Incident Severity Matrix
Response Objective: To standardize how cyber events are reported and prioritized, ensuring that the Master and Shore-side SOC receive accurate information during a crisis.
Not every anomaly is a cyber-attack. A failing sensor or a loose Ethernet cable can trigger a “Device Down” alert. The ETO’s first job is Triage: determining if the event is a Technical Failure, a Suspicious Event, or a Confirmed Attack.
The 3-Tier Severity Scale
In alignment with IACS UR E26 and IMO MSC.428(98), we categorize incidents based on their impact on “Essential Services” (Propulsion, Steering, Navigation).
| Severity | Indicator | Operational Impact |
|---|---|---|
| LOW (Level 1) | Single non-critical workstation failure; suspected virus on Crew Wi-Fi. | None. Essential services unaffected. Administrative annoyance. |
| MEDIUM (Level 2) | Unauthorized "Rogue Device" in the ECR; partial loss of monitoring data. | Degraded visibility. Vessel safe, but the risk of escalation is high. |
| CRITICAL (Level 3) | Ransomware on the Bridge; loss of ECDIS or Engine Control. | Immediate safety risk. Potential loss of manoeuvrability or blackout. |
Decision Tree: Is it a Cyber Attack?
If you see an anomaly, ask these three questions to decide whether to initiate the Respond Phase:
1. Multiple Failures? Did several unrelated systems fail at the same time? One loose cable or one failed switch takes down everything behind it, so first check whether the failed devices share a common upstream component. Simultaneous failures across different network segments indicate malware or lateral movement.
2. Unusual Activity? Are there log entries for "Administrator Login" at a time when nobody was recorded as working on the system? Check the maintenance log before treating a login as hostile.
3. Data Tampering? Have configuration files changed without a logged change, or is the system demanding payment (ransomware screen)?
Reporting Rule: “When in Doubt, Shout”
If you cannot definitively rule out a cyber attack within 15 minutes, the ETO must report a “Potential Level 2 Incident” to the Master. It is better to stand down a false alarm than to delay the isolation of a real threat.
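The matrix, the three decision-tree questions and the 15-minute reporting rule can be applied mechanically to a device log. The Python below is an added example, not code from this page or from any class rule. The log format (`timestamp|system|EVENT|detail`), the system names, the switch topology and the declared work windows are all assumptions chosen for illustration; the sample log lines are constructed, not real vessel data. It encodes the caveat from the first question (devices behind the same switch dropping together count as one failure, not several) and returns the level and the action the ETO should take.

```python
"""Triage helper for the severity matrix, the three decision-tree questions
and the 15-minute reporting rule. Added example, not the page's or any class
rule's code; log format, system names, topology and windows are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed topology: upstream switch per monitored system. Devices behind the
# same switch dropping together are ONE related failure (e.g. a loose uplink).
UPSTREAM_SWITCH = {
    "ECDIS-1": "SW-BRIDGE-A", "ECDIS-2": "SW-BRIDGE-A", "RADAR-1": "SW-BRIDGE-B",
    "ENGINE-CONTROL": "SW-ECR-A", "ALARM-MONITORING": "SW-ECR-A",
    "CREW-WIFI-AP": "SW-ACCOM", "BRIDGE-PC-2": "SW-BRIDGE-B",
}
ESSENTIAL = {"ECDIS-1", "ECDIS-2", "RADAR-1", "ENGINE-CONTROL"}  # loss = Level 3
MONITORING = {"ALARM-MONITORING"}                                # loss = Level 2
TAMPER_EVENTS = {"CONFIG_CHANGED", "RANSOM_NOTE"}

@dataclass(frozen=True)
class Event:
    ts: datetime
    system: str
    kind: str
    detail: str

def parse_log(text):
    """Parse assumed 'ISO-timestamp|system|EVENT|detail' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, system, kind, detail = line.split("|", 3)
            events.append(Event(datetime.fromisoformat(ts), system, kind, detail))
    return sorted(events, key=lambda e: e.ts)

def multiple_failures(events, window=timedelta(minutes=5)):
    """Q1: did devices behind DIFFERENT switches go down within one window?"""
    downs = [e for e in events if e.kind == "DEVICE_DOWN"]
    for i, first in enumerate(downs):
        switches = {UPSTREAM_SWITCH.get(e.system, e.system)
                    for e in downs[i:] if e.ts - first.ts <= window}
        if len(switches) >= 2:
            return True
    return False

def unauthorized_admin_logins(events, work_windows):
    """Q2: admin logins not covered by a declared (system, start, end) work window."""
    return [e for e in events if e.kind == "ADMIN_LOGIN" and not any(
        sys_ == e.system and start <= e.ts <= end for sys_, start, end in work_windows)]

def tampering(events):
    """Q3: changed configuration files or a ransom screen."""
    return [e for e in events if e.kind in TAMPER_EVENTS]

def severity(events):
    """Operational-impact column of the matrix: 1 LOW, 2 MEDIUM, 3 CRITICAL."""
    lost = {e.system for e in events if e.kind == "DEVICE_DOWN"}
    if lost & ESSENTIAL or any(e.kind == "RANSOM_NOTE" for e in events):
        return 3
    if lost & MONITORING or any(e.kind == "ROGUE_DEVICE" for e in events):
        return 2
    return 1

def triage(log_text, work_windows, now, first_seen):
    """Apply the three questions, then the 'when in doubt, shout' rule."""
    events = parse_log(log_text)
    indicators = []
    if multiple_failures(events):
        indicators.append("multiple unrelated failures")
    if unauthorized_admin_logins(events, work_windows):
        indicators.append("admin login outside declared work window")
    if tampering(events):
        indicators.append("configuration tampering or ransom note")
    level = severity(events)
    if level == 3:
        action = "CRITICAL: report Level 3 to Master, contact CSO and shore SOC"
    elif indicators or now - first_seen >= timedelta(minutes=15):
        level = 2  # cyber suspected, or not ruled out within 15 minutes
        action = "Report Potential Level 2 incident to Master"
    else:
        action = f"Level {level}: continue fault-finding, log outcome as near miss"
    return {"level": level, "indicators": indicators, "action": action}

# Constructed sample logs (not real vessel data).
BENIGN_LOG = """\
2024-03-10T10:15:00|CREW-WIFI-AP|DEVICE_DOWN|no heartbeat
2024-03-10T10:20:00|CREW-WIFI-AP|ADMIN_LOGIN|user=eto src=console
"""
BENIGN_WINDOWS = [("CREW-WIFI-AP", datetime(2024, 3, 10, 10, 0), datetime(2024, 3, 10, 11, 0))]
SUSPICIOUS_LOG = """\
2024-03-10T02:05:00|ECDIS-1|DEVICE_DOWN|no heartbeat
2024-03-10T02:05:20|ALARM-MONITORING|DEVICE_DOWN|no heartbeat
2024-03-10T02:06:05|ECDIS-2|ADMIN_LOGIN|user=Administrator src=10.10.5.77
2024-03-10T02:07:30|ECDIS-2|CONFIG_CHANGED|file=routes.cfg
2024-03-10T02:08:00|BRIDGE-PC-2|RANSOM_NOTE|your files are encrypted
"""
UNRESOLVED_LOG = "2024-03-10T03:00:00|CREW-WIFI-AP|DEVICE_DOWN|no heartbeat\n"

def run_scenarios():
    """Three worked cases: a routine fault, a live attack, and an unresolved fault."""
    def d(h, m): return datetime(2024, 3, 10, h, m)
    return {
        "benign": triage(BENIGN_LOG, BENIGN_WINDOWS, d(10, 25), d(10, 15)),
        "suspicious": triage(SUSPICIOUS_LOG, [], d(2, 9), d(2, 5)),
        "unresolved": triage(UNRESOLVED_LOG, [], d(3, 16), d(3, 0)),
    }
```

Running `run_scenarios()` gives Level 1 with no indicators for the benign case (the admin login falls inside the ETO's declared work window), Level 3 with all three indicators for the suspicious case, and Level 2 for the unresolved case purely because 16 minutes have passed without the fault being explained. The `first_seen` timestamp should be the time the alarm was first noticed, not the time the ETO began looking at it.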
Audit Evidence Preparation
Class surveyors will ask to see your **Incident Log**. Even if you have had zero attacks, you must show you are recording “Near Misses” or “Technical Glitches” using this matrix.
- Evidence: A logbook entry showing a Level 1 event (e.g., “Faulty Switch Replaced”) being assessed and closed.
- Evidence: Proof that the ETO knows how to contact the CSO for a Level 3 event.
