Part of the PROTECT Playbook

Configuration Backups & Golden Images

Regulatory Context: IACS UR E27 (Section 4.6) mandates the creation and secure storage of backups for all critical systems. This module focuses on the “Golden Image” strategy, ensuring that Category II and III systems can be restored to a “Known-Good” state without internet access.

In the middle of the ocean, a system crash or a ransomware infection can be a life-safety issue. You cannot wait for a technician to fly out with a recovery disk. A Golden Image is a complete “snapshot” of a system—OS, drivers, and OT applications—that allows an ETO to rebuild a workstation in less than 30 minutes.

The 3-2-1 Maritime Backup Rule

Standard IT backup rules must be adapted for the high-vibration and disconnected environment of a ship:

3 Copies

Original data + Local backup + Offline vault.

2 Media Types

SSD/NAS and an Optical Disc or encrypted Tape.

1 Off-Ship

A copy kept at the Home Office (updated annually).

What Needs to be Backed Up?

ETOs often prioritize the AMS server but forget the “glue” that holds the network together:

| Asset Type | Backup Method | Frequency |
| --- | --- | --- |
| HMI/Workstations | Full “Golden Image” (Full Disk) | After every major OS/Patch update. |
| PLC/Controllers | Logic & Project Files (.bin, .pro) | Whenever code logic is modified. |
| Switches & Firewalls | Running Configuration (.conf) | After every VLAN or ACL change. |

ETO Recovery Readiness Checklist

Immutable Offline Storage

Backup drives must be disconnected from the network when not in use. Ransomware cannot encrypt a drive that isn’t plugged in.

Restoration Testing

A backup that hasn’t been tested is not a backup. Once a year, perform a “Mock Recovery” on a spare HDD to ensure the image actually boots.

Pro Tip: The “Cold Spare” HDD. For critical bridge PCs, keep a 1:1 clone of the system drive on a physical HDD stored in the ECR. If the primary drive fails, you simply swap the physical cables—no software recovery required.
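
Added example (not part of the original playbook): a small audit that checks a backup inventory against the 3-2-1 rule, the backup-after-change frequencies in the table, and the annual mock recovery described above. The inventory format, field names, asset names and dates are hypothetical and constructed for illustration, and counting the live system as one of the three copies is an assumption.

```python
from datetime import date, timedelta

YEAR = timedelta(days=365)

def backup(media, location, offline, taken):
    return {"media": media, "location": location, "offline": offline, "taken": taken}

# Constructed sample inventory: asset names, dates and field names are hypothetical.
INVENTORY = [
    {"asset": "bridge-hmi-01", "last_change": date(2024, 3, 10),
     "last_restore_test": date(2024, 4, 2),
     "copies": [backup("nas", "ship", False, date(2024, 3, 11)),
                backup("optical", "ship", True, date(2024, 3, 11)),
                backup("ssd", "home-office", True, date(2024, 1, 15))]},
    {"asset": "core-switch-01", "last_change": date(2024, 5, 20),
     "last_restore_test": None,
     "copies": [backup("nas", "ship", False, date(2024, 2, 1))]},
]

def audit(asset, today):
    """Return a list of findings for one asset; an empty list means it passes."""
    copies = asset["copies"]
    onboard = [c for c in copies if c["location"] == "ship"]
    findings = []
    # 3 copies: the live system counts as one (assumption: 'copies' lists backups only).
    if 1 + len(copies) < 3:
        findings.append("fewer than 3 copies")
    # 2 media types across the backup copies.
    if len({c["media"] for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    # 1 off-ship copy, refreshed within the last year.
    if not any(c["location"] != "ship" and today - c["taken"] <= YEAR for c in copies):
        findings.append("no off-ship copy updated within a year")
    # At least one onboard copy must be physically disconnected from the network.
    if not any(c["offline"] for c in onboard):
        findings.append("no offline onboard copy")
    # The onboard backup must postdate the last patch, logic or config change.
    newest = max((c["taken"] for c in onboard), default=None)
    if newest is None or newest < asset["last_change"]:
        findings.append("onboard backup older than last change")
    # Restore test ("mock recovery") at least once a year.
    tested = asset["last_restore_test"]
    if tested is None or today - tested > YEAR:
        findings.append("restore not tested within a year")
    return findings

if __name__ == "__main__":
    for a in INVENTORY:
        print(a["asset"], audit(a, date(2024, 6, 1)) or "OK")
```

An empty findings list means the asset meets every rule on the given date; rerunning with a later date shows when the off-ship copy or the restore test goes stale.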
