Part of the RESPOND Playbook ← Return to Hub

Internal Crisis Communication

Response Objective: To provide the Master and Senior Officers with clear, non-technical situational awareness to support decision-making regarding vessel safety and navigation.

In a cyber crisis, communication failure is often more dangerous than system failure. The ETO must provide a Cyber SITREP (Situation Report) that tells the Master exactly what they need to know: What is broken, what is at risk, and what is being done.

The “Plain Language” Rule

When briefing the Bridge, avoid acronyms like “VLAN,” “MAC Filtering,” or “Lateral Movement.” Use operational analogies that reflect the ship’s physical safety.

Avoid (Technical) Use (Operational)
“We have lateral movement in the iDMZ.” “The infection is spreading from the office computers toward the machinery controls.”
“I am implementing a port-shutdown on the core.” “I am cutting the link between the Bridge and the Engine Room to protect the engines.”
“ECDIS 1 is showing a logic bomb.” “ECDIS 1 is unreliable and may give false data. Use ECDIS 2 or Paper Charts.”

The “Red Line” Scenarios

There are only two scenarios where an ETO should recommend an immediate shutdown of a critical OT system:

  • Physical Limit Exceeded: The cyber attack is forcing a machine (e.g., a pump or engine) to run outside of safe physical parameters (Speed/Temperature/Pressure) that could lead to an explosion or fire.
  • Data Corruption Spreading: The ransomware is actively encrypting the “Golden Backup” drive connected to the system. Shutting down may save the backup data required for the Recover Phase.

The Cyber SITREP Template

The ETO should deliver a SITREP every 30-60 minutes during an active Level 3 incident. Use this 4-point structure:

  • 1. CURRENT STATUS: Which systems are 100% compromised, which are degraded, and which are clean.
  • 2. SAFETY IMPACT: Can we still steer? Can we still communicate with shore? Is the engine automated or local?
  • 3. ACTIONS TAKEN: “I have isolated the Crew Wi-Fi and disconnected the SATCOM link.”
  • 4. NEXT STEPS: “I am now attempting to verify the integrity of the Engine Control backups.”

Communication Channels

If the ship’s network is compromised, assume the internal VoIP phones and ship’s email are monitored by the attacker.

  • Primary: Face-to-face briefings or handheld UHF/VHF radios.
  • Secondary: Sound-powered telephones (if available for Engine-to-Bridge).
  • Emergency: Use a personal/work mobile phone via a roaming 4G/5G signal (if near coast) to bypass the ship’s VSAT.

Master’s Advisory

The ETO informs; the Master decides. If the ETO recommends isolating the Bridge network, the Master must confirm that the current navigational environment (e.g., heavy traffic or narrow channel) allows for a temporary loss of electronic monitoring.

Next Security Phase

Regulatory & Shore-Side Reporting

Regulatory & Shore-Side Reporting Response Objective: To fulfill legal and company obligations by providing timely, accurate incident data to the Company Security Officer (CSO) and external authorities. When the vessel is under cyber-attack, the shor...

Continue to Regulatory & Shore-Side Reporting →
Scroll to Top