Detection in maritime OT — working with the constraints

Detection in a maritime OT environment is fundamentally different from detection in a shore-side IT network. Most bridge and engine room systems were designed for reliability and deterministic behaviour — not for security logging. NMEA 0183 is a one-way serial protocol with no concept of authentication. Modbus has no built-in access control. Many PLCs produce no meaningful event logs at all. A detection strategy for a vessel has to be built around what is actually achievable with the equipment fitted, not what a shore-side SOC would specify.

The playbooks in this phase take that reality as the starting point. They cover syslog aggregation from the systems that can produce logs, network traffic baselining to establish what normal looks like on the OT network, and periodic CBS verification checks that confirm the controls put in place during the Protect phase are still working. Together these create a detection capability that works even when VSAT is down and there is no connection to a shore-side security team.

Detection is also relevant well below the threshold of a formal cyber incident. Baseline drift — gradual changes in network behaviour, unexpected new connections, services running on ports that should be closed — are often the first indicators that something has changed on a system. Catching these early, through routine monitoring, is significantly better than discovering them during a survey or after an operational failure.