Part of the PROTECT Playbook ← Return to Hub
Phase: Protect All vessels
Satisfies: E26E27IMO MSC-FAL.1BIMCO v5

Configuration Backups & Golden Images

This guide establishes the creation, secure storage and verification of complete system images for all Category II and III systems, enabling restoration to a known-good state within a defined recovery time objective.

In the middle of the ocean, a system crash or a ransomware infection can be a life-safety issue. You cannot wait for a technician to fly out with a recovery disk. A Golden Image is a complete “snapshot” of a system—OS, drivers, and OT applications—that allows an ETO to rebuild a workstation in less than 30 minutes.

The 3-2-1 Maritime Backup Rule

Standard IT backup rules must be adapted for the high-vibration and disconnected environment of a ship. While shore-side IT relies on the “Cloud,” a ship must rely on physical air-gapped redundancy. This ensures that even if the entire network is compromised by ransomware, your recovery media remains “invisible” to the virus.

3 Copies

Original data + Local backup + Offline vault.

2 Media Types

SSD/NAS and an Optical Disc or encrypted Tape.

1 Off-Ship

A copy kept at the Home Office (updated annually).

What Needs to be Backed Up?

ETOs often prioritize the AMS server but forget the “glue” that holds the network together:

Asset Type Backup Method Frequency
HMI/Workstations Full “Golden Image” (Full Disk) After every major OS/Patch update.
PLC/Controllers Logic & Project Files (.bin, .pro) Whenever code logic is modified.
Switches & Firewalls Running Configuration (.conf) After every VLAN or ACL change.
Manual Export SOP: Switches, Firewalls & PLCs

OT Managed Switches (Hirschmann/Cisco)

  1. Login to the Web Interface (HiView/Browser) or Console.
  2. Navigate to Basic Settings > Load/Save (Hirschmann) or Admin > File Management (Cisco).
  3. Select “Save Running-Config to PC” via HTTP/HTTPS download.
  4. Verify the .cfg or .txt file contains readable logic before storing.

OT Firewalls (FortiGate/mGuard)

  1. Go to System > Configuration > Backup.
  2. Select Local PC as the destination.
  3. Pro Tip: Do not encrypt the backup with a personal password; use the Ship’s Master Password stored in the Physical Safe.

PLC Controllers (Siemens/WAGO/Rockwell)

Note: PLC backups require the specific Engineering Software installed on the Field PG.

  1. Connect the Field Laptop to the PLC Programming Port.
  2. Open the Project (TIA Portal/Studio 5000).
  3. Perform an “Upload from Device” to capture the running logic, including current setpoints and variables.
  4. Save as a compressed archive (e.g., .zap17) on the Offline Vault drive.

Compliance Documentation Previews

Standardized templates and technical logs. View watermarked previews below; All fillable forms and SOPs are free with a registered account.

TAG-OT-LOG-01
Backup & Recovery Log
View Form
TAG-OT-SOP-RECOVERY
Cloning Guide (Rescuezilla)
View Form
ETO Recovery Readiness Checklist
Immutable Offline Storage

Backup drives must be disconnected from the network when not in use. Ransomware cannot encrypt a drive that isn’t plugged in.

Restoration Testing

A backup that hasn’t been tested is not a backup. Once a year, perform a “Mock Recovery” on a spare HDD to ensure the image actually boots.

Pro Tip: The “Cold Spare” HDD. For critical bridge PCs, keep a 1:1 clone of the system drive on a physical HDD stored in the ECR. If the primary drive fails, you simply swap the physical cables—no software recovery required.

PREVIOUS:
Supply Chain & Vendor Security

Next Section

Data Diodes & Unidirectional Flows

Data Diodes & Unidirectional Flows This guide explains the deployment of hardware-enforced unidirectional data flows...

Data Diodes & Unidirectional Flows →
Login
Login
Scroll to Top