Phase: Detect (All vessels)
Satisfies: E26, E27, IMO MSC-FAL.1, BIMCO v5

Rogue Device Alerting

This guide establishes automated alerts for unauthorised device connections on the OT network, enabling rapid detection of unmanaged devices introduced by crew, contractors or attackers.

In a controlled maritime environment, new devices should never appear on the network without a prior change request. A “Rogue” device is any laptop, router, or wireless access point that appears unexpectedly. These are often the primary entry points for ransomware.

Detection Methods

The ETO can detect rogue devices using two primary technical methods:

1. MAC Address Whitelisting

The switch or IDS monitors the Media Access Control (MAC) address of every connected device. If a MAC appears that is not on the inventory, an alarm is triggered.

2. DHCP Lease Monitoring

If a device requests an IP from the OT DHCP server, the server logs the request. Monitoring these logs helps identify unknown hostnames (e.g., “Contractor-Laptop-01”).
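The two methods above come together when DHCP lease grants are checked against the authorised MAC/IP pairs from the Master Asset Register. The following is an added example, not code from the original guide: it parses ISC dhcpd-style DHCPACK lines (the log format, the register contents and the sample log are all constructed for illustration) and raises an alert for an unknown MAC, a known MAC on an unexpected address, or a hostname that differs from the register.

```python
import re
from collections import namedtuple

# Constructed golden baseline (what the Master Asset Register would supply):
# authorised MAC -> (expected IP, expected hostname). All values are made up.
ASSET_REGISTER = {
    "00:1b:1b:aa:00:01": ("192.168.10.11", "PLC-ER-01"),
    "00:1b:1b:aa:00:02": ("192.168.10.12", "HMI-BRIDGE-01"),
    "00:1b:1b:aa:00:03": ("192.168.10.13", "ECDIS-01"),
}

# Matches ISC dhcpd-style lease grants such as
#   "DHCPACK on 192.168.10.11 to 00:1b:1b:aa:00:01 (PLC-ER-01) via eth0"
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via", re.IGNORECASE,
)
Alert = namedtuple("Alert", "severity mac ip hostname reason")

def check_lease(line, register=ASSET_REGISTER):
    """Return an Alert for one DHCPACK line, or None if it matches the baseline."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None  # DISCOVER/REQUEST chatter and unrelated lines are ignored
    mac, ip = m.group("mac").lower(), m.group("ip")
    host = m.group("host") or "<no hostname>"
    entry = register.get(mac)
    if entry is None:
        # Unknown MAC on the OT segment: the core rogue-device condition.
        return Alert("HIGH", mac, ip, host, "MAC not in Master Asset Register")
    expected_ip, expected_host = entry
    if ip != expected_ip:
        # Known MAC, unexpected address: spoofed MAC or stale register entry.
        return Alert("MEDIUM", mac, ip, host, f"IP differs from register ({expected_ip})")
    if host != expected_host:
        return Alert("LOW", mac, ip, host, f"hostname differs from register ({expected_host})")
    return None

def scan_dhcp_log(lines, register=ASSET_REGISTER):
    """Run check_lease over every line and return the alerts in log order."""
    return [a for a in (check_lease(l, register) for l in lines) if a is not None]

# Constructed syslog extract: two authorised devices, a contractor laptop, and an authorised ECDIS on the wrong address.
SAMPLE_LOG = [
    "Jan 12 08:01:02 otdhcp dhcpd: DHCPACK on 192.168.10.11 to 00:1b:1b:aa:00:01 (PLC-ER-01) via eth0",
    "Jan 12 08:01:09 otdhcp dhcpd: DHCPREQUEST for 192.168.10.12 from 00:1b:1b:aa:00:02 via eth0",
    "Jan 12 08:01:09 otdhcp dhcpd: DHCPACK on 192.168.10.12 to 00:1b:1b:aa:00:02 (HMI-BRIDGE-01) via eth0",
    "Jan 12 09:14:33 otdhcp dhcpd: DHCPACK on 192.168.10.77 to 3c:52:82:de:ad:01 (Contractor-Laptop-01) via eth0",
    "Jan 12 09:20:00 otdhcp dhcpd: DHCPACK on 192.168.10.99 to 00:1b:1b:aa:00:03 (ECDIS-01) via eth0",
]
```

Running scan_dhcp_log(SAMPLE_LOG) yields a HIGH alert for the contractor laptop and a MEDIUM alert for the ECDIS; the two baseline-matching leases and the DHCPREQUEST line produce nothing.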

Common “Rogue” Scenarios in Maritime

Not all rogue devices are malicious, but all represent a violation of UR E26. The ETO should investigate the following immediately:

  • Vendor Maintenance: A service engineer plugs a laptop directly into the PLC switch for an update without informing the ETO.
  • Unauthorised Access Points: A crew member installs a “travel router” to extend Wi-Fi, creating an unmonitored backdoor.
  • Malicious Hardware: A “Rubber Ducky” or drop-box device hidden behind a console and designed to sniff traffic.

The Response Procedure

When a Rogue Device alert is received, follow this three-step response:

Action       Technical Task
1. LOCATE    Check the switch MAC address table to identify the physical port the device is plugged into.
2. ISOLATE   Log into the switch and administratively shut down (disable) that specific port immediately.
3. INSPECT   Physically go to the port location to identify the hardware and secure the device.

Proactive Defense: Port Security

The best way to “detect” a rogue device is to prevent it from connecting in the first place. You can virtually eliminate the risk of unauthorised hardware by following the hardening steps in the Protect Phase.

→ Practical Guide: Network Port Security & RJ45 Hardening

Why read the Inventory Guide? You cannot identify a “Rogue” device unless you have a verified “Golden Baseline.” The Master Asset Register provides the authorized MAC/IP pairs used to program your Whitelist alerts.

→ Establish the Master Asset Register
