Part of the IDENTIFY Playbook ← Return to Hub
Phase: Identify All vessels
Satisfies: E26E27IEC 62443IMO MSC-FAL.1BIMCO v5

OT Traffic Baselining Procedures

This guide provides a methodology for capturing the normal communication patterns of the vessel’s OT network, establishing the baseline needed to detect anomalies and configure network protection.

1. The 72-Hour Observation Window

A baseline must cover multiple operational states. For a maritime audit, we recommend a 72-hour capture to include:

Maneuvering

High-frequency thruster control and DP traffic.

Steady State

Consistent navigation (GPS/AIS) and engine telemetry.

Cargo Ops

Pump control and automated valve sequences.

2. Design Verification (E26 4.2.1.4.1)

Per IACS UR E26, the Systems Integrator must prove that physical data flows match the approved Cyber Security Design Description.

Internal Zone Flows
  • Validate Intra-Zone Protocols
  • Verify Physical Port Mapping
  • Confirm “Least Functionality”
Conduit Flows (Cross-Zone)
  • Verify Zone Boundary Device
  • Match against Firewall ACLs
  • Document Purpose of Data Link
Untrusted Links (Satcom)
  • Identify Outbound Serial/IP
  • Verify Physical Segmentation
  • Block Unauthorized Telemetry

3. Implementation: Passive Capture

To maintain vessel safety, baselining must be passive. Use the following methods to ingest traffic without introducing latency or risk.

SPAN / Mirroring

Configure the Managed Switch to duplicate traffic from “Member Ports” (PLCs/Sensors) to a “Destination Port” (Laptop/IDS).

  • Best for: Core switches with high CPU overhead.
  • Risk: Switch may drop mirror packets if CPU exceeds 80%.
Physical Hardware TAP

Install a physical “Test Access Point” between critical assets.

  • Best for: 100% visibility of full-duplex traffic without switch CPU load.
  • Risk: Requires a brief downtime for physical cable insertion.

Wireshark Protocol Dissection

Use these display filters to isolate critical maritime flows from the noise:

Objective Display Filter
Modbus Writes mbtcp.func_code == 5 || mbtcp.func_code == 6
NMEA-over-IP udp.port == 10110
S7 CPU Halt s7comm.param.func == 0x29

4. OT Risk Mitigation & Anomaly Matrix

Observed Baseline Anomaly Maritime Risk Mitigation Action
Unmapped MAC Address
Missing from Asset Inventory.		 Isolate port; physical verification required. Update Asset Inventory per UR E26.
Unauthorized Bridge-to-Shore
Direct Nav-to-SATCOM link discovered.		 Immediate Firewall Block. Force all data through a secure Jump Host or DMZ.
Multicast/Broadcast Flood
NMEA-0183/IP saturating core switch.		 Implement IGMP Snooping and VLAN segregation to prevent safety-critical lag.
Unexpected Protocol (Telnet/HTTP)
Clear-text management on PLC interfaces.		 Disable insecure services at the device level. Enforce HTTPS/SSH or OOB Management.

5. Formal Validation & Sign-off

A baseline is only an audit-valid “Target Profile” if reviewed. The following sign-off is required for the Ship Cyber Security Program:

  • Chief Engineer / ETO: Verification that all discovered traffic is operationally necessary.
  • Inventory Link: Confirm every talking IP/MAC has a corresponding entry in the Asset Master List.
PREVIOUS:
Marine Protocol Guides

Next Section

System Interdependency Matrix

System Interdependency Matrix This guide documents how onboard systems depend on each other for data and control — ess...

System Interdependency Matrix →
Login
Login
Scroll to Top