Part of the RECOVER Playbook

Integrity Verification

Recovery Objective: To confirm that the underlying network infrastructure and embedded controllers (PLCs) have not been modified or compromised with persistent backdoors.

Before reconnecting a restored system to the ship’s network, the ETO must verify the Integrity of the environment. Advanced threats can hide in the firmware of a network switch or change the logic of a PLC, waiting for the system to reboot to re-infect the “clean” workstations.

Step 1: The Infrastructure Audit

Check the “Brains” of your network. If these are compromised, the entire recovery is void.

Switch & Firewall Configs

Compare the running configuration of your switches against the Known-Good Configs stored in the Identify Phase. Look for unauthorized VLANs or “Allow All” firewall rules.

PLC Logic Verification

For critical machinery, use the vendor’s tool to perform a “Checksum Comparison” of the PLC logic. If the hash doesn’t match the original, the controller must be reflashed.
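As an added example (not part of this playbook and not a vendor's tool), the script below implements the Step 1 checks in Python: it compares a constructed running switch config against a constructed known-good config from the Identify phase, flags unauthorized VLANs, "Allow All" rules and golden lines that have gone missing, and hashes a firmware image or PLC logic export for the checksum comparison. The hostnames, VLAN numbers and access-list lines are made-up sample data.

```python
import hashlib
import re

# Constructed sample: known-good config stored during the Identify phase (not a real ship's config)
GOLDEN_CONFIG = """\
hostname br-sw01
vlan 20
 name ENGINE_CONTROL
interface GigabitEthernet0/1
 switchport access vlan 20
access-list 101 permit tcp 10.20.0.0 0.0.0.255 host 10.20.0.5 eq 502
access-list 101 deny ip any any
"""

# Constructed sample: running config read back from the same switch after restoration
RUNNING_CONFIG = """\
hostname br-sw01
vlan 20
 name ENGINE_CONTROL
vlan 99
 name MGMT2
interface GigabitEthernet0/1
 switchport access vlan 20
access-list 101 permit ip any any
access-list 101 deny ip any any
"""

def audit_switch_config(golden, running):
    """Flag unauthorized VLANs, allow-all rules, and golden lines that went missing."""
    golden_vlans = set(re.findall(r"^vlan (\d+)", golden, re.M))
    running_vlans = set(re.findall(r"^vlan (\d+)", running, re.M))
    findings = []
    for vid in sorted(running_vlans - golden_vlans, key=int):
        findings.append(f"unauthorized VLAN {vid} present in running config")
    for line in running.splitlines():
        # 'permit <proto> any any' is the "Allow All" rule the audit looks for
        if re.search(r"\bpermit\s+\S+\s+any\s+any\b", line):
            findings.append(f"allow-all rule: {line.strip()}")
    for line in sorted(set(golden.splitlines()) - set(running.splitlines())):
        findings.append(f"golden line missing from running config: {line.strip()}")
    return findings

def firmware_digest(image):
    """SHA-256 of a firmware image or PLC logic export, for checksum comparison."""
    return hashlib.sha256(image).hexdigest()

def firmware_approved(image, approved_digests):
    """Checklist item 'Firmware Validation': digest must be on the approved list."""
    return firmware_digest(image) in approved_digests
```

Run `audit_switch_config(GOLDEN_CONFIG, RUNNING_CONFIG)` and treat any non-empty result as a blocker for reconnecting the switch; an empty list means no drift from the golden config.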

Step 2: Credential Sanitization

Assume every password used during the incident is compromised. Recovery requires a “Clean Slate” for access control.

  • Change Service Account Passwords: Especially those used for PLC communication or database logging.
  • Reset Admin Credentials: Force a password change for the ETO, Chief Engineer, and Master accounts.
  • Revoke Remote Access: Disable all VSAT-based VPNs until the shore-side SOC gives the “All Clear.”

The “Sanitized for Re-Entry” Checklist

Under UR E26 §4.5.3, the ETO must complete this verification before “flicking the switch” to bring the OT network live:

  • Firmware Validation: Confirmed that switch and router firmware matches approved versions.
  • Account Audit: Verified that no “Ghost” or “Guest” accounts were created during the attack.
  • NTP Sync: Ensured system clocks are synced. Forensic analysis is impossible if logs have different times.

Critical Warning:

Do not skip the “PLC Logic” check. If an attacker has changed the PID loop for a fuel pump or cooling system, the hardware could fail physically even if the workstation looks perfectly “clean” and recovered.
