Traffic Baselining & Anomaly Detection
Detection Objective: To establish a “Digital Fingerprint” of normal vessel operations so that any deviation—such as a malware outbreak or a broadcast storm—triggers an immediate alert.
A maritime OT network is remarkably predictable. Unlike an office network, the communication between the Bridge and the Engine Room follows a strict pattern. Traffic Baselining is the process of defining these patterns so we can spot the “noise” created by a cyber incident.
The Three Dimensions of a Maritime Baseline
To detect anomalies effectively, the ETO must monitor three specific metrics within the OT zones:
- Volume (Mbps): Is the Engine Room network suddenly seeing 50x more data than usual?
- Flows (Src/Dst): Is a PLC trying to talk to the Crew Wi-Fi? (Unauthorized lateral movement)
- Frequency: Are packets being sent at 2 AM when the system should be idle?
| Anomaly Type | Threshold / Logic | Likely Cause |
|---|---|---|
| Broadcast Storm | Layer 2 traffic > 5% of total bandwidth. | Switch loop or hardware failure. |
| Port Scanning | Single IP hitting > 10 ports in 1 minute. | Reconnaissance: Someone is mapping your network. |
| New MAC Address | Unrecognized OUI (Vendor ID) detected. | Unauthorized device plugged into an RJ45 port. |
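The three table rows can be turned directly into detection logic. The following Python is an added example, not code from the original page; it runs the broadcast-storm, port-scan and unknown-OUI checks over a small constructed capture (the IP addresses, MAC addresses and the OUI allow-list are placeholders, not real vendor assignments or vessel values), so the thresholds can be checked against something concrete.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed frame/flow summary (a constructed subset of capture fields)."""
    ts: float        # seconds since start of the capture window
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int
    broadcast: bool  # True for Layer 2 broadcast frames (e.g. ARP who-has)


# Constructed OUI allow-list: placeholder vendor prefixes, NOT real IEEE assignments.
KNOWN_OUIS = {"00:11:22", "00:33:44"}


def broadcast_ratio(flows):
    """Share of total bytes carried by Layer 2 broadcast frames."""
    total = sum(f.nbytes for f in flows)
    if total == 0:
        return 0.0
    return sum(f.nbytes for f in flows if f.broadcast) / total


def is_broadcast_storm(flows, threshold=0.05):
    """Table row 1: broadcast traffic above 5% of total bandwidth."""
    return broadcast_ratio(flows) > threshold


def port_scanners(flows, max_ports=10, window=60.0):
    """Table row 2: any source IP touching more than max_ports distinct
    destination ports inside a sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src_ip].append(f)
    found = set()
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        for i, first in enumerate(fl):
            ports = {g.dst_port for g in fl[i:] if g.ts - first.ts <= window}
            if len(ports) > max_ports:
                found.add(src)
                break
    return found


def oui(mac):
    """Vendor prefix: the first three octets of the MAC address."""
    return mac.upper()[:8]


def unknown_macs(flows, known_ouis=KNOWN_OUIS):
    """Table row 3: source MACs whose vendor prefix is not on the allow-list."""
    return {f.src_mac for f in flows if oui(f.src_mac) not in known_ouis}


# --- Constructed sample capture: 600 s on an engine-room VLAN ---
NORMAL = [Flow(t, "00:11:22:AA:00:01", "10.10.1.5", "10.10.1.20", 502, 1500, False)
          for t in range(0, 600, 30)]                   # 20 Modbus/TCP polls, PLC -> HMI
NORMAL += [Flow(t, "00:33:44:BB:00:02", "10.10.1.20", "255.255.255.255", 0, 60, True)
           for t in range(0, 600, 120)]                 # 5 ARP broadcasts: normal background
# A host with an unrecognised MAC touches 12 ports in 11 seconds
SCAN = [Flow(100 + i, "DE:AD:BE:EF:00:01", "10.10.1.99", "10.10.1.5", 21 + i, 60, False)
        for i in range(12)]
# The same segment during a switch loop: 500 extra broadcast frames in 50 s
STORM = NORMAL + [Flow(t / 10, "00:33:44:BB:00:02", "10.10.1.20", "255.255.255.255", 0, 60, True)
                  for t in range(500)]

if __name__ == "__main__":
    capture = NORMAL + SCAN
    print("broadcast storm:", is_broadcast_storm(capture))   # False (about 1% broadcast)
    print("port scanners:", port_scanners(capture))           # {'10.10.1.99'}
    print("unknown MACs:", unknown_macs(capture))             # {'DE:AD:BE:EF:00:01'}
    print("storm during loop:", is_broadcast_storm(STORM))    # True (about 50% broadcast)
```

The broadcast check is a ratio of bytes rather than frames, which matches the table's "of total bandwidth" wording; the port-scan window slides over each source's own packets so a slow scan spread across minutes is not flagged, which is the trade-off the 1-minute threshold in the table implies.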
Procedure: The “Clean Baseline” Sign-Off
Before the vessel leaves the shipyard (Newbuild) or after a major upgrade (Retrofit), the ETO should capture a 24-hour “Golden Baseline” PCAP file. This file serves as the forensic “Proof of Normal” during an IACS audit.
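Once the Golden Baseline PCAP exists, it is only useful if later captures are compared against it along the three dimensions above. The following Python is an added example, not the page's or any vendor's code; it assumes the PCAP has already been reduced to hour-bucketed conversation records (for instance with tshark's conversation statistics) and uses constructed addresses and byte counts. It builds the baseline from a golden day and reports a new PLC-to-crew-Wi-Fi flow, traffic at 02:00 when the segment was silent, and a 60x volume spike.

```python
from collections import Counter, namedtuple

# Hour-bucketed conversation summary (constructed minimal subset of PCAP statistics).
Flow = namedtuple("Flow", "hour src dst port nbytes")


def build_baseline(golden_flows):
    """Reduce the 24-hour Golden Baseline to what the comparison needs:
    the allowed (src, dst, port) conversations and bytes per hour of day."""
    hourly = Counter()
    for f in golden_flows:
        hourly[f.hour] += f.nbytes
    return {
        "allowed": {(f.src, f.dst, f.port) for f in golden_flows},
        "hourly_bytes": dict(hourly),
    }


def compare_to_baseline(baseline, current_flows, volume_multiplier=50):
    """Return alerts for the three deviations described in the text:
    NEW_FLOW     - conversation never seen in the golden capture (Flows)
    OFF_HOURS    - bytes in an hour that was silent in the golden capture (Frequency)
    VOLUME_SPIKE - hourly volume above volume_multiplier x baseline (Volume)"""
    alerts = []
    seen = {(f.src, f.dst, f.port) for f in current_flows}
    for conv in sorted(seen - baseline["allowed"]):
        alerts.append(("NEW_FLOW", conv))
    hourly = Counter()
    for f in current_flows:
        hourly[f.hour] += f.nbytes
    for hour, nbytes in sorted(hourly.items()):
        base = baseline["hourly_bytes"].get(hour, 0)
        if base == 0:
            alerts.append(("OFF_HOURS", hour, nbytes))
        elif nbytes > volume_multiplier * base:
            alerts.append(("VOLUME_SPIKE", hour, round(nbytes / base, 1)))
    return alerts


# Constructed addresses (placeholders, not a real vessel's addressing plan)
PLC, HMI, CREW_WIFI = "10.10.1.5", "10.10.1.20", "10.20.0.15"

# Constructed golden day: PLC -> HMI Modbus/TCP, 100 KB every hour from 06:00 to 21:00
GOLDEN = [Flow(h, PLC, HMI, 502, 100_000) for h in range(6, 22)]

# Constructed incident day: a 60x spike at 10:00, and the PLC reaching a
# crew Wi-Fi host over SMB at 02:00 when the segment should be idle
CURRENT = [Flow(h, PLC, HMI, 502, 6_000_000 if h == 10 else 100_000) for h in range(6, 22)]
CURRENT.append(Flow(2, PLC, CREW_WIFI, 445, 1_000))

if __name__ == "__main__":
    for alert in compare_to_baseline(build_baseline(GOLDEN), CURRENT):
        print(alert)
```

Hour-of-day buckets are deliberately coarse: they make the "2 AM when the system should be idle" test a plain lookup, and a golden day replayed against itself produces no alerts, which is the sanity check to run before signing the baseline off.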
