Asset Availability Tracking
Detection Objective: To identify in real-time when a critical cyber-asset becomes unreachable or when an unauthorized device is connected to the OT network.
In the Identify Phase, we created the Asset Inventory. In this playbook, we turn that static list into an Active Watchlist. We use “Heartbeat” monitoring to ensure that every bridge console, engine controller, and switch is alive and responding.
The “Heartbeat” Methodology
For maritime OT, we use non-intrusive monitoring so that polling never disrupts sensitive PLC operations. This is typically achieved with ICMP (Ping) or read-only SNMP polling of each inventoried device.
Expected Behavior
The Asset Inventory lists 42 Category II devices. All 42 should respond to a “Heartbeat” every 60 seconds.
Anomaly Detected
A “Device Down” alert triggers when a device stops answering its “Heartbeat”. This indicates hardware failure, cable disconnection, or a potential Cyber-DoS attack.
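The watchlist logic described above (60-second heartbeats, a “Device Down” alert, and the unknown-device check called for in the Rogue Device Log) as an added example; this is illustrative code, not part of the playbook or any vendor tool. The inventory, IP/MAC values and the three-miss threshold are constructed assumptions, and the poll results are injected so the logic runs offline instead of sending real ICMP/SNMP probes.

```python
# Added example: one heartbeat and rogue-device evaluation pass over a
# constructed asset inventory. In production, probe_results would come from
# the 60 s ICMP/SNMP poller and observed_hosts from the ECR switch MAC table.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    ip: str
    mac: str
    category: str  # "II" or "III" as recorded in the Asset Inventory

@dataclass
class WatchState:
    misses: dict = field(default_factory=dict)  # ip -> consecutive missed heartbeats

MISS_THRESHOLD = 3  # assumed: three missed 60 s heartbeats before "Device Down"

def evaluate_heartbeat(inventory, probe_results, state, threshold=MISS_THRESHOLD):
    """probe_results: {ip: True/False} from one poll cycle.
    Returns the alerts raised in this cycle (one alert per outage, not per cycle)."""
    alerts = []
    for asset in inventory:
        if probe_results.get(asset.ip, False):
            state.misses[asset.ip] = 0          # device answered; reset counter
            continue
        state.misses[asset.ip] = state.misses.get(asset.ip, 0) + 1
        if state.misses[asset.ip] == threshold:  # alert exactly once on crossing
            alerts.append(f"Device Down: {asset.name} ({asset.ip}, Category {asset.category})")
    return alerts

def detect_rogue_devices(inventory, observed_hosts):
    """observed_hosts: {mac: ip} currently seen on the switch.
    Any MAC absent from the inventory is an unknown device and goes to the Rogue Device Log."""
    known = {a.mac.lower() for a in inventory}
    return [f"Rogue Device: unknown MAC {mac} at {ip}"
            for mac, ip in observed_hosts.items() if mac.lower() not in known]

# Constructed sample inventory (placeholder values, not real vessel assets)
INVENTORY = [
    Asset("Bridge Console 1", "10.10.1.11", "00:11:22:33:44:01", "III"),
    Asset("Engine Controller A", "10.10.2.21", "00:11:22:33:44:02", "II"),
    Asset("ECR Switch", "10.10.2.1", "00:11:22:33:44:03", "II"),
]

def demo():
    state, alerts = WatchState(), []
    for _ in range(3):  # engine controller silent for three consecutive cycles
        alerts += evaluate_heartbeat(INVENTORY, {"10.10.1.11": True, "10.10.2.1": True}, state)
    alerts += detect_rogue_devices(INVENTORY, {"00:11:22:33:44:01": "10.10.1.11",
                                               "aa:bb:cc:dd:ee:ff": "10.10.2.57"})
    return alerts
```

A successful ping only proves the device's IP stack answers, not that the control application is healthy, so SNMP status polling should back up ICMP where the device supports it.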
ETO Implementation Checklist
Follow these steps to establish the monitoring baseline for UR E26 compliance:
Audit Evidence Preparation
When an auditor asks, “How do you know if a critical system has been tampered with or removed?”, provide the following:
| Evidence Item | Description |
|---|---|
| Availability Report | A 30-day log showing 99.9% uptime for Category III systems. |
| Rogue Device Log | Proof that the system alerts the ETO when an unknown laptop is plugged into the ECR switch. |