Regulatory & Shore-Side Reporting
Response Objective: To fulfill legal and company obligations by providing timely, accurate incident data to the Company Security Officer (CSO) and external authorities.
When the vessel is under cyber-attack, the shore-side office acts as your “Extended Technical Team.” However, they can only help if the information you provide is structured and timely. A delayed report can lead to fines from Port State Control or a denial of entry into port.
The Reporting Timeline
Most maritime cyber-risk frameworks (including BIMCO and IACS) suggest a tiered reporting window based on the severity identified in Pillar A.1.
Immediate (0-2 Hours)
Who: Company Security Officer (CSO).
What: Initial verbal SITREP. Confirmation of Level 3 status and safety of the crew.
Detailed (12-24 Hours)
Who: Flag State, Port State, Class Surveyor.
What: Written report including “Patient Zero” details and current containment status.
The Incident Data Package
The ETO must prepare a “Digital Evidence Bag” to send to the shore-side SOC or the CSO. This should be sent via a Clean Connection (e.g., the Master’s independent satellite phone or a 4G roaming hotspot).
Mandatory Data Points:
- Timestamp: When was the anomaly first detected? (Use UTC.)
- Affected Systems: List all Category II and III systems currently offline.
- IP/MAC Addresses: The addresses of the infected machines and any “Rogue” IPs identified.
- Log Samples: The last 50 lines of the Firewall/Syslog that show the malicious activity.
- Visuals: Photos of “Blue Screens,” Ransomware notes, or erratic console behavior.
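One way to assemble the mandatory data points above into a single manifest, shown as an added example that is not part of the original procedure or any company tooling. The field names, the constructed sample values and the SHA-256 digests (included so the shore-side team can confirm the package arrived unaltered) are assumptions.

```python
from hashlib import sha256
import ipaddress
import json
import re
from datetime import datetime, timezone

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
LOG_TAIL = 50  # the page asks for the last 50 firewall/syslog lines


def build_manifest(detected_at, affected_systems, hosts, log_text, visuals):
    """Assemble the mandatory data points into one JSON-serialisable dict."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time needs a timezone so it can be reported in UTC")
    checked = []
    for host in hosts:
        ip = str(ipaddress.ip_address(host["ip"]))  # ValueError on a malformed address
        mac = host.get("mac")  # may be unknown for a rogue IP
        if mac is not None:
            if not MAC_RE.match(mac):
                raise ValueError(f"malformed MAC address: {mac!r}")
            mac = mac.lower().replace("-", ":")
        checked.append({"ip": ip, "mac": mac, "role": host["role"]})
    tail = log_text.splitlines()[-LOG_TAIL:]  # a shorter log is kept whole
    sample = "\n".join(tail)
    return {
        "first_detected_utc": detected_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "affected_systems": sorted(affected_systems),
        "hosts": checked,
        "log_sample": {"lines": len(tail), "sha256": sha256(sample.encode()).hexdigest(), "text": sample},
        "visuals": [{"name": n, "sha256": sha256(b).hexdigest()} for n, b in sorted(visuals.items())],
    }


# Constructed sample input, not from a real incident.
SAMPLE_LOG = "\n".join(f"fw DROP src=10.20.0.99 dst=10.20.0.{i} dpt=445" for i in range(1, 121))
SAMPLE = build_manifest(
    detected_at=datetime.fromisoformat("2024-03-01T14:05:00+02:00"),
    affected_systems=["System B (Category III)", "System A (Category II)"],
    hosts=[{"ip": "10.20.0.15", "mac": "00-1B-44-11-3A-B7", "role": "infected"},
           {"ip": "10.20.0.99", "mac": None, "role": "rogue"}],
    log_text=SAMPLE_LOG,
    visuals={"ransom_note.jpg": b"constructed image bytes"},
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
```

Rejecting a naive timestamp or a malformed address before sending means the shore-side team does not have to come back with questions over the Clean Connection.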
External Parties to Notify
The Master (supported by the ETO) is responsible for notifying:
- Port State Control (PSC): If the incident affects the vessel’s ability to safely navigate or maneuver within port limits.
- The Flag State: Required if the incident resulted in a partial or total loss of “Essential Services.”
- Equipment Vendors (e.g., Kongsberg, Wärtsilä): To receive emergency patches or remote diagnostic support.
Legal Protection Note:
Under UR E26 §4.4.2, the ETO must not attempt to “fix” or “wipe” a system until the shore-side team has confirmed they have enough data for a forensic investigation. Prematurely wiping a system is considered a failure in regulatory compliance.
