Traffic Baselining & Anomaly Detection
Detection Objective: To establish a “Digital Fingerprint” of normal vessel operations so that any deviation—such as a malware outbreak or a broadcast storm—triggers an immediate alert.
A maritime OT network is remarkably predictable. Unlike an office network, the communication between the Bridge and the Engine Room follows a strict pattern. Traffic Baselining is the process of defining these patterns so we can spot the “noise” created by a cyber incident.
The Three Dimensions of a Maritime Baseline
To detect anomalies effectively, the ETO must monitor three specific metrics within the OT zones:
Volume (Mbps): Is the Engine Room network suddenly seeing 50x more data than usual?
Flows (Src/Dst): Is a PLC trying to talk to the Crew Wi-Fi? (Unauthorized lateral movement)
Frequency: Are packets being sent at 2 AM when the system should be idle?
Procedure: The “Clean Baseline” Sign-Off
Before the vessel leaves the shipyard (Newbuild) or after a major upgrade (Retrofit), the ETO should capture a 24-hour “Golden Baseline” PCAP file. This file serves as the forensic “Proof of Normal” during an IACS audit.
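As an added example (not part of the original page), the following Python script learns a baseline from a constructed "golden" flow list and then checks an observed day against it on the three dimensions above: volume, flows between zones, and activity in hours the baseline showed idle. Host names, the zone map, the flow records and the 10x volume threshold are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

# Hypothetical host-to-zone map for the constructed records below (not a real vessel).
ZONES = {"plc-er-01": "engine_room", "hmi-bridge-01": "bridge", "crew-ap-01": "crew_wifi"}
VOLUME_FACTOR = 10  # assumed threshold: alert when an hour carries >10x the golden peak
# Constructed flow records, one per line: "ISO-timestamp src dst bytes". GOLDEN is the 24h baseline.
GOLDEN = """
2024-01-01T08:00:00 plc-er-01 hmi-bridge-01 12000
2024-01-01T09:00:00 hmi-bridge-01 plc-er-01 8000
2024-01-01T10:00:00 plc-er-01 hmi-bridge-01 11000
"""
OBSERVED = """
2024-01-02T08:00:00 plc-er-01 hmi-bridge-01 12100
2024-01-02T09:00:00 hmi-bridge-01 plc-er-01 7900
2024-01-02T10:00:00 plc-er-01 hmi-bridge-01 600000
2024-01-02T02:00:00 plc-er-01 crew-ap-01 3000
"""

def parse(rows):
    """Turn record lines into (hour_of_day, src_zone, dst_zone, bytes) tuples."""
    return [(datetime.fromisoformat(t).hour, ZONES[s], ZONES[d], int(n))
            for t, s, d, n in (line.split() for line in rows.strip().splitlines())]

def build_baseline(flows):
    """Learn the 'proof of normal': allowed zone pairs, peak hourly bytes, active hours."""
    hourly, pairs = Counter(), set()
    for hour, src, dst, size in flows:
        hourly[hour] += size
        pairs.add((src, dst))
    return {"pairs": pairs, "peak": max(hourly.values()), "active_hours": set(hourly)}

def detect(baseline, flows):
    """Compare observed flows with the baseline on volume, flows and frequency."""
    alerts, hourly = set(), Counter()
    for hour, src, dst, size in flows:
        hourly[hour] += size
        if (src, dst) not in baseline["pairs"]:
            alerts.add(f"FLOW: {src} -> {dst} never seen in baseline")
        if hour not in baseline["active_hours"]:
            alerts.add(f"FREQUENCY: traffic at {hour:02d}:00 while baseline was idle")
    for hour, size in hourly.items():
        if size > VOLUME_FACTOR * baseline["peak"]:
            alerts.add(f"VOLUME: {size} bytes at {hour:02d}:00 exceeds {VOLUME_FACTOR}x peak")
    return sorted(alerts)

def run_example():
    """Check the constructed observed day against the constructed golden baseline."""
    return detect(build_baseline(parse(GOLDEN)), parse(OBSERVED))
```

In practice the GOLDEN records would be flow summaries exported from the 24-hour baseline PCAP, and OBSERVED from the day under review.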
