Part of the RESPOND Playbook
Phase: Respond · Applies to: All vessels
Satisfies: IACS UR E26 · IACS UR E27 · IMO MSC-FAL.1

Emergency System Shutdown Rules

This guide defines which systems are safe to stop during a cyber incident and which must continue running, with controlled shutdown sequences that leave the vessel in a safe, known state. Under IACS UR E26 §4.4.1, the vessel must have a predefined plan for which systems are safe to stop and which are must-run — and that plan must be exercised before it is needed.

Shutting down a CBS in the middle of a voyage is a high-risk decision. The wrong shutdown sequence can create a secondary safety problem worse than the cyber incident itself. This guide gives the ETO and Master a tiered framework — based on CBS criticality category — for making that decision correctly, quickly, and with full documentation.

The shutdown tier system

Systems are grouped into three tiers based on their E26 criticality category and SOLAS obligations. The tier determines who has authority to authorise a shutdown and under what conditions it is permitted.

Tier 1 — Must-runs

CBS category: Category III (essential functions)
Systems:
  • ECDIS (primary and backup)
  • Main engine control CBS
  • Steering gear CBS / autopilot
  • GMDSS communications
  • Fire detection and alarm system
  • Emergency generator control
Shutdown rule: Never shut down at sea; isolate the system from the network instead of powering it down. A shutdown is permitted only in one of the red line scenarios, on explicit Master order, and only after local manual control has been confirmed active on the physical gauges.
Authority to shut down: Master, explicit order required

Tier 2 — Conditional stop

CBS category: Category II (important functions)
Systems:
  • Power Management System (PMS)
  • Ballast control CBS
  • Cargo monitoring CBS
  • Bilge alarm system
  • Fuel transfer pump control
  • IAS non-critical monitoring
Shutdown rule: Permitted only if the vessel is at anchor or in stable open sea, manual backup controls are fully manned and confirmed functional, and the Chief Engineer concurs.
Authority to shut down: Chief Engineer, with Master awareness

Tier 3 — Safe to stop

CBS category: Category I (support functions)
Systems:
  • Crew Wi-Fi and entertainment
  • Administrative PCs and printers
  • CCTV (non-security critical)
  • Crew welfare systems
  • Non-essential office servers
  • Passenger network infrastructure
Shutdown rule: Can be shut down immediately without a Master order. Shutting these down first limits the spread of infection and reduces the blast radius before higher-tier systems are affected. Shutdown destroys whatever is in memory, so where a host is still responsive take the pre-shutdown forensic capture from the execution checklist first; network isolation is the alternative when volatile evidence must be kept.
Authority to shut down: ETO, own authority, notify Master

The red line scenarios

There are only two scenarios where the ETO should recommend an immediate shutdown of a Tier 1 system — overriding the normal “never shut down at sea” rule. Both require Master authorisation and both must be logged with the exact justification.

  • Physical limit exceeded. The attack is forcing machinery to operate outside safe parameters: speed, temperature or pressure readings on local gauges confirm the CBS is sending dangerous commands that manual intervention cannot override. The physical safety of the vessel takes absolute priority over evidence preservation.
  • Active backup corruption in progress. Ransomware is actively encrypting the Golden Image backup media, which is normally kept offline but is connected to the infected system, and that backup is the only path to recovery. Shutting the infected system down immediately may stop the encryption before the backup is destroyed; if the backup media can be physically disconnected faster than the host can be stopped, disconnect it first. This is the one scenario where recovery capability, rather than vessel safety, outranks evidence preservation.

The shutdown sequence — system by system

When shutdown is authorised, the sequence matters. Shutting down systems in the wrong order can create cascading failures. Always work from lowest criticality to highest — Tier 3 first, Tier 1 last.

1st: Crew Wi-Fi / hotel network
  Safe state on shutdown: no impact on vessel operations
  Pre-shutdown check: none required; shut down immediately
2nd: Admin PCs and office servers
  Safe state on shutdown: no impact on vessel operations
  Pre-shutdown check: save forensic screenshots first if responsive
3rd: Ballast / cargo control CBS
  Safe state on shutdown: valves lock in current position; confirm this is safe before shutdown
  Pre-shutdown check: confirm vessel stability · duty officer at local manifold
4th: PMS (Power Management System)
  Safe state on shutdown: generators hold current configuration; no automatic load shedding
  Pre-shutdown check: manual generator control confirmed · Chief Engineer present in ECR
5th: Main engine control CBS
  Safe state on shutdown: enters safe state; reduce to minimum safe speed
  Pre-shutdown check: local control panel active · ECR manned · Master order received
Last: ECDIS / bridge navigation CBS
  Safe state on shutdown: retain last position; alert bridge; paper charts and radar only
  Pre-shutdown check: only if the physical limit red line is met · vessel not in restricted waters · explicit Master order
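The three tiers, the red line exceptions and the lowest-to-highest cascade order are simple enough to encode as a fail-closed check that a drill tool or the ECR tablet can run before anyone touches a breaker. The following Python is an added example, not tooling from this playbook or from any class society: the system register, the field names and the message texts are assumptions, and the check deliberately refuses whenever a condition is unconfirmed rather than inferring it.

```python
"""Shutdown authorisation check encoding the three-tier rules, the red line
exceptions and the cascade order. Added example, not the playbook's own tooling;
the register, field names and messages below are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Set


class Tier(IntEnum):
    MUST_RUN = 1       # Category III: Master explicit order only
    CONDITIONAL = 2    # Category II: Chief Engineer, Master aware
    SAFE_TO_STOP = 3   # Category I: ETO own authority, notify Master


# Illustrative register (assumed); a vessel's real list comes from its CBS inventory.
REGISTER = {
    "ECDIS": Tier.MUST_RUN,
    "Main engine control CBS": Tier.MUST_RUN,
    "Steering gear CBS": Tier.MUST_RUN,
    "PMS": Tier.CONDITIONAL,
    "Ballast control CBS": Tier.CONDITIONAL,
    "Crew Wi-Fi": Tier.SAFE_TO_STOP,
    "Admin PCs": Tier.SAFE_TO_STOP,
}
RED_LINES = {"physical limit exceeded", "active backup corruption in progress"}


@dataclass
class Vessel:
    at_sea: bool
    stable_or_anchored: bool = False   # at anchor or in stable open sea
    restricted_waters: bool = False


@dataclass
class Request:
    system: str
    authorised_by: str                        # "Master", "Chief Engineer" or "ETO"
    master_aware: bool = False
    chief_engineer_concurs: bool = False
    manual_control_confirmed: bool = False    # confirmed on the gauges, not assumed
    red_line: Optional[str] = None
    still_running: Set[str] = field(default_factory=set)   # systems currently up


@dataclass
class Decision:
    allowed: bool
    blockers: List[str]   # unmet conditions; any one of them refuses the shutdown
    duties: List[str]     # obligations that follow an allowed shutdown


def authorise(req: Request, vessel: Vessel) -> Decision:
    """Fail closed: every unmet condition is reported and blocks the shutdown."""
    tier = REGISTER[req.system]
    blockers, duties = [], []

    # Cascade rule: never stop a system while a lower-criticality one is still up.
    lower = sorted(s for s in req.still_running
                   if REGISTER.get(s, Tier.SAFE_TO_STOP) > tier)
    if lower:
        blockers.append("shut down first: " + ", ".join(lower))

    if tier is Tier.SAFE_TO_STOP:
        duties.append("notify Master")
    elif tier is Tier.CONDITIONAL:
        if req.authorised_by not in ("Chief Engineer", "Master") or not req.chief_engineer_concurs:
            blockers.append("Chief Engineer concurrence required")
        if not req.master_aware:
            blockers.append("Master must be made aware")
        if not vessel.stable_or_anchored:
            blockers.append("vessel must be at anchor or in stable open sea")
        if not req.manual_control_confirmed:
            blockers.append("manual backup controls must be manned and confirmed functional")
    else:  # MUST_RUN
        if req.authorised_by != "Master":
            blockers.append("explicit Master order required")
        if vessel.at_sea and req.red_line not in RED_LINES:
            blockers.append("at sea only under a red line scenario; isolate the network instead")
        if req.system == "ECDIS" and vessel.at_sea and (
                req.red_line != "physical limit exceeded" or vessel.restricted_waters):
            blockers.append("ECDIS: physical limit red line only, never in restricted waters")
        if not req.manual_control_confirmed:
            blockers.append("local manual control must be confirmed active")
        duties.append("log the red line justification verbatim")
    return Decision(not blockers, blockers, duties)


def plan_sequence(systems: List[str]) -> List[str]:
    """Order a set of authorised shutdowns Tier 3 first, Tier 1 last."""
    return sorted(systems, key=lambda s: REGISTER[s], reverse=True)


if __name__ == "__main__":
    req = Request("Main engine control CBS", "Master", manual_control_confirmed=True,
                  red_line="physical limit exceeded", still_running={"Crew Wi-Fi", "PMS"})
    print(authorise(req, Vessel(at_sea=True)))
```

Run as a drill aid, the check refuses a Tier 1 stop while Tier 2 or Tier 3 hosts are still running and names them, which is exactly the ordering mistake the sequence table exists to prevent.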

The shutdown execution checklist

If a shutdown is authorised by the Master, follow these steps in order for every system being shut down. Do not skip steps under time pressure — they exist to protect the recovery process.

1. Handover to local manual control
Confirm the duty engineer has transferred the affected system to local manual control and has read the values on the physical gauges. Do not shut down until local control is confirmed active, not assumed.
2. Forensic capture before shutdown
If the OS is still responsive, photograph Task Manager (Ctrl+Shift+Esc) showing the active processes, photograph every error screen, and export the last 30 minutes of system log data (syslog, or the event log on the CBS host) to a clean USB drive. This is your only window: whatever is in RAM is lost at power-off. A photograph records what is on screen, not memory contents; if the vessel's procedures provide a memory capture tool, use it here, but never delay a red line shutdown for it.
3. Graceful shutdown; hard cut only if locked
Use the OS shutdown command where possible. Pull the physical power cord only if the system is completely unresponsive: a hard cut on a partially encrypted system can corrupt the file system and make recovery impossible.
4. Tag-out the hardware
Physically label the shut-down hardware “CYBER COMPROMISED — DO NOT RESTART” with the date, time and ETO name. This prevents accidental power-up by other crew and preserves the chain of custody for the post-incident investigation.
5. Log the shutdown immediately
Record in the Cyber Incident Log: system name, shutdown time, method used (graceful or hard cut), justification (for a Tier 1 system, which red line criterion was met; otherwise which tier rule applied), who authorised it, and the state of local manual control at the time of shutdown.
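Step 2 asks for the last 30 minutes of log data on a clean USB drive, and steps 4 and 5 depend on that export being attributable later. The Python below, an added example rather than the playbook's own tooling, cuts a 30-minute window out of a mixed syslog feed and records a SHA-256 of exactly the bytes exported, for the chain of custody. The sample lines are constructed, and the manifest fields and the parse rules (an ISO 8601 prefix or a classic "Mar 12 14:01:07" prefix) are assumptions; lines without a usable timestamp are counted rather than guessed, so the gap is visible in the manifest.

```python
"""Pre-shutdown log window export (checklist step 2) with a custody hash.
Added example, not tooling from the playbook; the sample lines are constructed
and the manifest fields and parse rules are assumptions."""
import hashlib
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def parse_timestamp(line: str, year: int) -> Optional[datetime]:
    """Accept an ISO 8601 prefix (RFC 5424 style) or a classic RFC 3164
    'Mar 12 14:01:07' prefix. Anything else returns None: never guess a time."""
    head = line.split(" ", 1)[0]
    try:
        return datetime.fromisoformat(head).replace(tzinfo=None)
    except ValueError:
        pass
    try:
        # RFC 3164 carries no year; take it from the capture time.
        return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    except ValueError:
        return None


def window(lines: List[str], now: datetime, minutes: int = 30) -> Tuple[List[str], int]:
    """Lines stamped within the last `minutes` up to `now`, in file order,
    plus the count of lines that carried no usable timestamp."""
    start = now - timedelta(minutes=minutes)
    kept, skipped = [], 0
    for line in lines:
        ts = parse_timestamp(line, now.year)
        if ts is None:
            skipped += 1
        elif start <= ts <= now:
            kept.append(line)
    return kept, skipped


def digest(lines: List[str]) -> str:
    """SHA-256 over the bytes actually written: each line followed by a newline."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


def build_export(lines: List[str], now: datetime, system: str,
                 captured_by: str, minutes: int = 30) -> Tuple[List[str], Dict[str, str]]:
    """Select the window and produce the manifest to copy into the Cyber Incident Log."""
    kept, skipped = window(lines, now, minutes)
    manifest = {
        "system": system,
        "captured_at": now.isoformat(timespec="seconds"),
        "window_minutes": str(minutes),
        "lines": str(len(kept)),
        "skipped_no_timestamp": str(skipped),
        "sha256": digest(kept),
        "captured_by": captured_by,
    }
    return kept, manifest


# Constructed sample feed; hostnames and messages are illustrative only.
SAMPLE = [
    "Mar 12 13:55:02 ecdis1 chartsvc: route update accepted",
    "Mar 12 14:01:07 ecdis1 kernel: usb 1-1: new high-speed USB device",
    "2024-03-12T14:17:40 ecdis1 updater: unscheduled service restart requested",
    "partial line with no timestamp",
    "Mar 12 14:29:58 ecdis1 chartsvc: write failed: access denied",
    "Mar 12 14:35:10 ecdis1 chartsvc: heartbeat",
]
CAPTURE_TIME = datetime(2024, 3, 12, 14, 30, 0)   # constructed capture time

if __name__ == "__main__":
    kept, manifest = build_export(SAMPLE, CAPTURE_TIME, "ECDIS", "ETO")
    # In practice the destination is the mounted clean USB drive.
    with open("ecdis_last30.log", "w", encoding="utf-8") as f:
        f.writelines(line + "\n" for line in kept)
    for key, value in manifest.items():
        print(f"{key}: {value}")
```

Write the manifest into the incident log entry alongside the fields step 5 requires; anyone later verifying the USB copy can recompute the SHA-256 and tie the file to the log record and the tag-out label.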

Auditor’s question

“Do you have a list of systems that are safe to shut down during a cyber attack — and who has authority to order each shutdown?”

Your answer: Show the three-tier table and the shutdown sequence table. Point to the authority column — Tier 1 requires explicit Master order, Tier 2 requires Chief Engineer with Master awareness, Tier 3 is ETO own authority. Then show the most recent shutdown drill log entry demonstrating the procedure has been exercised.

Next section: Local & Manual Operation