Post-Incident Malware Scrub
Recovery Objective:
Scan and sanitize all user data, logs, and configuration files before they are re-imported into the newly restored production environment.
Malware often uses “Living off the Land” techniques, hiding inside legitimate-looking files such as PDF manuals or Excel macros. Re-importing these files without scrubbing them can lead to an immediate re-infection loop.
The Sandbox Scan Method
Never scan backup data on the “Live” OT network. Use an isolated, stand-alone “Scanning Station” (usually a dedicated laptop in the ETO office) disconnected from the ship’s Bridge or Engine networks.
Deep Heuristic Scan
Use two different AV engines. One should be signature-based for known threats, and the other behavioral to catch zero-day variants.
Macro Removal
Disable macros in all recovered Office docs. Any essential macro-enabled file must be manually inspected by shore-side IT/SOC.
The Data Sanitization Workflow
Follow this flow for every piece of data returning to the OT network:
1. Identify High-Risk Files: Filter for .exe, .bat, .ps1, and .docm payloads.
2. Offline Scan: Run a full disk scan on the Sandbox Station.
3. Incremental Import: Restore in batches while monitoring for CPU and network spikes.
Evidence for the “Lessons Learned” Report
Under IACS UR E26 §4.4.1.3, the incident response procedures must include the reporting of needed evidence of the incident. Furthermore, per §4.5.1.2, the ETO must ensure that recovery actions do not inadvertently result in the destruction of evidence that could provide valuable information on the causes of an incident. This preserved data is vital for Pillar C: Post-Incident Review.
| File Name | Threat Type | Action Taken |
|---|---|---|
| engine_logs_2026.xlsx | Trojan.Downloader.W97M | Quarantined; Restored from archive. |
| manual_update.exe | Suspicious Heuristic | Deleted; Re-downloaded from OEM. |
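The following script is an added example written for this page; it is not part of any shipboard, OEM or vendor tool. It covers step 1 of the workflow above (flagging high-risk files before they ever reach the Sandbox Station scan) and produces an evidence record in the same three-column layout as the table above, so the scrub leaves a trail for the “Lessons Learned” report. The extension list beyond those named on the page (.xlsm, .pptm), the rule that a VBA project inside an OOXML zip marks a file for manual inspection, the SHA-256 field and the record wording are all assumptions; the sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Triage recovered files before re-import: flag high-risk extensions,
detect VBA macros inside Office (OOXML) containers, and emit an evidence
record per file. Added example; assumptions are noted inline."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Extensions named in the workflow, plus the other macro-enabled OOXML
# variants (assumption: treat .xlsm/.pptm the same way as .docm).
HIGH_RISK_EXT = {".exe", ".bat", ".ps1", ".docm", ".xlsm", ".pptm"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def sha256_of(path: Path) -> str:
    """Hash the file so the evidence record identifies exactly what was held."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_vba_project(path: Path) -> bool:
    """True if an OOXML container carries a VBA project (vbaProject.bin).
    A macro-enabled file renamed to .docx/.xlsx still contains this part,
    so the check looks inside the zip instead of trusting the extension."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def triage_file(path: Path) -> dict:
    """Classify one recovered file and decide what happens to it next."""
    ext = path.suffix.lower()
    record = {"file": path.name, "sha256": sha256_of(path),
              "threat_type": "", "action": "Cleared for offline scan and import"}
    if ext in OOXML_EXT and has_vba_project(path):
        record["threat_type"] = "VBA macro present"
        record["action"] = "Held; manual inspection by shore-side IT/SOC"
    elif ext in HIGH_RISK_EXT:
        record["threat_type"] = "High-risk extension"
        record["action"] = "Held; full AV scan on Sandbox Station before import"
    return record


def triage_tree(root: Path) -> list:
    return [triage_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def to_markdown_table(records: list) -> str:
    """Render records in the layout used by the evidence table on this page."""
    lines = ["| File Name | Threat Type | Action Taken |", "|---|---|---|"]
    for r in records:
        lines.append(f"| {r['file']} | {r['threat_type'] or '-'} | {r['action']} |")
    return "\n".join(lines)


def _write_ooxml(path: Path, with_vba: bool) -> None:
    """Constructed minimal OOXML zip; real documents carry many more parts."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)


def build_sample_tree(root: Path) -> None:
    """Constructed sample of a recovered data set (no real malware involved)."""
    (root / "engine_logs.txt").write_text("2026-01-01 engine ok\n")
    (root / "manual_update.exe").write_bytes(b"MZ" + b"\x00" * 32)
    _write_ooxml(root / "report.docx", with_vba=False)
    _write_ooxml(root / "checklist.docm", with_vba=True)
    _write_ooxml(root / "renamed_macro.docx", with_vba=True)  # macro doc disguised as .docx


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, return records by name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {r["file"]: r for r in triage_tree(root)}


if __name__ == "__main__":
    print(to_markdown_table(list(run_demo().values())))
```

The macro check deliberately runs before the extension check: a renamed macro document would otherwise pass as a harmless .docx, which is exactly the kind of legitimate-looking file the section warns about. Files that pass this triage are still subject to the full offline AV scan in step 2; this script only decides what must be held back for manual review first.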
Professional Integrity Tip
When restoring databases (PMS/AMS history), coordinate with the OEM. They can often provide a “Clean Script” to verify data structure integrity before re-entry.