Retention & Integrity Rules
Compliance Requirement: IACS UR E26 requires that security logs be protected from unauthorized deletion or modification and retained for a duration sufficient to support incident investigation.
Generating logs is only the first half of the battle. If a malicious actor gains access to the network, their first move is often to clear the logs to hide their tracks. This playbook defines how the ETO must protect the “Forensic Black Box.”
Log Retention Standards
While local devices may only hold logs for hours, the Centralized Log Server must adhere to the following maritime retention schedule:
Ensuring Log Integrity
To prevent “Log Injection” or unauthorized deletion, the ETO must implement the following Integrity Safeguards:
Write-Once Logic
Configure the Log Database so that entries can be Appended but never Edited. Even the Administrator should not be able to change an existing log entry.
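One way to enforce the append-only rule in software, as an added example that is not part of this playbook: entries are chained by SHA-256 so that a rewritten or removed row is caught at verification time even when someone bypasses the application and edits the storage directly. The hash chain, the class names and the sample events are assumptions of this example; the playbook itself only requires that entries can be appended and never edited.

```python
import hashlib
import json

# Added example (not from the playbook): an append-only log store whose entries
# are chained by SHA-256 so that an edit or a mid-chain deletion is detected when
# the chain is verified. The hash chain is an assumption of this example; the
# playbook only requires that entries can be appended and never edited.

GENESIS_HASH = "0" * 64  # previous-hash value for the very first entry


class AppendOnlyError(Exception):
    """Raised on any attempt to edit or delete an existing entry."""


class AppendOnlyLog:
    def __init__(self):
        self._chain = []  # list of {"seq", "prev", "body", "hash"}

    @staticmethod
    def _digest(prev_hash, body):
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, record):
        """Append one log record (a dict) and return its sequence number."""
        prev_hash = self._chain[-1]["hash"] if self._chain else GENESIS_HASH
        body = json.dumps(record, sort_keys=True)
        entry = {
            "seq": len(self._chain),
            "prev": prev_hash,
            "body": body,
            "hash": self._digest(prev_hash, body),
        }
        self._chain.append(entry)
        return entry["seq"]

    # The public interface offers no way to change history: assignment or
    # deletion through the object raises, even in an administrator session.
    def __setitem__(self, seq, value):
        raise AppendOnlyError("log entries cannot be edited")

    def __delitem__(self, seq):
        raise AppendOnlyError("log entries cannot be deleted")

    def __len__(self):
        return len(self._chain)

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of first bad entry)."""
        prev_hash = GENESIS_HASH
        for entry in self._chain:
            if entry["prev"] != prev_hash or entry["hash"] != self._digest(prev_hash, entry["body"]):
                return False, entry["seq"]
            prev_hash = entry["hash"]
        return True, None

    def last_hash(self):
        """Anchor to copy off-vessel; a stored copy proves the tail was not cut."""
        return self._chain[-1]["hash"] if self._chain else GENESIS_HASH

    def records(self):
        return [json.loads(e["body"]) for e in self._chain]


def simulate_tampering():
    """Constructed demo: someone with direct database access rewrites a row."""
    log = AppendOnlyLog()
    log.append({"src": "ECDIS-1", "event": "admin login", "result": "success"})
    log.append({"src": "FW-BRIDGE", "event": "rule change", "rule": "allow any -> PLC"})
    log.append({"src": "ECDIS-1", "event": "admin logout"})
    intact = log.verify()
    # Bypass the object interface and rewrite the firewall entry in storage.
    log._chain[1]["body"] = json.dumps({"src": "FW-BRIDGE", "event": "heartbeat"}, sort_keys=True)
    tampered = log.verify()
    return intact, tampered
```

The chain catches edits and deletions anywhere except at the very end: simply dropping the newest entries leaves a valid shorter chain. That is why `last_hash()` exists; the value should be recorded somewhere the log server cannot reach (the shore-side copy described under Vessel-to-Shore Sync is the natural place), so that a truncated tail is detected by comparing anchors.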
The “Dead Man’s Switch”
Enable an alert that triggers if the Syslog Service is stopped or if the log volume drops to zero for more than 5 minutes. This identifies if a hacker has disabled the “Black Box.”
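The silence detector described above, as an added example that is not part of this playbook: the monitor is fed every event the collector receives and polled on a schedule; it alerts when the syslog service is reported stopped or when more than 5 minutes pass without any event. The service name `rsyslog`, the systemd check and the constructed timeline are assumptions.

```python
import subprocess
from datetime import datetime, timedelta

# Added example (not from the playbook): a "dead man's switch" for the central
# log server. It raises an alert when the syslog service is reported stopped or
# when no events have arrived for more than SILENCE_LIMIT. The service name
# "rsyslog" and the systemd check are assumptions about the log server host.

SILENCE_LIMIT = timedelta(minutes=5)


class LogFlowMonitor:
    def __init__(self, started_at, limit=SILENCE_LIMIT):
        self.limit = limit
        self.last_event = started_at  # treat monitor start as the last known activity
        self.events_since_poll = 0

    def ingest(self, event_time):
        """Call for every log event the collector receives."""
        if event_time > self.last_event:
            self.last_event = event_time
        self.events_since_poll += 1

    def poll(self, now, service_running=True):
        """Scheduled check (e.g. once a minute). Returns (alert, reason)."""
        volume = self.events_since_poll
        self.events_since_poll = 0
        if not service_running:
            return True, "syslog service is not running"
        silence = now - self.last_event
        if silence > self.limit:
            minutes = int(silence.total_seconds() // 60)
            return True, f"log volume has been zero for {minutes} minutes"
        return False, f"ok: {volume} events since last poll"


def syslog_service_running(service="rsyslog"):
    """Assumption: systemd host; 'systemctl is-active --quiet' exits 0 when active."""
    try:
        result = subprocess.run(["systemctl", "is-active", "--quiet", service])
    except FileNotFoundError:  # no systemctl on this host: report as not running
        return False
    return result.returncode == 0


def run_constructed_scenario():
    """Constructed timeline: one event per minute 10:00-10:07, then silence."""
    t0 = datetime(2024, 1, 1, 10, 0)
    monitor = LogFlowMonitor(started_at=t0)
    for minute in range(8):
        monitor.ingest(t0 + timedelta(minutes=minute))
    results = {}
    for minute in (10, 12, 13):  # poll at 10:10 (3 min quiet), 10:12 (5 min), 10:13 (6 min)
        results[f"10:{minute}"] = monitor.poll(t0 + timedelta(minutes=minute))[0]
    # A stopped service alerts regardless of how recent the last event was.
    results["service_stopped"] = monitor.poll(t0 + timedelta(minutes=8), service_running=False)[0]
    return results
```

In production the poll would be driven by a scheduler that also calls `syslog_service_running()` and passes the result in; the alert should go to a channel the log server does not own (for example the bridge alarm panel or the shore SOC), since a compromised log server cannot be trusted to report its own silence.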
Vessel-to-Shore Sync
For high-risk vessels, IACS UR E26 suggests off-vessel log storage. If the ship’s hardware is physically destroyed (fire/sinking), the cyber forensic data must survive.
- Daily Delta: Sync “High” and “Critical” logs to the company cloud or shore-side SOC during periods of low VSAT usage.
- Data Compression: Use GZIP compression to minimize satellite bandwidth costs.
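The daily delta and compression steps together, as an added example that is not part of this playbook: the vessel side selects only High and Critical entries newer than the last successful sync, gzips them for the satellite link, and records a marker for the next run; the shore side decompresses and parses the bundle. The record layout, the 02:00-04:00 sync window used as the low-VSAT-usage period, and the sample entries are all constructed assumptions.

```python
import gzip
import json
from datetime import time

# Added example (not from the playbook): builds the daily "delta" bundle of
# High/Critical entries not yet sent ashore, gzip-compressed for the satellite
# link. The record layout, the sync window (02:00-04:00 ship local time, assumed
# to be a low-VSAT-usage period) and the sample entries are assumptions.

SYNC_SEVERITIES = {"High", "Critical"}
SYNC_WINDOW = (time(2, 0), time(4, 0))  # assumed low-usage window

# Constructed sample of central log server entries; "seq" is the server's own
# monotonic sequence number.
SAMPLE_LOGS = [
    {"seq": 101, "severity": "Low", "src": "ECDIS-1", "msg": "route plan updated"},
    {"seq": 102, "severity": "Critical", "src": "FW-BRIDGE", "msg": "blocked inbound modbus write from crew wifi"},
    {"seq": 103, "severity": "High", "src": "DC-1", "msg": "10 failed logins for user eto in 60s"},
    {"seq": 104, "severity": "Medium", "src": "PLC-ER", "msg": "config backup completed"},
    {"seq": 105, "severity": "Critical", "src": "LOGSRV", "msg": "syslog service restarted unexpectedly"},
    {"seq": 106, "severity": "High", "src": "FW-BRIDGE", "msg": "rule change by user admin"},
    {"seq": 107, "severity": "Low", "src": "ECDIS-2", "msg": "chart update applied"},
]


def in_sync_window(now_time, window=SYNC_WINDOW):
    """True when the ship's local time of day falls inside the low-usage window."""
    start, end = window
    return start <= now_time < end


def select_delta(entries, last_synced_seq, severities=SYNC_SEVERITIES):
    """Entries created after the last successful sync, High/Critical only."""
    return [e for e in entries if e["seq"] > last_synced_seq and e["severity"] in severities]


def build_sync_bundle(entries, last_synced_seq):
    """Vessel side: gzip blob for the shore SOC plus the marker to store after upload."""
    delta = select_delta(entries, last_synced_seq)
    raw = "\n".join(json.dumps(e, sort_keys=True) for e in delta).encode("utf-8")
    blob = gzip.compress(raw)
    # Advance the marker past every examined entry, not only the ones sent, so
    # the next run does not re-scan Low/Medium entries.
    marker = max((e["seq"] for e in entries), default=last_synced_seq)
    return {"blob": blob, "raw_bytes": len(raw), "count": len(delta), "marker": marker}


def read_sync_bundle(blob):
    """Shore side: decompress and parse the newline-delimited JSON."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line]
```

The marker must only be stored after the shore side has acknowledged the upload; if the link drops mid-transfer and the marker advances anyway, those High/Critical entries are never sent and would be lost with the ship's hardware, which defeats the purpose of off-vessel storage.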