
Asset Availability Tracking

Detection Objective: To identify in real time when a critical cyber-asset becomes unreachable or when an unauthorized device is connected to the OT network.

In the Identify Phase, we created the Asset Inventory. In this playbook, we turn that static list into an Active Watchlist. We use “Heartbeat” monitoring to ensure that every bridge console, engine controller, and switch is alive and responding.

The “Heartbeat” Methodology

For maritime OT, we utilize non-intrusive monitoring to avoid disrupting sensitive PLC operations. This is typically achieved through ICMP (Ping) or SNMP polling.

Expected Behavior

The Asset Inventory lists 42 Category II devices. All 42 should respond to a “Heartbeat” every 60 seconds.

Anomaly Detected

A “Device Down” alert triggers. This indicates hardware failure, cable disconnection, or a potential Cyber-DoS attack.

Technical Implementation

1. Setup Watchdog Ping (Heartbeat)

Use this to detect if a device (HMI, PLC, Sensor) goes offline.

From your monitoring station (e.g., Zabbix or PRTG), create a PING Sensor for each IP in your Asset Inventory:

  • Polling Interval: 60 Seconds (to stay “lazy” and safe for OT).
  • Timeout: 5 Seconds.
  • Detection Logic: If 3 consecutive pings fail, trigger a CRITICAL alert.

“If the ping stops, the heartbeat stops. Check the physical cable first.”
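The detection logic above (60-second polls, 5-second timeout, CRITICAL only after 3 consecutive misses, no alert on a single miss during congestion) is easy to get subtly wrong in a monitoring tool, so here is an added example of the same state machine in Python. It is not code from the playbook or from any monitoring product; the inventory entries, asset names and IP addresses are constructed, and the live probe assumes a Linux `ping` binary (`-c` count, `-W` timeout in seconds). The scripted probe replays an outage offline so the threshold behaviour can be checked without touching the OT network.

```python
# Added example (not from the playbook): a heartbeat watchdog that applies the
# playbook's detection logic (60 s polls, 5 s timeout, CRITICAL after 3 misses).
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

POLL_INTERVAL_S = 60    # "lazy" polling interval from the playbook
PROBE_TIMEOUT_S = 5     # per-probe timeout from the playbook
MISS_THRESHOLD = 3      # consecutive misses before a CRITICAL alert

# Constructed sample inventory (hypothetical names and addresses, not a real vessel).
INVENTORY = [
    {"name": "ECDIS Controller", "ip": "10.10.1.5", "category": "II"},
    {"name": "Engine PLC-1", "ip": "10.10.2.20", "category": "III"},
]


@dataclass
class AssetState:
    name: str
    ip: str
    category: str
    consecutive_misses: int = 0
    status: str = "UP"  # UP -> DEGRADED (some misses) -> CRITICAL (threshold reached)


class HeartbeatWatchdog:
    """Polls every inventory asset through probe(ip, timeout_s) -> bool, raising one
    CRITICAL alert per outage and one RECOVERED message when the device answers again."""

    def __init__(self, inventory: List[Dict[str, str]],
                 probe: Callable[[str, float], bool],
                 miss_threshold: int = MISS_THRESHOLD) -> None:
        self.assets = {a["ip"]: AssetState(a["name"], a["ip"], a["category"]) for a in inventory}
        self.probe = probe
        self.miss_threshold = miss_threshold

    def poll_once(self) -> List[str]:
        alerts: List[str] = []
        for asset in self.assets.values():
            if self.probe(asset.ip, PROBE_TIMEOUT_S):
                if asset.status == "CRITICAL":
                    alerts.append(f"RECOVERED {asset.name} ({asset.ip}) is responding again")
                asset.consecutive_misses = 0
                asset.status = "UP"
                continue
            asset.consecutive_misses += 1
            if asset.consecutive_misses >= self.miss_threshold:
                if asset.status != "CRITICAL":   # alert once, not on every further miss
                    asset.status = "CRITICAL"
                    alerts.append(
                        f"CRITICAL Device Down: {asset.name} ({asset.ip}, Category {asset.category}) "
                        f"missed {asset.consecutive_misses} consecutive heartbeats; "
                        f"check the physical cable first")
            else:
                asset.status = "DEGRADED"        # a single miss during congestion is not an alert
        return alerts


def ping_probe(ip: str, timeout_s: float) -> bool:
    """Real probe: one ICMP echo via the system ping binary (Linux iputils flags:
    -c count, -W timeout in seconds). Returns True when the host replied."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(int(timeout_s)), ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def make_scripted_probe(script: Dict[str, List[bool]]) -> Callable[[str, float], bool]:
    """Offline stand-in for ping_probe: replays a scripted up/down sequence per IP;
    IPs without a script, or past the end of it, are reported as up."""
    calls: Dict[str, int] = {}

    def probe(ip: str, timeout_s: float) -> bool:
        i = calls.get(ip, 0)
        calls[ip] = i + 1
        seq = script.get(ip, [])
        return seq[i] if i < len(seq) else True
    return probe


def run_simulation() -> List[List[str]]:
    """Engine PLC-1 misses three polls, then answers again: the third miss must raise
    CRITICAL, the next success must report recovery, and the ECDIS stays quiet."""
    watchdog = HeartbeatWatchdog(INVENTORY, make_scripted_probe({"10.10.2.20": [False, False, False, True]}))
    return [watchdog.poll_once() for _ in range(4)]


def run_live(cycles: int = 0) -> None:
    """Live loop with the real ping probe at the playbook interval; cycles=0 runs forever."""
    watchdog = HeartbeatWatchdog(INVENTORY, ping_probe)
    done = 0
    while cycles == 0 or done < cycles:
        for line in watchdog.poll_once():
            print(line)
        time.sleep(POLL_INTERVAL_S)
        done += 1


if __name__ == "__main__":
    for cycle, alerts in enumerate(run_simulation(), start=1):
        print(f"poll {cycle}: {alerts or 'no alerts'}")
```

Running the file replays the scripted outage: polls 1 and 2 produce nothing, poll 3 raises the CRITICAL alert, poll 4 reports recovery. Swap `make_scripted_probe` for `ping_probe` (or call `run_live()`) to poll the real inventory; the alert text is deliberately one line so it can be shipped as-is to the ETO's alerting channel and kept as audit evidence.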

2. Configure Switch “Link Down” Alerts

Use this to detect exactly where a disconnection occurred.

Configure your managed switches to send an SNMP trap to the monitoring station (so the ETO is notified) the moment a physical port loses link:

# Cisco IOS example (Hirschmann switches expose the same traps through their own CLI syntax; check the vendor manual):
# link-state traps are enabled under the "snmp" trap group; "linkup" is included so recovery is logged too
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps port-security
# SNMPv2c community strings travel in cleartext; use SNMPv3 where the switch supports it
snmp-server host [Monitoring_IP] version 2c [Community_String]

The Benefit: You don’t have to wait 60 seconds for a ping to fail. The switch tells you instantly: “Port 5 (ECDIS Controller) has lost Link Status.”

Audit Evidence Preparation

When an auditor asks, “How do you know if a critical system has been tampered with or removed?”, provide the following:

  • Availability Report: A 30-day log showing 99.9% uptime for Category III systems.
  • Rogue Device Log: Proof that the system alerts the ETO when an unknown laptop is plugged into the ECR switch.


ETO Implementation Checklist

Follow these steps to establish the monitoring baseline for UR E26 compliance:

Step-by-Step Configuration
  • 1. Define the Monitoring Scope: Prioritize Category III (Critical) and Category II (Important) assets. Do not monitor Crew IT devices on this dashboard.
  • 2. Configure “Discovery” vs “Inventory”: Set your monitoring tool to alert when a MAC address NOT in the approved inventory appears on the network (Rogue Device).
  • 3. Set Alert Thresholds: Set “Device Down” alerts to trigger after 3 missed heartbeats to avoid false alarms during minor network congestion.
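Step 2 (alert on any MAC address not in the approved inventory) is the check behind the “Rogue Device Log” evidence item, and the checklist describes it without showing the comparison. The following is an added Python example, not code from the playbook or from any switch vendor: it parses a MAC address table in the layout of Cisco IOS `show mac address-table` output, normalizes the MAC formats, and reports any learned address that is absent from the approved inventory. It goes slightly beyond the checklist by also flagging an approved device that appears on a port other than the one recorded for it. The inventory, port names and table rows are constructed sample data.

```python
# Added example (not from the playbook): flag MAC addresses learned by the ECR switch
# that are absent from the approved asset inventory (ROGUE), and approved devices
# that show up on an unexpected port (MOVED).
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample inventory: MAC -> (asset name, expected switch port). Hypothetical values.
APPROVED_INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1b:1b:aa:00:05": ("ECDIS Controller", "Gi1/0/5"),
    "00:80:63:10:20:30": ("Engine PLC-1", "Gi1/0/12"),
}

# Constructed rows in the layout of Cisco IOS "show mac address-table" output;
# the third entry stands in for an unknown laptop plugged into port 7.
MAC_TABLE_SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001b.1baa.0005    DYNAMIC     Gi1/0/5
  10    0080.6310.2030    DYNAMIC     Gi1/0/12
  10    3c22.fb11.2233    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 3
"""


class Finding(NamedTuple):
    severity: str   # ROGUE (unknown MAC) or MOVED (known MAC on the wrong port)
    mac: str
    port: str
    detail: str


def normalize_mac(raw: str) -> str:
    """Accept Cisco dotted (001b.1baa.0005), hyphen or colon forms; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# A data row: VLAN number, MAC, learn type, port. Header, separator and total lines do not match.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+(\S+)\s+(\S+)\s*$")


def parse_mac_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (vlan, normalized mac, port) for every data row of the table text."""
    rows: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((m.group(1), normalize_mac(m.group(2)), m.group(4)))
    return rows


def check_mac_table(rows: List[Tuple[str, str, str]],
                    approved: Dict[str, Tuple[str, str]] = APPROVED_INVENTORY) -> List[Finding]:
    """Compare learned addresses with the approved inventory (checklist step 2)."""
    findings: List[Finding] = []
    for vlan, mac, port in rows:
        mac = normalize_mac(mac)
        if mac not in approved:
            findings.append(Finding("ROGUE", mac, port,
                                    f"unknown device on VLAN {vlan} port {port}: not in approved inventory"))
            continue
        name, expected_port = approved[mac]
        if port != expected_port:
            findings.append(Finding("MOVED", mac, port,
                                    f"{name} expected on {expected_port} but seen on {port}"))
    return findings


def audit_switch(text: str = MAC_TABLE_SAMPLE,
                 approved: Dict[str, Tuple[str, str]] = APPROVED_INVENTORY) -> List[Finding]:
    """Parse one switch's MAC table and return the findings for the Rogue Device Log."""
    return check_mac_table(parse_mac_table(text), approved)


if __name__ == "__main__":
    for f in audit_switch():
        print(f"{f.severity}: {f.mac} on {f.port}: {f.detail}")
```

On the constructed table the ECDIS and PLC match their recorded ports and only the unknown address on `Gi1/0/7` is reported as ROGUE; feeding the same rows with the ECDIS on a different port yields a MOVED finding instead. Run it on the output of each ECR switch at every heartbeat cycle and keep the findings, since a MAC address is a weak identifier on its own; the check complements the switch's port-security trap and physical port controls rather than replacing them.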

