Incident response at sea — what makes it different

Incident response on a vessel operates under constraints that simply do not exist on shore. There might be no IT department to call. The ETO may be the only person on board with any understanding of the OT network. The vessel may be at sea with no shore connectivity. And critically — isolating a system to contain a cyber incident can itself create a safety risk if that system is part of propulsion, steering, or power management. Physical safety overrides cyber response at every decision point, and the response procedures have to be written with that constraint built in.

The playbooks in this phase are designed for that environment. They cover the first 15 minutes after a suspected incident is identified — what to check, what to preserve, what to isolate, and how to communicate — through to formal reporting to the Master, DPA, flag state, and Class. The procedures work whether the vessel is subject to IACS UR E26, operating under IMO MSC-FAL.1, or simply implementing best practice without a regulatory driver.

Pre-written response procedures are not just a compliance requirement — they are the difference between a controlled response and a chaotic one. An ETO who has read the First 15 Minutes playbook before an incident occurs will make better decisions under pressure than one who is working it out in real time. That benefit exists regardless of whether the vessel has a Class notation or a SIRE inspection coming up.