Part of the DETECT Playbook

Rogue Device Alerting

Detection Objective: To identify and alert on the presence of any hardware connected to the OT network that is not part of the authorized “Golden Asset Inventory.”

In a controlled maritime environment, new devices should never appear on the network without a prior change request. A “Rogue” device is any laptop, router, or wireless access point that appears unexpectedly. These are often the primary entry points for ransomware.

Detection Methods

The ETO can detect rogue devices using two primary technical methods:

1. MAC Address Whitelisting

The switch or IDS monitors the Media Access Control (MAC) address of every connected device. If a MAC appears that is not on the inventory, an alarm is triggered. Because a MAC address is trivially changed in software, treat a whitelist match as a first-line check rather than proof of identity, and correlate it with the DHCP logs and the switch port records below.

2. DHCP Lease Monitoring

If a device requests an IP from the OT DHCP server, the server logs the request. Monitoring these logs helps identify unknown hostnames (e.g., “Contractor-Laptop-01”).

Common “Rogue” Scenarios in Maritime

Not all rogue devices are malicious, but all represent a violation of UR E26. The ETO should investigate the following immediately:

  • Vendor Maintenance: A service engineer plugs a laptop directly into the PLC switch for an update without informing the ETO.
  • Unauthorized Access Points: A crew member installs a “travel router” to extend Wi-Fi, creating an unmonitored back-door.
  • Malicious Hardware: A “Rubber Ducky” or drop-box device hidden behind a console and designed to sniff traffic.

The Response Procedure

When a Rogue Device alert is received, follow this 3-step response:

Action       Technical Task
1. LOCATE    Check the switch MAC address table to identify the physical port the device is plugged into.
2. ISOLATE   Log into the switch and administratively shut down (disable) that specific port immediately.
3. INSPECT   Physically go to the port location to identify the hardware and secure the device.
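The following script is an added example, not part of this playbook or any vendor tool. It ties the two detection methods above (MAC whitelisting and DHCP lease monitoring) to the LOCATE and ISOLATE steps: it parses a switch MAC address table and a DHCP server log, compares every MAC against the Golden Asset Inventory, and for each rogue reports the physical port plus the port-shutdown commands for the ETO to review. All inputs are constructed samples: the inventory entries are invented, the MAC table follows the Cisco IOS `show mac address-table` layout, and the log lines follow the ISC dhcpd `DHCPACK` syslog format; adjust the two regular expressions for other vendors.

```python
"""Rogue-device check against a Golden Asset Inventory (added example, not playbook code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the authorized MAC/IP pairs from the Master Asset Register.
GOLDEN_INVENTORY = {
    "00:1b:1b:2a:3c:4d": {"ip": "10.10.1.10", "name": "PLC-Engine-01"},
    "00:1b:1b:2a:3c:4e": {"ip": "10.10.1.11", "name": "HMI-Bridge-01"},
    "00:50:56:aa:bb:cc": {"ip": "10.10.1.20", "name": "Historian-01"},
}

# Constructed sample in the style of Cisco IOS `show mac address-table` (assumed format).
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001b.1b2a.3c4d    DYNAMIC     Gi1/0/1
  10    001b.1b2a.3c4e    DYNAMIC     Gi1/0/2
  10    0050.56aa.bbcc    DYNAMIC     Gi1/0/3
  10    3c22.fb11.2233    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 4
"""

# Constructed sample of ISC dhcpd-style syslog lines (assumed format).
DHCP_LOG_LINES = """\
Jun  3 08:12:01 otdhcp dhcpd[842]: DHCPACK on 10.10.1.10 to 00:1b:1b:2a:3c:4d (PLC-Engine-01) via eth1
Jun  3 08:14:22 otdhcp dhcpd[842]: DHCPACK on 10.10.1.77 to 3c:22:fb:11:22:33 (Contractor-Laptop-01) via eth1
Jun  3 08:15:09 otdhcp dhcpd[842]: DHCPACK on 10.10.1.20 to 00:50:56:aa:bb:cc (Historian-01) via eth1
"""

MAC_TABLE_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f.]{14})\s+(\w+)\s+(\S+)\s*$", re.I)
DHCP_ACK = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((.*?)\))?", re.I)


def normalize_mac(raw: str) -> str:
    """Return a MAC as lower-case colon-separated octets whatever the input style
    (Cisco dotted, Windows dashed, or colon form), so comparisons never miss on format."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict:
    """Map each learned MAC to the physical switch port it was seen on (the LOCATE step)."""
    seen = {}
    for line in text.splitlines():
        m = MAC_TABLE_ROW.match(line)
        if m:
            seen[normalize_mac(m.group(2))] = m.group(4)
    return seen


def parse_dhcp_acks(text: str) -> dict:
    """Map each MAC granted a lease to (ip, hostname); hostname is '' when absent."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_ACK.search(line)
        if m:
            leases[normalize_mac(m.group(2))] = (m.group(1), m.group(3) or "")
    return leases


@dataclass
class RogueAlert:
    mac: str
    port: Optional[str]        # from the switch table; None if only seen in DHCP logs
    ip: Optional[str]          # from the DHCP lease; None if only seen on the switch
    hostname: str
    reasons: list = field(default_factory=list)


def find_rogues(inventory: dict, mac_table: dict, leases: dict) -> list:
    """Raise one alert per MAC that deviates from the Golden Asset Inventory."""
    alerts = {}
    for mac, port in mac_table.items():
        if mac not in inventory:
            a = alerts.setdefault(mac, RogueAlert(mac, port, None, ""))
            a.reasons.append("MAC not in Golden Asset Inventory (switch MAC table)")
    for mac, (ip, host) in leases.items():
        if mac not in inventory:
            a = alerts.setdefault(mac, RogueAlert(mac, mac_table.get(mac), None, ""))
            a.ip, a.hostname = ip, host
            a.reasons.append("unknown MAC was granted a DHCP lease")
        elif inventory[mac]["ip"] != ip:
            # An authorized MAC on the wrong address is also a baseline deviation worth a look.
            a = alerts.setdefault(mac, RogueAlert(mac, mac_table.get(mac), ip, host))
            a.reasons.append(f"authorized MAC leased {ip}, register says {inventory[mac]['ip']}")
    return sorted(alerts.values(), key=lambda a: a.mac)


def isolation_commands(alert: RogueAlert) -> list:
    """ISOLATE step as IOS-style commands for the ETO to review and apply by hand (assumed syntax)."""
    if alert.port is None:
        return []
    return [f"interface {alert.port}", " shutdown",
            f" description ROGUE-{alert.mac}-pending-inspection"]


if __name__ == "__main__":
    rogues = find_rogues(GOLDEN_INVENTORY, parse_mac_table(MAC_TABLE_OUTPUT),
                         parse_dhcp_acks(DHCP_LOG_LINES))
    for alert in rogues:
        print(f"ROGUE {alert.mac} port={alert.port} ip={alert.ip} host={alert.hostname!r}")
        for reason in alert.reasons:
            print(f"  - {reason}")
        for cmd in isolation_commands(alert):
            print(f"  > {cmd}")
```

Run against the constructed samples, the script flags a single device (the "Contractor-Laptop-01" MAC), reports that it sits on port Gi1/0/7, and lists the shutdown commands; the authorized PLC and Historian leases pass because both MAC and IP match the register. Feed it real `show mac address-table` output and the DHCP server log on a schedule, and every new line it prints is a candidate for the three-step response above.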

Proactive Defense: Port Security

The best way to “detect” a rogue device is to prevent it from connecting in the first place. You can virtually eliminate the risk of unauthorized hardware by following the hardening steps in the Protect Phase.

→ Practical Guide: Network Port Security & RJ45 Hardening

Why read the Inventory Guide? You cannot identify a “Rogue” device unless you have a verified “Golden Baseline.” The Master Asset Register provides the authorized MAC/IP pairs used to program your Whitelist alerts.

→ Establish the Master Asset Register
