• Single non-critical workstation failure
• Suspected virus isolated to crew Wi-Fi
• Single application crash with no spread
• Anomalous log entry with no follow-on activity
• Hardware failure with no cyber indicators

• No impact on propulsion, steering, or navigation
• No impact on PMS or safety systems
• Administrative inconvenience only
• No crew safety risk

• ETO investigates and documents
• Master notification at ETO discretion
• Log entry in Incident Register
• Monitor for 24 hours for escalation
• DPA notification not required at this level

• Unauthorised rogue device in ECR or bridge network
• Partial loss of monitoring or alarm data
• Unusual outbound traffic from OT zone
• Admin login in audit log at unexpected time
• Repeated failed authentication on CBS
• Multiple systems with minor anomalies simultaneously

• Degraded monitoring visibility
• Vessel operationally safe at present
• Risk of escalation to Level 3 is elevated
• No immediate maneuverability impact

• ETO notifies Master immediately
• DPA notified within 30 minutes
• Increased monitoring frequency
• Preserve all logs — do not overwrite
• Prepare isolation procedures for activation
• Reassess every 30 minutes

• Ransomware screen or active encryption detected
• Loss of ECDIS, propulsion control, or PMS
• Confirmed lateral movement across VLANs
• Active command-and-control traffic from OT zone
• Configuration files modified without MoC authorisation
• Golden Image or backup drives targeted or encrypted

• Immediate safety risk to vessel
• Potential loss of maneuverability
• Risk of blackout or navigation loss
• Manual fallback activation likely required

• Master immediately informed
• DPA notified immediately via out-of-band channel
• Master authorises network isolation
• Manual fallback activated for all Cat III systems
• Class notification per SCSRP §6.1.4
• Shore-side incident response team engaged

Multiple simultaneous failures?

Did multiple unrelated systems fail at the same time? Simultaneous failures across zones are the strongest indicator of lateral movement. A single failure is probably technical. Multiple simultaneous failures almost certainly are not. → Level 2 minimum

Unexplained login activity in audit logs?

Are there log entries for administrator login, configuration changes, or remote access sessions when no authorised personnel were working on the system? Check the last 24 hours of syslog. → Level 2 minimum

Configuration files changed without a MoC entry?

Are any CBS configuration files dated more recently than the last authorised change in the MoC log? Unexplained configuration changes are a direct indicator of unauthorised access or malware activity. → Level 2 or Level 3

Ransom demand, encrypted files, or locked screens?

Any screen displaying a payment demand, any files that cannot be opened and were not recently modified by authorised personnel, or any system locked with an unfamiliar password. → Level 3 immediately

Essential services affected?

Is ECDIS, propulsion control, PMS, steering, or fire detection behaving unexpectedly and the cause cannot be confirmed as purely technical within 15 minutes? → Level 3 immediately — notify Master now