Emergency System Shutdown Rules
Response Objective: To define the “Red Lines” for system power-down, ensuring that no critical safety system is deactivated unless the risk of staying online is greater than the risk of shutdown.
Shutting down a computer in the middle of a voyage is a high-risk move. Under IACS UR E26 §4.4.1, the vessel must have a predefined plan for which systems are “Safe to Stop” and which are “Must-Run.”
The “Shutdown Tier” System
The ETO must treat systems according to their tier. Never shut down a Tier 1 system without a direct order from the Master.
Tier 1: THE MUST-RUNS
Systems: ECDIS (Primary), Steering Control, Propulsion Logic, GMDSS.
Rule: Never shut down while at sea. Even if infected, these systems must remain powered to avoid immediate collision or grounding. Use Network Isolation (Pillar B.1) instead of power-down.
Tier 2: THE CONDITIONAL-STOP
Systems: PMS (Power Management), Ballast Control, Cargo Monitoring.
Rule: Can be shut down only if the vessel is in a stable state (e.g., at anchor or open sea) and manual backup controls are fully manned and tested.
The “Red Line” Scenarios
There are only two scenarios where an ETO should recommend an immediate shutdown of a critical OT system:
- Physical Limit Exceeded: The cyber attack is forcing a machine (e.g., a pump or engine) to run outside of safe physical parameters (Speed/Temperature/Pressure) that could lead to an explosion or fire.
- Data Corruption Spreading: The ransomware is actively encrypting the “Golden Backup” drive connected to the system. Shutting down may save the backup data required for the Recover Phase.
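The tier rules and the two Red Line triggers above, encoded as one decision function so an ETO can check a proposed shutdown against them. This is an added example, not part of the original card; the system names are the ones listed above, and treating any unlisted system as Tier 2 is an assumption.

```python
from dataclasses import dataclass

# Tier membership as listed on the card. Any system not listed here is
# assumed (our assumption, not the card's) to be Tier 2, the more cautious choice.
TIER_1_MUST_RUN = {"ECDIS (Primary)", "Steering Control", "Propulsion Logic", "GMDSS"}
TIER_2_CONDITIONAL = {"PMS", "Ballast Control", "Cargo Monitoring"}


@dataclass
class Situation:
    at_sea: bool = True                    # underway (Tier 1 is never shut down here)
    vessel_stable: bool = False            # at anchor or steady in open sea
    manual_backup_manned_tested: bool = False
    master_order: bool = False             # direct order from the Master
    physical_limit_exceeded: bool = False  # Red Line 1: speed/temp/pressure unsafe
    backup_being_encrypted: bool = False   # Red Line 2: Golden Backup under attack


def shutdown_decision(system: str, s: Situation) -> tuple[str, str]:
    """Return (action, reason) for a proposed immediate shutdown.

    SHUTDOWN: the ETO may recommend power-down and proceed to the checklist.
    ISOLATE:  keep the system powered and use network isolation instead.
    """
    tier = 1 if system in TIER_1_MUST_RUN else 2
    if not (s.physical_limit_exceeded or s.backup_being_encrypted):
        return "ISOLATE", "no Red Line scenario: do not recommend shutdown"
    if tier == 1:
        if s.at_sea:
            return "ISOLATE", "Tier 1 is never shut down at sea, even if infected"
        if not s.master_order:
            return "ISOLATE", "Tier 1 shutdown needs a direct order from the Master"
        return "SHUTDOWN", "Tier 1: not at sea and Master has ordered it"
    if not s.vessel_stable:
        return "ISOLATE", "Tier 2 only when the vessel is in a stable state"
    if not s.manual_backup_manned_tested:
        return "ISOLATE", "Tier 2 only with manual backup controls manned and tested"
    return "SHUTDOWN", "Tier 2 conditions met: follow the Shutdown Checklist"


if __name__ == "__main__":
    # Constructed scenario: ransomware hitting the backup drive while underway.
    underway = Situation(at_sea=True, backup_being_encrypted=True, master_order=True)
    print("ECDIS (Primary):", shutdown_decision("ECDIS (Primary)", underway))
    anchored = Situation(at_sea=False, vessel_stable=True,
                         manual_backup_manned_tested=True, backup_being_encrypted=True)
    print("Ballast Control:", shutdown_decision("Ballast Control", anchored))
```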
The Shutdown Checklist
If a shutdown is authorized, follow these steps to ensure you don’t make the recovery impossible:
- Handover: Ensure the duty engineer has switched to Manual/Local Control and confirmed they have visual readings on physical gauges.
- Last-Minute Log: If the OS is still responsive, take a screenshot of the “Running Processes” (Task Manager) to identify the malware name later.
- Clean Cut: Perform a graceful shutdown if possible. If the OS is locked, pull the power cord rather than using “Restart”, which would only bring the compromised system straight back up.
- Tag-Out: Physically label the hardware “CYBER COMPROMISED – DO NOT RESTART” to prevent a well-meaning crew member from turning it back on.
Auditor’s Question
“Do you have a list of systems that are safe to shut down during a cyber attack?”
Your Answer: Show them the Tiered System Priority List and the Manual Backup Procedures for the Tier 2 systems.
