Recovery Execution & Verification

Part of the RECOVER Playbook ← Return to Hub

Phase: Recover All vessels

Satisfies: E26E27IMO MSC-FAL.1

Recovery Execution & Verification

This guide covers the operational execution of CBS recovery within defined RTO and RPO targets — from incident declaration through manual fallback activation, controlled restoration using Golden Images, system verification before re-activation, and survey-ready logging. Prerequisites: RTO and RPO values must already be established in your CBS Recovery Register (see Identify → RTO & RPO Determination).

When a cyber incident compromises a CBS, the clock starts immediately. This guide gives the ETO and Chief Engineer the step-by-step execution sequence to restore systems within their defined RTOs, verify integrity before returning to service, and produce the documented evidence a Class surveyor will require. The methodology behind your RTO/RPO values is covered in the Identify Playbook → RTO & RPO Determination.

Safety First — Navigation and Propulsion Take Priority

E26 §4.5.1.3 is explicit: the operation and navigation of the ship shall be prioritized. Category III systems — ECDIS, Main Engine Control, PMS, Steering — must be recovered or their manual fallbacks activated before any Category II restoration work begins. Never delay manual fallback activation to attempt a digital recovery.

Recovery Decision Flow

The first two minutes of a cyber incident determine whether recovery stays within RTO. The Master, ETO and Chief Engineer must know this decision flow by drill — not by reading it for the first time during an actual event.

Seven-step CBS recovery execution sequence under IACS UR E26 §4.5.1.3 — from incident declaration through manual fallback activation, Golden Image restore, integrity verification, and survey-ready log entry, with separate guidance for at-sea and in-port RTO windows

The seven-step sequence is designed to be read once and then executed from memory — not consulted mid-incident. The colour coding follows the emotional arc of an incident response: red for the high-stress declaration phase, moving through amber assessment, purple isolation, navy fallback, and finally teal and green for the controlled restore and verification phases.

Step 4 — fallback activation — is full-width in the diagram deliberately. It is the step most crews skip in the rush to attempt digital recovery, and it is the step that causes the most harm when skipped. Activating manual fallback for Category III systems before attempting any CBS restoration buys time, maintains vessel safety, and prevents a recovery attempt from making the situation worse.

Step 7 — the log entry — is the step that determines whether the incident response was recoverable from a Class survey perspective. An incident that was perfectly executed but not documented is indistinguishable from an incident that was not handled at all.

<< Click the diagram to expand at full resolution

Incident → Recovery Decision Tree

DECLARE — Confirm cyber incident, notify Master and DPA

Master activates the Cyber Incident Response Plan. DPA notified ashore. Class notification initiated per SCSRP Section 6.1.4. Clock starts — RTO countdown begins.

ASSESS — Identify affected CBS and operational state of vessel

What systems are compromised? What is the vessel’s current operational state — open ocean, coastal, port approach, alongside? Operational state determines which RTOs are active. Refer to your CBS Recovery Register.

ISOLATE — Contain the incident before it spreads

Activate network isolation procedures per SCSRP Section 6.3. Disconnect affected CBS from ship network. Prevent lateral movement to unaffected systems. Do not attempt recovery on a live network.

FALLBACK — Activate manual operation for Category III systems immediately

Do not wait for digital recovery before activating manual fallback. Transfer ECDIS navigation to paper charts. Transfer propulsion to local control stand. Transfer power management to manual breaker operations. Fallback endurance clock starts — refer to SCSRP Section 6.2.

RESTORE — Execute controlled recovery using Golden Image

Retrieve offline Gold Copy media from secure storage. Execute nuke-and-pave procedure per Recover → Golden Image Management. Verify Gold Copy hash before applying. Document Gold Copy ID and restoration start time in Cyber Security Journal.

VERIFY — Integrity check before returning to service

Complete full verification checklist before reconnecting to ship network. Refer to Recover → Integrity Verification (Pillar B). No CBS returns to active service until verification is signed off by ETO and Chief Engineer.

LOG — Record all actions for survey evidence

Complete the Cyber Security Journal entry with full timeline, CBS affected, Gold Copy ID used, verification outcome, and restoration time. This record is the primary survey evidence for Class at the next annual or special survey.

RTO Execution — At Sea vs. In Port

Your CBS Recovery Register defines two RTO values per system — one for sea state, one for port. The execution sequence differs because the constraints differ. The table below gives the operational guidance for each context.

At Sea — Restricted RTO Window

Category III: RTO = OEM restart time. No buffer.

1. Activate manual fallback immediately — do not attempt digital recovery first

2. Inform Master — vessel operational state may need to change (reduce speed, alter course, request VTS assistance)

3. Retrieve Gold Copy from offline secure storage (ECR safe)

4. Execute restore within OEM restart baseline — if this cannot be met, maintain manual fallback and proceed to port for full recovery

5. Do not reconnect to ship network until Pillar B integrity check is complete

In Port / At Anchor — Extended RTO Window

Category III: ≤ 2–4 hrs. Category II: ≤ 8 hrs.

