Part of the RESPOND Playbook
Phase: Respond · All vessels
Satisfies: E26 · E27 · IMO ISM Code §8 · BIMCO v5

Internal Crisis Communication

This guide covers internal communication procedures during a cyber incident — who to notify, in what order, using which channel, and what to say. Communication failure during a cyber incident is often more dangerous than the technical failure itself. Under ISM Code §8, the vessel must have documented emergency communication procedures — this playbook is that procedure for a cyber event.

In a cyber crisis, the ETO must provide a Cyber SITREP (Situation Report) that tells the Master exactly what they need to know: what is broken, what is at risk, and what is being done. The Master cannot make good decisions without accurate information — and the ETO cannot act without Master authorisation. This communication chain is not bureaucracy — it is the command structure that keeps the vessel safe.

Notification sequence — who to notify and when

Notifications happen in parallel with technical response — not after. Use the channel priority table below to select the correct channel based on what is confirmed compromised.

  • 0–5 minutes
    Master
    Verbal on Bridge or by phone. One sentence brief. Do not wait for diagnosis — notify immediately when any anomaly is detected that could affect vessel safety.
  • 5–10 minutes
    Chief Engineer
    If any engine room CBS is affected or manual fallback may be needed. Chief Engineer must be ready to transfer propulsion to local control on short notice.
  • Within 15 minutes
    DPA (shore-side)
    Via out-of-band channel — Iridium, personal mobile, or shore landline. Do not use the vessel’s business email or SATCOM if those networks are suspected compromised.
  • Per SCSRP timeline
    Class / Flag State
    Per SCSRP §6.1.4 notification timeline for Level 3 incidents. DPA coordinates this — ETO provides technical input to the notification.

The plain language rule

When briefing the Bridge, avoid technical acronyms. Use operational analogies that the Master and OOW can immediately act on. The goal is a decision — not an explanation.

Avoid (technical) → Use instead (operational)

  • Avoid: “We have lateral movement in the iDMZ.”
    Use instead: “The infection is spreading from the office computers toward the engine control systems.”
  • Avoid: “Implementing a port-shutdown on the core switch.”
    Use instead: “I am cutting the network link between the Bridge and the Engine Room to stop the infection from reaching the engines.”
  • Avoid: “ECDIS 1 is showing indicators of a logic bomb.”
    Use instead: “ECDIS 1 is unreliable and may give false position data. Switch to ECDIS 2 or paper charts immediately.”
  • Avoid: “The threat actor has C2 persistence via the VSAT uplink.”
    Use instead: “The attacker is still connected to the vessel via the satellite link. I need your authorisation to cut the SATCOM connection.”
  • Avoid: “We need to nuke-and-pave the PMS before RTO expires.”
    Use instead: “The power management system needs to be completely rebuilt from backup. That will take approximately [X hours] during which we need manual generator operation.”

Cyber SITREP scripts

Deliver a SITREP every 30–60 minutes during an active Level 3 incident. These scripts give the ETO the exact language to use — read them verbatim if needed. Consistent language reduces confusion and ensures the Master has accurate information for every decision.

  • Initial SITREP — deliver within first 5 minutes
    “Captain, this is the ETO. I am reporting a [Level 1 / Level 2 / Level 3] cyber event detected at [time] UTC. The affected system is [system name] located [location on vessel]. At this time, [propulsion / steering / navigation] is [unaffected / affected — describe]. I am monitoring the situation and will report again in 15 minutes or immediately if the situation changes. Your awareness is confirmed.”
  • Update SITREP — every 30 minutes during active Level 3
    “Captain, ETO with SITREP update at [time] UTC. Current status: [X] systems confirmed affected, [Y] systems confirmed clean, [Z] systems under assessment. Safety status: propulsion is [normal / on local control], steering is [normal / on manual], ECDIS is [operational / switched to backup / on paper charts]. Actions taken since last report: [describe isolation or containment steps]. Next action: [describe what ETO is about to do and what authorisation is needed]. Estimated time to next update: [30 / 60 minutes].”
  • Action request SITREP — when Master authorisation is required
    “Captain, ETO requesting authorisation for [describe action — e.g. ‘cutting the SATCOM link’ / ‘isolating the engine room monitoring network’ / ‘shutting down ECDIS 1’]. The reason is [plain language explanation]. The consequence will be [what the vessel will lose]. Manual backup is [ready / being prepared]. I need your explicit authorisation before I proceed. Do I have your authorisation?”

Important: The Master’s verbal authorisation must be logged immediately with exact time and the action authorised. Do not proceed without it — and do not proceed before logging it.

What NOT to say on compromised channels

If the vessel’s business network, email system, or SATCOM link is suspected compromised, the attacker may be monitoring all traffic on those systems. Do not transmit the following via any potentially compromised channel:

  • The name or location of the Golden Image backup drive
  • Any passwords or access credentials, even “to help”
  • Confirmation that the backup has not yet been encrypted
  • Which systems are confirmed clean and still operational
  • The vessel’s intended port of refuge or next port call
  • Details of what ransom demand was received or its amount

Communication channel priority

Select the highest available channel from this list. Move down the list only if the channel above it is confirmed compromised or unavailable.

  • 1st
    Face-to-face verbal briefing
    Always available · cannot be intercepted · go to the Bridge or ECR in person if situation allows
  • 2nd
    Sound-powered telephone (Bridge to ECR)
    No network dependency · works during blackout · secure against cyber interception
  • 3rd
    Handheld UHF/VHF radio (vessel internal)
    No ship network dependency · use vessel internal working channel · do not use external VHF channels for sensitive information
  • 4th
    Iridium satellite phone (shore communication)
    Independent of vessel VSAT · use for DPA notification if SATCOM is compromised · keep Iridium number in SCSRP non-digital backup
  • 5th
    Personal mobile via cellular (near coast only)
    4G/5G bypasses ship VSAT entirely · only available within coastal range · confirm coverage before relying on it
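
The notification sequence and the channel priority list above can be combined into one plan: who to notify, by when, and over which trusted channel. The sketch below is an added example, not part of the original playbook. The function names, the onboard/shore "reach" tag and the sample scenario are assumptions made for illustration. The vessel's business email and VSAT are deliberately absent from the channel list, so they can never be selected.

```python
from datetime import datetime, timedelta, timezone

# Channel priority as listed in the playbook, highest first. The "reach" tag
# (onboard vs. shore) is an assumption inferred from each channel's description.
CHANNELS = [
    ("face-to-face", "onboard"),
    ("sound-powered telephone", "onboard"),
    ("handheld UHF/VHF radio", "onboard"),
    ("Iridium satellite phone", "shore"),
    ("personal mobile (cellular)", "shore"),
]

# (recipient, deadline in minutes after detection, reach needed, condition key)
SEQUENCE = [
    ("Master", 5, "onboard", None),
    ("Chief Engineer", 10, "onboard", "engine_room_at_risk"),
    ("DPA", 15, "shore", None),
]  # Class / Flag State follows the SCSRP timeline via the DPA, so it is not timed here.


def pick_channel(reach, unusable):
    """Highest-priority channel with the required reach that is still trusted."""
    for name, channel_reach in CHANNELS:
        if channel_reach == reach and name not in unusable:
            return name
    return None  # no trusted path left: the plan must show this, not hide it


def notification_plan(detected, unusable=frozenset(), engine_room_at_risk=False):
    """Build the ordered list of who to notify, by when (UTC), over which channel."""
    flags = {"engine_room_at_risk": engine_room_at_risk}
    plan = []
    for who, minutes, reach, condition in SEQUENCE:
        if condition is None or flags[condition]:
            plan.append({"notify": who,
                         "by": detected + timedelta(minutes=minutes),
                         "via": pick_channel(reach, unusable)})
    return plan


def overdue(plan, notified, now):
    """Recipients whose deadline has passed without a logged notification."""
    return [step["notify"] for step in plan
            if step["notify"] not in notified and now > step["by"]]


# Constructed scenario: detection at 12:00 UTC, offshore (no cellular coverage).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
PLAN = notification_plan(T0, unusable={"personal mobile (cellular)"}, engine_room_at_risk=True)
```

A `via` value of `None` means every channel with the required reach is marked compromised or unavailable, which is itself something to report to the Master.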

Recommendation to shut down

If you identify a scenario involving physical danger or active backup corruption, advise the Master to authorise a power-down. Do not wait for the scheduled SITREP — interrupt immediately.

Refer to the Red Line criteria for the specific technical triggers required to justify an emergency power-down recommendation.


Master’s advisory

The ETO informs — the Master decides. If the ETO recommends isolating the bridge network, the Master must confirm that the current navigational environment allows for a temporary loss of electronic monitoring before authorising the action.

Every authorisation must be logged with exact time and the specific action authorised. This log is the primary evidence that the command structure defined in the SCSRP was followed — it will be reviewed by Class at the next survey.
