Part of the DETECT Playbook

IDS/IPS for OT Networks

Detection Objective: To identify signatures of known malware, brute-force attacks, and unauthorized protocol commands targeting the ship’s control systems.

An Intrusion Detection System (IDS) acts like a digital “Security Guard” that monitors the traffic flowing between the Bridge, ECR, and the SATCOM terminal. In a maritime environment, we prioritize Passive IDS via a network “TAP” or “SPAN Port” to ensure zero impact on vessel operations.

How it Works: The SPAN Port

To avoid slowing down critical automation traffic, the IDS sits “out of band.” It receives a copy of all traffic without sitting directly in the path of the data.

The ETO Configuration Task:

  1. Identify the Core Switch where the Bridge and Engine Room networks converge.
  2. Configure a Mirror Port (SPAN) to copy all traffic from the OT VLANs to a dedicated physical port.
  3. Connect the IDS Sensor (e.g., Snort, Suricata, or a vendor-specific OT sensor) to that mirror port.

Signature vs. Behavior Detection

Modern maritime IDS solutions use two methods to catch threats:

Signature-Based

Checks traffic against a database of “known bad” fingerprints.
Catches: Known ransomware (e.g., WannaCry), common exploit kits.

Protocol-Based

Parses industrial and marine protocols such as Modbus or NMEA and flags commands that should never appear on the wire, whether or not the traffic matches a known signature.
Catches: Unauthorized “Stop” or “Write” commands to a PLC.
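The following is an added example, not code from the playbook or from any vendor sensor, showing what a protocol-based check actually does with the traffic copied from the SPAN port: it parses the Modbus/TCP header, identifies write function codes, and raises the “PLC Write Denial” alert listed below when the write comes from a device that is not on the allow-list. The IP addresses, the single-entry allow-list and the sample frames are all constructed for illustration.

```python
import struct

# Modbus function codes that change PLC state. Reads (function codes 1-4) are
# left alone; the concern is a write from a device that should never write.
MODBUS_WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Hypothetical allow-list: only the engineering workstation may write to the
# PLC. Every address in this example is constructed.
AUTHORIZED_WRITERS = {"10.10.1.5"}


def build_modbus_tcp(transaction_id, unit_id, function, data):
    """Build a Modbus/TCP frame (MBAP header + PDU). Used only to construct
    sample traffic for this example."""
    pdu = bytes([function]) + data
    # MBAP header: transaction id, protocol id (always 0), length of
    # unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code, start_address) from a Modbus/TCP
    request, or None if the MBAP header is malformed or truncated."""
    if len(payload) < 8:
        return None
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function = payload[7]
    # The standard read/write PDUs carry a 16-bit start address right after
    # the function code
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return unit_id, function, address


def inspect_modbus(packets):
    """Protocol-based check over (src_ip, dst_ip, payload) tuples copied from
    the mirror port. Returns a list of (alert_name, src_ip, dst_ip, detail)."""
    alerts = []
    for src_ip, dst_ip, payload in packets:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            alerts.append(("MALFORMED_MODBUS", src_ip, dst_ip, "bad MBAP header"))
            continue
        unit_id, function, address = parsed
        if function in MODBUS_WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
            detail = (f"{MODBUS_WRITE_FUNCTIONS[function]} (fc {function}) "
                      f"to unit {unit_id} address {address}")
            alerts.append(("PLC_WRITE_DENIAL", src_ip, dst_ip, detail))
    return alerts


# Constructed sample traffic toward a PLC at a hypothetical address
PLC = "10.10.3.50"
SAMPLE_PACKETS = [
    # Bridge HMI polling: Read Holding Registers (fc 3), address 0, quantity 10
    ("10.10.2.10", PLC, build_modbus_tcp(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation changes a setpoint: Write Single Register (fc 6)
    ("10.10.1.5", PLC, build_modbus_tcp(2, 1, 6, struct.pack(">HH", 40, 1500))),
    # Unknown laptop sends the same kind of write: the PLC Write Denial case
    ("10.10.1.77", PLC, build_modbus_tcp(3, 1, 6, struct.pack(">HH", 40, 0))),
    # Truncated frame, which the parser must reject rather than misread
    ("10.10.1.77", PLC, b"\x00\x04\x00\x00"),
]

if __name__ == "__main__":
    for alert in inspect_modbus(SAMPLE_PACKETS):
        print(alert)
```

Because the sensor only sees a copy of the traffic, the check reports and never drops the frame; the write from the engineering workstation produces no alert, the same write from the unlisted laptop does, and a frame whose MBAP length field disagrees with its size is reported as malformed instead of being guessed at.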

Critical Alerts for the ETO

When the IDS triggers, the ETO must prioritize the following “High” severity events:

Alert: Lateral Movement
  Impact: Internal IP trying to access multiple Bridge consoles.
  Immediate Action: Isolate the source workstation immediately.

Alert: Beaconing
  Impact: OT device trying to reach an unknown IP over SATCOM.
  Immediate Action: Check Firewall logs for “Command & Control” traffic.

Alert: PLC Write Denial
  Impact: Unauthorized laptop trying to change PLC logic.
  Immediate Action: EMERGENCY: Potential attempt to sabotage machinery.
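The first two alerts above are behavioural rather than signature matches, so as an added example (not code from the playbook or any product) here is the logic a sensor applies to connection records from the mirror port: “Lateral Movement” fires when one internal source reaches several distinct Bridge consoles inside a short window, and “Beaconing” fires when an OT device repeatedly contacts an address outside the ship’s networks at a steady interval and that address is not on the known-good list. The ship subnet, console addresses, thresholds and flow records are all constructed for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed environment: a hypothetical OT subnet and Bridge console addresses
SHIP_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
BRIDGE_CONSOLES = {"10.10.2.10", "10.10.2.11", "10.10.2.12", "10.10.2.13"}
# External addresses the OT network legitimately talks to (e.g. a licensed
# weather feed); anything else off-ship is "unknown". Constructed value.
KNOWN_EXTERNAL = {"203.0.113.10"}

LATERAL_WINDOW_SECONDS = 300   # distinct consoles must be hit inside 5 minutes
LATERAL_MIN_TARGETS = 3
BEACON_MIN_CONNECTIONS = 4
BEACON_MAX_JITTER = 0.2        # std-dev / mean of the inter-connection gaps


def on_ship(ip):
    return any(ipaddress.ip_address(ip) in net for net in SHIP_NETWORKS)


def detect_lateral_movement(flows):
    """Flag a source that reaches LATERAL_MIN_TARGETS distinct Bridge consoles
    within a sliding window of LATERAL_WINDOW_SECONDS."""
    alerts = []
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        if dst in BRIDGE_CONSOLES:
            by_src[src].append((ts, dst))
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= LATERAL_WINDOW_SECONDS}
            if len(targets) >= LATERAL_MIN_TARGETS:
                alerts.append(("LATERAL_MOVEMENT", src, sorted(targets)))
                break   # one alert per source is enough for triage
    return alerts


def detect_beaconing(flows):
    """Flag an on-ship device making regular, repeated connections to an
    off-ship address that is not on the known-good list."""
    alerts = []
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if on_ship(src) and not on_ship(dst) and dst not in KNOWN_EXTERNAL:
            by_pair[(src, dst, port)].append(ts)
    for (src, dst, port), times in by_pair.items():
        if len(times) < BEACON_MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= BEACON_MAX_JITTER:
            alerts.append(("BEACONING", src, dst, port, round(mean)))
    return alerts


def triage(flows):
    """Run both behavioural checks over (seconds, src_ip, dst_ip, dst_port) records."""
    return detect_lateral_movement(flows) + detect_beaconing(flows)


# Constructed flow records; timestamps are seconds from the start of the capture
SAMPLE_FLOWS = [
    # One laptop touching three Bridge consoles in under two minutes
    (0, "10.10.1.77", "10.10.2.10", 3389),
    (40, "10.10.1.77", "10.10.2.11", 3389),
    (95, "10.10.1.77", "10.10.2.12", 3389),
    # Engineering workstation reaching a single console: normal
    (10, "10.10.1.5", "10.10.2.10", 3389),
    # OT gateway calling an unknown off-ship address every ~10 minutes
    (0, "10.10.3.20", "203.0.113.45", 443),
    (600, "10.10.3.20", "203.0.113.45", 443),
    (1201, "10.10.3.20", "203.0.113.45", 443),
    (1799, "10.10.3.20", "203.0.113.45", 443),
    (2400, "10.10.3.20", "203.0.113.45", 443),
    # Same gateway polling the known-good feed: excluded by the allow-list
    (0, "10.10.3.20", "203.0.113.10", 443),
    (600, "10.10.3.20", "203.0.113.10", 443),
    (1200, "10.10.3.20", "203.0.113.10", 443),
    (1800, "10.10.3.20", "203.0.113.10", 443),
    # Irregular browsing-like traffic: enough connections, but no steady period
    (0, "10.10.1.5", "198.51.100.7", 443),
    (50, "10.10.1.5", "198.51.100.7", 443),
    (900, "10.10.1.5", "198.51.100.7", 443),
    (2000, "10.10.1.5", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

Both checks match the “Immediate Action” column: the lateral-movement alert names the source workstation to isolate, and the beaconing alert names the source, destination and period to look for in the SATCOM firewall logs. The allow-list and the jitter threshold are what keep legitimate periodic traffic (the licensed feed, ordinary browsing) from raising the same alert.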

A Note on “IPS” (Prevention)

While “Intrusion Prevention” (IPS) can automatically block traffic, it is rarely used in maritime OT. A “False Positive” could result in the security system accidentally shutting down the main engine. Always stick to “Detection Only” (IDS) mode unless directed otherwise by the Fleet Manager.
