
Closing the gap: maritime IDS deployment lessons from 60 vessels

What we learned rolling out network intrusion detection on 60 deep-sea vessels, from sensor placement to crew workflows and class evidence.

ISHIP Editorial Team
April 2, 2026 · 9 min read

When IACS UR E26 and E27 moved from guidance to a real compliance milestone, many operators discovered that their cyber controls were strong on paper and thin in practice. Over the past eighteen months we deployed network intrusion detection on 60 vessels across tankers, bulkers and container ships. The good news: the technology works at sea. The harder news: the operating model around it matters more than the sensor.

We standardised on a passive collector at the engine room switch and a second one at the bridge VLAN boundary. Passive only, mirrored traffic, no inline blocking. This decision keeps class happy, removes any risk to OT availability, and still surfaces almost everything an attacker would want to do, from rogue DHCP to lateral movement attempts. Inline enforcement has its place, but not on day one and not on safety-critical segments.

Tuning is where most projects stall. A maritime network is noisy in unique ways: legacy ECDIS chatter, vendor remote support tools, crew Wi-Fi backhaul, and the occasional engineer plugging a laptop into a switch port that has not seen one in three years. We built a baseline per vessel class rather than per vessel, then layered ship-specific exceptions. After roughly thirty days of supervised tuning, false positive rates settled below five per vessel per week, which is the threshold at which crew actually read the alerts.
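As an added illustration of the two-layer tuning model described above (a baseline per vessel class, then ship-specific exceptions), not ISHIP's own tooling: a small Python check that drops known-benign alerts through both layers and flags any vessel whose residual alert count is still above the five-per-week target. Vessel names, rule names, addresses and the sample alerts are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed fleet registry: vessel name -> vessel class.
FLEET = {"MT-ALPHA": "tanker", "MV-BETA": "bulker"}
# Layer 1: suppressions shared by every vessel of a class. Rule names are
# hypothetical; each entry is (rule, source network) known to be benign chatter.
CLASS_BASELINE = {
    "tanker": [("ECDIS route broadcast", "10.10.0.0/24")],
    "bulker": [("ECDIS route broadcast", "10.10.0.0/24"),
               ("Engine monitoring poll", "10.20.0.0/24")],
}
# Layer 2: exceptions for one hull only, e.g. an approved vendor support host.
VESSEL_EXCEPTIONS = {"MT-ALPHA": [("Vendor remote-support tunnel", "10.10.5.20/32")]}
FP_THRESHOLD_PER_WEEK = 5  # above this, crews stop reading the alerts

def is_suppressed(vessel, rule, src_ip):
    """True if the alert matches the class baseline or a vessel exception."""
    layers = CLASS_BASELINE.get(FLEET[vessel], []) + VESSEL_EXCEPTIONS.get(vessel, [])
    ip = ipaddress.ip_address(src_ip)
    return any(rule == r and ip in ipaddress.ip_network(net) for r, net in layers)

def weekly_residual_alerts(alerts):
    """Count alerts surviving both layers, keyed by (vessel, ISO week)."""
    counts = defaultdict(int)
    for ts, vessel, rule, src_ip in alerts:
        if is_suppressed(vessel, rule, src_ip):
            continue
        year, week, _ = datetime.fromisoformat(ts).isocalendar()
        counts[(vessel, f"{year}-W{week:02d}")] += 1
    return dict(counts)

def vessels_needing_tuning(alerts):
    """Vessels whose residual alert count exceeds the weekly threshold."""
    weekly = weekly_residual_alerts(alerts)
    return sorted({v for (v, _), n in weekly.items() if n > FP_THRESHOLD_PER_WEEK})

# Constructed sample: (timestamp, vessel, rule, source IP), all in ISO week 2026-W14.
SAMPLE_ALERTS = [
    ("2026-03-30T08:15:00", "MT-ALPHA", "ECDIS route broadcast", "10.10.0.7"),
    ("2026-03-30T09:00:00", "MT-ALPHA", "Vendor remote-support tunnel", "10.10.5.20"),
    ("2026-03-31T11:30:00", "MT-ALPHA", "Rogue DHCP server", "10.10.0.44"),
    ("2026-04-01T14:00:00", "MV-BETA", "Vendor remote-support tunnel", "10.10.5.20"),
    ("2026-04-01T14:05:00", "MV-BETA", "Engine monitoring poll", "10.20.0.3"),
] + [(f"2026-04-0{d}T10:00:00", "MV-BETA", "Rogue DHCP server", "10.20.0.99")
     for d in range(1, 6)]
```

Note that the vendor tunnel is suppressed only on the hull where it was approved; the same traffic on the bulker stays visible, which is the point of keeping exceptions per vessel rather than widening the class baseline.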

Crew workflow is the secret ingredient. We resisted the urge to make IDS a shore-only tool. Instead, the master and chief engineer get a daily one-page summary, and a weekly call with the shore cyber lead. Detection without ownership on the vessel is detection that never closes. By contrast, when the chief engineer treats an IDS alert the same way as a high exhaust temperature alarm, the mean time to acknowledgement drops to under an hour even on poor satellite days.

For class evidence, the trick is to design the report before the deployment. Auditors want to see policy, configuration, monitoring, response and continuous improvement. We pre-mapped each IDS rule to a control objective, kept signed configuration history, and exported monthly metrics in a format the auditor could ingest without a meeting. The first surveyor visit took ninety minutes, not a day.

If you are planning a similar rollout, three lessons stand out. Pick a known vessel class first and prove the baseline before scaling. Invest in tuning rather than buying a bigger box. And put a real human on the vessel into the loop, because cyber resilience is not a tool, it is a habit.

Tags: Cybersecurity, IDS, IACS, OT