Network Architecture

Cybersecurity Architecture for Maritime Vessels: Technical Overview

Concept Overview

The diagram presents a cybersecurity architecture for maritime vessels, built on the principles of Defense-in-Depth and Zero Trust. The solution is designed to securely converge shipboard IT services (crew, passenger/guest services, shore office, vendors/contractors) with mission-critical operational technology (OT/GOT)—navigation, communications, power/energy, machinery control and automation.

In today’s operating environment, onboard cybersecurity is not an “optional add-on” and it is not only about protecting data. It is a necessary safety measure for safe navigation and ship operations, supporting the integrity of command and control, the resilience of onboard systems, and the continuity of vessel operations—from preventing unauthorised access and disruptions to reducing the risk of safety incidents driven by digital interference with ship systems.

The approach is applicable across a wide range of maritime assets: commercial vessels, passenger ships and ferries, tankers, container ships, OSV/offshore, as well as large yachts. Below is a detailed description of the protection layers and key components.

1. External Perimeter & Multi-Bearers Connectivity

The first line of defence, providing flexible and secure vessel connectivity to global networks.

Connectivity Sources: Aggregation of links to maintain communications worldwide:
- Satellite VSAT: Traditional, reliable connectivity via GEO satellites.
- Starlink/LEO: High-throughput, low-latency connectivity via low-earth-orbit constellations.
- 4G/5G Modem: Cellular connectivity in coastal areas and ports.
Perimeter FW (Firewall) NOFW >1: A high-performance border security gateway in a high-availability setup (>1). Performs primary traffic filtering at the “ship-to-shore” boundary and terminates VPN tunnels.
Advanced Threat Defense: Cloud or on-prem “sandbox” service to analyse suspicious files for zero-day threats before they reach the network.

2. Secured Network Core & Services (Core Network & Server Farm)

The central node for data processing and policy enforcement.

Core Firewall (Core FW) NOFW k2 "Quantum Core": The heart of the security system. A resilient cluster of internal firewalls (k2 configuration). The “Quantum Core” processing layer delivers very high DPI performance and is positioned for future adoption of post-quantum cryptography.
Wi-Fi Morphing Controller: An advanced wireless management system using Moving Target Defense—dynamically changing network parameters (BSSID, SSID, keys) to reduce discoverability and mitigate “evil twin” style attacks.
VLANOMZ: A dedicated Management Zone for infrastructure servers with strictly restricted access from WAN and user segments.

3. Active Monitoring & AI Analytics (Overlay Security)

An overlay layer for proactive, real-time threat detection without interfering with operations.

IDS/ISM OT Monitoring: An intrusion detection capability adapted to maritime operations (ISM - International Safety Management).
- OT Cyber Sensor: Passive sensors connected to OT networks, analysing vessel-specific protocols and telemetry for anomalous commands.
AI Anomaly Detection: AI-driven analytics that identify hidden threats by detecting deviations from normal network and system behaviour beyond signature-based methods.

4. Strategic Segmentation (Segmentation Shield)

The “Segmentation Shield” visualises strict separation of the network into isolated zones with different trust levels.

GREEN ZONE:
- Passenger/Guest Services & Entertainment: An isolated segment for passengers/guests (smart services, media, personal devices) with Internet-only access via Captive Portal / Wi-Fi Controller.
- Crew (CREW): Segments for administrative tasks (back office, concierge/support services) and separate personal access for crew (VLAN Crew on request/policy).
YELLOW ZONE (CREW): Operational environment for service IT servers and IP telephony.
VLAN SecureCom: A dedicated segment for encrypted terminals used for confidential communications.

5. Protection of Critical Ship Systems (RED ZONE)

The “Red Zone” is a Zero-Trust segment housing systems essential for vessel safety and operability.

Navigation & GOT: Includes bridge navigation systems (Bridge NAV Systems), engine control and other operational technologies (Engine & GOT).
Industrial FW or Data Diode: A critical barrier enforcing one-way data flow. It allows telemetry to move out of the OT segment into monitoring systems, while physically blocking inbound connections or attacks into the Red Zone.

