IDS/IPS for OT Networks
Detection Objective: To identify signatures of known malware, brute-force attacks, and unauthorized protocol commands targeting the ship’s control systems.
An Intrusion Detection System (IDS) acts like a digital “Security Guard” that monitors the traffic flowing between the Bridge, ECR, and the SATCOM terminal. In a maritime environment, we prioritize Passive IDS via a network “TAP” or “SPAN Port” to ensure zero impact on vessel operations.
How it Works: The SPAN Port
To avoid slowing down critical automation traffic, the IDS sits “out of band.” It receives a copy of all traffic without sitting directly in the path of the data.
The ETO Configuration Task:
- Identify the Core Switch where the Bridge and Engine Room networks converge.
- Configure a Mirror Port (SPAN) to copy all traffic from the OT VLANs to a dedicated physical port.
- Connect the IDS Sensor (e.g., Snort, Suricata, or a vendor-specific OT sensor) to that mirror port.
Signature vs. Behavior Detection
Modern maritime IDS solutions use two methods to catch threats:
Signature-Based
- Checks traffic against a database of “known bad” fingerprints.
- Catches: Known ransomware (e.g., WannaCry), common exploit kits.
Protocol-Based
- Looks for “illegal” commands in industrial protocols like Modbus or NMEA.
- Catches: Unauthorized “Stop” or “Write” commands to a PLC.
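The protocol-based check described above, shown as a small passive sensor in Python. This is an added example, not code from the page or from Snort/Suricata: it parses Modbus/TCP frames as they would arrive on the mirror port, classifies the function code against the public Modbus function-code table (5, 6, 15, 16, 22 and 23 are the state-changing “Write” functions), and raises an alert when a write comes from a host that is not on the allow-list of engineering workstations, or when a frame is malformed. The IP addresses, the allow-list and the captured frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes that change PLC state ("Write" in the text above).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hypothetical allow-list: only the ECR engineering workstation may issue writes.
# Address is constructed for this example.
AUTHORISED_WRITERS = {"10.20.0.10"}


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    reason: str


def modbus_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame: MBAP header (tid, proto 0, length, unit) + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_mbap(payload: bytes):
    """Return (transaction_id, unit_id, function_code, data); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(payload) - 6}")
    return tid, unit, payload[7], payload[8:]


def inspect_frame(src: str, dst: str, payload: bytes):
    """Passively inspect one frame copied from the SPAN port; return an Alert or None."""
    try:
        _tid, unit, fc, _data = parse_mbap(payload)
    except ValueError as exc:
        return Alert("HIGH", src, dst, f"malformed Modbus frame: {exc}")
    if fc & 0x80:
        return None  # exception response from the PLC, not a command
    if fc in WRITE_FUNCTIONS:
        if src not in AUTHORISED_WRITERS:
            return Alert("HIGH", src, dst,
                         f"unauthorised {WRITE_FUNCTIONS[fc]} (fc {fc}) to unit {unit}")
        return None  # expected engineering traffic
    if fc in READ_FUNCTIONS:
        return None
    return Alert("MEDIUM", src, dst, f"unexpected function code {fc} to unit {unit}")


def run_sensor(frames):
    """Run the check over a list of (src, dst, payload) tuples; return the alerts raised."""
    return [a for a in (inspect_frame(*f) for f in frames) if a is not None]


# Constructed traffic as it might be copied from the OT VLAN mirror port.
CAPTURED = [
    # Bridge HMI reading ten holding registers: benign
    ("10.20.0.20", "10.20.1.5", modbus_frame(1, 1, 3, struct.pack("!HH", 0, 10))),
    # Engineering workstation writing a setpoint: authorised
    ("10.20.0.10", "10.20.1.5", modbus_frame(2, 1, 6, struct.pack("!HH", 0x0010, 1500))),
    # Unknown host forcing a coil ON (0xFF00): unauthorised write
    ("10.20.0.77", "10.20.1.5", modbus_frame(3, 1, 5, struct.pack("!HH", 0x0001, 0xFF00))),
    # Truncated frame whose MBAP length claims 32 bytes: malformed
    ("10.20.0.77", "10.20.1.5", b"\x00\x04\x00\x00\x00\x20\x01\x10\x00"),
]

if __name__ == "__main__":
    for alert in run_sensor(CAPTURED):
        print(alert)
```

The sensor only returns alerts; it never transmits, which is the “out of band” property the SPAN design is meant to preserve. Note that the malformed-frame check is deliberate: a length field that disagrees with the frame size is a common symptom of fuzzing or a badly written tool, and a protocol-aware sensor should flag it rather than silently skip it.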
Critical Alerts for the ETO
When the IDS triggers, the ETO must prioritize the following “High” severity events:
A Note on “IPS” (Prevention)
While “Intrusion Prevention” (IPS) can automatically block traffic, it carries extreme risk in maritime OT. A “False Positive” could result in the security system accidentally dropping the load or shutting down a main engine.
Best Practice: Refrain from using “Prevention” (Block) mode on any critical system. If IPS is required by policy, it should only be enabled after a minimum 90-day “Shadow Period” of zero false positives and a full operational impact assessment.
