Incident Severity Matrix
Response Objective: To standardize how cyber events are reported and prioritized, ensuring that the Master and Shore-side SOC receive accurate information during a crisis.
Not every anomaly is a cyber-attack. A failing sensor or a loose Ethernet cable can trigger a “Device Down” alert. The ETO’s first job is Triage: determining if the event is a Technical Failure, a Suspicious Event, or a Confirmed Attack.
The 3-Tier Severity Scale
In alignment with IACS UR E26 and IMO MSC.428(98), we categorize incidents based on their impact on “Essential Services” (Propulsion, Steering, Navigation).
Decision Tree: Is it a Cyber Attack?
If you see an anomaly, ask these three questions to confirm if you should initiate the Respond Phase:
- Multiple Failures? Did multiple unrelated systems fail at the same time? (Indicates lateral movement or malware.)
- Unusual Activity? Are there log entries for “Administrator Login” at a time when no one was working on the system?
- Data Tampering? Have configuration files changed, or is the system demanding payment (ransomware screen)?
Reporting Rule: “When in Doubt, Shout”
If you cannot definitively rule out a cyber-attack within 15 minutes, the ETO must report a “Potential Level 2 Incident” to the Master. It is safer to stand down a false alarm than to delay the isolation of a real threat.
Audit Evidence Preparation
Class surveyors will ask to see your Incident Log. Even with zero attacks, you must demonstrate active recording of “Near Misses” or “Technical Glitches.”
- Evidence: A log entry showing a Level 1 event (e.g., “Faulty Switch Replaced”) being assessed and closed.
- Evidence: Proof that the ETO has the current emergency contact details for the CSO and Shore-side SOC.
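The decision tree, the 15-minute reporting rule and the Level 1 audit entry above, worked as an added example (not part of this procedure or any vessel's system): the record layout, the assumed 08:00-18:00 working hours and the `triage` function are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

REPORT_DEADLINE = timedelta(minutes=15)  # "When in Doubt, Shout" window

@dataclass
class Anomaly:
    """One anomaly as an ETO might record it (constructed schema, not a real product format)."""
    detected_at: datetime
    failed_systems: list                  # systems that raised a "Device Down" or similar alarm
    admin_logins: list                    # timestamps of "Administrator Login" log entries
    working_hours: tuple = (time(8, 0), time(18, 0))  # assumed hours someone was on the system
    config_changed: bool = False
    ransom_screen: bool = False
    ruled_out_at: Optional[datetime] = None  # when a benign cause (e.g. faulty switch) was established
    confirmed_attack: bool = False           # set by the ETO only once an attack is positively confirmed

def decision_tree(a: Anomaly) -> list:
    """The three questions from the decision tree; returns the ones answered 'yes'."""
    hits = []
    if len(set(a.failed_systems)) > 1:                                 # Multiple Failures?
        hits.append("multiple_failures")
    start, end = a.working_hours
    if any(not (start <= t.time() <= end) for t in a.admin_logins):   # Unusual Activity?
        hits.append("unusual_activity")
    if a.config_changed or a.ransom_screen:                            # Data Tampering?
        hits.append("data_tampering")
    return hits

def triage(a: Anomaly, now: datetime) -> dict:
    """Classify the event and decide what to report; the result doubles as an Incident Log entry."""
    hits = decision_tree(a)
    entry = {"detected_at": a.detected_at.isoformat(), "indicators": hits}
    if a.confirmed_attack or hits:
        entry.update(category="Confirmed Attack" if a.confirmed_attack else "Suspicious Event",
                     respond_phase=True, report="Potential Level 2 Incident", status="open")
    elif a.ruled_out_at is not None:
        # Benign cause found: a Level 1 event, assessed and closed, as a surveyor expects to see.
        late = a.ruled_out_at - a.detected_at > REPORT_DEADLINE
        entry.update(category="Technical Failure", level=1, respond_phase=False, status="closed",
                     report="Potential Level 2 Incident (stood down)" if late else None)
    elif now - a.detected_at > REPORT_DEADLINE:
        # Not ruled out within 15 minutes: report to the Master even though nothing is confirmed yet.
        entry.update(category="Suspicious Event", respond_phase=True,
                     report="Potential Level 2 Incident", status="open")
    else:
        entry.update(category="Under Triage", respond_phase=False, report=None, status="open")
    return entry
```

Each returned entry is meant to be appended to the Incident Log, so that near misses and technical glitches are recorded with the same structure as real incidents.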