Part of the RECOVER Playbook ← Return to Hub
Phase: Recover All vessels
Satisfies: E26E27IMO MSC-FAL.1

Golden Image Management

This guide establishes the creation, secure storage, verification, and restoration of complete system images for all Category II and III CBS — enabling restoration to a known-good state within the defined Recovery Time Objective. Under IACS UR E26 §4.5.1, the vessel must maintain documented recovery capability for all in-scope CBS. The Golden Image is the technical implementation of that requirement.

In a ransomware scenario the ETO does not waste time attempting to clean infected files. The correct response is nuke and pave — wipe the drive completely and restore from a Golden Image: a pre-configured, hardened, and cryptographically verified snapshot of the system in its known-clean state. This procedure only works if the Golden Image was created correctly, stored offline, and kept current with OEM updates.

What a Golden Image must contain

A Golden Image is a complete system snapshot — not just an OS backup. For maritime OT workstations it must contain all four of these components or the restored system will not function correctly.

1 — Hardened operating system

Windows or Linux with all unnecessary services disabled — Bluetooth, Xbox services, file sharing, remote registry, Telnet. Captured after hardening and before any OEM application is installed. This is the clean baseline layer.

2 — OEM application and drivers

The exact OEM-approved version of the CBS application, serial-to-USB or PLC interface drivers, and any middleware required for the system to communicate with vessel hardware. Version numbers must match the software register.

3 — Configuration and licence files

System-specific configuration files, licence keys, calibration data, and any network settings unique to this vessel. Without these the restored system will start but will not function as the original — it will appear clean but will require manual reconfiguration that can take days.

4 — Security baseline settings

Access control configuration, local user accounts (with hashed passwords, not plain text), firewall or host-based rules, and audit logging configuration. Restoring the OS without these restores the security settings to factory defaults — likely insecure.

Image creation procedure

Create the Golden Image on a clean, air-gapped workstation — never on the live vessel network. The creation process must be witnessed by the ETO and documented with a MoC entry.

1
Start from a verified clean system — The source system must be confirmed malware-free before imaging. Run the full sandbox scan procedure (see Post-Incident Malware Scrub) and confirm zero detections. Do not image a system that was connected to the vessel network during an incident without full scrub first.
2
Use OEM-approved imaging tool — Use the tool specified by the OEM for that CBS wherever possible. If no OEM tool is specified, Clonezilla (open source, air-gapped capable) is the recommended default. Document the tool name and version used in the image record.
3
Generate SHA-256 hash immediately after creation — On Windows: Get-FileHash -Algorithm SHA256 [imagefile] · On Linux: sha256sum [imagefile]. Record the hash in the image inventory. This hash is the only way to verify the image has not been tampered with or corrupted in storage.
4
Label the physical media clearly — Label with: CBS name, system ID, image date, OS version, OEM application version, and SHA-256 hash (first 8 characters). Use a permanent marker and a printed label — not sticky labels that fall off in humid ECR environments.
5
Store offline immediately — Place the media in the ECR safe or a locked cabinet. Never leave a Golden Image drive connected to any network or powered USB hub. Ransomware specifically targets mapped drives and connected storage during encryption.

The 3-2-1 storage rule — maritime version

To comply with UR E26 §4.5.1, Golden Images must be stored following this protocol. All three conditions must be met simultaneously — not as alternatives.

3
Copies
Redundancy — three complete copies Original on the source system (or server) · one local copy in the ECR safe · one shore-side copy held by the DPA or technical superintendent. If the vessel is lost, the shore copy enables Class to confirm what the vessel’s CBS state was.
2
Media types
Different physical media types Store on two different media — for example, an internal SSD and a ruggedised external USB drive. If one media type fails (USB drives fail in humid environments), the other copy is recoverable.
1
Offline
At least one copy completely air-gapped Physically disconnected from all networks and powered storage at all times — locked in the ECR safe. This is the copy used for ransomware recovery. It must never be connected to any network while the vessel is in normal operation.

Critical ETO warning

Never store your Golden Image on a drive that is permanently mapped (assigned a drive letter) to the vessel network. Ransomware is specifically designed to find and encrypt all mapped drives before attacking the primary system. Disconnect after sync — every time.

Image refresh schedule

A Golden Image that is 18 months old will restore correctly but will require extensive patching before the system is current — and may not include OEM updates that fixed critical bugs. Keep images current with this refresh schedule.

Trigger Action required Notes
OEM firmware or software update applied Refresh image within 30 days of update Old image restores a vulnerable version — defeats the purpose of patching
Post-incident recovery complete Refresh image after integrity verification sign-off The old image captured the vulnerable state — the new baseline is post-remediation
Annual — regardless of changes Refresh all Cat II and III images at annual survey preparation Gives Class surveyor a current image inventory dated within 12 months
Configuration change (MoC event) Refresh image after MoC is completed and verified Image must reflect the current configuration — not the pre-change state

Image inventory — Class audit evidence

Class surveyors require proof of recovery maturity. Use this tracking structure for all Category II and III assets. The inventory must be current — an image dated more than 12 months ago without a documented refresh reason is a finding.

Asset ID Cat. Image date OS / App version Storage location SHA-256 (first 8) Verified
ECDIS-MASTER-01 III 2026-02-15 Win10 LTSC / Transas v5.2 ECR Safe #2 a3f29b1c ✓ 2026-03-01
PMS-SERVER-01 III 2026-01-20 Win Server 2019 / Kongsberg v8.1 ECR Safe #2 + Shore office e9114db2 ✓ 2026-02-01
BALLAST-HMI-01 II 2025-11-10 Win7 Embedded / Wärtsilä v4.3 Server Room cabinet b77c2a19 ⚠ Due refresh

Restoration reminder

Before using a Golden Image for recovery, always verify the SHA-256 hash against the image inventory record. A hash mismatch means the image has been corrupted or tampered with — do not restore from a mismatched image. Contact the DPA to retrieve the shore-side copy.

After restoration is complete and the system passes integrity verification, refresh the Golden Image immediately. The old image captured the pre-incident state which may contain the vulnerability that caused the incident.

PREVIOUS:
RECOVER

Next Section

Offline Backup Verification

Offline Backup Verification This guide defines the offline backup rotation strategy and periodic verification process, e...

Offline Backup Verification →
Login
Login
Scroll to Top