|----------------------------|--------------------------------
Patch Relay     | Security Verification      | Maintenance Plan
Logging Relay   | Auditable Events           | Incident Response Information
Remote Access   | Authentication             | Security Capability Description
Historian       | Information Flow Control   | Topology
File Transfer   | Malicious Code Protection  | Configuration Guideline
DPI Firewall    | Communication Integrity    | Security Architecture
The IDMZ is not simply a network buffer. It is a structural enforcement layer for UR E26/E27 compliance.

2.3 VLAN / Layer-2 Segmentation Structure

A VLAN is not merely a network partitioning mechanism. It is a logical barrier that prevents devices within the same physical switch from communicating freely. In OT environments, full physical separation of switches is often impractical — VLANs therefore serve as a minimum isolation mechanism.

Inter-VLAN Routing Must Be Controlled

If Layer-3 switches automatically allow routing between VLANs, segmentation becomes ineffective. Explicit allow rules must be enforced through ACLs or firewalls.

VLAN Alone Is Not Security

VLANs provide no encryption; plain-text communication is still possible within the same VLAN, and a misconfigured trunk or native-VLAN setting can let a host reach VLANs it was never assigned. A VLAN is a structural isolation foundation, not a standalone security control.

Mandatory Representation in Topology Diagrams

VLAN definitions reflect logical zoning, communication paths, patch and logging flows, and enforcement points.

If VLAN structure is not clearly represented in the topology diagram, the security boundary may be considered undefined.

2.4 Considerations for Firewall and NIDS Deployment in OT Networks

IT Environment: adding security devices = stronger protection.
OT Environment: adding security devices = potential latency risk.
If security interferes with process stability, it is operationally unacceptable.
Prefer Fail-Open and Passive Monitoring Architectures

Inline IDS solutions that force all traffic through inspection may introduce delay. Passive TAP-based monitoring is preferred, so that a sensor failure has no impact on operational traffic. Fail-open is the right default for the monitoring path only: the zone-boundary firewall must fail closed, otherwise a firewall fault silently removes the boundary that UR E26/E27 expect to be enforced.

Firewall Rules Must Be Minimal and Explicit

The more rules implemented, the greater the risk of misconfiguration. A "Deny All → Explicit Allow Only" policy is generally appropriate.
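As an added example (not code from the book, from Rockwell Automation or from any IACS document), the zone and conduit model of 2.1, the IDMZ relay flows of 2.2, the controlled inter-VLAN routing of 2.3 and the "Deny All → Explicit Allow Only" rule base above can be expressed as one small policy evaluator. The zone names, subnets, ports and sample flows are assumptions made for illustration; a real vessel's conduits come from its topology diagram.

```python
"""Zone/conduit policy evaluator with a default-deny rule base.

Added example for this review, not code from Ackerman's book or from any IACS
document. Zone names, subnets, ports and sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone map: each VLAN/subnet belongs to exactly one zone.
ZONES = {
    "ENTERPRISE": ["10.10.0.0/16"],
    "IDMZ": ["10.20.0.0/24"],
    "OT_CONTROL": ["192.168.10.0/24"],  # HMI / EWS VLAN
    "OT_CELL": ["192.168.20.0/24"],     # PLC VLAN
}


@dataclass(frozen=True)
class Conduit:
    src: str        # zone that initiates the session
    dst: str
    proto: str
    port: int
    purpose: str


# The only allowed inter-zone flows. Note the direction: OT hosts initiate toward
# the IDMZ (pull patches, push logs), and nothing in ENTERPRISE initiates into OT.
CONDUITS = [
    Conduit("IDMZ", "ENTERPRISE", "tcp", 8530, "IDMZ WSUS replica syncs from corporate WSUS"),
    Conduit("OT_CONTROL", "IDMZ", "tcp", 8530, "OT hosts pull patches from the IDMZ WSUS replica"),
    Conduit("OT_CONTROL", "IDMZ", "udp", 514, "OT syslog to the IDMZ log collector"),
    Conduit("IDMZ", "ENTERPRISE", "tcp", 6514, "log collector forwards to the corporate SIEM"),
    Conduit("IDMZ", "OT_CONTROL", "tcp", 3389, "jump host RDP into OT after broker authentication"),
    Conduit("OT_CONTROL", "IDMZ", "tcp", 5432, "historian replication, OT pushes to the IDMZ replica"),
    Conduit("OT_CONTROL", "OT_CELL", "tcp", 502, "HMI/EWS Modbus/TCP to PLCs"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it lies outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int):
    """Return (verdict, reason) for a session initiated from src_ip to dst_ip:port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        # An address that maps to no zone means the boundary is undefined: deny, do not guess.
        return "DENY", "endpoint outside every defined zone"
    if src == dst:
        # Intra-zone traffic stays on its VLAN; the conduit policy only governs zone crossings.
        return "ALLOW", f"intra-zone traffic inside {src}"
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.port) == (src, dst, proto.lower(), port):
            return "ALLOW", f"conduit: {c.purpose}"
    # Default deny: no explicit conduit, no passage.
    return "DENY", f"no conduit {src} -> {dst} {proto.lower()}/{port}"


# Constructed sample flows, as they might appear in a firewall log or a change request.
SAMPLE_FLOWS = [
    ("10.10.5.20", "192.168.20.10", "tcp", 502),    # IT workstation straight to a PLC
    ("10.10.5.20", "192.168.10.5", "tcp", 3389),    # IT workstation RDP to the EWS
    ("192.168.10.5", "10.20.0.10", "tcp", 8530),    # EWS pulls patches from IDMZ WSUS
    ("10.20.0.20", "192.168.10.5", "tcp", 3389),    # jump host to EWS
    ("192.168.10.5", "192.168.20.10", "tcp", 502),  # EWS to PLC
    ("172.16.0.7", "192.168.20.10", "tcp", 502),    # unknown subnet to PLC
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return a list of (flow, verdict, reason)."""
    return [(f, *evaluate(*f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, reason in audit():
        print(f"{verdict:5} {flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} {reason}")
```

The rule base is deliberately short: every line in CONDUITS is one row that has to appear in the topology diagram and the security capability description, and the reverse direction of a conduit (for example the IDMZ initiating toward an OT host on tcp/8530) is denied because it was never listed, not because someone wrote a deny rule for it.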

Understanding the Purpose of ICS DPI

Traditional Firewall: filters based on TCP/UDP ports, so tcp/502 is either open or closed.
ICS DPI Firewall: evaluates the meaning of commands (Modbus function codes, EtherNet/IP / CIP services), so a read can be allowed while a write from the same host is blocked.

Supports UR E26 requirements including: Communication Integrity, Information Flow Enforcement, Deterministic Output.
Additional Considerations
Stateful inspection may increase latency
Failover time in redundant firewall configurations must be validated
OT internal traffic should remain at Layer-2 whenever possible
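The following is an added example, not code from the book or from any firewall vendor, showing what "evaluating the meaning of commands" means for Modbus/TCP: the MBAP header and function code are parsed, read requests are allowed from known hosts, writes are allowed only from the engineering workstation, and malformed, unlisted or unknown-source requests are dropped. The host addresses, the read-only policy and the request frames are constructed for the example.

```python
"""Modbus/TCP function-code inspection: the check an ICS-aware DPI firewall performs
that a port-based rule on tcp/502 cannot.

Added example for this review, not code from the book or from any firewall product.
Host roles, the policy and the sample frames are constructed.
"""
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Modbus public function codes grouped by their effect on the process.
READ_FCS = {1, 2, 3, 4}              # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}   # write coil(s) / register(s), mask write, read-write multiple
FC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
            4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
            8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
            22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Constructed policy: only the engineering workstation may write; the HMI is read-only.
WRITERS = {"192.168.10.5"}      # EWS
READERS = {"192.168.10.20"}     # HMI


def parse_request(frame: bytes) -> dict:
    """Parse MBAP header + PDU of a Modbus/TCP request. Raises ValueError on malformed input."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length covers unit id + PDU, i.e. everything after the length field.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    fc = frame[MBAP_LEN]
    if fc & 0x80:
        raise ValueError("exception bit set in a request")
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[MBAP_LEN + 1:]}


def inspect(src_ip: str, frame: bytes):
    """Return (verdict, reason): reads from known hosts, writes only from WRITERS,
    everything malformed, unlisted or from an unknown host denied."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "DENY", f"malformed: {exc}"
    fc = req["fc"]
    name = FC_NAMES.get(fc, "unknown")
    if src_ip not in WRITERS | READERS:
        return "DENY", f"unknown source {src_ip}"
    if fc in READ_FCS:
        return "ALLOW", f"FC {fc} {name} (read) unit {req['unit']}"
    if fc in WRITE_FCS:
        if src_ip in WRITERS:
            return "ALLOW", f"FC {fc} {name} (write) from EWS, unit {req['unit']}"
        return "DENY", f"FC {fc} {name} is a write; {src_ip} is read-only"
    return "DENY", f"FC {fc} {name} not in allow list"


# Constructed request frames (big-endian, MBAP header then PDU).
READ_HOLDING = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0x0000, 10)              # read 10 regs at 0
WRITE_SINGLE = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0x0010, 0x1234)          # write 0x1234 to reg 0x10
WRITE_MULTI = struct.pack(">HHHBBHHBHH", 3, 0, 11, 1, 16, 0x0000, 2, 4, 1, 2)  # write 2 regs at 0
DIAGNOSTICS = struct.pack(">HHHBBHH", 4, 0, 6, 1, 8, 0x0001, 0x0000)           # FC 8, sub-function 1
TRUNCATED = WRITE_SINGLE[:9]                                                   # length field now lies


if __name__ == "__main__":
    for src, frame in [("192.168.10.20", READ_HOLDING), ("192.168.10.20", WRITE_SINGLE),
                       ("192.168.10.5", WRITE_MULTI), ("192.168.10.5", DIAGNOSTICS),
                       ("192.168.10.20", TRUNCATED), ("10.10.5.20", READ_HOLDING)]:
        print(src, *inspect(src, frame))
```

All six frames above carry the same destination port, so a port-based rule sees one kind of traffic; the function code is what separates a harmless HMI read from an HMI write that should never happen, and the length check is what keeps a truncated or padded frame from slipping past as "valid Modbus".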

2.5 Risks of Dual NIC (IT/OT Bridge) Architectures

When an Engineering Workstation (EWS) is connected simultaneously to both IT and OT networks via dual NICs, it effectively becomes a logical bridge that nullifies network segmentation.

Attack Path — Lateral Movement via Dual NIC
IT Compromise → EWS Access → Pivot via OT NIC → PLC Access
This represents a classic lateral movement pathway and fundamentally undermines segmentation.
Recommended Design Alternatives
① Jump Server Architecture
Design IT → Gateway → OT architecture, prohibiting direct connectivity.
② Single NIC + Firewall Enforcement
EWS is dedicated to OT only; IT access is permitted solely through controlled gateways.
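An added example (not from the book) of how to find the dual-NIC condition in an interface inventory before an auditor does: every host is classified by the zones its interfaces touch, and a host with a foot in IT or the IDMZ and a foot in any OT zone is reported as a bridge. The inventory lines and the zone map are constructed; the format assumed is one line per interface with host, interface name and address/prefix, as an asset tool or a scripted address collection might emit.

```python
"""Finding hosts that bridge IT and OT through a second NIC.

Added example for this review, not code from the book. The inventory and zone map
are constructed; the line format (host, interface, address/prefix) is assumed.
"""
import ipaddress

# Constructed zone map; an address outside every listed network is reported as UNKNOWN.
ZONE_NETS = {
    "10.10.0.0/16": "IT",
    "10.20.0.0/24": "IDMZ",
    "192.168.10.0/24": "OT_CONTROL",
    "192.168.20.0/24": "OT_CELL",
}
OT_ZONES = {"OT_CONTROL", "OT_CELL"}

# Constructed inventory: one line per interface.
INVENTORY = """\
ews01    eth0  10.10.5.20/24
ews01    eth1  192.168.10.5/24
hmi02    eth0  192.168.10.20/24
hmi02    lo    127.0.0.1/8
jump01   eth0  10.20.0.20/24
erp01    eth0  10.10.7.40/24
plc-gw   eth0  192.168.10.200/24
plc-gw   eth1  192.168.20.200/24
lab-pc   wlan0 172.16.0.7/24
"""


def zone_for(addr: str) -> str:
    """Zone name for an address/prefix, LOOPBACK for 127/8, UNKNOWN if no zone claims it."""
    ip = ipaddress.ip_interface(addr).ip
    if ip.is_loopback:
        return "LOOPBACK"
    for net, zone in ZONE_NETS.items():
        if ip in ipaddress.ip_network(net):
            return zone
    return "UNKNOWN"


def parse_inventory(text: str) -> dict:
    """Return {host: {iface: zone}} from the constructed inventory format."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, iface, addr = line.split()
        hosts.setdefault(host, {})[iface] = zone_for(addr)
    return hosts


def find_bridges(text: str = INVENTORY) -> dict:
    """Classify every host by the zones its interfaces touch.

    BRIDGE      : an interface in IT or IDMZ plus an interface in any OT zone; the
                  segmentation boundary collapses on this host.
    MULTI_OT    : interfaces in more than one OT zone (expected for a gateway, but it
                  must then appear as an enforcement point in the topology diagram).
    UNKNOWN_NET : an interface in a subnet no zone claims; the boundary is undefined.
    Hosts with interfaces in a single zone are not reported.
    """
    findings = {}
    for host, ifaces in parse_inventory(text).items():
        zones = set(ifaces.values()) - {"LOOPBACK"}
        if "UNKNOWN" in zones:
            findings[host] = ("UNKNOWN_NET", sorted(zones))
        elif zones & OT_ZONES and zones - OT_ZONES:
            findings[host] = ("BRIDGE", sorted(zones))
        elif len(zones & OT_ZONES) > 1:
            findings[host] = ("MULTI_OT", sorted(zones))
    return findings


if __name__ == "__main__":
    for host, (kind, zones) in sorted(find_bridges().items()):
        print(f"{kind:12} {host:8} {', '.join(zones)}")
```

Run against the constructed inventory, ews01 is the dual-NIC EWS the section warns about, plc-gw is a legitimate OT gateway that still needs to be drawn as an enforcement point, and lab-pc sits in a subnet the zone map never defined, which is the "boundary undefined" case from 2.3.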

🔹 Chapter 2 Summary
VLAN, Firewall / DPI, and Dual NIC from a UR E26/E27 Perspective
Element        | Core Question                  | Structural Meaning
---------------|--------------------------------|----------------------------------
VLAN           | Who can communicate with whom? | Logical zone definition
Firewall / DPI | What is allowed to pass?       | Control of communication semantics
Dual NIC       | Does a boundary truly exist?   | Prevention of boundary collapse

These elements form the foundation for the following UR E26/E27 requirements: Topology Diagram, Security Capabilities Description, Communication Integrity (Test), Authorization Enforcement, Information Flow Enforcement.
#ICSsecurity #OTsecurity #IDMZ #NetworkSegmentation #IACS #URE26 #URE27 #MaritimeCyberSecurity #Maritime40
Captain Ethan
Maritime 4.0 · AI, Data & Cyber Security

Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together.
