Part of the IDENTIFY Playbook

OT Traffic Baselining Procedures

Objective: Capture the “Normal” state of communication to create a blueprint for Firewall Rules (Conduits). This satisfies the IACS UR E26 requirement for verifying network traffic flows and justifying the “Cyber Security Design Description.”

1. The 72-Hour Observation Window

A baseline must cover multiple operational states. For a maritime audit, we recommend a 72-hour capture to include:

  • Maneuvering: High-frequency thruster control and DP traffic.
  • Steady State: Consistent navigation (GPS/AIS) and engine telemetry.
  • Cargo Ops: Pump control and automated valve sequences.

2. Design Verification (E26 4.2.1.4.1)

Per IACS UR E26, the Systems Integrator must prove that physical data flows match the approved Cyber Security Design Description.

Internal Zone Flows
  • Validate Intra-Zone Protocols
  • Verify Physical Port Mapping
  • Confirm “Least Functionality”
Conduit Flows (Cross-Zone)
  • Verify Zone Boundary Device
  • Match against Firewall ACLs
  • Document Purpose of Data Link
Untrusted Links (Satcom)
  • Identify Outbound Serial/IP
  • Verify Physical Segmentation
  • Block Unauthorized Telemetry

3. Implementation: Passive Capture

To maintain vessel safety, baselining must be passive. Use the following methods to ingest traffic without introducing latency or risk.

A. SPAN / Mirroring

Configure the Managed Switch to duplicate traffic from “Member Ports” (PLCs/Sensors) to a “Destination Port” (Laptop/IDS).

  • Best for: Core switches with high CPU overhead.
  • Risk: Switch may drop mirror packets if CPU exceeds 80%.

B. Physical Hardware TAP

Install a physical “Test Access Point” between critical assets.

  • Best for: 100% visibility of full-duplex traffic without switch CPU load.
  • Risk: Requires a brief downtime for physical cable insertion.

Wireshark Protocol Dissection

Use these display filters to isolate critical maritime flows from the noise:

  • Modbus Writes: mbtcp.func_code == 5 || mbtcp.func_code == 6
  • NMEA-over-IP: udp.port == 10110
  • S7 CPU Halt: s7comm.param.func == 0x29

4. OT Risk Mitigation & Anomaly Matrix

Each entry lists the observed baseline anomaly, the maritime risk, and the mitigation action.

  • Unmapped MAC Address
    Risk: Missing from Asset Inventory.
    Mitigation: Isolate port; physical verification required. Update Asset Inventory per UR E26.
  • Unauthorized Bridge-to-Shore
    Risk: Direct Nav-to-SATCOM link discovered.
    Mitigation: Immediate Firewall Block. Force all data through a secure Jump Host or DMZ.
  • Multicast/Broadcast Flood
    Risk: NMEA-0183/IP saturating core switch.
    Mitigation: Implement IGMP Snooping and VLAN segregation to prevent safety-critical lag.
  • Unexpected Protocol (Telnet/HTTP)
    Risk: Clear-text management on PLC interfaces.
    Mitigation: Disable insecure services at the device level. Enforce HTTPS/SSH or OOB Management.
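As an added example (not part of this playbook or its templates), the Wireshark filters above and the anomaly matrix can be applied together to summarised flow records from a SPAN or TAP capture. The asset inventory, zone addresses, approved conduits, packet threshold and sample flows below are hypothetical; in a real audit they come from the Asset Master List and the approved Cyber Security Design Description.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    packets: int = 1
    modbus_func: int = 0  # Modbus function code when dst_port is 502, else 0

# Hypothetical inventory, zone plan and approved conduits. In a real audit these come
# from the Asset Master List and the approved Cyber Security Design Description.
ASSET_INVENTORY = {"00:11:22:33:44:01": "ECDIS-1", "00:11:22:33:44:02": "HMI-Cargo",
                   "00:11:22:33:44:03": "PLC-Cargo-1"}
ZONES = {"NAV": ipaddress.ip_network("10.10.1.0/24"),
         "CARGO": ipaddress.ip_network("10.10.2.0/24"),
         "SATCOM": ipaddress.ip_network("10.10.9.0/24")}
APPROVED_CONDUITS = {("NAV", "NAV", "udp", 10110),     # NMEA-over-IP (udp.port == 10110)
                     ("CARGO", "CARGO", "tcp", 502)}   # Modbus/TCP
INSECURE_MGMT = {23: "Telnet", 80: "HTTP"}
BROADCAST_PACKET_LIMIT = 1000  # constructed threshold for the observation window

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "UNKNOWN")

def classify(flow: Flow) -> list[str]:
    """Return the anomaly-matrix rows that apply to one observed flow."""
    findings = []
    if flow.src_mac not in ASSET_INVENTORY:
        findings.append("Unmapped MAC Address")
    dst = ipaddress.ip_address(flow.dst_ip)
    is_bcast = dst.is_multicast or any(dst == n.broadcast_address for n in ZONES.values())
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if is_bcast:  # intra-zone by nature; only its volume is a finding
        if flow.packets > BROADCAST_PACKET_LIMIT:
            findings.append("Multicast/Broadcast Flood")
    elif (src_zone, dst_zone, flow.proto, flow.dst_port) not in APPROVED_CONDUITS:
        if src_zone == "NAV" and dst_zone == "SATCOM":
            findings.append("Unauthorized Bridge-to-Shore")
        else:
            findings.append("Flow not in Design Description")
    if flow.proto == "tcp" and flow.dst_port in INSECURE_MGMT:
        findings.append(f"Unexpected Protocol ({INSECURE_MGMT[flow.dst_port]})")
    if flow.dst_port == 502 and flow.modbus_func in (5, 6):  # the mbtcp write filter above
        findings.append("Modbus Write (func 5/6): confirm the writer is an authorised HMI")
    return findings
```

Every flow that returns a non-empty list is a row for the sign-off review in section 5; a legitimate NMEA broadcast within the NAV zone returns nothing.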

5. Formal Validation & Sign-off

A baseline is only an audit-valid “Target Profile” if reviewed. The following sign-off is required for the Ship Cyber Security Program:

  • Chief Engineer / ETO: Verification that all discovered traffic is operationally necessary.
  • Inventory Link: Confirm every talking IP/MAC has a corresponding entry in the Asset Master List.