1. Activate manual fallback as precaution — vessel at rest but fallback confirms controlled state

2. Contact vendor if required — OEM-dependent systems should have vendor notified within first 30 minutes

3. Retrieve Gold Copy and verify SHA-256 hash before applying

4. Execute systematic restore — Cat III first, Cat II second, following the priority sequence in your SCSRP

5. Full Pillar B integrity verification before returning any CBS to active service

Pre-Reconnection Verification Checklist

No CBS returns to the ship network until this checklist is complete and signed off. This is the bridge between Pillar A (Backup & Restore) and Pillar B (Forensic Clean-Up). Connecting a restored but unverified system to the ship network risks reintroducing the incident.

Step	Verification Action	Responsible	Sign-Off
V1	Confirm Gold Copy SHA-256 hash matches the register entry before image was applied	ETO	____/__/__
V2	Confirm system boots to correct OS version and all OEM application versions match documented baseline	ETO	____/__/__
V3	Run malware scan on restored system before network reconnection (see Recover → Malware Scrubbing)	ETO	____/__/__
V4	Confirm all unnecessary services and ports remain disabled (hardened state matches Gold Copy baseline)	ETO	____/__/__
V5	Functional test: confirm CBS performs its intended operational function correctly before reconnecting to ship network	ETO + C/E	____/__/__
V6	Confirm restoration did not introduce inconsistency in connected or integrated systems (E26 §4.5.3.3)	ETO + C/E	____/__/__
V7	Master authorizes return to service — CBS reconnected to ship network under monitored conditions	Master	____/__/__

Cyber Security Journal — Required Log Entry

Every CBS recovery event must be recorded in the Cyber Security Journal. This record is the primary evidence a Class surveyor will request at the next annual or special survey. Incomplete or absent records are treated as non-compliance with E26 §4.5.1.4.4.

Cyber Security Journal — Recovery Event Record

Date / Time of Incident

____-__-__ / __:__ UTC

CBS Affected

System name + Asset ID from CBS Register

Vessel Operational State

Open ocean / Coastal / Port approach / Alongside

Manual Fallback Activated

Yes / No — time activated: __:__ UTC

Gold Copy ID Used

Label ID + SHA-256 hash from media label

Restoration Start Time

__:__ UTC

Restoration Complete Time

__:__ UTC — Total elapsed: ___ min

RTO Target (from Register)

___ min / hrs — MET / EXCEEDED

Verification Steps V1–V7

All passed / Step ___ failed — action taken: ___

Return to Service Authorised By

Master signature + time: __:__ UTC

DPA / Office Notified

Yes / No — time: __:__ UTC — method: ___

Class Notified

Yes / No — reference number: ___

What a Surveyor Will Ask at Annual Survey

These are the evidence questions a Class surveyor will ask specifically about recovery execution — distinct from the methodology questions covered in the Identify article. Having the Cyber Security Journal entries and test records available closes every one of these.

#	Surveyor Question	Evidence Required
Q1	When was the last restoration test performed and what was the result?	Cyber Security Journal entry: date, Gold Copy ID, system tested, pass/fail. Must be within 12 months.
Q2	Show me a completed recovery drill record.	Drill log entry including scenario, CBS involved, time to activate manual fallback, time to complete restore, and lessons identified.
Q3	If a vendor is required for recovery of a specific CBS, what is your procedure?	Vendor contact details in SCSRP, documented response SLA, and compensating controls for the gap period documented in CBS Recovery Register.
Q4	Was the recovery plan available in hard copy onboard during the last incident or drill?	Documented storage location onboard (e.g., Bridge and ECR). Hard copy must be current version — not an outdated print.
Q5	Was any restoration performed that exceeded the defined RTO? If so, what corrective action was taken?	Cyber Security Journal entry showing elapsed time vs. RTO target. If exceeded: documented root cause analysis and SCSRP update via MoC. No entry = no incident, which is acceptable if a drill log confirms tested capability.

Annual Restoration Test — Drill Requirement

E26 §4.5.2.4.4 requires that backup media integrity is verified periodically. In practice this means an annual restoration test on spare hardware or a virtual machine — a non-destructive exercise that proves the Gold Copy actually works before you need it during an incident.

Frequency

Minimum annually. Recommend after each Gold Copy refresh to confirm the new image is restorable before retiring the old one.

Method

Restore to spare hardware or VM. Verify OS boots, applications load, and configuration matches the documented baseline. Do not restore to a live CBS during testing.

Record

Log in Cyber Security Journal: date, Gold Copy ID and hash used, system tested, elapsed time, result (pass/fail), and ETO sign-off. Retain onboard for Class inspection.

Critical ETO Warning — Do Not Skip Integrity Verification

Restoring a Golden Image removes the malware payload but does not guarantee the incident vector is closed. If the CBS is reconnected to the ship network before verification steps V1–V7 are complete and the network isolation root cause is identified, you risk reinfection within minutes. A fast recovery that skips verification is not a recovery — it is a reinfection waiting to happen.

PREVIOUS:
Offline Backup Verification

Next Section

Integrity Verification

Integrity Verification This guide provides the post-recovery verification process for confirming that restored systems a...

Integrity Verification →