Recover: Restoration & Resilience
IACS UR E26 Control 4.5: Recovery of Essential Services
The road back to “Business as Usual.” Recovery is the process of restoring compromised systems from verified backups and learning from the event. This phase ensures that the vessel is not only restored but is more resilient than it was before the attack.
Recovery — restoring systems you can trust
Recovery is not just restoring a system to working order — it is restoring it to a state you can trust. A system that has been compromised and then simply rebooted is not recovered; it may be running the same malware with a fresh process ID. Genuine recovery means restoring from a verified backup to a known-good configuration, confirming the system’s integrity before reconnecting it to the network, and documenting every step so there is an auditable record of what was done and by whom.
The playbooks in this phase cover the full recovery cycle — maintaining Golden Images of CBS configurations, verifying backup integrity before you need to use them, executing a controlled restoration, scrubbing for residual malware, and conducting the Post-Incident Review that turns the experience into an improvement to the vessel’s security posture. This cycle applies to every vessel that has networked systems onboard, not just those subject to IACS UR E26.
The Post-Incident Review is often treated as an administrative obligation — a box to tick after the crisis has passed. It is actually the most operationally valuable part of the recovery phase. Understanding what happened, why the detection or response fell short, and what change would prevent recurrence is how a vessel’s cyber resilience genuinely improves over time rather than remaining static between surveys.
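The integrity check described above (restore only from a verified Golden Image, confirm the restored system matches it before reconnecting, and keep an auditable record of who checked what), as an added example that is not part of the original page or of any IACS document. The manifest format, the JSON audit line, the file contents and the asset name “ECDIS-1” are all constructed for illustration.

```python
"""Golden Image integrity check: record a SHA-256 manifest when the image is
approved, verify a restored copy against it before the CBS goes back on the
network, and write one auditable log line for the recovery record.
Files are passed as {relative_path: bytes} so the example runs offline;
load_tree() shows how to read a real directory the same way."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from pathlib import Path

def load_tree(root: Path) -> dict[str, bytes]:
    """Read every file below root into {relative_path: content}."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_manifest(tree: dict[str, bytes]) -> dict[str, str]:
    """Per-file SHA-256 digests, taken once when the Golden Image is approved."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(tree.items())}

def verify_tree(tree: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree with the approved manifest.
    modified   = content digest differs from the approved one
    missing    = listed in the manifest but absent from the restore
    unexpected = present in the restore but never part of the image"""
    result = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in tree:
            result["missing"].append(path)
        elif not hmac.compare_digest(hashlib.sha256(tree[path]).hexdigest(), expected):
            result["modified"].append(path)
    result["unexpected"] = sorted(set(tree) - set(manifest))
    return result

def is_clean(result: dict[str, list[str]]) -> bool:
    """Reconnect only when every category is empty."""
    return not any(result.values())

def audit_entry(asset: str, operator: str, result: dict[str, list[str]], now=None) -> str:
    """One JSON line for the recovery log: when, which asset, who, and the verdict."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return json.dumps({"time": ts, "asset": asset, "operator": operator,
                       "verdict": "PASS" if is_clean(result) else "FAIL", **result})

# Constructed sample: the approved image versus a restore in which one config
# file was altered and one file appears that the image never contained.
GOLDEN = {"etc/ecdis.conf": b"route_source=approved\n", "bin/display": b"\x7fELF-stub"}
RESTORED = {"etc/ecdis.conf": b"route_source=unknown\n",
            "bin/display": b"\x7fELF-stub", "bin/helper": b"not-in-image"}
```

A restore test as in the quarterly tip is the same call: `verify_tree(load_tree(restored_root), manifest)` must return a PASS before the workstation is considered recovered.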
Phase Objective: The Clean-Room Restoration
Recovery is a race against the clock. We focus on Immutable Backups and Sanitized Re-entry — restoring systems in a “Sandbox” to ensure we don’t accidentally re-infect the OT network.
Backup & Restore
Maintaining “Golden Images” and executing the technical restoration of Category II and III assets.
Forensic Clean-Up
Verifying system integrity and scanning restored data for hidden backdoors before full re-activation.
Post-Incident Review
The “Lessons Learned” phase. Updating risk assessments and security plans based on the incident findings.
Resilience Tip for ETOs:
A backup is only as good as its last Restore Test. Every quarter, pick one non-critical workstation and perform a full restore from your “Golden Image” to ensure the process actually works in the middle of the ocean.
