Detect: Continuous Monitoring & Anomaly Discovery
IACS UR E26 Control 4.3: Real-time Security Event Detection
The “Eyes and Ears” of the vessel. Hardened firewalls are only effective if you know when they are being attacked. This phase establishes the monitoring infrastructure required to identify unauthorized access, hardware failures, and malicious patterns within the OT network.
Effective detection in Maritime OT requires a move from Passive Asset Lists to Active Behavioral Analysis. By monitoring network flows and centralizing system logs, we can identify a cyber incident before it affects the ship’s maneuverability or safety systems.
Core Concept: The SOC-on-a-Ship Model
Implementing local syslog aggregation and anomaly detection that works even when the VSAT link is down.
Monitoring & Health
Asset availability and performance baseline monitoring to detect hardware tampering or failure.
Logging & SIEM
Centralizing event logs from all Category II and III systems for forensic readiness and audit proof.
Intrusion Detection
Identifying unauthorized connections and physical cabinet breaches in real-time.
Detection Tip for ETOs:
Detection isn’t just about hackers; it’s about Baseline Drift. If your Engine Control network usually has 500kbps of traffic and suddenly jumps to 10Mbps, something is wrong—even if no “alarm” has gone off yet.
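The baseline-drift check described in the tip above, as an added worked example (this is not code from the original page or from the IACS UR E26 text). It runs a rolling-median baseline over a constructed minute-by-minute throughput series for an Engine Control network segment and flags both surges (the 500 kbps to 10 Mbps case) and drops to near zero, which is the hardware-failure or cable-pull case from the Monitoring & Health item. The window, ratio and floor parameters are illustrative assumptions, not values from any standard.

```python
from collections import deque
from statistics import median

# Constructed sample: one throughput reading per minute (kbps) from a
# monitoring port on the Engine Control network. Normal load sits near
# 500 kbps; at minute 20 the rate jumps to about 10 Mbps, and from
# minute 26 the segment goes silent (e.g. switch failure or unplugged
# cable). These numbers are made up for the example.
SAMPLE_KBPS = [510, 495, 520, 480, 505, 515, 490, 500, 525, 485,
               500, 510, 495, 505, 500, 490, 515, 505, 495, 500,
               10_000, 9_800, 10_200, 505, 500, 495,
               0, 0, 0]


def detect_drift(samples_kbps, window=12, ratio=4.0, floor_kbps=50.0):
    """Flag samples that deviate from a rolling median baseline.

    Returns a list of (index, kind, value, baseline) tuples, where kind is
    "surge" (value > ratio * baseline) or "drop" (value < baseline / ratio).
    The median is used instead of the mean so a single spike cannot drag
    the baseline with it, and anomalous samples are not fed back into the
    history, so a sustained burst cannot become the new normal on its own.
    No alert is raised until `window` clean samples have been seen.
    `floor_kbps` prevents a quiet network from producing a baseline so
    small that ordinary chatter looks like a surge. All thresholds are
    assumptions chosen for illustration.
    """
    history = deque(maxlen=window)
    alerts = []
    for i, value in enumerate(samples_kbps):
        if len(history) == window:
            baseline = max(median(history), floor_kbps)
            if value > ratio * baseline:
                alerts.append((i, "surge", value, baseline))
                continue
            if value < baseline / ratio:
                alerts.append((i, "drop", value, baseline))
                continue
        history.append(value)
    return alerts


def format_alert(alert):
    """Render one alert as a single line suitable for the ship's local
    syslog aggregator (free-form message; the tag 'ot-monitor' is an
    assumed name for this example)."""
    i, kind, value, baseline = alert
    return (f"ot-monitor: {kind} at sample {i}: "
            f"{value:.0f} kbps vs baseline {baseline:.0f} kbps")


if __name__ == "__main__":
    for alert in detect_drift(SAMPLE_KBPS):
        print(format_alert(alert))
```

Because anomalous samples never enter the baseline, a legitimate change in traffic level (for example after a new sensor is commissioned) will keep alerting until the baseline is deliberately reset; that is the intended behaviour for an OT segment, where a persistent alarm that an engineer must acknowledge is preferable to a baseline that silently adapts to an intrusion.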
