
Traffic Baselining & Anomaly Detection

Detection Objective: To establish a “Digital Fingerprint” of normal vessel operations so that any deviation—such as a malware outbreak or a broadcast storm—triggers an immediate alert.

A maritime OT network is remarkably predictable. Unlike an office network, the communication between the Bridge and the Engine Room follows a strict pattern. Traffic Baselining is the process of defining these patterns so we can spot the “noise” created by a cyber incident.

The Three Dimensions of a Maritime Baseline

To detect anomalies effectively, the ETO must monitor three specific metrics within the OT zones:

- **Volume (Mbps)**: Is the Engine Room network suddenly seeing 50x more data than usual?
- **Flows (Src/Dst)**: Is a PLC trying to talk to the Crew Wi-Fi? (Unauthorized lateral movement)
- **Frequency**: Are packets being sent at 2 AM when the system should be idle?

Technical Execution: Capturing the Flow

1. Enable Port Mirroring (SPAN)

To see what is happening *inside* the network without disturbing the PLCs, the ETO must configure a **Mirror Port** (SPAN session). The switch sends a copy of the traffic on the mirrored source port(s) to the monitoring station (Zabbix/PRTG/Wireshark). Note that the destination port becomes dedicated to monitoring and no longer carries normal switched traffic, so use a spare port.

```
! Example Cisco IOS mirror config (source: PLC port Fa0/1, destination: monitoring port Fa0/24)
monitor session 1 source interface FastEthernet0/1
monitor session 1 destination interface FastEthernet0/24
```

2. Syslog Consolidation

Individual switch logs are useless if you have to log into 20 switches to find an error. All switches must point to a central **Syslog Server**.

```
! Configure the switch to send "warnings" level logs and above to the ETO Station
logging host 10.0.1.50
logging trap warnings
```

Anomaly Logic Table

| Anomaly Type | Threshold / Logic | Likely Cause |
|---|---|---|
| Broadcast Storm | Layer 2 broadcast traffic > 5% of total bandwidth. | Switch loop or hardware failure. |
| Port Scanning | Single IP hitting > 10 ports in 1 minute. | Reconnaissance / Malware mapping. |
| New MAC Address | Unrecognized OUI (Vendor ID) detected. | Unauthorized device connected. |
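The three rules in the table, applied to flow records as a monitoring-station script would do it. This is an added example, not code from the playbook; the flow records, the vendor OUI allow-list and the byte-share approximation of "5% of bandwidth" are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flows (not a real capture):
# (time_s, src_ip, src_mac, dst_ip, dst_port, bytes, is_broadcast)
FLOWS = [
    (0, "10.0.2.10", "00:80:f4:01:02:03", "10.0.2.20", 502, 1200, False),   # PLC -> HMI, Modbus
    (5, "10.0.2.10", "00:80:f4:01:02:03", "10.0.2.20", 502, 1200, False),
    (10, "10.0.2.10", "00:80:f4:01:02:03", "10.0.2.20", 502, 1200, False),
]
# Unknown device touching 13 distinct ports within one minute
FLOWS += [(12 + i, "10.0.2.77", "aa:bb:cc:dd:ee:ff", "10.0.2.20", p, 60, False)
          for i, p in enumerate([22] + list(range(1000, 1012)))]
# Burst of broadcast frames from a known device (e.g. a looped port)
FLOWS += [(20 + i, "10.0.2.30", "00:80:f4:09:09:09", "255.255.255.255", 0, 1500, True)
          for i in range(10)]

# Assumed vendor OUI allow-list (first three octets of the MAC); placeholder value.
KNOWN_OUIS = {"00:80:f4"}


def port_scan_alerts(flows, max_ports=10, window_s=60):
    """Source IPs that hit more than max_ports distinct ports inside one window."""
    seen = defaultdict(set)  # (src_ip, window index) -> distinct destination ports
    for t, src, _mac, _dst, dport, _size, bcast in flows:
        if not bcast:
            seen[(src, t // window_s)].add(dport)
    return sorted({src for (src, _w), ports in seen.items() if len(ports) > max_ports})


def new_mac_alerts(flows, known_ouis=KNOWN_OUIS):
    """Source MACs whose OUI is not in the vessel's vendor allow-list."""
    return sorted({mac for _t, _src, mac, *_ in flows if mac[:8].lower() not in known_ouis})


def broadcast_fraction(flows):
    """Share of bytes carried in broadcast frames (proxy for the 5% bandwidth rule)."""
    total = sum(f[5] for f in flows)
    return sum(f[5] for f in flows if f[6]) / total if total else 0.0


def broadcast_storm(flows, max_fraction=0.05):
    return broadcast_fraction(flows) > max_fraction


if __name__ == "__main__":
    print("port scan:", port_scan_alerts(FLOWS))
    print("new MAC:", new_mac_alerts(FLOWS))
    print("broadcast storm:", broadcast_storm(FLOWS), f"{broadcast_fraction(FLOWS):.1%}")
```

Feed the functions real records exported from the SPAN capture (e.g. Wireshark's conversation statistics) and tune the thresholds against the 24-hour Golden Baseline before enabling alerts.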

Procedure: The “Clean Baseline” Sign-Off

Before the vessel leaves the shipyard (Newbuild) or after a major upgrade (Retrofit), the ETO should capture a 24-hour “Golden Baseline” PCAP file. This file serves as the forensic “Proof of Normal” during an IACS audit.
