Part of the RECOVER Playbook
Phase: Recover · All vessels
Satisfies: E26, E27, IEC 62443

Integrity Verification

This guide provides the post-recovery verification process for confirming that restored systems are operating correctly, their security functions are intact, and no malware persistence mechanisms remain. Under IACS UR E26 §4.5.3, no CBS may be returned to active service until integrity has been formally verified and sign-off obtained from the ETO and Chief Engineer.

Before reconnecting a restored system to the ship’s network, the ETO must verify the integrity of the environment. Advanced threats can hide in switch firmware or modify PLC logic, waiting for a reboot to re-infect the clean workstations. A system that looks clean on the surface may still be compromised at the firmware or controller level. This verification sequence closes that gap.

Step 1 — Infrastructure audit

Check the network infrastructure first. If switches, firewalls, or PLCs are compromised, reconnecting clean workstations will immediately re-infect them. This step must happen before any CBS workstation is powered back on and connected.

Switch and firewall configuration

Export the running configuration from every managed switch and firewall. Compare line by line against the known-good baseline stored in your Configuration Backup (§4.4.3). Look specifically for:

  • Unauthorised VLANs added or existing VLANs reassigned
  • Any firewall rule with source=ANY or destination=ANY
  • Default-deny rule missing or moved from last position
  • New port forwarding or NAT rules not in the baseline
  • Firmware version different from the approved baseline
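The five checks above, as an added example that is not part of the playbook: a small Python audit that parses a running-config export and a baseline export and reports every delta. It assumes a simplified, constructed IOS-like syntax (`version X`, `vlan N`, `access-list NAME permit|deny SRC DST`, `ip nat ...`); real vendor exports differ, so the parser would need adapting to the switch and firewall actually fitted.

```python
import re
# Constructed sample exports (not from a real vessel), simplified IOS-like syntax:
# "version X", "vlan N", "access-list NAME <permit|deny> SRC DST", "ip nat ...".
BASELINE = """\
version 15.2(7)E4
vlan 10
access-list OT_IN permit 10.10.20.0/24 10.10.10.0/24
access-list OT_IN deny any any
"""
RUNNING = """\
version 15.2(4)E1
vlan 10
vlan 99
access-list OT_IN permit 10.10.20.0/24 10.10.10.0/24
access-list OT_IN deny any any
access-list OT_IN permit any 10.10.10.5/32
ip nat inside source static tcp 10.10.10.5 3389 203.0.113.10 3389
"""

def parse(cfg):
    # Extract only the fields the audit compares; other lines are ignored.
    vlans, rules, nat, version = set(), [], [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"version (\S+)$", line):
            version = m.group(1)
        elif m := re.match(r"vlan (\d+)$", line):
            vlans.add(int(m.group(1)))
        elif m := re.match(r"access-list \S+ (permit|deny) (\S+) (\S+)$", line):
            rules.append(m.groups())  # (action, src, dst) in config order
        elif line.startswith("ip nat "):
            nat.append(line)
    return {"version": version, "vlans": vlans, "rules": rules, "nat": nat}

def audit(running_cfg, baseline_cfg):
    # Returns a list of findings; an empty list means no delta from baseline.
    run, base = parse(running_cfg), parse(baseline_cfg)
    findings = []
    if run["version"] != base["version"]:
        findings.append(f"firmware {run['version']} != baseline {base['version']}")
    for v in sorted(run["vlans"] - base["vlans"]):
        findings.append(f"unauthorised VLAN {v}")
    for action, src, dst in run["rules"]:
        if action == "permit" and "any" in (src, dst):
            findings.append(f"permit rule with ANY: {src} -> {dst}")
    if not run["rules"] or run["rules"][-1] != ("deny", "any", "any"):
        findings.append("default-deny missing or not the last rule")
    for line in run["nat"]:
        if line not in base["nat"]:
            findings.append(f"NAT/port-forward rule not in baseline: {line}")
    return findings
```

Any non-empty result is a halt condition for that device; the sample running config trips all five checks.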

PLC and controller logic verification

Perform a checksum comparison of PLC logic against the approved baseline. If the hash does not match, the controller must be reflashed from the OEM-supplied baseline before any physical machinery is operated.

  • Export current PLC program and generate SHA-256 hash
  • Compare against baseline hash stored in Configuration Backup
  • Any mismatch — halt, isolate, contact OEM immediately
  • Do not operate any mechanical system driven by a PLC until logic is verified

Critical — do not skip the PLC logic check. If an attacker has modified the PID loop for a fuel pump, cooling system, or steering actuator, the machinery could fail physically even if the workstation appears perfectly clean. PLC logic verification is non-negotiable before any propulsion or power management system is restarted.
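The PLC checksum comparison above, as an added example that is not part of the playbook. It assumes a constructed baseline manifest (controller tag to SHA-256 of the approved program export) and constructed current exports; a controller is cleared only on an exact match, and a controller with no baseline record, or one that was never exported, is also treated as a halt.

```python
import hashlib

# Constructed baseline manifest (not a real vessel record): controller tag ->
# SHA-256 of the approved program export, as held in the Configuration Backup.
BASELINE_MANIFEST = {
    "PLC-FUELPUMP-01": hashlib.sha256(b"approved fuel pump logic v3").hexdigest(),
    "PLC-STEERING-01": hashlib.sha256(b"approved steering logic v7").hexdigest(),
}

# Constructed current exports, as the bytes read back from each controller.
CURRENT_EXPORTS = {
    "PLC-FUELPUMP-01": b"approved fuel pump logic v3",
    "PLC-STEERING-01": b"approved steering logic v7 + extra rung",  # modified
    "PLC-BALLAST-02": b"undocumented program",                    # no baseline
}

def sha256_hex(data):
    h = hashlib.sha256()
    h.update(data)
    return h.hexdigest()

def verify_plc_logic(exports, manifest):
    # Returns (ok_to_operate, report). Only an exact hash match clears a
    # controller; any other outcome is a halt-and-isolate condition.
    report = {}
    for tag, data in exports.items():
        expected = manifest.get(tag)
        if expected is None:
            report[tag] = "HALT: no baseline record - isolate, contact OEM"
        elif sha256_hex(data) != expected:
            report[tag] = "HALT: hash mismatch - isolate, reflash from OEM baseline"
        else:
            report[tag] = "OK: matches baseline"
    # Controllers in the baseline but never exported were not verified at all.
    for tag in manifest.keys() - exports.keys():
        report[tag] = "HALT: not exported - cannot verify"
    ok = all(v.startswith("OK") for v in report.values())
    return ok, report
```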

Step 2 — Credential sanitisation

Assume every credential that existed on or was used to access an affected system during the incident is compromised. Recovery requires a clean slate on all accounts — not just the ones you know were used by the attacker.

  • Rotate all service account passwords: especially those used for PLC communication, database logging, OEM remote access, and syslog forwarding. Service accounts are the most commonly overlooked credential after an incident.
  • Reset all named user accounts on affected CBS: force password change for ETO, Chief Engineer, Master, and any OEM or contractor accounts on affected systems. If MFA tokens were used on affected systems, revoke and reissue them.
  • Audit for ghost accounts: run net user on every recovered Windows CBS workstation. Any account not in the current crew list or CBS user register must be deleted immediately and documented in the incident log.
  • Revoke all remote access sessions: disable all VSAT-based VPN tunnels and OEM remote access capabilities until the shore-side SOC or DPA gives a confirmed all-clear. A single persistent OEM session can reintroduce the threat the moment the network is reconnected.
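The ghost-account audit above, as an added example that is not part of the playbook: it parses the output of `net user` from a recovered workstation and cross-references it against the CBS user register. The `net user` text and the register are constructed samples, and the parser assumes account names without spaces.

```python
# Windows accounts created by the OS itself; excluded from the ghost list so
# the ETO can review them separately (e.g. confirm Guest is disabled).
WINDOWS_BUILTINS = {"Administrator", "DefaultAccount", "Guest", "WDAGUtilityAccount"}

# Constructed example of `net user` output from a recovered CBS workstation.
NET_USER_OUTPUT = """\
User accounts for \\\\ECDIS-01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           eto
Guest                    oem_support              svc_plc
WDAGUtilityAccount       winupdate_svc
The command completed successfully.
"""

# Constructed CBS user register for this workstation: current crew list plus
# the approved service and OEM accounts.
CBS_USER_REGISTER = {"eto", "svc_plc", "oem_support"}

def parse_net_user(output):
    # Account names sit between the dashed separator and the trailing status
    # line, in whitespace-separated columns.
    accounts, in_table = set(), False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table:
            accounts.update(line.split())
    return accounts

def find_ghost_accounts(output, register, builtins=WINDOWS_BUILTINS):
    # Any account on the host that is in neither the register nor the built-in
    # set is a ghost account: delete it and record it in the incident log.
    return sorted(parse_net_user(output) - register - builtins)
```

In the sample, `winupdate_svc` is the ghost: a plausible-looking name is exactly why the check is a set difference against the register, not a visual scan.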

Step 3 — System-by-system verification checklist

Complete this verification for every CBS being returned to service. Do not batch-reconnect systems — verify and reconnect one at a time, monitoring for anomalies after each reconnection before proceeding to the next.

| Verification area | Check required | Expected result | Sign-off |
|---|---|---|---|
| Firmware version | Compare firmware version on switch, firewall, and any embedded controllers against the approved baseline in the software register | Exact match — no delta | ☐ ETO |
| PLC logic hash | Export current PLC program, generate SHA-256 hash, compare against Configuration Backup baseline | Hash matches — no modification | ☐ ETO + CE |
| Firewall ruleset | Export running config, compare against known-good baseline — check for ANY rules and default-deny position | No delta from baseline | ☐ ETO |
| VLAN configuration | Run show vlan brief on core switch — compare against network diagram in CSDD | No unauthorised VLANs | ☐ ETO |
| User accounts | Run net user on each CBS workstation — cross-reference against current crew list and CBS user register | No ghost or unknown accounts | ☐ ETO |
| NTP synchronisation | Verify all CBS clocks are synchronised to the vessel NTP server — check syslog timestamps are consistent across devices | All devices within 60s of NTP server | ☐ ETO |
| Scheduled tasks and services | Run schtasks /query and sc query type= all — compare against pre-incident baseline | No unknown entries | ☐ ETO |
| Network isolation test | Ping test from each zone to confirm VLAN isolation is intact — IT zone must not reach OT core, crew Wi-Fi must not reach bridge VLAN | Cross-zone pings fail | ☐ ETO |
| Syslog operational | Confirm centralised syslog is receiving events from all CBS — generate a test event and verify it appears in the syslog within 60 seconds | All CBS logging to syslog | ☐ ETO |
| System function test | Functional test of each CBS — ECDIS position display, PMS load display, steering response — before reconnection to ship network | Normal function confirmed | ☐ ETO + CE |

Step 4 — Network reconnection sequence

Reconnect systems in priority order — Category III systems last, only after all lower-category systems are verified clean. Monitor syslog actively for 30 minutes after each reconnection before proceeding.

1. Reconnect network infrastructure — Switches and firewall only. Confirm no anomalous traffic on syslog for 10 minutes before proceeding.
2. Reconnect Category I systems — Crew Wi-Fi, office PCs, administrative systems. Monitor 15 minutes. If any anomaly appears — halt and investigate before proceeding.
3. Reconnect Category II systems — Ballast, bilge, cargo monitoring. Confirm local manual control remains active during reconnection. Monitor 15 minutes.
4. Reconnect Category III systems — Master order required — ECDIS, propulsion CBS, PMS, steering. Only after all prior steps are complete and 30 minutes of clean syslog confirmed post-Cat II reconnection. ETO and Chief Engineer both present.

Step 5 — Return to service sign-off

Under E26 §4.5.3, no CBS returns to active service without formal sign-off. The sign-off record is retained in the vessel SMS and submitted with the PIR report to Class.

ETO sign-off
All verification steps completed · no anomalies found · systems functioning normally · syslog confirming clean state
Chief Engineer sign-off
PLC logic verified · propulsion and power systems functioning at local level · safe to transfer back to CBS control
Master authorisation
Both sign-offs received · vessel operational state permits return to CBS control · authorises reconnection of Cat III systems
