Rogue Device Response

Incident Investigation & Isolation Protocol

Doc ID: TAG-OT-CHK-02
Issue Date: Feb 2026
Rev: 1.1

Compare MAC/IP against Master Asset Inventory. Record both values.
Check SNMP trap log — record first-seen timestamp and switch port of the MAC notification event.
Physically trace the cable from the identified switch port to the device location.
Verify with Crew: Is an OEM Service Engineer currently onboard?

⚠️ DO NOT disconnect critical IACS hardware. Apply only to the unknown rogue device port.

Logical Isolation: Shutdown the specific switch port via CLI or Web GUI. If SNMP-triggered automation has already applied a port shutdown, verify the port state is confirmed down before proceeding.
Verify:
Physical Isolation: Trace cable to switch port and physically remove the connection. Do not remove any device from the space until Phase 3 documentation is complete — treat it as evidence.
Quarantine: If the device is portable (laptop, USB adapter, rogue AP), remove it from the Engine Room or Bridge space. Place in a secure location pending investigation.

Incident Description:

Detection Method:

SNMP MAC notification trap Passive traffic sensor alert Visual discovery Other:

Root Cause Assessment:

Authorized vendor — access not pre-notified Crew error / personal device Unknown — potential cyber incident
Other:

Investigated By (ETO):

Signature & Date

Verified By (Master / C/E):

Stamp & Date