Part of the DETECT Playbook

Rogue Device Alerting

Detection Objective: To identify and alert on the presence of any hardware connected to the OT network that is not part of the authorized “Golden Asset Inventory.”

In a controlled maritime environment, new devices should never appear on the network without a prior change request. A “Rogue” device is any laptop, router, or wireless access point that appears unexpectedly. These are often the primary entry points for ransomware.

Detection Methods

The ETO can detect rogue devices using two primary technical methods:

1. MAC Address Whitelisting

The switch or IDS monitors the Media Access Control (MAC) address of every connected device. If a MAC address appears that is not on the whitelist, an alarm is sent to the Syslog server.

2. DHCP Lease Monitoring

If a device requests an IP address from the OT DHCP server, the server logs the request. Monitoring these logs helps identify unknown hostnames (e.g., “Contractor-Laptop-01”).
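Both methods reduce to the same check: compare what the switch or DHCP server reports against the Golden Asset Inventory. The script below is an added example, not part of the playbook or any vendor tool; the inventory, the switch MAC-table layout (modelled on a typical "show mac address-table" output) and the dnsmasq-style DHCP log lines are all constructed assumptions. It goes slightly beyond the text by also flagging a known MAC that turns up on a port other than the one recorded for it, which is useful for the LOCATE step.

```python
import re

# Constructed golden asset inventory (format assumed): MAC -> (asset name, expected switch port)
GOLDEN_INVENTORY = {
    "00:1b:1b:aa:10:01": ("PLC-ECR-01", "Gi1/0/1"),
    "00:1b:1b:aa:10:02": ("HMI-Bridge-01", "Gi1/0/2"),
}

# Constructed switch MAC address table (layout assumed, modelled on "show mac address-table")
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
 10     001b.1baa.1001    DYNAMIC     Gi1/0/1
 10     001b.1baa.1002    DYNAMIC     Gi1/0/5
 10     3c22.fb7e.9a44    DYNAMIC     Gi1/0/7
"""

# Constructed DHCP server log lines (dnsmasq-style DHCPACK format assumed)
DHCP_LOG = """\
Mar 12 09:14:02 ot-dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.10.21 00:1b:1b:aa:10:02 HMI-Bridge-01
Mar 12 09:16:45 ot-dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.10.77 3c:22:fb:7e:9a:44 Contractor-Laptop-01
"""

def normalise_mac(raw):
    # Accept 001b.1baa.1001 (switch style) or 00:1b:1b:aa:10:01 and return the lowercase colon form
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_table_alerts(table, inventory):
    # Method 1: MAC whitelist check; also flags a known MAC seen on a port other than its expected one
    alerts = []
    for m in re.finditer(r"^\s*\d+\s+([0-9a-fA-F.]+)\s+\S+\s+(\S+)", table, re.M):
        mac, port = normalise_mac(m.group(1)), m.group(2)
        if mac not in inventory:
            alerts.append(("ROGUE_MAC", mac, port))
        elif inventory[mac][1] != port:
            alerts.append(("PORT_MISMATCH", mac, port))
    return alerts

def dhcp_alerts(log, inventory):
    # Method 2: DHCP lease monitoring; flags a DHCPACK whose MAC or hostname is not in the inventory
    alerts = []
    for m in re.finditer(r"DHCPACK\S*\s+(\S+)\s+([0-9a-f:]{17})\s+(\S+)", log, re.I):
        ip, mac, hostname = m.group(1), normalise_mac(m.group(2)), m.group(3)
        if mac not in inventory or inventory[mac][0] != hostname:
            alerts.append(("ROGUE_LEASE", mac, ip, hostname))
    return alerts
```

Each alert tuple carries the port or IP the device was seen on, so the LOCATE step of the response procedure can start from the alert itself rather than from a fresh switch lookup.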

Common “Rogue” Scenarios in Maritime

Not all rogue devices are malicious, but all represent a violation of UR E26. The ETO should investigate the following immediately:

  • Vendor Maintenance: A service engineer plugs their laptop directly into the PLC switch to perform a software update without informing the ETO.
  • Unauthorized Access Points: A crew member installs a “travel router” into a Bridge port to extend the Wi-Fi signal, creating an unmonitored back-door.
  • Malicious Hardware: A “Rubber Ducky” or a small drop-box device, hidden behind a console, designed to sniff traffic.

The Response Procedure

When a Rogue Device alert is received, follow this 3-step response:

Action       Task
1. LOCATE    Check the switch MAC address table to see which physical port the device is plugged into.
2. ISOLATE   Log into the switch and administratively shut down (disable) that specific port immediately.
3. INSPECT   Physically go to the port location to identify the hardware and the person responsible.

Proactive Defense: Port Security

The best way to “detect” a rogue device is to prevent it from connecting in the first place. Refer back to the Protect Phase: Pillar C to ensure all unused switch ports are disabled in software.

Next Security Phase

Detect Phase: Summary & Audit Readiness Page