
Detect Phase: Summary & Audit Readiness Page

Phase Objective

The Detect Phase is about Visibility. We transition from static defenses to active monitoring, ensuring that hardware failures, rogue devices, and malicious traffic are identified before they impact vessel safety.

Detection Capabilities Grid

To satisfy IACS UR E26 Section 4.3, the vessel must maintain these three pillars of detection. Each pillar links to its technical configuration playbook.

PILLAR A: Monitoring & Health
Real-time availability tracking of Category II/III assets and traffic volume baselining.

PILLAR B: Logging & SIEM
The “Cyber Black Box.” Centralized log collection with strict retention and integrity rules.

PILLAR C: Intrusion Detection
Active threat hunting. Identifying malware signatures and unauthorized hardware (Rogue Devices).

Auditor Readiness Checklist

Before an annual survey, the ETO should verify that the detection “Evidence Chain” is intact:

  • Log Continuity: Can you show a continuous log file for the last 90 days without gaps?
  • Alert Functionality: When a “Rogue Device” is simulated, does an alert actually pop up on the ETO workstation?
  • Time Sync: Are the timestamps on the ECDIS, Firewall, and Syslog Server identical (UTC)?
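
As an added illustration (not part of the playbook itself), the following Python check can be run over an exported syslog file to exercise the Log Continuity and Time Sync items above: it flags silences longer than the device's expected heartbeat interval, confirms the retained window reaches back 90 days, and compares each device clock with the syslog server. The host names, sample log lines and clock readings are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines from a hypothetical vessel firewall ("fw1"),
# RFC 5424-style ISO 8601 timestamps in UTC. Not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T00:00:05Z fw1 kernel: link up eth0
2024-03-01T00:10:12Z fw1 filterlog: pass tcp 10.0.1.5 -> 10.0.2.9
2024-03-01T00:20:30Z fw1 filterlog: pass udp 10.0.1.7 -> 10.0.2.9
2024-03-01T03:05:44Z fw1 kernel: link up eth0
2024-03-01T03:15:02Z fw1 filterlog: block tcp 10.0.3.1 -> 10.0.2.9
"""

# Constructed clock readings taken at the same moment from each device;
# "syslog" is the reference clock the other devices should agree with.
CLOCK_READINGS = {
    "syslog":   datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc),
    "firewall": datetime(2024, 3, 1, 12, 0, 1, tzinfo=timezone.utc),
    "ecdis":    datetime(2024, 3, 1, 12, 1, 30, tzinfo=timezone.utc),
}

def parse_ts(line: str) -> datetime:
    """Return the leading ISO 8601 timestamp of a log line as an aware UTC datetime."""
    stamp = line.split(" ", 1)[0].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)

def find_gaps(log_text: str, max_gap: timedelta) -> list:
    """Return (last_seen, next_seen) pairs where the log is silent longer than
    max_gap. On a device that logs at a known minimum rate, such silence means
    the evidence chain is broken (device down, forwarding stopped, or log wiped)."""
    stamps = [parse_ts(l) for l in log_text.splitlines() if l.strip()]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

def covers_window(log_text: str, now: datetime, days: int = 90) -> bool:
    """True if the oldest retained entry is at least `days` before `now`."""
    stamps = [parse_ts(l) for l in log_text.splitlines() if l.strip()]
    return bool(stamps) and min(stamps) <= now - timedelta(days=days)

def clock_skew(readings: dict, tolerance: timedelta) -> dict:
    """Map each source whose clock differs from the syslog reference by more
    than tolerance to its offset (positive = ahead of the reference)."""
    ref = readings["syslog"]
    return {name: ts - ref for name, ts in readings.items() if abs(ts - ref) > tolerance}

if __name__ == "__main__":
    for start, end in find_gaps(SAMPLE_LOG, timedelta(minutes=30)):
        print(f"GAP: no entries between {start.isoformat()} and {end.isoformat()}")
    now = datetime(2024, 3, 2, tzinfo=timezone.utc)
    print("90-day coverage:", covers_window(SAMPLE_LOG, now))
    for name, offset in clock_skew(CLOCK_READINGS, timedelta(seconds=5)).items():
        print(f"SKEW: {name} is {offset.total_seconds():+.0f}s from syslog")
```

Set max_gap to the shortest interval at which the device is known to log (for example its health heartbeat) so that a reported gap means missing evidence rather than a quiet period.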

Phase 3: DETECT Complete

The Alarm is Sounding: What Now?

Detection is useless without action. In the next phase, we define the Incident Response procedures. How do we isolate an infected PLC? How do we communicate during a cyber-crisis?

Begin Phase 4: RESPOND →