Part of the RESPOND Playbook ← Return to Hub

Emergency System Shutdown Rules

Response Objective: To define the “Red Lines” for system power-down, ensuring that no critical safety system is deactivated unless the risk of staying online is greater than the risk of shutdown.

Shutting down a computer in the middle of a voyage is a high-risk move. Under IACS UR E26 §4.4.1, the vessel must have a predefined plan for which systems are “Safe to Stop” and which are “Must-Run.”

The “Shutdown Tier” System

The ETO must treat systems according to their tier. Never shut down a Tier 1 system without a direct order from the Master.

Tier 1: THE MUST-RUNS

Systems: ECDIS (Primary), Steering Control, Propulsion Logic, GMDSS.

Rule: Never shut down while at sea. Use Network Isolation (Pillar B.1) instead of power-down to avoid immediate collision or grounding.

Tier 2: CONDITIONAL-STOP

Systems: PMS (Power Management), Ballast Control, Cargo Monitoring.

Rule: Shutdown permitted only if vessel is stable (anchor/open sea) and manual backup controls are fully manned and tested.

The “Red Line” Scenarios

There are only two scenarios where an ETO should recommend an immediate shutdown of a critical OT system:

  • Physical Limit Exceeded: The attack is forcing machinery to run outside safe parameters (Speed/Temp/Pressure) that could lead to explosion or fire.
  • Data Corruption Spreading: The ransomware is actively encrypting the “Golden Backup” drive. Shutting down may save the restoration data required for recovery.

The Shutdown Checklist

If a shutdown is authorized by the Master, follow these steps to prevent making recovery impossible:

1

Handover: Ensure the duty engineer has switched to Manual/Local Control and confirmed visual readings on physical gauges.

2

Forensics: If the OS is responsive, take a photo/screenshot of the “Task Manager” to identify the malware process for shore-side analysis.

3

Clean Cut: Perform a graceful shutdown. If locked, pull the physical power cord to avoid a “Restart loop” that could propagate malware.

4

Tag-Out: Physically label the hardware “CYBER COMPROMISED – DO NOT RESTART” to prevent accidental power-up by other crew.

Auditor’s Question

“Do you have a list of systems that are safe to shut down during a cyber attack?”

Your Answer: Show them the Tiered System Priority List and present the Manual Backup Procedures (SOPs) for the Tier 2 systems.

Next Section

Internal Crisis Communication

Internal Crisis Communication Response Objective: To provide the Master and Senior Officers with clear, non-technical si...

Scroll to Top