Part of the IDENTIFY Playbook
OT Traffic Baselining Procedures
Objective: Capture the "normal" state of communication and turn it into a blueprint for firewall rules (the conduits between zones). The recorded list of observed flows is also the evidence for the IACS UR E26 requirement to verify network traffic flows.
1. The 72-Hour Observation Window
A baseline must cover every operational state the vessel passes through: a flow that only appears during cargo operations will be blocked the first time the rules are live and the pumps start. For a maritime audit, we recommend a 72-hour capture that includes at least:
- Dynamic Positioning / Maneuvering: High-frequency thruster and rudder control traffic.
- Steady State (Cruise): Consistent navigation and engine telemetry.
- Cargo Operations: Pump control and automated valve sequences.
If one of these states does not occur within the window, extend the capture rather than assume its traffic matches the others.
2. Implementation: Passive Capture
SPAN Port Config
Mirror traffic from the core OT switch to a dedicated monitoring port. A SPAN session is oversubscribed as soon as the combined traffic of the mirrored ports exceeds the line rate of the monitoring port, and the switch silently discards the excess, so check the monitoring port's drop counters after each high-load maneuver. If they are non-zero, mirror fewer VLANs per session or use a passive TAP. The capture host must only receive: disable its own IP stack on the capture interface so nothing is transmitted into the OT network.
Traffic Analysis
Use Wireshark (or tshark for multi-day captures) or a dedicated IDS sensor to enumerate talkers, listeners, and the protocols and ports they use. The result you need is a list of source, destination, protocol and destination-port tuples, since each of these becomes one conduit rule.
3. Critical Findings Table
Deviations from the baseline that must be resolved before the rule set is enforced:
| Observed Behavior | Risk Mitigation |
|---|---|
| Unknown MAC Addresses | Trace the physical cable to the device; add it to the asset inventory or remove it. |
| External Phone-Home | Block DNS/NTP requests to public servers; serve name resolution and time from inside the OT network. |
| Broadcast Storms | Split the broadcast domain with VLANs to reduce network noise. |
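The traffic-analysis step and the findings table, worked through end to end. This is an added example, not tooling from the playbook or from any vendor: a standard-library Python script that parses a classic libpcap file (Ethernet II, IPv4, TCP/UDP), derives the conduit set and MAC inventory from the baseline capture, renders them as allow rules in an assumed vendor-neutral syntax, and then runs the three Critical Findings checks over a later capture. The hosts, MAC addresses, IP addresses and both captures are constructed sample data, and the 20% broadcast threshold is an assumption to tune against your own baseline.

```python
"""Baseline OT conduits from a libpcap capture, then check a later capture against them.
Added example for this page (not the playbook's own tooling). Stdlib only: Ethernet II,
IPv4, TCP/UDP. Every MAC, address and capture below is constructed sample data."""
import struct
from ipaddress import ip_address
from typing import NamedTuple, Optional
BCAST_MAC = "ff:ff:ff:ff:ff:ff"

class Flow(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str   # "" for non-IPv4 frames
    dst_ip: str
    proto: str    # "tcp", "udp", "other" (IPv4 without ports) or "non-ip"
    dport: int    # 0 when there is no L4 port

def frames(pcap: bytes):
    """Walk a classic libpcap file: 24-byte global header, then 16-byte record headers."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, pos)[2]
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len

def decode(frame: bytes) -> Optional[Flow]:
    """Ethernet II -> IPv4 -> TCP/UDP. Non-IPv4 frames still contribute MAC information."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or len(frame) < 34:
        return Flow(src_mac, dst_mac, "", "", "non-ip", 0)
    l4 = 14 + (frame[14] & 0x0F) * 4               # IHL gives the IPv4 header length
    proto_num = frame[23]
    src_ip, dst_ip = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
    if proto_num in (6, 17) and len(frame) >= l4 + 4:
        dport = struct.unpack_from("!H", frame, l4 + 2)[0]
        return Flow(src_mac, dst_mac, src_ip, dst_ip, "tcp" if proto_num == 6 else "udp", dport)
    return Flow(src_mac, dst_mac, src_ip, dst_ip, "other", 0)

def build_baseline(pcap: bytes):
    """The 'normal' blueprint: observed conduits (src, dst, proto, dport) plus known MACs."""
    conduits, macs = set(), set()
    for f in filter(None, map(decode, frames(pcap))):
        macs.update((f.src_mac, f.dst_mac))
        if f.proto != "non-ip":
            conduits.add((f.src_ip, f.dst_ip, f.proto, f.dport))
    return conduits, macs

def conduit_rules(conduits):
    """Render the conduits as vendor-neutral allow rules (assumed syntax), default deny."""
    return [f"permit {p} {s} -> {d} port {dp}" for s, d, p, dp in sorted(conduits)] + ["deny any -> any"]

def review(pcap: bytes, conduits, macs, broadcast_limit: float = 0.20):
    """Critical Findings checks over a later capture; broadcast_limit is an assumed threshold."""
    report = {"unknown_mac": set(), "external": set(), "new_conduit": set(),
              "broadcast_ratio": 0.0, "broadcast_storm": False}
    flows = list(filter(None, map(decode, frames(pcap))))
    for f in flows:
        if f.src_mac not in macs:                   # talker missing from the inventory
            report["unknown_mac"].add(f.src_mac)
        if f.proto == "non-ip":
            continue
        key = (f.src_ip, f.dst_ip, f.proto, f.dport)
        if key not in conduits:                     # no baseline conduit would allow this
            report["new_conduit"].add(key)
        if ip_address(f.dst_ip).is_global:          # phone-home to a public address
            report["external"].add(key)
    if flows:
        report["broadcast_ratio"] = sum(f.dst_mac == BCAST_MAC for f in flows) / len(flows)
        report["broadcast_storm"] = report["broadcast_ratio"] > broadcast_limit
    return report

# ---- constructed sample captures (not real ship traffic) ----
def mk_frame(src_mac, dst_mac, src_ip, dst_ip, proto, dport):
    """Ethernet II + IPv4 + UDP/TCP header with zero checksums, enough for decode()."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    l4 = (struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0) if proto == "tcp"
          else struct.pack("!HHHH", 40000, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, 6 if proto == "tcp" else 17,
                     0, ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + l4

def mk_pcap(frame_list):
    """Little-endian libpcap file, linktype 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frame_list)

HMI, PLC, HIST = "00:0c:29:11:11:11", "00:80:f4:22:22:22", "00:0c:29:33:33:33"
NORMAL = ([mk_frame(HMI, PLC, "10.10.1.10", "10.10.1.20", "tcp", 502)] * 9        # Modbus/TCP polls
          + [mk_frame(PLC, HIST, "10.10.1.20", "10.10.2.5", "udp", 20000)] * 9    # telemetry to historian
          + [mk_frame(HMI, BCAST_MAC, "10.10.1.10", "255.255.255.255", "udp", 137)] * 2)
BASELINE_PCAP = mk_pcap(NORMAL)
LAPTOP, GATEWAY = "3c:22:fb:44:44:44", "00:1b:17:55:55:55"
REVIEW_PCAP = mk_pcap(NORMAL                                                        # same traffic plus
                      + [mk_frame(LAPTOP, GATEWAY, "10.10.1.77", "8.8.8.8", "udp", 53)]   # a laptop phoning home
                      + [mk_frame(LAPTOP, BCAST_MAC, "10.10.1.77", "255.255.255.255", "udp", 137)] * 12)

if __name__ == "__main__":
    base = build_baseline(BASELINE_PCAP)
    print("\n".join(conduit_rules(base[0])), review(REVIEW_PCAP, *base), sep="\n")
```

To use it on real data, replace `BASELINE_PCAP` and `REVIEW_PCAP` with the bytes of your own capture files (the parser handles classic pcap only, so convert pcapng first, for example with `tshark -r in.pcapng -F pcap -w out.pcap`). Treat every `new_conduit` entry as a question for the system owner before it becomes a deny rule: in the sample it is a laptop that was never in the inventory, but on a real vessel it is just as often a legitimate flow that the 72-hour window missed.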
Traffic Baselined?
Pillar B Progressing. Now that you have captured live data, the next step is to map the functional relationships and dependencies between your systems, so that each observed flow can be tied to the function it serves.
