Post-Incident Debriefing
Recovery Objective: To analyze the “Root Cause” of the incident and document the timeline to prevent recurrence and improve the ship’s overall Cyber Resilience.
The incident isn’t truly over until the Post-Incident Review (PIR) is complete. This meeting, often called a “Hot Wash,” should happen within 72 hours of the vessel returning to normal operations, while the details are still fresh in the crew’s minds.
The Debriefing Team
The PIR should be led by the ETO but must include the following key personnel to ensure a 360-degree view of the event:
The 5 Key Questions
To avoid a “blame culture,” the ETO should guide the discussion using these objective questions:
- What was the “Patient Zero”? (How did the threat enter the ship?)
- Did the Detect Phase work? (Why did/didn’t our sensors catch it earlier?)
- Was the Respond Phase effective? (Did isolation happen fast enough?)
- Were our backups current? (Did we lose any data during the restore?)
- What is the one thing we change today? (Immediate action item.)
The PIR Report Template
The result of this meeting is a formal report for the Safety Management System (SMS). It must include:
| Section | Required Detail |
|---|---|
| Executive Summary | A 3-sentence overview for management (What, When, Impact). |
| Root Cause Analysis | Technical breakdown: e.g., “Compromised USB on Bridge PC.” |
| Corrective Actions | e.g., “Disabled USB ports on all Bridge workstations.” |
Closing the Loop
The PIR report is the primary evidence used to update the Identify Phase asset risk scores. If a “Low Risk” system was the entry point, its risk level must be elevated in the next audit cycle.
