1. Initial assessment. To help ensure an appropriate response, the response team should find out:
   •  how the incident occurred
   • which IT and/or OT systems were affected and how
   • the extent to which the commercial and/or operational data is affected
   • to what extent any threat to IT and OT remains.

2. Recover systems and data. Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored, so far as is possible, to an operational condition by removing threats from the system and restoring software.

3. Investigate the incident. To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate. The information from an investigation will play a significant role in preventing a potential recurrence. Investigations into cyber incidents are covered in section 7.3.

4. Prevent a re-occurrence. Considering the outcome of the investigation mentioned above, actions to address any inadequacies in technical and/or procedural protection measures should be considered, in accordance with the company procedures for implementation of corrective action.

A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response.

Above Images and Below example from Borwell Secure Software Experts (www.borwell.com)

You or one of your colleagues notice strange emails that suggest passwords have been reset for Google, Ebay, LinkedIn and several other websites including banks too.  You then realise that these are for accounts related to your business.  Talking to colleagues, you eventually work out that these password resets are not from internal staff.  Someone has compromised an email account and has used it to force password changes to online services. Someone now has access to your business services and data.  A cyber attack is taking place.

What if this happened in your business today, or tonight?  If you had an IT security breach, how would you react?  How would you feel as the business owner?  What would you do?

When an incident has been confirmed like the scenario above, is the business able to put into effect a robust set of measures?

Managing an incident well can make the difference between an annoying distraction and a disaster.

Basics of Incident Response (IR):

• isolate, don’t power off
• Creating an IR playbook and response plan
• Basic hack detection skills for crew

If you think you’ve been hacked or being hacked:

• Shutdown the system
• Or turn off the system
• Separate the system from network
• Restore the system with the backup
• Or reinstall all programs
• Connect the system to the network

It would be prudent to call the police even if you do not know who or how bad it was.  Gather evidence, and don’t assume it has gone.  Many of the case studies we look at in this book, shows hacks were left dormant for many months if not a year prior to the incident.

The safety management system will already include procedures for reporting accidents or hazardous situations and define levels of communication and authority for decision making. Where appropriate, such procedures should be amended to reflect communication and authority in the event of a cyber incident.

The following is a non-exhaustive list of cyber incidents, which should be addressed in contingency plans on board:

• loss of availability of electronic navigational equipment or loss of integrity of navigation related data
• loss of availability or integrity of external data sources, including but not limited to GNSS
• loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System (GMDSS) communications
• loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control

It is important for Management to understand if they are covered for Operation loss and/or loss through the many opportunities covered in the Op course in depth, namely:

• Micro-sandboxing
• Microsoft Office macros
• Spyware
• Spoofing
  Phishing
• Spear Phishing
• Phishing scams
• Example of a Scam
• CEO fraud (Captain/Master/Operator or Owner)
• Email attachments
• Pop Up Ads
• Water holing
• Harmful Software
• Malware
• Trojan
• Worms
• Crimeware
• Adware
• Bots
• DDOS