Integrity Verification
Recovery Objective:
Confirm that underlying network infrastructure and embedded controllers (PLCs) have not been modified or compromised with persistent backdoors.
Before reconnecting a restored system to the ship’s network, the ETO must verify the integrity of the environment. Advanced threats can hide in switch firmware or alter PLC logic, waiting for a reboot to re-infect the “clean” workstations.
Step 1: The Infrastructure Audit
Check the “Brains” of your network. If these are compromised, the entire recovery is void.
Switch & Firewall Configs
Compare running configurations against the Known-Good Configs. Look for unauthorized VLANs or “Allow All” firewall rules.
PLC Logic Verification
Perform a Checksum Comparison of PLC logic. If the hash does not match the original, the controller must be reflashed.
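The two Step 1 checks, as an added example that is not part of the original page: a running-config comparison against the Known-Good Config that flags unauthorized VLANs and “Allow All” rules, and a SHA-256 comparison of PLC logic images against a baseline. The config text, PLC images and controller names are constructed for illustration, and the hash algorithm and the ship-specific values are assumptions.

```python
import hashlib
from typing import Dict, List

# Constructed sample configs (not real ship configs): the running config has
# gained an extra VLAN and a "permit ip any any" rule since the baseline.
KNOWN_GOOD_CONFIG = """vlan 10
vlan 20
access-list 100 permit tcp 10.0.10.0 0.0.0.255 10.0.20.5 eq 502
"""
RUNNING_CONFIG = """vlan 10
vlan 20
vlan 99
access-list 100 permit ip any any
access-list 100 permit tcp 10.0.10.0 0.0.0.255 10.0.20.5 eq 502
"""


def audit_config(known_good: str, running: str) -> List[str]:
    """Return findings for every running-config line absent from the baseline,
    classifying unauthorized VLANs and 'Allow All' firewall rules."""
    baseline = {ln.strip() for ln in known_good.splitlines() if ln.strip()}
    findings = []
    for ln in running.splitlines():
        ln = ln.strip()
        if not ln or ln in baseline:
            continue
        if ln.startswith("vlan "):
            findings.append(f"unauthorized VLAN: {ln}")
        elif "permit ip any any" in ln:
            findings.append(f"allow-all rule: {ln}")
        else:
            findings.append(f"unexpected line: {ln}")
    return findings


def verify_plc_logic(baseline_hashes: Dict[str, str], logic_images: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each PLC logic image and compare with the known-good hash.
    A mismatch (or a controller missing from the baseline) means REFLASH."""
    results = {}
    for plc, image in logic_images.items():
        digest = hashlib.sha256(image).hexdigest()
        results[plc] = "OK" if baseline_hashes.get(plc) == digest else "REFLASH"
    return results


# Constructed PLC logic images; the baseline hash is taken from the original image.
ORIGINAL_FUEL_PUMP_LOGIC = b"PID Kp=1.2 Ki=0.4 Kd=0.1 setpoint=55"
TAMPERED_FUEL_PUMP_LOGIC = b"PID Kp=9.9 Ki=0.0 Kd=0.0 setpoint=95"
BASELINE_HASHES = {
    "fuel_pump_plc": hashlib.sha256(ORIGINAL_FUEL_PUMP_LOGIC).hexdigest(),
    "cooling_plc": hashlib.sha256(b"COOLING LOGIC v3").hexdigest(),
}

if __name__ == "__main__":
    for finding in audit_config(KNOWN_GOOD_CONFIG, RUNNING_CONFIG):
        print(finding)
    print(verify_plc_logic(BASELINE_HASHES, {"fuel_pump_plc": TAMPERED_FUEL_PUMP_LOGIC,
                                             "cooling_plc": b"COOLING LOGIC v3"}))
```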
Step 2: Credential Sanitization
Assume every password used during the incident is compromised. Recovery requires a “Clean Slate.”
- Change Service Account Passwords: Especially those used for PLC communication or database logging.
- Reset Admin Credentials: Force a password change for ETO, Chief Engineer, and Master accounts.
- Revoke Remote Access: Disable VSAT-based VPNs until the shore-side SOC gives the “All Clear.”
The “Sanitized for Re-Entry” Checklist
Under UR E26 §4.5.3, complete this verification before “flicking the switch” to bring the OT network live:
| Category | Verification Requirement |
|---|---|
| Firmware Validation | Confirmed that Switch and Router firmware matches approved versions. |
| Account Audit | Verified no “Ghost” or “Guest” accounts were created during the attack. |
| NTP Sync | Ensured system clocks are synced across the OT network for log integrity. |
CRITICAL WARNING:
Do not skip the PLC Logic check. If an attacker has changed the PID loop for a fuel pump or cooling system, the hardware could fail physically even if the workstation looks perfectly “clean.”