OT Traffic Baselining Procedures
Objective: Capture the “Normal” state of communication to create a blueprint for Firewall Rules (Conduits). This satisfies the IACS UR E26 requirement for verifying network traffic flows.
1. The 72-Hour Observation Window
A baseline must cover multiple operational states. For a maritime audit, we recommend a 72-hour capture to include:
- Dynamic Positioning / Maneuvering: High-frequency thruster control traffic.
- Steady State (Cruise): Consistent navigation and engine telemetry.
- Cargo Operations: Pump control and automated valve sequences.
2. Implementation: Passive Capture
Mirror all traffic from the core OT switch to a dedicated monitoring port (a SPAN session, or a network TAP where the switch cannot guarantee lossless mirroring). Ensure no packets are dropped during high-load maneuvers: check the switch's mirror-session drop counters after each operational state, because a mirror port that silently discards frames under load yields an incomplete baseline and therefore conduit rules that block legitimate traffic.
Use tools like Wireshark or dedicated IDS sensors to identify talkers, listeners, and the protocols and ports they use.
3. Critical Findings Table
| Observed Behavior | Risk Mitigation |
|---|---|
| Unknown MAC Addresses | Trace physical cable; update Inventory. |
| External Phone-Home | Block DNS/NTP requests to public servers. |
| Broadcast Storms | Reconfigure VLANs to reduce network noise. |
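As an added worked example, not part of this procedure, the checks from sections 2 and 3 applied to a constructed set of flow records: it derives the allow-list baseline per operational state, renders it as conduit rules, and flags the three findings from the table. The OT zone range, the asset inventory, the flow records and the udp/2368 telemetry port are all assumed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records, not a capture from a real vessel. Each record is
# (operational_state, src_mac, src_ip, dst_ip, proto, dst_port); in practice these come
# from a Wireshark "Conversations" export or IDS flow logs covering the 72-hour window.
FLOWS = [
    ("dp",     "00:50:c2:aa:00:01", "10.10.1.11", "10.10.1.20",      "tcp", 502),    # thruster PLC -> DP controller
    ("dp",     "00:50:c2:aa:00:01", "10.10.1.11", "10.10.1.20",      "tcp", 502),
    ("cruise", "00:50:c2:aa:00:02", "10.10.1.31", "10.10.1.40",      "udp", 2368),   # telemetry -> alarm server (assumed port)
    ("cargo",  "00:50:c2:aa:00:03", "10.10.1.51", "10.10.1.60",      "tcp", 44818),  # pump HMI -> valve controller
    ("cruise", "00:50:c2:aa:00:02", "10.10.1.31", "203.0.113.10",    "udp", 53),     # DNS to a host outside the zone
    ("cruise", "00:50:c2:aa:00:02", "10.10.1.31", "203.0.113.20",    "udp", 123),    # NTP to a host outside the zone
    ("cargo",  "00:50:c2:aa:00:99", "10.10.1.77", "10.10.1.60",      "tcp", 44818),  # MAC absent from the inventory
    ("cargo",  "00:50:c2:aa:00:03", "10.10.1.51", "255.255.255.255", "udp", 67),     # broadcast frame
]
OT_ZONE = ip_network("10.10.1.0/24")  # assumed address range of the vessel's OT zone
INVENTORY = {"00:50:c2:aa:00:01": "Thruster PLC", "00:50:c2:aa:00:02": "Engine telemetry GW",
             "00:50:c2:aa:00:03": "Cargo pump HMI"}  # assumed asset inventory (MAC -> asset)
BROADCAST = "255.255.255.255"
REQUIRED_STATES = {"dp", "cruise", "cargo"}  # the three states the 72-hour window must cover

def baseline(flows):
    """Map each in-zone conversation (src, dst, proto, port) to the operational states it was seen in."""
    seen = defaultdict(set)
    for state, _mac, src, dst, proto, port in flows:
        if ip_address(dst) in OT_ZONE:
            seen[(src, dst, proto, port)].add(state)
    return {conv: sorted(states) for conv, states in seen.items()}

def conduit_rules(flows):
    """Render the baseline as allow-list rules; a conversation seen in only one state is still legitimate."""
    return [f"allow {p}/{port} from {s} to {d}  # seen during: {', '.join(st)}"
            for (s, d, p, port), st in sorted(baseline(flows).items())]

def unknown_macs(flows, inventory=INVENTORY):
    """Finding: talkers whose MAC is not in the asset inventory (trace the cable, update the inventory)."""
    return sorted({(f[1], f[2]) for f in flows if f[1] not in inventory})

def phone_home(flows):
    """Finding: DNS/NTP (udp/53, udp/123) leaving the OT zone, candidates for blocking at the conduit."""
    return sorted({(src, dst, port) for _, _, src, dst, proto, port in flows
                   if ip_address(dst) not in OT_ZONE and (proto, port) in {("udp", 53), ("udp", 123)}})

def broadcast_share(flows):
    """Fraction of frames sent to the limited broadcast address; a sudden rise across states signals a storm."""
    return sum(1 for f in flows if f[3] == BROADCAST) / len(flows)

def missing_states(flows):
    """Operational states the capture has not yet covered; non-empty means the window is incomplete."""
    return sorted(REQUIRED_STATES - {f[0] for f in flows})
```

Feed the real export in the same record shape and the baseline dictionary becomes the conduit blueprint, while the three finding functions produce the entries for the table above.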