Part of the DETECT Playbook
Phase: Detect
All vessels
Satisfies: E26, E27, IEC 62443, IMO MSC-FAL.1, BIMCO v5

IDS/IPS for OT Networks

This guide covers the deployment of Intrusion Detection and Prevention Systems in passive mode on maritime OT networks, providing early warning of anomalous behaviour without risking false-positive shutdowns.

An Intrusion Detection System (IDS) acts like a digital “Security Guard” that monitors the traffic flowing between the Bridge, ECR, and the SATCOM terminal. In a maritime environment, we prioritize Passive IDS via a network “TAP” or “SPAN Port” to ensure zero impact on vessel operations.

How it Works: The SPAN Port

To avoid slowing down critical automation traffic, the IDS sits “out of band.” It receives a copy of all traffic without sitting directly in the path of the data.

The ETO Configuration Task:

  1. Identify the Core Switch where the Bridge and Engine Room networks converge.
  2. Configure a Mirror Port (SPAN) to copy all traffic from the OT VLANs to a dedicated physical port.
  3. Connect the IDS Sensor (e.g., Snort, Suricata, or a vendor-specific OT sensor) to that mirror port.

Signature vs. Behavior Detection

Modern maritime IDS solutions use two methods to catch threats:

Signature-Based

Checks traffic against a database of “known bad” fingerprints.
Catches: Known ransomware (e.g., WannaCry), common exploit kits.

Protocol-Based

Looks for “Illegal” commands in industrial protocols like Modbus or NMEA.
Catches: Unauthorized “Stop” or “Write” commands to a PLC.

Critical Alerts for the ETO

When the IDS triggers, the ETO must prioritize the following “High” severity events:

Alert Name         Impact                                            Immediate Action
Lateral Movement   Internal IP accessing multiple Bridge consoles.   Isolate source workstation immediately.
Beaconing          OT device reaching unknown IP via SATCOM.         Check Firewall logs for C2 traffic.
PLC Write Denial   Unauthorized attempt to change PLC logic.         EMERGENCY: Potential sabotage.
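
As an added example (not part of this playbook or of any vendor sensor), the following Python sketch implements the protocol-based check from the previous section and the "PLC Write Denial" alert above: it parses the Modbus/TCP MBAP header off a mirrored frame, flags write function codes from any host outside an allow-list of engineering workstations, and only ever raises an alert, never blocks. The IP addresses, allow-list and sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP function codes that change PLC state (per the Modbus spec).
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

# Hypothetical allow-list: only the engineering workstation may write to PLCs.
AUTHORISED_WRITERS = {"10.10.20.5"}

@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    unit_id: int
    function: str

def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header plus function code; return (unit_id, fc) or None."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    # Protocol ID is always 0 for Modbus; Length counts the unit id plus PDU bytes.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, fc

def inspect_flow(src: str, dst: str, payload: bytes):
    """Passive check: Alert on a write from an unauthorised source, else None. Never blocks."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return None
    unit_id, fc = parsed
    name = WRITE_FUNCTION_CODES.get(fc)
    if name is None or src in AUTHORISED_WRITERS:
        return None
    return Alert("HIGH", src, dst, unit_id, name)

# Constructed sample frames as copied off the mirror port (not real vessel traffic).
WRITE_REG = bytes.fromhex("000100000006010600100000")   # fc 0x06: unit 1, register 0x10 := 0
READ_REGS = bytes.fromhex("00020000000601030000000a")   # fc 0x03: read 10 holding registers
SAMPLE_FLOWS = [("10.10.20.5", "10.10.30.10", WRITE_REG),    # authorised write: no alert
                ("10.10.40.77", "10.10.30.10", WRITE_REG),   # unknown host writing: alert
                ("10.10.40.77", "10.10.30.10", READ_REGS)]   # read only: no alert

def run_sensor(flows=SAMPLE_FLOWS):
    """Return the alerts raised over (src, dst, payload) tuples read from the SPAN port."""
    return [a for a in (inspect_flow(*f) for f in flows) if a is not None]
```

Feeding frames from a pcap of the SPAN port into inspect_flow keeps the sensor out of band, as the guide requires; the alert list is what the ETO would review.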

A Note on “IPS” (Prevention)

While “Intrusion Prevention” (IPS) can automatically block traffic, it carries extreme risk in maritime OT. A “False Positive” could result in the security system accidentally dropping the load or shutting down a main engine.

Best Practice: Refrain from using “Prevention” (Block) mode on any critical system. If IPS is required by policy, it should only be enabled after a minimum 90-day “Shadow Period” of zero false positives and a full operational impact assessment.
