Part of the RESPOND Playbook

Incident Severity Matrix

Response Objective: To standardize how cyber events are reported and prioritized, ensuring that the Master and Shore-side SOC receive accurate information during a crisis.

Not every anomaly is a cyber-attack. A failing sensor or a loose Ethernet cable can trigger a “Device Down” alert. The ETO’s first job is Triage: determining if the event is a Technical Failure, a Suspicious Event, or a Confirmed Attack.

The 3-Tier Severity Scale

In alignment with IACS UR E26 and IMO MSC.428(98), we categorize incidents based on their impact on “Essential Services” (Propulsion, Steering, Navigation).

Severity / Technical Indicator / Operational Impact

LOW (Cat 1)
  Technical indicator: Single non-critical workstation failure; suspected virus on Crew Wi-Fi.
  Operational impact: None. Essential services unaffected. Administrative annoyance.

MEDIUM (Cat 2)
  Technical indicator: Unauthorized “Rogue Device” in ECR; partial loss of monitoring data.
  Operational impact: Degraded visibility. Vessel safe, but risk of escalation is high.

CRITICAL (Cat 3)
  Technical indicator: Ransomware on Bridge; loss of ECDIS or Engine Control.
  Operational impact: Immediate Safety Risk. Potential loss of maneuverability or blackout.

Decision Tree: Is it a Cyber Attack?

If you see an anomaly, ask these three questions to decide whether you should initiate the Respond Phase:

1. Multiple Failures? Did multiple unrelated systems fail at the same time? (Indicates lateral movement or malware.)

2. Unusual Activity? Are there log entries for “Administrator Login” at a time when no one was working on the system?

3. Data Tampering? Have configuration files been changed, or is the system demanding payment (ransomware screen)?

Reporting Rule: “When in Doubt, Shout”

If you cannot definitively rule out a cyber-attack within 15 minutes, the ETO must report a “Potential Level 2 Incident” to the Master. It is safer to stand down a false alarm than to delay the isolation of a real threat.
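As an added illustration (not part of the playbook), the three decision-tree questions, the 3-tier scale and the 15-minute reporting rule above combined into one triage helper. The Anomaly record, the 08:00-17:00 working window, the sample events and the treatment of a Cat 3 event as reportable immediately are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ESSENTIAL_SERVICES = {"propulsion", "steering", "navigation"}  # essential services named on the page
DOUBT_WINDOW = timedelta(minutes=15)  # "When in Doubt, Shout" deadline

@dataclass
class Anomaly:                      # one triage record, filled in by the ETO (constructed)
    observed_at: datetime
    failed_systems: list            # systems currently reporting "Device Down"
    admin_logins: list = field(default_factory=list)  # (timestamp, account) from device logs
    tampered: bool = False          # config files changed, or a ransomware screen shown
    lost_services: set = field(default_factory=set)   # essential services no longer available

def decision_tree(a: Anomaly, work_start: datetime, work_end: datetime) -> list:
    """Answer the three triage questions; returns the ones answered 'yes'."""
    hits = []
    if len(set(a.failed_systems)) > 1:       # Q1: several systems down at the same time
        hits.append("multiple_failures")     # (simplification: distinct names = unrelated)
    if any(not work_start <= t <= work_end for t, _ in a.admin_logins):
        hits.append("unusual_activity")      # Q2: admin login while nobody was working
    if a.tampered:
        hits.append("data_tampering")        # Q3: changed configs / ransom demand
    return hits

def severity(a: Anomaly, hits: list) -> str:
    if a.lost_services & ESSENTIAL_SERVICES:     # Cat 3: immediate safety risk
        return "CRITICAL (Cat 3)"
    return "MEDIUM (Cat 2)" if hits else "LOW (Cat 1)"  # Cat 2: risk of escalation

def triage(a, work_start, work_end, now, attack_ruled_out=False) -> dict:
    hits = decision_tree(a, work_start, work_end)
    sev, report = severity(a, hits), None
    if sev.startswith("CRITICAL"):
        report = "Cat 3: report to Master immediately"   # assumption: Cat 3 is never held for 15 min
    elif not attack_ruled_out and now - a.observed_at >= DOUBT_WINDOW:
        report = "Potential Level 2 Incident: report to Master"  # could not rule out attack in time
    return {"severity": sev, "indicators": hits, "report": report}

def sample_triage() -> dict:
    """Three constructed events; working window 08:00-17:00, assessed at 09:00."""
    ws, we, now = datetime(2024, 5, 1, 8), datetime(2024, 5, 1, 17), datetime(2024, 5, 1, 9)
    glitch = Anomaly(now - timedelta(minutes=5), ["ecr_switch_3"])          # faulty switch
    bridge = Anomaly(now - timedelta(minutes=2), ["ecdis_1", "ecdis_2", "radar"],
                     admin_logins=[(datetime(2024, 5, 1, 3, 12), "administrator")],
                     tampered=True, lost_services={"navigation"})
    doubt = Anomaly(now - timedelta(minutes=20), ["ecr_hmi"])               # unexplained, unresolved
    return {"glitch": triage(glitch, ws, we, now, attack_ruled_out=True),
            "bridge": triage(bridge, ws, we, now), "doubt": triage(doubt, ws, we, now)}
```

The "doubt" case shows the rule at work: no tree question is answered "yes", so the severity stays LOW, yet because the attack was not ruled out within 15 minutes the helper still demands a report to the Master.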

Audit Evidence Preparation

Class surveyors will ask to see your Incident Log. Even with zero attacks, you must demonstrate active recording of “Near Misses” or “Technical Glitches.”

  • Evidence: A log entry showing a Level 1 event (e.g., “Faulty Switch Replaced”) being assessed and closed.
  • Evidence: Proof that the ETO has the current emergency contact details for the CSO and Shore-side SOC.
