Respond: Incident Containment & Mitigation
IACS UR E26 Control 4.4: Cyber Incident Response Capabilities
The “Fire Drill” for the digital ship. Once a threat is detected, the ETO (Electro-Technical Officer) must act to isolate systems and prevent the spread of malware. This phase defines the technical and procedural steps to protect vessel safety during an active cyber event.
Effective response relies on Pre-Defined Isolation. In a maritime environment, we do not have time for complex forensics during a crisis; we must prioritize Vessel Maneuverability. This phase ensures the ETO can “cut the lines” between infected segments without crashing the Bridge.
Core Concept: The Cyber-Emergency Shutdown
Establishing clear rules for which network links can be severed instantly and which require a controlled sequence to avoid a total blackout.
Classification & Triage
Determining the severity of the incident and initiating the immediate diagnostic sequence.
Containment
Active measures to sever malicious connections and isolate infected OT segments.
Communication
Formal reporting to the Master and Fleet Office, and meeting IMO/IACS reporting deadlines.
Critical Action Policy:
In the event of a cyber incident affecting propulsion or steering, Physical Safety overrides Cyber Response. Isolate systems only if the action does not endanger the immediate safety of the vessel.
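A pre-defined isolation plan of the kind described under Core Concept and the Critical Action Policy can be kept as data and checked before an incident. The sketch below is an added example, not part of the original page or of UR E26: the link names, segment names and fields are hypothetical, and it assumes that a sequenced link's prerequisites are cut first and that any link carrying propulsion or steering traffic is held for a human decision unless it has been declared safe to isolate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str                      # hypothetical link label
    segment: str                   # segment this link attaches to the network
    mode: str                      # "instant" or "sequenced"
    after: tuple = ()              # links that must be severed before this one
    safety_critical: bool = False  # carries propulsion/steering traffic

# Constructed sample plan; a real one comes from the vessel's own network drawings.
PLAN = [
    Link("crew-wifi-uplink", "crew", "instant"),
    Link("vsat-to-it", "it", "instant"),
    Link("it-to-ot", "ot", "sequenced", after=("vsat-to-it",)),
    Link("ot-to-steering", "steering", "sequenced", after=("it-to-ot",),
         safety_critical=True),
]

def isolation_order(plan, infected, safe_to_isolate_critical=False):
    """Return (cut_order, held): links to sever in order, and links held back."""
    by_name = {l.name: l for l in plan}
    targets = {l.name for l in plan if l.segment in infected}
    stack = list(targets)
    while stack:  # pull in every prerequisite of the targeted links
        for dep in by_name[stack.pop()].after:
            if dep not in targets:
                targets.add(dep)
                stack.append(dep)
    # Physical safety overrides cyber response: hold safety-critical links.
    held = sorted(n for n in targets
                  if by_name[n].safety_critical and not safe_to_isolate_critical)
    pending = [l for l in plan if l.name in targets and l.name not in held]
    order, done = [], set()
    while pending:
        ready = [l for l in pending if all(d in done for d in l.after)]
        if not ready:  # what remains depends on a held link, or on a cycle
            held += [l.name for l in pending]
            break
        ready.sort(key=lambda l: l.mode != "instant")  # instant cuts go first
        nxt = ready[0]
        order.append(nxt.name)
        done.add(nxt.name)
        pending.remove(nxt)
    return order, held

if __name__ == "__main__":
    print(isolation_order(PLAN, {"steering", "crew"}))
```

Running the plan against every segment during a drill shows which links would be held back, so that decision is already understood before a real event.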
