Part of the DETECT Playbook ← Return to Hub
Phase: Detect All vessels
Satisfies: E26E27IMO MSC-FAL.1BIMCO v5

Retention & Integrity Rules

This guide defines log retention periods, storage capacity requirements, and integrity controls to ensure audit records remain available, unmodified, and usable for incident investigation for as long as operationally required. Retention periods are based on NIST SP 800-92 Table 4-1, mapped to E26 CBS categories.

Generating logs is only the first half of the problem. If a malicious actor gains access to the network, their first move is often to clear the logs to hide their tracks. This playbook defines how the ETO must protect the vessel’s forensic record — and how long different types of logs must be kept.

Regulatory position on retention periods

Neither IACS UR E26, UR E27, nor IMO MSC-FAL.1/Circ.3 Rev.3 specify mandatory log retention periods for OT cyber event logs. The standards require that logging capability exists and that logs support incident investigation — but the duration is left to operator policy.

The most applicable published guidance is NIST Special Publication 800-92 — “Guide to Computer Security Log Management” — which provides retention recommendations based on system impact level. A revised version (SP 800-92r1) is currently in draft and will include updated retention guidance when finalised. The table below applies the NIST SP 800-92 Table 4-1 framework to E26 CBS categories.

Operator obligation: Define your vessel’s log retention schedule in the SMS or CSRP and document it in the CSDD. The periods below are recommended minimums based on NIST SP 800-92 — your flag state, P&I club, or Class Society may impose longer requirements. Always check flag state specific guidance.

Log retention — NIST SP 800-92 mapped to E26 CBS categories

NIST SP 800-92 Table 4-1 defines retention periods by system impact level. The mapping below applies those levels to the E26 Category I / II / III classification used on board.

E26 CBS Category NIST Impact Level Recommended Retention Log Rotation Integrity Check Encryption
Category III
Safety-critical CBS — propulsion, steering, power, navigation		 High Impact 3–12 months Every 15–60 min or every 0.5–1 MB Required Required
Category II
Important CBS — cargo, ballast, fire detection, CCTV		 Moderate Impact 1–3 months Every 6–24 hours or every 2–5 MB Required Optional
Category I
General CBS — crew Wi-Fi, administrative IT, non-critical monitoring		 Low Impact 1–2 weeks At least weekly or every 25 MB Optional Optional

Source: NIST SP 800-92 Table 4-1 “Examples of Logging Configuration Settings” (September 2006), mapped to IACS UR E26 CBS category definitions. Retention periods are recommended minimums — operators should apply longer periods where flag state, Class, or P&I requirements exceed these figures.

Log analysis frequency

NIST SP 800-92 also defines how frequently logs should be reviewed — not just retained. On a vessel without a dedicated SOC, the ETO is responsible for local log analysis. The following minimum frequencies apply:

Category III — High Impact
6× per day
At least every 4 hours. Automated alerting strongly recommended — manual review alone is insufficient for Category III systems.
Category II — Moderate Impact
1–2× per day
Every 12–24 hours. Daily review as part of ETO watch routine is sufficient for moderate impact systems.
Category I — Low Impact
Weekly
Every 1–7 days. Weekly review during routine ETO maintenance rounds is acceptable for low impact systems.

Ensuring log integrity

To prevent unauthorised deletion or modification, the ETO must implement the following integrity safeguards. NIST SP 800-92 requires integrity checking for moderate and high impact systems — it is optional for low impact systems.

Write-once configuration

Configure the log database so entries can be appended but never edited or deleted. Even the administrator account should not be able to modify an existing log entry. Use append-only file permissions on Linux syslog servers.

Log service monitoring

Enable an alert that fires if the syslog service stops or if log volume drops to zero unexpectedly. A sudden absence of logs from a Category III system is itself a security event and must be investigated immediately.

Cryptographic integrity checks

For Category III systems, generate a hash (SHA-256) of each rotated log file at the time of rotation. Store the hash separately from the log. This allows verification that archived logs have not been tampered with after the fact.

Vessel-to-shore log transfer

Where vessel hardware could be destroyed or lost — fire, flooding, or sinking — cyber forensic data must survive. NIST SP 800-92 recommends transferring logs to a centralised management infrastructure. On a vessel this means shore-side sync during periods of available connectivity.

  • Category III logs: Transfer at least every 15–60 minutes where VSAT bandwidth allows — or at minimum once per watch period during low-traffic hours.
  • Category II logs: Daily transfer during low VSAT usage periods is sufficient.
  • Compression: Use GZIP compression to minimise satellite bandwidth cost. A typical vessel syslog stream compresses to 5–10% of its original size.
  • Shore-side storage: Retain transferred logs for the same minimum periods as the vessel-side copies — the shore copy supplements, it does not replace, the on-vessel archive.
Auditor’s integrity check

During a survey or E26 compliance review, be prepared to demonstrate the following:

  • Retention policy documented: Show the SMS or CSRP section that defines your vessel’s retention schedule by CBS category.
  • Log server free space: Show the centralised log server’s available disk space — logs cannot be retained if the server is full.
  • Access permissions: Show that the log server is restricted to ETO and authorised roles only — no shared credentials, no crew access.
  • Integrity verification: For Category III systems, demonstrate the hash verification process for at least one recent rotated log file.
  • Backup schedule: Show the log backup schedule and the most recent successful backup timestamp.

Reference: NIST Special Publication 800-92, “Guide to Computer Security Log Management”, Table 4-1 “Examples of Logging Configuration Settings” (September 2006). Available at doi.org/10.6028/NIST.SP.800-92. A revised edition (SP 800-92r1) is currently in draft — when finalised it will supersede the 2006 edition. Neither IACS UR E26, UR E27, nor IMO MSC-FAL.1/Circ.3 Rev.3 specify mandatory retention periods for OT cyber logs — operators should define and document their retention policy in the SMS and verify it against flag state and Class Society requirements.

PREVIOUS:
Centralized Syslog Setup

Next Section

IDS/IPS for OT Networks

IDS/IPS for OT Networks This guide covers the deployment of Intrusion Detection and Prevention Systems in passive mode o...

IDS/IPS for OT Networks →
Login
Login
Scroll to Top