Key Takeaways
- Incident response at sea is constrained. Intermittent satcom, isolated bridge OT, and small crew teams change every assumption a corporate IR plan makes.
- Classification matters. Safety-impacting incidents trigger a different response (and reporting obligation) than IT-only incidents.
- Vessel-shore comms protocol during a cyber incident must be defined in advance. Asking the master to invent it during the incident does not work.
- Isolating OT at sea may mean reverting to paper navigation, manual engine control, or paper cargo logs. Drills are how the crew confirms this is feasible.
- Flag state notification obligations vary by jurisdiction; BIMCO incident sharing is voluntary. Define the obligation per flag and rehearse the workflow.
Why Maritime IR Is Not Corporate IR With Saltwater
Standard enterprise incident response assumes always-on connectivity, geographically reachable assets, and a SOC that can issue commands and ship out replacement equipment in hours. None of that holds true on a vessel at sea. Satcom is intermittent and expensive per megabyte. The vessel cannot be physically reached for days or weeks. The crew on board may be the only team capable of executing manual containment. The chief engineer and master are not full-time security responders.
These constraints reshape the IR plan. It must give the master and chief officer clear, executable actions for the first hour of an incident that need no shore-side approval. Shore-side decision authority applies later, for higher-impact choices (declaring a safety incident to the flag state, deciding to divert, engaging external forensics). The vessel-shore handoff, and the channel that carries it, is the single most important design choice in a maritime IR plan.
Incident Classification: Safety, Operations, IT
Not all incidents are equal. Our recommended classification has three tiers that map to escalation, reporting and decision authority.
Tier 1 (Safety-Impacting): the incident affects, or has credible potential to affect, navigation, propulsion, steering, communications, cargo safety or pollution prevention. Examples: ECDIS showing a position that contradicts other fixes, autopilot deviating from its setpoint, GMDSS unreachable, an engine alarm flood with no physical cause. The master has authority to declare the incident and take immediate action. Shore is notified within the first hour.
Tier 2 (Operations-Impacting): the incident affects vessel operations but not safety. Planned maintenance system offline, cargo manifest software unreachable, crew welfare WiFi down, vendor remote diagnostic compromised. The chief officer or chief engineer leads, shore IT is engaged, business continuity activities apply.
Tier 3 (IT-Only): limited to vessel IT or shore IT, no operational or safety impact. Routine SOC response, normal change management.
Vessel-Shore Communications During an Incident
An IT-only incident might be diagnosed and resolved by shore IT over a remote session. A safety-impacting incident is a different conversation. The vessel must report what is happening using verified channels that are themselves not the suspect system. If GMDSS is the suspect system, you cannot use GMDSS to report the GMDSS incident. The IR plan must define alternate channels.
Recommended practice: maintain at least two independent communication paths between vessel and shore for incident use. Typically one is satcom voice (Inmarsat phone, Iridium handset) and the other is a data link through a separate VSAT terminal, or a cellular (4G) link in coastal waters. Two paths are independent only if they do not share a below-deck unit, antenna controller or shore gateway; a voice line and a data channel that terminate on the same terminal fail together. Define a coded message format (short, structured, easily transmitted over a noisy link) for initial incident notification so the master is not improvising under stress. Example: 'CYB1' (cyber, tier 1), followed by a 6-character incident identifier and a one-line description.
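As an added example (not code from the original article), the coded notification format and the three-tier classification above as one small Python module: the vessel builds the message, shore parses it and orders incoming notices Tier 1 first. The article fixes only the 'CYB1' prefix, the 6-character identifier and the one-line description; the '/' separator, the 100-character cap, the role names in the escalation table and the sample messages are assumptions constructed for illustration.

```python
"""Vessel-to-shore cyber incident notice: builder, parser and triage.

Added example, not code from the original article. The wire layout
CYB<tier>/<6-char id>/<one-line description>, the '/' separator, the
length limits and the escalation table are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Who leads and what happens first, per tier. Derived from the article's
# three-tier classification; the exact wording is assumed.
ESCALATION = {
    1: ("master", "shore notified within 1 hour"),
    2: ("chief officer / chief engineer", "shore IT engaged"),
    3: ("shore IT", "routine SOC response"),
}

MAX_LEN = 100   # assumed cap so the notice survives a voice relay or noisy link
MAX_DESC = 80   # assumed cap on the free-text part

# Assumed wire format, e.g. (constructed) CYB1/AX7Q2M/ECDIS position jumps 3nm
NOTICE_RE = re.compile(
    r"^CYB(?P<tier>[123])/(?P<ident>[A-Z0-9]{6})/(?P<desc>[^\r\n]{1,%d})$" % MAX_DESC
)


@dataclass(frozen=True)
class IncidentNotice:
    tier: int
    ident: str
    desc: str

    @property
    def lead(self) -> str:
        return ESCALATION[self.tier][0]

    @property
    def action(self) -> str:
        return ESCALATION[self.tier][1]


def build_notice(tier: int, ident: str, desc: str) -> str:
    """Compose a notice on the vessel, refusing anything shore could not parse."""
    if tier not in ESCALATION:
        raise ValueError("tier must be 1, 2 or 3")
    ident = ident.strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{6}", ident):
        raise ValueError("incident identifier must be 6 alphanumeric characters")
    desc = " ".join(desc.split())          # fold newlines/double spaces to one line
    if not desc:
        raise ValueError("description must not be empty")
    return f"CYB{tier}/{ident}/{desc[:MAX_DESC]}"


def parse_notice(raw: str) -> Optional[IncidentNotice]:
    """Parse a received notice; return None for anything malformed.

    Tolerates what a voice-relayed or noisy-link message commonly picks up
    (surrounding whitespace, lower case in the fixed fields). Anything else
    is rejected rather than guessed at, so a garbled tier is never acted on.
    """
    text = raw.strip()
    if len(text) > MAX_LEN:
        return None
    parts = text.split("/", 2)             # maxsplit keeps any '/' in the description
    if len(parts) != 3:
        return None
    head, ident, desc = parts[0].upper(), parts[1].upper(), parts[2]
    m = NOTICE_RE.match(f"{head}/{ident}/{desc}")
    if not m:
        return None
    return IncidentNotice(int(m["tier"]), m["ident"], m["desc"])


def triage(received: List[str]) -> List[IncidentNotice]:
    """Shore side: keep the parseable notices and order them, Tier 1 first."""
    notices = [n for n in (parse_notice(r) for r in received) if n is not None]
    return sorted(notices, key=lambda n: n.tier)


if __name__ == "__main__":
    # Constructed sample traffic as it might arrive at the shore duty mailbox.
    inbox = [
        " cyb3/pm4k9z/PMS server unreachable since 0400 ",
        "CYB1/AX7Q2M/ECDIS position 3nm off radar fix, GMDSS ok",
        "CYB9/ZZZZZZ/garbled tier",         # rejected: no such tier
    ]
    for n in triage(inbox):
        print(f"Tier {n.tier} {n.ident}: {n.desc} -> lead: {n.lead}; {n.action}")
```

The parser is deliberately strict: surrounding whitespace and lower case in the fixed fields are normalised because that is what a voice relay or a noisy link produces, but a tier digit outside 1 to 3 or an identifier of the wrong length is dropped rather than guessed at, since acting on a mis-heard tier is worse than asking the vessel to resend.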
Shore-side, the IR team must have a 24/7 reachable number, a defined on-call rotation, and the authority to wake the DPA, the head of IT, the CISO and the head of fleet operations. Practice this calling tree with at least one realistic drill per quarter.
Isolating OT Systems at Sea
When a bridge or engine OT system is suspected of compromise, the operational instinct is to disconnect it. Doing that safely requires pre-defined procedures because the suspect system may itself be the means of control for a safety-critical function.
ECDIS suspected of tampering: revert to paper charts, gyro and dead reckoning, with the master and OOW navigating by traditional methods. The IR plan must confirm that paper charts on board are current and that the bridge team is current in their use. Some companies have allowed paper navigation to lapse since ECDIS became mandatory; the IR plan exposes that gap. Where the approved backup is a second ECDIS rather than paper charts, treat it as suspect too if it shares the chart supply, update path or network with the primary, and state in the plan which backup the master is to trust.
Autopilot suspected of compromise: switch to hand steering. The IR plan must confirm at least two crew members are competent at sustained hand steering for the longest expected period before shore guidance is available.
Engine monitoring suspected of compromise: revert to local watchkeeping at the engine console, paper logs of pressures and temperatures, manual response to alarms. The chief engineer must be able to operate the plant without the alarm and monitoring software for the period required.
Cargo control suspected of compromise: stop ongoing cargo operations, fall back to manual valve operation, paper logs and pen-and-paper cargo plan adjustments. For LNG, chemical and crude carriers, this is non-trivial and must be drilled.
Flag State and BIMCO Reporting Obligations
Notification obligations vary significantly by flag state and by incident type. Several flag administrations (USCG for US-flag vessels, the UK MCA, the Norwegian Maritime Authority, MPA Singapore, Indian DGS via guidance) now require cyber incidents affecting safety to be reported through their casualty or incident notification channels. Coastal and port state rules can add a second obligation to report to the authority whose waters the vessel is in, independent of flag. BIMCO, as an industry association, imposes no obligation; it recommends voluntary incident sharing to enable industry learning.
Practical action for the IR plan: maintain a per-flag notification card for every flag in your fleet. The card states whom to call, what minimum information to provide, the deadline (often within 24 hours of master becoming aware), and the format. Update annually because regulator contact details change.
Where personal data is exposed (crew records, passenger data, business contact data), the DPDP Act 2023 in India (Section 8 and the breach notification rules) and equivalent regulations in other jurisdictions create a separate, parallel notification obligation. The maritime IR plan and the corporate data protection IR plan must align so the company does not over-report or under-report into either regime.
Crew Training and Tabletop Exercises
Training is the link between the IR plan on paper and execution at sea. The recommended cadence is a four-hour cyber familiarisation at every crew change for the master, chief officer and chief engineer, an annual refresher for all crew, and a tabletop exercise per vessel per year involving at least the master, the chief officer, the DPA and a designated shore IT responder.
Tabletop scenarios that reliably surface gaps include: ECDIS showing impossible position, ransomware on the ship office workstation propagating toward bridge LAN, master suspects engine monitoring is being manipulated by an external party, crew member reports unusual behaviour on welfare WiFi router, satcom firmware update fails and management interface is unresponsive. Each scenario walks through the first hour decisions, the vessel-shore handoff, the reporting obligations, and the recovery path.
Drill outputs become evidence for the flag state cyber audit. Document the scenario, the participants, the decisions taken, the gaps surfaced, and the corrective actions raised. This evidence pack is also useful in customer security questionnaires and at P&I renewal.
Recovery: Vessel Return to Normal Operations
Recovery from a maritime cyber incident has two phases: technical restoration (getting the affected systems back to a verified clean state) and operational verification (confirming that the vessel can resume normal operations). Both must be deliberate. A vessel that resumes bridge operations on an ECDIS that has not been verified clean is taking a second risk on top of the first.
Technical restoration typically involves restoring from a backup verified to predate the intrusion (not merely the detection), applying the patches that close the weakness the attacker used so the restored image does not reopen it, rotating all credentials known to or used by the suspect system (including vendor remote-access accounts), and reconnecting only after verification. Where the affected system is OT and verification at sea is infeasible, the safe path is often to revert to manual operation until the next port stay, where the vendor can verify and re-baseline.
Operational verification is led by the master and chief engineer, with shore-side technical confirmation. The master signs off when satisfied that the system behaves as expected. The post-incident review feeds back into the SMS as a non-conformity or an improvement, depending on outcome, and into the IR plan as lessons learned.
Frequently Asked Questions
Does IMO 2021 require us to have a cyber incident response plan?
Yes, by implication. MSC-FAL.1/Circ.3 lists Respond and Recover among the five functional elements of cyber risk management (with Identify, Protect and Detect), and Resolution MSC.428(98) affirms that an approved SMS should take cyber risk management into account. Most flag states and class societies treat the absence of a documented cyber IR plan as an SMS non-conformity in cyber risk management.
Is the cyber IR plan separate from the SMS emergency response procedures?
It should be integrated, not separate. The strongest implementations add cyber-specific contingencies to the existing SMS emergency response sections so the master has a single reference, not two. Standalone cyber IR documents tend to be ignored under stress.
How often should we run a cyber tabletop?
Annual per vessel is the recommended cadence. The shore office runs more frequently (quarterly fits most companies). Tabletop scenarios should rotate so the same scenario does not repeat in the same calendar year.
What about crew turnover; how do we keep the IR plan effective?
Build cyber familiarisation into the crew change handover process. The relieving master and chief officer get a 30-minute briefing on the IR plan, channels and recent drill outcomes during sign-on, as part of the crew-change familiarisation described above. Codesecure provides ship-specific briefing packs that the company HSE or DPA can deliver consistently.
Do we need an external SOC for our vessels?
Not strictly necessary, but increasingly common. A maritime SOC tuned for ship telemetry, satcom anomalies, and vessel-side log streams provides real-time triage that crew cannot. Codesecure helps clients design and operate such SOCs (see our companion guide on maritime SIEM solutions).
Does the IR plan need to cover supply chain incidents?
Yes. Many vessel incidents originate with vendors: chart distributors, satcom providers, planned maintenance vendors, remote diagnostic technicians. The IR plan must define vendor incident notification expectations and the company response when a vendor reports a compromise affecting your fleet.
Build A Cyber IR Plan That Works At Sea, Not Just On Paper
Codesecure helps shipowners design, document, train and exercise maritime cyber incident response plans aligned with IMO 2021 and BIMCO. ISO/IEC 27001:2022 certified delivery, vessel walkthroughs, tabletop facilitation and crew-friendly playbooks.

