SIEM Integration for Ships
Maritime SIEM — Connecting Security Events Across the Fleet
A Security Information and Event Management (SIEM) platform aggregates security logs from multiple sources, correlates events across those sources, and applies detection rules to identify attack patterns that no individual log source would reveal in isolation. A firewall sees blocked connections; an IDS sees anomalous traffic; a PAM platform sees privileged access events — but only a SIEM can correlate these three signals to identify an attack campaign in progress.
Maritime SIEM architecture must address a fundamental challenge: shipboard log sources generate data continuously, but satellite bandwidth for streaming that data to a shore-based SIEM is expensive and limited. Maritime SIEM deployment therefore typically involves a hybrid architecture — an onboard log aggregator stores and pre-processes logs locally, forwards high-priority alerts in real-time, and transfers full log data in batches during periods of available bandwidth.
The shore-based SIEM component provides the fleet-wide visibility that individual vessel SIEMs cannot — correlating alerts across an entire fleet to identify attack campaigns targeting multiple vessels, comparing vessel behaviour to fleet baselines, and providing the centralised analyst capability that enables 24/7 monitoring without requiring a dedicated security analyst on each vessel.
IDS/NDR alerts, NMS events, AMS/PMS alarms, Firewall OT zone logs, OT workstation Windows event logs
PAM session logs, MFA authentication events, Jump Server access logs, SVRA vendor session records, Active Directory logs
IT/OT firewall deny logs, VSAT/Starlink gateway logs, DNS query logs, VPN connection logs, switch port logs
Ship server OS logs, endpoint protection alerts, email security events, file share access logs, backup system logs
Regulatory Framework
Requires logging of security-relevant events from computer-based systems with a minimum 90-day retention. SIEM is the primary platform for aggregating, storing, and making these logs searchable for forensic investigation. Without a SIEM, meeting E26's logging requirement across a complex vessel with 10+ security event sources requires manual log management that is not operationally sustainable.
Anomaly detection and alert generation requirements in Clause 5.5 are most effectively implemented when individual detection tools (IDS, NDR, NMS) feed their alerts into a SIEM for correlation. A SIEM-based correlation approach detects complex multi-stage attacks that single-source detection misses — the IDS might detect unusual traffic, but only the SIEM correlating that with a PAM alert can identify it as the second stage of a specific attack pattern.
IMO guidelines require cyber event detection and response capability. SIEM implements the detect component by correlating and alerting on security events across all ship systems. It supports the respond component by providing analysts with the full event context — what happened, in what order, across which systems — needed to make response decisions and triage effectively.
Under the ISM Code, cyber incidents must be reported to flag states and, where safety implications exist, to other relevant authorities. SIEM provides the evidence base for incident reports — timestamps, affected systems, event sequences, and indicators of compromise extracted from correlated log data. SIEM also supports post-incident reviews required by the ISM Code continuous improvement process.
Architecture & Performance Standards
Maritime SIEM deployment uses a two-tier architecture: an onboard log aggregator (collecting, normalising, and storing logs from all vessel security sources) and a shore-based SIEM platform (receiving forwarded logs and alerts, applying correlation rules, and providing analyst interface). The onboard aggregator enables offline log collection when satellite is unavailable and reduces bandwidth by forwarding only normalised, compressed data rather than raw logs.
| Performance Metric | Minimum | Target | Note |
|---|---|---|---|
| Local Log Retention (onboard) | 90 days | 180 days | IACS E26 minimum |
| Shore SIEM Retention | 12 months | 24 months | Full forensic history |
| Critical Alert Forwarding | <10 min via satellite | <3 min (Starlink) | Priority alert queue |
| Log Ingestion Sources | Firewall, IDS, PAM | All E26 asset event sources | 100% coverage target |
| Maritime Correlation Rules | Generic IT ruleset | Maritime OT-specific rules | Tuned to vessel behaviour |
Maritime Implementation Constraints
Full log streaming to a shore SIEM consumes significant satellite bandwidth — potentially competing with operational VSAT traffic for navigation, weather, and cargo management. SIEM deployment must include a bandwidth management strategy: prioritise high-severity alerts for real-time forwarding, compress and batch lower-priority logs for scheduled transfer, and set maximum SIEM bandwidth limits that protect operational traffic priority.
OT systems generate logs in proprietary formats that standard SIEM parsers do not support. Modbus event logs, NMEA alarm records, AMS maintenance logs — each has a different format that must be parsed and normalised into a common schema before the SIEM can correlate them. Maritime SIEM deployments require custom log parsers for each OT system type, adding both implementation time and ongoing maintenance as OT systems are updated.
Generic SOC analysts receiving SIEM alerts from shipboard OT systems may lack the knowledge to correctly triage maritime-specific events — an IDS alert on unusual Modbus traffic requires OT expertise to determine whether it represents a configuration change by an engineer or an actual attack. Shore SOC teams supporting maritime SIEM must include analysts with OT and maritime system knowledge, or have clear escalation paths to OT subject matter experts.
Trends & Market Developments
ML-based SIEM correlation is replacing manually-written rules for maritime environments — learning normal vessel behaviour from historical data and detecting deviations without requiring security engineers to anticipate every possible attack scenario. Unsupervised anomaly detection is particularly valuable for maritime OT where normal behaviour patterns vary by vessel type, route, and operational mode.
Dedicated maritime SOC services (provided by companies including CyberOwl, Horangi, Naval Dome) operate shore-based SIEM platforms covering multiple operators' fleets, providing 24/7 maritime-knowledgeable analyst coverage at costs individual operators cannot sustain independently. Fleet aggregation across clients also enables cross-operator threat intelligence sharing.
Starlink's high bandwidth and low latency is transforming maritime SIEM from a batch-based delayed model to near-real-time monitoring. Shore analysts can now see vessel security events within seconds, enabling detection-to-response timescales that were previously only achievable in shore-based environments. This is enabling maritime MDR (Managed Detection and Response) services for the first time.
Next-generation maritime SIEM platforms are integrating navigation data (AIS, GPS, route data) alongside security events — enabling correlation between vessel position (e.g. proximity to contested waters) and security anomalies. Context-aware SIEM that understands the operational state of the vessel can reduce false positives and improve alert prioritisation significantly.
SIEM is the linchpin of IACS UR E26 Clause 5.4 compliance. A vessel with multiple security tools — IDS, firewall, PAM — but no SIEM cannot meet the 90-day log retention requirement efficiently, cannot perform cross-source incident correlation, and cannot provide the forensic evidence base needed for incident reporting and class survey verification.
Design the onboard aggregator as the primary log repository. Shore SIEM connectivity will be intermittent at sea. The onboard aggregator must be sized to store the full 90-day minimum log retention independently, with shore synchronisation as an enhancement rather than a dependency.
Maritime OT log parsers are a critical implementation dependency. Standard SIEM products do not include parsers for maritime OT formats. Verify OT log source coverage with SIEM vendor before procurement — or select a maritime-specific SIEM provider with pre-built maritime OT parsers.
Continue the Security Monitoring series with Maritime Threat Intelligence — enriching SIEM detections with current threat knowledge.
⚓ Join the ShipPaulJobs Community
Join →
Comments
Post a Comment