Glossary: Terms & Abbreviations

To ensure unambiguous understanding of the technologies used, the following terms and abbreviations are provided:

Term / Abbreviation	Description
AI Anomaly Detection	AI Anomaly Detection. An AI/ML-based system that detects threats not via known malware signatures but via deviations from normal network and user/system behaviour.
Captive Portal	An authentication web page presented to a user before access is granted to a public/guest Wi-Fi network (e.g., passenger/guest zone).
Data Diode	Data Diode. A hardware cybersecurity device that physically enforces one-way data transfer (out of a protected segment), eliminating inbound attacks.
GOT	Generic Operational Technology. An umbrella term for shipboard control and automation systems (propulsion, power, HVAC, machinery, etc.) critical to safe operations.
IDS/ISM	Intrusion Detection System / International Safety Management. Intrusion detection aligned with the vessel’s safety management processes.
LEO	Low Earth Orbit. Satellite systems such as Starlink providing high bandwidth and low latency.
NOFW (>1 / k2)	Internal designation for high-availability / high-performance Network Firewall cluster configurations.
OT Cyber Sensor	OT Cyber Sensor. A specialised device for passive monitoring of OT networks without impacting control processes.
Quantum Core	Quantum Core. A marketing designation for the high-performance processing module of the Core FW, designed for large-scale traffic inspection and future cryptographic readiness.
Segmentation Shield	Segmentation Shield. A visual representation of deep logical isolation between network zones to prevent lateral movement and threat propagation.
VLANOMZ	VLAN Operations Management Zone. An isolated virtual network for infrastructure management with strictly restricted access from WAN and user segments.
VSAT	Very Small Aperture Terminal. Traditional satellite connectivity via GEO satellites for global coverage.
Wi-Fi Morphing	Wi-Fi Morphing. A Moving Target Defense approach for wireless networks—continuously changing parameters (BSSID, keys, etc.) to hinder reconnaissance and Wi-Fi attacks.
FW	Firewall.

Functional Block Diagram — Shipboard Systems Logic

1. External Layer: Connectivity & Data Ingress (WAN)

BLOCK: External Connectivity Links (WAN Sources)

Components: Satellite VSAT, Starlink/LEO, 4G/5G modems.
Purpose: Provides ship-to-shore communications and Internet access.
Flow: Primary ingress point for all incoming/outgoing data streams.

↓ (Raw traffic)

2. Security Perimeter & Access Control

BLOCK: Perimeter Protection

Components: Perimeter firewall (Perimeter FW), Advanced Threat Protection (ATP).
Purpose: “Allow/deny” traffic filtering, blocking external attacks and unauthorised access.

BLOCK: Controlled Remote Access (VLAN OMZ)

Components: VLAN OMZ (Operations Management Zone).
Purpose: A restricted zone reachable from WAN for remote administration or vendor support under controlled conditions.
Note: An isolated path that does not mix with passenger/guest or general crew traffic.

↓ (Sanitised traffic)

3. Core Layer: Network Intelligence

BLOCK: Network Core & Server Farm

Components: Quantum Core, Core firewall (FW Core), Wi-Fi Morphing Controller.
Purpose: Traffic routing, seamless Wi-Fi roaming management, and resource distribution.

BLOCK: Fleet/Shipwide Security Monitoring (IDS/ISM OT Monitoring)

Components: AI anomaly detection, cyber sensors, monitoring dashboards.
Purpose: The security “brain”. Collects data (logs/alerts) from the perimeter and from the isolated OT segment (via a data diode) to assess ship status in near real time.

4. Internal Segmentation: User & Service Zones

PATH A: Passenger/Guest Services & Entertainment (Green Zone)

Ingress control: Captive Portal / Wi-Fi Controller (user authentication).

BLOCK: Hospitality & Entertainment

Systems: Guest access gateway, smart services, Apple TV / iPad.
Status: Fully isolated from ship control systems. Internet-only access.

PATH B: Crew & Administration (Green/Yellow Zones)

BLOCK: Crew Services (Green Zone > Crew)

Systems: Crew service management, accounting/administration.
Systems: Shipboard IT servers (on request) — servers available only by policy/request.

BLOCK: Crew Operations (Yellow Zone)

Systems: IP telephony, shared crew servers.

BLOCK: VLAN SecureCom

Systems: Encrypted communications terminals (confidential communications).

5. Critical Infrastructure: OT & Safety (Red Zone)

PATH C: “Red” Zone (Maximum Protection)

Critical barrier: Industrial firewall or Data Diode.

Principle: One-way data transfer. Information may exit for monitoring, but nothing from outside can enter.

BLOCK: Navigation & Control (Red Zone)

Systems: Bridge systems (Bridge HUB Systems), engine systems and GOT.
Status: Fully isolated.

BLOCK: Safety-Critical Systems (Safety & Alert System Zone)

Systems: Public Address (PA), fire detection/suppression and smoke extraction, emergency lighting and alarms.
Purpose: Autonomous safety systems supporting the vessel’s physical safety and emergency response.