Part of the RESPOND Playbook ← Return to Hub

The First 15 Minutes

Response Objective: To execute a rapid, non-destructive diagnostic sequence that confirms the presence of a cyber threat while maintaining vessel safety.

When an alarm sounds or a critical system behaves erratically, the ETO must resist the urge to immediately reboot hardware. Rebooting wipes the RAM, which contains the only evidence of how the attack started. Follow this sequence instead.

The 15-Minute Triage Checklist

0-5m
Observation & Safety Check Is the ship’s maneuverability affected? Check Bridge and ECR consoles for “Frozen” screens, unauthorized mouse movement, or system error pop-ups. Inform the Master immediately if DP or Steering is erratic.
5-10m
Source Identification Check the Detect Phase Dashboard. Which VLAN is the traffic coming from? Is the firewall blocking outbound connections to unknown IPs? Note the “Patient Zero” (the first device to show symptoms).
10-15m
Evidence Capture (Snapshot) If possible, take a photo of the error screens. Check the Syslog Server and export the last 30 minutes of logs to a secure USB drive (Forensic Image). Do not power off.

The “Do Not Do” List

To comply with UR E26 §4.4.2 (Forensic Readiness), the ETO must avoid the following common mistakes during the first 15 minutes:

DO NOT Reboot: Modern malware lives in RAM. A reboot clears the evidence and may trigger a “Logic Bomb” that prevents the system from starting again.
DO NOT “Clean” Files: Attempting to delete a virus manually may cause the malware to start encrypting files immediately as a defense mechanism.
DO NOT Use Infected Networks to Report: If the ship’s business network is compromised, do not send your report via the ship’s official email. Use a separate, clean satellite link or phone.

Master’s Key Action

If the assessment confirms a Level 3 Incident, the ETO must present the findings to the Master to authorize Pillar B: Containment (Network Isolation). The ETO has the technical authority to diagnose, but the Master has the operational authority to “Cut the Lines.”

Next Security Phase

Network Isolation Procedures

Network Isolation Procedures Response Objective: To immediately halt the lateral movement of malware by severing communication links between network zones (IT, iDMZ, and OT). Isolation is the cyber equivalent of closing watertight doors. If a crew la...

Continue to Network Isolation Procedures →
Scroll to Top