Part of the DETECT Playbook
Phase: Detect | Applies to: All vessels
Satisfies: E26, E27, IEC 62443, IMO MSC-FAL.1, BIMCO v5

Traffic Baselining & Anomaly Detection

This guide captures the normal communication patterns of the OT network and configures alert thresholds, enabling detection of unusual traffic that may indicate a breach or misconfiguration.

A maritime OT network is remarkably predictable. Unlike an office network, the communication between the Bridge and the Engine Room follows a strict pattern. Traffic Baselining is the process of defining these patterns so we can spot the “noise” created by a cyber incident.

The Three Dimensions of a Maritime Baseline

To detect anomalies effectively, the ETO must monitor three specific metrics within the OT zones:

- **Volume (Mbps):** Is the Engine Room network suddenly seeing 50x more data than usual?
- **Flows (Src/Dst):** Is a PLC trying to talk to the Crew Wi-Fi? (Unauthorized lateral movement)
- **Frequency:** Are packets being sent at 2 AM when the system should be idle?
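The three dimensions above can be learned from a captured history and then checked against a new observation window. The following is an added example, not code from the playbook: it learns a baseline from a constructed 24-hour set of hourly flow records (host labels such as `bridge-ecdis`, `er-plc-1` and `crew-wifi-ap` are hypothetical) and flags the three anomaly types the text names, using the 50x volume rule and "idle hour" logic as stated.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowRecord:
    """One hour of traffic between two hosts (hypothetical host labels)."""
    hour: int        # hour of day, 0-23
    src: str
    dst: str
    mbytes: float    # megabytes moved in that hour


# Constructed 24-hour "golden" history. Assumed pattern: the bridge ECDIS polls
# the engine-room PLC from 06:00 to 21:59, the engine-room HMI only on day shift.
GOLDEN_DAY = (
    [FlowRecord(h, "bridge-ecdis", "er-plc-1", 1.2) for h in range(6, 22)]
    + [FlowRecord(h, "er-hmi", "er-plc-1", 0.4) for h in range(8, 18)]
)

# Constructed observation window with one event that violates all three
# dimensions: a PLC pushing 90 MB to the crew Wi-Fi at 02:00.
SUSPECT_WINDOW = [
    FlowRecord(10, "bridge-ecdis", "er-plc-1", 1.3),
    FlowRecord(10, "er-hmi", "er-plc-1", 0.5),
    FlowRecord(2, "er-plc-1", "crew-wifi-ap", 90.0),
]


@dataclass
class Baseline:
    allowed_flows: set = field(default_factory=set)   # (src, dst) pairs seen
    mean_mbytes_per_hour: float = 0.0                 # mean over hours with traffic
    active_hours: set = field(default_factory=set)    # hours with any traffic


def learn_baseline(records):
    """Derive the flow, volume and frequency dimensions from the golden history."""
    per_hour = defaultdict(float)
    for r in records:
        per_hour[r.hour] += r.mbytes
    mean = sum(per_hour.values()) / len(per_hour) if per_hour else 0.0
    return Baseline(
        allowed_flows={(r.src, r.dst) for r in records},
        mean_mbytes_per_hour=mean,
        active_hours=set(per_hour),
    )


def check_window(baseline, records, volume_multiplier=50.0):
    """Return (dimension, detail) alerts for one observation window.

    flow:      a src/dst pair never seen in the baseline
    frequency: traffic in an hour that was idle in the baseline
    volume:    an hour carrying more than volume_multiplier x the baseline mean
    """
    alerts = []
    per_hour = defaultdict(float)
    for r in records:
        per_hour[r.hour] += r.mbytes
        if (r.src, r.dst) not in baseline.allowed_flows:
            alerts.append(("flow", f"{r.src} -> {r.dst} not in baseline"))
        if r.hour not in baseline.active_hours:
            alerts.append(("frequency", f"traffic at {r.hour:02d}:00, baseline idle"))
    for hour, mb in sorted(per_hour.items()):
        mean = baseline.mean_mbytes_per_hour
        ratio = mb / mean if mean else float("inf")
        if ratio > volume_multiplier:
            alerts.append(("volume", f"{mb:.1f} MB at {hour:02d}:00 is {ratio:.0f}x baseline"))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(GOLDEN_DAY)
    for dim, detail in check_window(base, SUSPECT_WINDOW):
        print(f"[{dim.upper()}] {detail}")
```

The mean is taken over hours that carried traffic in the golden day, so an idle night does not drag the volume threshold down; in practice the 24-hour golden PCAP from the sign-off procedure later on this page is the input to `learn_baseline`.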

Technical Execution: Capturing the Flow

1. Enable Port Mirroring (SPAN)

To see what is happening *inside* the network without disturbing the PLCs, the ETO must configure a **Mirror Port**. This sends a copy of all OT traffic to your monitoring station (Zabbix/PRTG/Wireshark).

```
! Example Cisco IOS mirror (SPAN) config: source = PLC port Fa0/1, destination = monitoring port Fa0/24
monitor session 1 source interface FastEthernet0/1
monitor session 1 destination interface FastEthernet0/24
```

2. Syslog Consolidation

Individual switch logs are useless if you have to log into 20 switches to find an error. All switches must point to a central **Syslog Server**.

```
! Send syslog messages of severity "warnings" (4) and above to the ETO station's syslog server
logging host 10.0.1.50
logging trap warnings
```

Anomaly Logic Table

| Anomaly Type | Threshold / Logic | Likely Cause |
|---|---|---|
| Broadcast Storm | Layer 2 broadcast traffic > 5% of total bandwidth. | Switch loop or hardware failure. |
| Port Scanning | Single IP hitting > 10 ports in 1 minute. | Reconnaissance / malware mapping. |
| New MAC Address | Unrecognized OUI (vendor ID) detected. | Unauthorized device connected. |
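The three table rules, implemented over per-packet summaries as an added example (not playbook code): the packet list, IP addresses and MAC addresses are constructed, and `APPROVED_OUIS` holds placeholder locally administered prefixes standing in for the vessel's real vendor list. The port-scan rule uses a sliding 60-second window per source IP, so the count is not reset on fixed minute boundaries.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Per-packet summary as a capture or flow-export tool might emit it."""
    ts: float         # seconds since start of the capture window
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    length: int       # bytes on the wire
    broadcast: bool   # True when the L2 destination is ff:ff:ff:ff:ff:ff


# Placeholder OUIs (first three octets) standing in for the vessel's approved
# vendor list; these are locally administered prefixes, not real vendor IDs.
APPROVED_OUIS = {"02:aa:bb", "02:aa:cc"}


def build_samples():
    """Constructed traffic: a clean Modbus poll stream, and the same stream
    plus a 12-port probe from an unlisted device and a burst of broadcasts."""
    normal = [
        Packet(t, "02:aa:bb:00:00:01", "10.0.1.10", "10.0.1.20", 502, 100, False)
        for t in range(100)
    ]
    probe = [
        Packet(30 + i, "02:cc:dd:00:00:09", "10.0.1.77", "10.0.1.20", 1 + i, 60, False)
        for i in range(12)
    ]
    storm = [
        Packet(50 + i * 0.01, "02:aa:cc:00:00:02", "10.0.1.30", "10.0.1.255", 0, 1500, True)
        for i in range(8)
    ]
    return normal, normal + probe + storm


def broadcast_ratio(packets):
    """Fraction of bytes on the wire that were L2 broadcast."""
    total = sum(p.length for p in packets)
    return (sum(p.length for p in packets if p.broadcast) / total) if total else 0.0


def port_scanners(packets, max_ports=10, window=60.0):
    """Source IPs touching more than max_ports distinct destination ports
    within any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src_ip].append(p)
    flagged = set()
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        ports = defaultdict(int)   # port -> packets to it inside the window
        start = 0
        for p in pkts:
            ports[p.dst_port] += 1
            while p.ts - pkts[start].ts > window:   # slide the window forward
                old = pkts[start].dst_port
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                start += 1
            if len(ports) > max_ports:
                flagged.add(src)
                break
    return flagged


def unknown_macs(packets, approved=APPROVED_OUIS):
    """Source MACs whose OUI is not on the approved list."""
    return {p.src_mac for p in packets if p.src_mac.lower()[:8] not in approved}


def run_rules(packets, storm_limit=0.05):
    """Apply the three table rules and return only the findings."""
    findings = {}
    ratio = broadcast_ratio(packets)
    if ratio > storm_limit:
        findings["broadcast_storm"] = round(ratio, 3)
    scanners = port_scanners(packets)
    if scanners:
        findings["port_scanning"] = sorted(scanners)
    macs = unknown_macs(packets)
    if macs:
        findings["new_mac"] = sorted(macs)
    return findings


if __name__ == "__main__":
    clean, suspect = build_samples()
    print("clean  :", run_rules(clean))
    print("suspect:", run_rules(suspect))
```

The "new MAC" rule here is OUI-based as the table states; a stricter variant is to whitelist full MAC addresses from the golden baseline, which also catches an unlisted device that happens to share an approved vendor prefix.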

Procedure: The “Clean Baseline” Sign-Off

Before the vessel leaves the shipyard (Newbuild) or after a major upgrade (Retrofit), the ETO should capture a 24-hour “Golden Baseline” PCAP file. This file serves as the forensic “Proof of Normal” during an IACS audit.
