INCIDENT RESPONSE

Rogue Device Response

Incident Investigation & Isolation Protocol

Doc ID: TAG-OT-CHK-02
Issue Date: Feb 2026
Rev: 1.0

PHASE 1: VERIFICATION

[ ] Compare MAC/IP against Master Asset Inventory. Detected IP: ____________
[ ] Check Port Status on managed switch (ECR/Bridge). Port ID: ____________
[ ] Verify with Crew: Is an OEM Service Engineer currently onboard? Name: ____________
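
One way to run the first Phase 1 check (MAC/IP against the Master Asset Inventory) in software, shown as an added example that is not part of the original checklist. The CSV column names, the verdict labels and every address below are assumptions constructed for illustration.

```python
import csv, io, re

# Constructed inventory; the column names (mac, ip, asset) are assumptions.
INVENTORY_CSV = """mac,ip,asset
02:00:00:AA:10:01,192.0.2.11,Engine control PLC
02-00-00-22-33-44,192.0.2.20,ECR HMI workstation
0200.00c5.0101,192.0.2.30,Bridge ECDIS
"""

# Constructed observations, as transcribed from a managed switch's MAC/ARP table.
OBSERVED = [
    ("02:00:00:aa:10:01", "192.0.2.11"),   # inventoried pair
    ("02:00:00:22:33:44", "192.0.2.99"),   # inventoried MAC, unexpected IP
    ("02:00:00:de:ad:01", "192.0.2.30"),   # unknown MAC on an inventoried IP
    ("02:00:00:de:ad:02", "192.0.2.150"),  # nothing matches
]

def norm_mac(mac):
    """Normalize colon, dash or dotted notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_inventory(text):
    """Return (mac -> ip, ip -> mac) lookups built from the inventory CSV."""
    by_mac, by_ip = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = norm_mac(row["mac"])
        by_mac[mac] = row["ip"].strip()
        by_ip[row["ip"].strip()] = mac
    return by_mac, by_ip

def classify(mac, ip, by_mac, by_ip):
    """Compare one observed MAC/IP pair with the inventory."""
    mac = norm_mac(mac)
    if mac in by_mac:
        return "MATCH" if by_mac[mac] == ip else "KNOWN_MAC_WRONG_IP"
    if ip in by_ip:
        return "UNKNOWN_MAC_ON_INVENTORIED_IP"  # possible IP conflict or swapped device
    return "UNKNOWN_DEVICE"

def verify(observed, inventory_text=INVENTORY_CSV):
    by_mac, by_ip = load_inventory(inventory_text)
    return [(norm_mac(m), ip, classify(m, ip, by_mac, by_ip)) for m, ip in observed]

if __name__ == "__main__":
    for mac, ip, verdict in verify(OBSERVED):
        print(f"{mac}  {ip:<14} {verdict}")
```

A MATCH only shows that the address pair is inventoried; MAC addresses can be changed, so the port status and crew verification checks in Phase 1 still apply.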

PHASE 2: CONTAINMENT

⚠️ DO NOT disconnect critical IACS hardware. Follow these steps for unknown devices only:

  • [ ] Physical Isolation: Trace cable to switch and physically remove the connection.
  • [ ] Logical Isolation: Use the CLI/Web GUI to shut down the specific port.
  • [ ] Quarantine: If the device is a laptop, ensure it is removed from the Engine Room/Bridge space immediately.

PHASE 3: DOCUMENTATION

Incident Description:

Root Cause:
[ ] Unauthorized Vendor Access   [ ] Crew Error   [ ] Potential Cyber Attack   [ ] Other: _________

Investigated By (ETO):

Signature & Date

Verified By (Master):

Stamp & Date

Be Ready for the Unexpected

A rogue device is often the first sign of a breach. Download the Incident Response Playbook, including this checklist and the Evidence Preservation SOP.
